Page MenuHome GnuPG

Ed25519: Signature (R,S), where S=0 is possible for EdDSA
Open, LowPublic


In EdDSA signature (R,S), S=0 is possible valid value (see Daniel J. Bernstein et al:

(Wikipedia article is wrong for this, saying 0 < S < l).

When GnuPG 2.2/2.3 handles such a signature of Ed25519, it rejects the signature by GPG_ERR_BAD_MPI wrongly.

This is quite rare case, but it should be handled correctly.

(Note that ECDSA, R != 0 and S !=0 is guaranteed.)

Event Timeline

gniibe updated the task description. (Show Details)
werner added a subscriber: werner.

The odds for this case are infinitesimal so this should not have high priority. I consider this only a code-is-as-specified thing.