Practical Fault Attack against the Ed25519 and EdDSA Signature Schemes

2017 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC) (2017)

Abstract
The Edwards-curve Digital Signature Algorithm (EdDSA) was proposed to perform fast public-key digital signatures as a replacement for the Elliptic Curve Digital Signature Algorithm (ECDSA). Its key advantages for embedded devices are higher performance and straightforward, secure implementations. Indeed, neither branch nor lookup operations depending on the secret values are performed during a signature. These properties thwart many side-channel attacks. Nevertheless, we demonstrate here that a single-fault attack against EdDSA can recover enough private key material to forge valid signatures for any message. We demonstrate a practical application of this attack against an implementation on Arduino Nano. To the authors' best knowledge this is the first practical fault attack against EdDSA or Ed25519.
Keywords
EdDSA, Ed25519, fault attack, digital signature