Signature Malleability

Note that our applets are currently vulnerable to Signature Malleability. See this article for more information.

Signatures produced by our applets are not "restricted", i.e., their s value is not restricted to values below n/2, where n is the order of the elliptic curve. Thus, when seeing a signature (r,s), we cannot know whether it was produced by our applets, or whether the applets actually produced (r,-s) and an attacker derived (r,s) from it. Here -s is taken modulo n, i.e., it equals n-s. Both (r,s) and (r,-s) are valid signatures for the same message and public key.