Cryptographic Issues in Cloudflare's Circl FourQ Implementation (CVE-2025-8556)

Summary

Brief In early 2025, while working on a project which required us to perform a broad audit of OSS elliptic curve implementations – we discovered several cryptographic issues in Cloudflare's CIRCL library – specifically with the implementation of the FourQ elliptic curve. We reported the issues through Cloudflare's HackerOne bug bounty plan in March 2025, and subsequently contacted Cloudflare directly, after having received a lukewarm and laconic response from the HackerOne triage team. Once the team at Cloudflare stepped in the issues were appropriately acknowledged and fixed. FourQ, Cloudflare's CIRCL CIRCL, which is Cloudflare's cryptography library, offers a basic implementation of the FourQ curve, as well as a Diffie-Hellman implementation named Curve4Q which offers shared secret functionality. FourQ is an elliptic curve with 128-bit security, developed by Microsoft Research and is defined by a twisted Edwards curve equation. The curve is defined over a two-dimensional extension of the prime field defined by the Mersenne prime \(p = 2^{127} - 1\), the curve twist parameter \(a = -1\) and \(d\) set to a quadratic nonresidue in \(F_{p^2}\). Simply put, much like the complex numbers are an extension field of the real numbers – the FourQ curve is defined over an extension of a prime field, its elements being of the form \(a + bi\) where \(a\) and \(b\) are in the integers\(\mod p\). In addition, the FourQ curve defines two endomorphisms, or structure-preserving functions, which serve as "shortcuts" to perform computations on the curve more efficiently. These endomorphisms, along with the other characteristics of the FourQ curve, make it fast and suitable for use-cases where computational resources are scarce – such as in embedded systems. Invalid point attacks A certain class of attacks on elliptic curve implementations allows an attacker to force the server to perform a calculation which discloses information about the secret key used. This type of attack is often ...