aboutsummaryrefslogtreecommitdiff
path: root/issues/ed25519-clamping-behavior.md
diff options
context:
space:
mode:
authorRasmus Dahlberg <rasmus.dahlberg@kau.se>2021-09-27 22:06:31 +0200
committerRasmus Dahlberg <rasmus.dahlberg@kau.se>2021-09-27 22:06:31 +0200
commit0b0320d8f295394e2afc5f0cf012422e8625518b (patch)
treea32512c8d9ce63aa3b9fd92f58468c9e7a8edbb1 /issues/ed25519-clamping-behavior.md
parent3981cdc68052c5084c28ade768b635d24242aa6d (diff)
imported issues
Diffstat (limited to 'issues/ed25519-clamping-behavior.md')
-rw-r--r--issues/ed25519-clamping-behavior.md19
1 files changed, 19 insertions, 0 deletions
diff --git a/issues/ed25519-clamping-behavior.md b/issues/ed25519-clamping-behavior.md
new file mode 100644
index 0000000..6e8fed7
--- /dev/null
+++ b/issues/ed25519-clamping-behavior.md
@@ -0,0 +1,19 @@
+# Ed25519 clamping behavior
+Reported by: rgdd
+
+If I recall correctly an Ed25519 signature has 3 bits that should always be
+zero. What happens if any of the 3 bits are not zero during signature
+verification? It probably depends on the implementation. I would expect that the
+signature is rejected. However, a possible behavior that I would not expect is
+that the three bits are zeroed ("fixed").
+
+We need the signature to be rejected; not fixed. Otherwise it is possible to
+replay a logged entry several times by enumerating the remaining bit patterns.
+Replays are bad for the log (overhead). Replays are also bad for the legitimate
+submitter because it will eat into their rate limit (DoS vector).
+
+It would be great if anyone could:
+- Confirm if I recall correctly. And if so, confirm if the behavior of
+`crypto/ed25519` is to reject signatures if any of the three bits are set.
+- After a quick look this might be the place to understand:
+https://cs.opensource.google/go/go/+/refs/tags/go1.16.4:src/crypto/ed25519/ed25519.go;l=208