aboutsummaryrefslogtreecommitdiff
path: root/issues/investigate-ed25519-clamping.md
diff options
context:
space:
mode:
authorRasmus Dahlberg <rasmus@mullvad.net>2022-03-30 22:45:46 +0200
committerRasmus Dahlberg <rasmus@mullvad.net>2022-03-30 22:45:46 +0200
commitb09d20111227be5e6d5126ec905b44a7a4e96b0d (patch)
tree955fc6be7fb1e364a1d51bcca89080ea0cfa46bc /issues/investigate-ed25519-clamping.md
parent146cd30b9eb17dd3fa5c49c844c6045d62e54a7c (diff)
move issues to a common pad
Diffstat (limited to 'issues/investigate-ed25519-clamping.md')
-rw-r--r--issues/investigate-ed25519-clamping.md20
1 files changed, 0 insertions, 20 deletions
diff --git a/issues/investigate-ed25519-clamping.md b/issues/investigate-ed25519-clamping.md
deleted file mode 100644
index 46aaa39..0000000
--- a/issues/investigate-ed25519-clamping.md
+++ /dev/null
@@ -1,20 +0,0 @@
-**Title:** Investigate Ed25519 clamping behavior</br>
-**Date:** 2021-12-09 </br>
-
-# Summary
-Ed25519 signatures have three bits that should be zero due to clamping. What
-happens when verifying a signature that has these three bits set to something
-else? Sigsum requires that such a signature is rejected.
-
-# Description
-First confirm that Ed25519 signatures are clamped as described in the summary,
-then investigate how `Verify()` is implemented in `"crypto/ed25519"`. The
-assumed sigsum-log-go behavior is that `Verify()` is strict. In other words, a
-signature that is not clamped correctly should be rejected and not "fixed".
-
-If a signature is "fixed" it would be possible to replay add-leaf requests. A
-replay is bad for the log due to overhead. A replay is also bad for the
-legitimate submitter because it eats into their rate limit (DoS vector).
-
-The following part of Go's implementation might be a good place to start:
-- https://cs.opensource.google/go/go/+/refs/tags/go1.16.4:src/crypto/ed25519/ed25519.go;l=208