aboutsummaryrefslogtreecommitdiff
path: root/issues/investigate-ed25519-clamping.md
diff options
context:
space:
mode:
authorRasmus Dahlberg <rasmus@mullvad.net>2021-12-09 11:14:31 +0100
committerRasmus Dahlberg <rasmus@mullvad.net>2021-12-09 11:14:31 +0100
commit89f0a41e8baefddf2c6962a8f0eee71dfd124d21 (patch)
tree85d7723d8e66225d9fe02304b0bac4c9f00c8eac /issues/investigate-ed25519-clamping.md
parente74021bee14cdc6a5aa22ddc2068c2f72dfe277f (diff)
added issues
Diffstat (limited to 'issues/investigate-ed25519-clamping.md')
-rw-r--r--issues/investigate-ed25519-clamping.md20
1 files changed, 20 insertions, 0 deletions
diff --git a/issues/investigate-ed25519-clamping.md b/issues/investigate-ed25519-clamping.md
new file mode 100644
index 0000000..46aaa39
--- /dev/null
+++ b/issues/investigate-ed25519-clamping.md
@@ -0,0 +1,20 @@
+**Title:** Investigate Ed25519 clamping behavior</br>
+**Date:** 2021-12-09 </br>
+
+# Summary
+Ed25519 signatures have three bits that should be zero due to clamping. What
+happens when verifying a signature that has these three bits set to something
+else? Sigsum requires that such a signature is rejected.
+
+# Description
+First confirm that Ed25519 signatures are clamped as described in the summary,
+then investigate how `Verify()` is implemented in `"crypto/ed25519"`. The
+assumed sigsum-log-go behavior is that `Verify()` is strict. In other words, a
+signature that is not clamped correctly should be rejected and not "fixed".
+
+If a signature is "fixed" it would be possible to replay add-leaf requests. A
+replay is bad for the log due to overhead. A replay is also bad for the
+legitimate submitter because it eats into their rate limit (DoS vector).
+
+The following part of Go's implementation might be a good place to start:
+- https://cs.opensource.google/go/go/+/refs/tags/go1.16.4:src/crypto/ed25519/ed25519.go;l=208