aboutsummaryrefslogtreecommitdiff
path: root/issues/ed25519-clamping-behavior.md
diff options
context:
space:
mode:
Diffstat (limited to 'issues/ed25519-clamping-behavior.md')
-rw-r--r--issues/ed25519-clamping-behavior.md19
1 files changed, 0 insertions, 19 deletions
diff --git a/issues/ed25519-clamping-behavior.md b/issues/ed25519-clamping-behavior.md
deleted file mode 100644
index 6e8fed7..0000000
--- a/issues/ed25519-clamping-behavior.md
+++ /dev/null
@@ -1,19 +0,0 @@
-# Ed25519 clamping behavior
-Reported by: rgdd
-
-If I recall correctly an Ed25519 signature has 3 bits that should always be
-zero. What happens if any of the 3 bits are not zero during signature
-verification? It probably depends on the implementation. I would expect that the
-signature is rejected. However, a possible behavior that I would not expect is
-that the three bits are zeroed ("fixed").
-
-We need the signature to be rejected; not fixed. Otherwise it is possible to
-replay a logged entry several times by enumerating the remaining bit patterns.
-Replays are bad for the log (overhead). Replays are also bad for the legitimate
-submitter because it will eat into their rate limit (DoS vector).
-
-It would be great if anyone could:
-- Confirm if I recall correctly. And if so, confirm if the behavior of
-`crypto/ed25519` is to reject signatures if any of the three bits are set.
-- After a quick look this might be the place to understand:
-https://cs.opensource.google/go/go/+/refs/tags/go1.16.4:src/crypto/ed25519/ed25519.go;l=208