diff options
Diffstat (limited to 'issues/investigate-ed25519-clamping.md')
-rw-r--r-- | issues/investigate-ed25519-clamping.md | 20 |
1 files changed, 0 insertions, 20 deletions
diff --git a/issues/investigate-ed25519-clamping.md b/issues/investigate-ed25519-clamping.md deleted file mode 100644 index 46aaa39..0000000 --- a/issues/investigate-ed25519-clamping.md +++ /dev/null @@ -1,20 +0,0 @@ -**Title:** Investigate Ed25519 clamping behavior</br> -**Date:** 2021-12-09 </br> - -# Summary -Ed25519 signatures have three bits that should be zero due to clamping. What -happens when verifying a signature that has these three bits set to something -else? Sigsum requires that such a signature is rejected. - -# Description -First confirm that Ed25519 signatures are clamped as described in the summary, -then investigate how `Verify()` is implemented in `"crypto/ed25519"`. The -assumed sigsum-log-go behavior is that `Verify()` is strict. In other words, a -signature that is not clamped correctly should be rejected and not "fixed". - -If a signature is "fixed" it would be possible to replay add-leaf requests. A -replay is bad for the log due to overhead. A replay is also bad for the -legitimate submitter because it eats into their rate limit (DoS vector). - -The following part of Go's implementation might be a good place to start: -- https://cs.opensource.google/go/go/+/refs/tags/go1.16.4:src/crypto/ed25519/ed25519.go;l=208 |