From 89f0a41e8baefddf2c6962a8f0eee71dfd124d21 Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Thu, 9 Dec 2021 11:14:31 +0100 Subject: added issues --- issues/investigate-ed25519-clamping.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 issues/investigate-ed25519-clamping.md (limited to 'issues/investigate-ed25519-clamping.md') diff --git a/issues/investigate-ed25519-clamping.md b/issues/investigate-ed25519-clamping.md new file mode 100644 index 0000000..46aaa39 --- /dev/null +++ b/issues/investigate-ed25519-clamping.md @@ -0,0 +1,20 @@ +**Title:** Investigate Ed25519 clamping behavior
+**Date:** 2021-12-09
+ +# Summary +Ed25519 signatures have three bits that should be zero due to clamping. What +happens when verifying a signature that has these three bits set to something +else? Sigsum requires that such a signature is rejected. + +# Description +First confirm that Ed25519 signatures are clamped as described in the summary, +then investigate how `Verify()` is implemented in `"crypto/ed25519"`. The +assumed sigsum-log-go behavior is that `Verify()` is strict. In other words, a +signature that is not clamped correctly should be rejected and not "fixed". + +If a signature is "fixed" it would be possible to replay add-leaf requests. A +replay is bad for the log due to overhead. A replay is also bad for the +legitimate submitter because it eats into their rate limit (DoS vector). + +The following part of Go's implementation might be a good place to start: +- https://cs.opensource.google/go/go/+/refs/tags/go1.16.4:src/crypto/ed25519/ed25519.go;l=208 -- cgit v1.2.3