Integrated Wycheproof Ed25519 test vectors
Those test vectors assume SHA-512, and thus are only activated with the
-DED25519_SHA512 compilation option.
Note the omission of malleability test vectors. Monocypher will
happily accept signatures even when S is not in canonical form. This
is contrary to RFC 8032, which requires implementations to check that S
is lower than L.
I believe RFC 8032 is wrong. Non-malleability means that someone who
only knows the public key, message, and signature, cannot produce
another valid signature. It does *not* mean there is only one valid
signature. In fact, when we know the private key, we can produce a
virtually unlimited number of different, valid, canonical signatures.
Like ECDSA, EdDSA uses a nonce. Unlike ECDSA, that nonce doesn't come
from a random source, it comes from a hash of the message itself. This
determinism prevents nonce reuse, among other problems. However,
nothing prevents someone from bypassing this rule and using a random
nonce instead. This will naturally produce a different, yet valid, signature.
EdDSA signatures are not unique. The difference between this and
malleability is subtle enough that advertising non-malleability will
lead users to believe in uniqueness, and bake that faulty assumption in
their designs, which will then be insecure.
Fixes #99
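The following is an added, self-contained example written for this page; it is not Monocypher's code and not the Wycheproof vectors. It is a small pure-Python Ed25519 built from the RFC 8032 parameters (field prime q, group order L, curve constant d, base point B), written to make two points from the commit message concrete from a verifier's side: the RFC 8032 rule S < L is the only thing that separates a canonical signature from the same R with S + L, since B has order L and the group equation cannot tell them apart; and a holder of the private key can pass any nonce to `sign` and obtain a different signature that still verifies, so a verifier must never treat a signature as unique for a (key, message) pair. The names `sign`, `verify`, `add_L_to_s`, `demo` and the `require_canonical_s` flag are this example's own; the secret key and message in `demo` are constructed values.

```python
import hashlib
import secrets

# Curve and group parameters from RFC 8032, section 5.1.
q = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point B
d = (-121665 * pow(121666, q - 2, q)) % q            # twisted Edwards constant
SQRT_M1 = pow(2, (q - 1) // 4, q)                    # a square root of -1 mod q


def H(m: bytes) -> bytes:
    return hashlib.sha512(m).digest()


def inv(x: int) -> int:
    return pow(x, q - 2, q)


def xrecover(y: int) -> int:
    # Solve x^2 = (y^2 - 1) / (d y^2 + 1) and return the even root.
    xx = (y * y - 1) * inv(d * y * y + 1) % q
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = x * SQRT_M1 % q
    if x % 2 != 0:
        x = q - x
    return x


def edwards(P, Q):
    # Complete affine addition on -x^2 + y^2 = 1 + d x^2 y^2 (also used for doubling).
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * inv(1 + t) % q
    y3 = (y1 * y2 + x1 * x2) * inv(1 - t) % q
    return (x3, y3)


def scalarmult(P, e: int):
    # Left-to-right double-and-add; (0, 1) is the neutral element.
    # Because B has order L, scalarmult(B, e) depends only on e mod L.
    Q = (0, 1)
    for bit in bin(e)[2:]:
        Q = edwards(Q, Q)
        if bit == "1":
            Q = edwards(Q, P)
    return Q


By = 4 * inv(5) % q
B = (xrecover(By), By)


def encodepoint(P) -> bytes:
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def decodepoint(s: bytes):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    if (x & 1) != (s[31] >> 7):
        x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q != 0:
        raise ValueError("point not on curve")
    return (x, y)


def secret_expand(sk: bytes):
    h = H(sk)
    a = int.from_bytes(h[:32], "little")
    a = (a & ((1 << 254) - 8)) | (1 << 254)   # clamp the scalar as RFC 8032 prescribes
    return a, h[32:]


def publickey(sk: bytes) -> bytes:
    a, _ = secret_expand(sk)
    return encodepoint(scalarmult(B, a))


def sign(sk: bytes, m: bytes, nonce=None) -> bytes:
    # nonce=None gives the deterministic RFC 8032 nonce H(prefix || m). A caller who
    # holds the private key may pass any other nonce and still get a valid signature.
    a, prefix = secret_expand(sk)
    A = encodepoint(scalarmult(B, a))
    r = (int.from_bytes(H(prefix + m), "little") if nonce is None else nonce) % L
    R = encodepoint(scalarmult(B, r))
    k = int.from_bytes(H(R + A + m), "little") % L
    S = (r + k * a) % L
    return R + S.to_bytes(32, "little")


def verify(pk: bytes, m: bytes, sig: bytes, require_canonical_s: bool = True) -> bool:
    # require_canonical_s=True enforces the RFC 8032 rule S < L. With False the
    # verifier checks only the group equation S*B == R + k*A, which S + L also satisfies.
    if len(sig) != 64:
        return False
    try:
        R = decodepoint(sig[:32])
        A = decodepoint(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    if require_canonical_s and S >= L:
        return False
    k = int.from_bytes(H(sig[:32] + pk + m), "little") % L
    return scalarmult(B, S) == edwards(R, scalarmult(A, k))


def add_L_to_s(sig: bytes) -> bytes:
    # Same R, with S replaced by S + L: a second encoding of the same scalar mod L.
    S = int.from_bytes(sig[32:], "little")
    return sig[:32] + (S + L).to_bytes(32, "little")


def demo() -> dict:
    sk = bytes(range(32))               # constructed secret key, for illustration only
    pk = publickey(sk)
    m = b"constructed message"
    sig1 = sign(sk, m)
    sig2 = sign(sk, m, nonce=int.from_bytes(secrets.token_bytes(32), "little"))
    noncanon = add_L_to_s(sig1)
    return {
        "deterministic_ok": verify(pk, m, sig1),
        "random_nonce_ok": verify(pk, m, sig2) and sig2 != sig1,
        "noncanonical_rejected": not verify(pk, m, noncanon),
        "noncanonical_passes_equation": verify(pk, m, noncanon, require_canonical_s=False),
        "tampered_rejected": not verify(pk, m + b"!", sig1),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

All five results of `demo()` come out True. The practical reading for someone building on a library that skips the S < L check is the one the commit message gives: the check buys you a canonical encoding of S, not uniqueness of the signature, because the `random_nonce_ok` case is canonical, valid and different from the deterministic one. A design that needs a single valid signature per (key, message), for example as a deduplication key, cannot get it from EdDSA regardless of the canonical check.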