Documented EdDSA signature malleability

Some users tend to rely on security properties that are not provided by
cryptographic signatures.  This has lead to serious problems int the
past, such as BitCoin transaction malleability (a replay attack where
the recipient could repeat a previously existing transaction).

Mitigations for signature malleability are possible, but they're at best
easily misunderstood, and at worst incomplete.  Better warn the users in
the manual than encouraging the reliance on non-standard security
properties.

Fixes #100

diff --git a/doc/man/man3/crypto_sign.3monocypher b/doc/man/man3/crypto_sign.3monocypher
index bc36cc09dcd15abeeee5380961b56785444f0ec0..f63a5080a1e0d003b6f429ba72d399cf5d426b9b 100644 (file)
--- a/doc/man/man3/crypto_sign.3monocypher
+++ b/doc/man/man3/crypto_sign.3monocypher
@@ -139,6 +139,16 @@ These functions implement EdDSA with Curve25519 and Blake2b.
 This is the same as Ed25519, with Blake2b instead of SHA-512.
 Ed25519 is described in RFC 7748.
 .Sh SECURITY CONSIDERATIONS
+.Ss Signature malleability
+EdDSA signatures are not unique like cryptographic hashes.
+For any given public key and message, there are many possible valid
+signatures.
+Some of them require knowledge of the private key.
+Others only require knowledge of an existing signature.
+Observing a valid signature only proves that someone with knowledge of
+the private key signed the document at some point.
+Do not rely on any other security property.
+.Ss Fault injection
 Fault injection (also known as glitching) may be used to manipulate the
 resulting signature and recover the secret key in some cases.
 This requires hardware access.