From: Loup Vaillant
Date: Mon, 2 Jul 2018 11:29:03 +0000 (+0200)
Subject: Documented EdDSA signature malleability
X-Git-Url: https://git.codecow.com/?a=commitdiff_plain;h=224543fa840a1b27522ea2a9aec067927c183c6a;p=Monocypher.git

Documented EdDSA signature malleability

Some users tend to rely on security properties that are not provided by cryptographic signatures. This has led to serious problems in the past, such as BitCoin transaction malleability (a replay attack where the recipient could repeat a previously existing transaction). Mitigations for signature malleability are possible, but they're at best easily misunderstood, and at worst incomplete. Better warn the users in the manual than encourage the reliance on non-standard security properties.

Fixes #100
---
diff --git a/doc/man/man3/crypto_sign.3monocypher b/doc/man/man3/crypto_sign.3monocypher index bc36cc0..f63a508 100644 --- a/doc/man/man3/crypto_sign.3monocypher +++ b/doc/man/man3/crypto_sign.3monocypher @@ -139,6 +139,16 @@ These functions implement EdDSA with Curve25519 and Blake2b. This is the same as Ed25519, with Blake2b instead of SHA-512. Ed25519 is described in RFC 7748. .Sh SECURITY CONSIDERATIONS +.Ss Signature malleability +EdDSA signatures are not unique like cryptographic hashes. +For any given public key and message, there are many possible valid +signatures. +Some of them require knowledge of the private key. +Others only require knowledge of an existing signature. +Observing a valid signature only proves that someone with knowledge of +the private key signed the document at some point. +Do not rely on any other security property. +.Ss Fault injection Fault injection (also known as glitching) may be used to manipulate the resulting signature and recover the secret key in some cases. This requires hardware access.
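Review bot: the new "Signature malleability" subsection states the property but not the rule a user should draw from it; after "Do not rely on any other security property." consider one concrete sentence such as "In particular, do not use the signature itself as a unique identifier of a message, or to detect duplicate messages", since that is exactly the misuse the commit message describes. It would also help to state whether crypto_check accepts or rejects non-canonical signatures, so that readers know which of the two kinds of malleability named here (those needing the private key, those derivable from an existing signature) the library leaves to them. Adjacent but outside the change: the context line "Ed25519 is described in RFC 7748" cites the X25519 RFC; EdDSA/Ed25519 is specified in RFC 8032, which could be corrected while this section is being edited.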