From 0946d115ec193c35d563a4bf52271d1584192891 Mon Sep 17 00:00:00 2001 From: CuleX Date: Fri, 6 Oct 2017 13:41:14 +0200 Subject: [PATCH] Note Ed25519 fault injection on crypto_sign See https://research.kudelskisecurity.com/2017/10/04/defeating-eddsa-with-faults/ and https://news.ycombinator.com/item?id=15415114 --- doc/man/man3/crypto_sign.3monocypher | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/doc/man/man3/crypto_sign.3monocypher b/doc/man/man3/crypto_sign.3monocypher index a58a768..cbd2eec 100644 --- a/doc/man/man3/crypto_sign.3monocypher +++ b/doc/man/man3/crypto_sign.3monocypher @@ -117,6 +117,20 @@ crypto_sign_public_key(pk, sk); .Xr crypto_key_exchange 3monocypher , .Xr crypto_lock 3monocypher , .Xr intro 3monocypher +.Sh CAVEATS +Fault injection (also known as glitching) may be used to manipulate the +resulting signature. +This requires hardware access. +If your threat model includes attackers that have the equipment for +fault injection and access to the hardware, you will want to use the +.Fn crypto_check +function to verify the signature that was just generated. +Including a verification step when signing reduces speed for the whole +operation by a factor of 3. +This speed penalty is generally not noticeable unless creating a high +number of signatures per second. +If an attacker can inject faults at will, however, this is an incomplete +protection, albeit better than none. .Sh IMPLEMENTATION DETAILS These functions provide public key signatures with a variant of Ed25519, which uses Blake2b as the hash instead of SHA-512. -- 2.47.3
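Review bot: the new CAVEATS section tells the caller to run `.Fn crypto_check` on the signature that was just generated, but it never says what to do when that check fails, which is the whole point of the countermeasure: a signature that fails verification must be discarded and not emitted, since releasing a faulted signature is what the attack needs. Suggest adding, right after "function to verify the signature that was just generated.", a sentence such as "If the verification fails, discard the signature and treat the failure as a possible attack." Two smaller points in the same hunk: "reduces speed for the whole operation by a factor of 3" reads as an exact figure, where "roughly triples the cost of signing" states the same estimate with the imprecision a man page caveat should carry, and "you will want to use" is conversational for mdoc; "use the .Fn crypto_check function" is sufficient.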