From e6b9846acef55da0082890561dff030ff219fa21 Mon Sep 17 00:00:00 2001 From: Fabio Scotoni <34964387+fscoto@users.noreply.github.com> Date: Sun, 4 Oct 2020 06:44:49 +0200 Subject: [PATCH] doc: clarify signature malleability in crypto_sign Fixes #189; see the discussion there for details. --- doc/man/man3/crypto_sign.3monocypher | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/doc/man/man3/crypto_sign.3monocypher b/doc/man/man3/crypto_sign.3monocypher index 0c6b34b..8b5205d 100644 --- a/doc/man/man3/crypto_sign.3monocypher +++ b/doc/man/man3/crypto_sign.3monocypher 
@@ -220,14 +220,23 @@ Monocypher 0.3; it was fixed in Monocypher 1.1.1 and 2.0.4. .Sh SECURITY CONSIDERATIONS .Ss Signature malleability -EdDSA signatures are not unique like cryptographic hashes. -For any given public key and message, there are many possible valid -signatures. -Some of them require knowledge of the private key. -Others only require knowledge of an existing signature. -Observing a valid signature only proves that someone with knowledge of -the private key signed the message at some point. -Do not rely on any other security property. +Signature malleability is the ability of an attacker to produce a valid +signature with knowledge of only an existing signature and the public +key. +That is, given a message, a signature and a public key, +an attacker could generate a new signature for the same message that +is valid under the same public key. +Monocypher prevents signature malleability by only accepting +signatures in canonical form. +.Pp +On the other hand, EdDSA signatures are not unique like cryptographic +hashes. +The signing procedure is deterministic by specification and +.Fn crypto_sign +follows this specification. +However, someone with the private key can generate arbitrarily many +valid, canonical, different signatures of the same message. +Because of this, never assume that signatures are unique. .Ss Fault injection and power analysis Fault injection (also known as glitching) and power analysis may be used to manipulate the resulting signature and recover the secret key in -- 2.47.3
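Review bot: in the added paragraph, "Monocypher prevents signature malleability by only accepting signatures in canonical form" leaves "canonical form" undefined for a reader of this man page, and it does not say on which side the check happens; suggest stating what is rejected (for Ed25519 this is a signature whose scalar half is not fully reduced below the group order) and that it is enforced by the verification routine, so the guarantee holds only when the verifier is Monocypher, since a third-party verifier that accepts non-canonical encodings would still accept the altered signature. The second paragraph also reads slightly contradictory on first pass: "The signing procedure is deterministic by specification" followed by "someone with the private key can generate arbitrarily many valid, canonical, different signatures"; consider making the bridge explicit, e.g. "deterministic signing means the same key and message always produce the same signature from a conforming implementation, but the verifier cannot tell whether the signer conformed", which is the reason the closing "never assume that signatures are unique" is needed. Minor: "On the other hand" suggests a contrast with the previous paragraph, but the two points are independent; "Separately," or "Note, however, that" would be clearer.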