Hi,

A few weeks ago, I stumbled on https://hdevalence.ca/blog/2020-10-04-its-25519am.

Summary: The specification for Ed25519 signatures, RFC 8032, doesn't specify unambiguously which bit strings are valid signatures and which aren't, and implementations differ on the details.

This could matter in particular if you have a system that depends on consensus: one could then feed the system a signed data item where different components of the system disagree on whether or not the signature is valid.

It's not clear to me what the desired behavior for Nettle's ed25519_sha512_verify function is; advice appreciated. A first step would be to add tests with the different kinds of corner-case inputs that may or may not be recognized as valid signatures, and at least document how they are handled.

Regards,
/Niels

-- 
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.
