"Niels Möller" <ni...@lysator.liu.se> writes:

> Hi,
>
> A few weeks ago, I stumbled on
> https://hdevalence.ca/blog/2020-10-04-its-25519am. Summary: The
> specification for Ed25519 signatures, RFC 8032, doesn't specify
> unambiguously which bit strings are valid signatures, and which aren't.
> And implementations differ on the details.
>
> This could matter in particular if you have a system that depends on
> consensus, one could then feed the system a signed data item, where
> different components of the system disagree on whether or not the
> signature is valid.
>
> It's not clear to me what's the desired behavior for Nettle's
> ed25519_sha512_verify function, advice appreciated. A first step would
> be to add tests with the different kinds of corner-case inputs that may
> or may not be recognized as valid signatures, and at least document how
> they are handled.

This is a bit of a mess, unfortunately, and one solution may be to
implement a non-solution approach: instead of changing the sign or
verify operations, a new operation that can test the signature for
conformance to each of the useful behaviours could be added.  Then
applications can choose which behaviour they want.  The risk, of course,
is that applications will get this wrong or forget to add this
additional check.

Another solution may be to introduce 'Ed25519consensus' as a new
algorithm that behaves in the ZIP215-reliable way.

/Simon
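As an added illustration of the "test the signature for conformance to each of the useful behaviours" operation Simon sketches above (example code written for this page; it is not Nettle's API and not from either poster): a pure-Python Ed25519 following the RFC 8032 reference arithmetic, whose classify() returns every disputed property separately rather than one accept/reject bit: whether S < L, whether the encodings of A and R are canonical (y < p, and not x = 0 with the sign bit set), whether A or R is a small-order point (RFC 8032 itself does not reject these, some libraries do), and whether the cofactorless and the cofactored group equation hold. The two composite verdicts at the end are my own summaries: "strict" means canonical encodings, S < L and the cofactorless equation; "zip215" means S < L and the cofactored equation, with non-canonical encodings and small-order points accepted, which is how I read ZIP 215. The seed, messages and the identity-point key used below are constructed for the example.

```python
import hashlib

p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, p - 2, p)) % p
IDENTITY = (0, 1, 1, 0)  # extended coordinates (X, Y, Z, T)

def inv(x):
    return pow(x, p - 2, p)

def point_add(P, Q):
    """Twisted Edwards addition in extended coordinates (RFC 8032 reference formulas)."""
    x1, y1, z1, t1 = P
    x2, y2, z2, t2 = Q
    a = (y1 - x1) * (y2 - x2) % p
    b = (y1 + x1) * (y2 + x2) % p
    c = 2 * t1 * t2 * d % p
    dd = 2 * z1 * z2 % p
    e, f, g, h = b - a, dd - c, dd + c, b + a
    return (e * f % p, g * h % p, f * g % p, e * h % p)

def point_mul(s, P):
    Q = IDENTITY
    while s > 0:
        if s & 1:
            Q = point_add(Q, P)
        P = point_add(P, P)
        s >>= 1
    return Q

def point_equal(P, Q):
    return (P[0] * Q[2] - Q[0] * P[2]) % p == 0 and (P[1] * Q[2] - Q[1] * P[2]) % p == 0

def point_compress(P):
    zi = inv(P[2])
    x, y = P[0] * zi % p, P[1] * zi % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decode_point(s):
    """Return (point, canonical). Non-canonical encodings (y >= p, or x == 0 with the
    sign bit set) are decoded anyway and flagged; a non-point returns (None, False)."""
    y = int.from_bytes(s, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    canonical = y < p
    y %= p
    x2 = (y * y - 1) * inv(d * y * y + 1) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    if (x * x - x2) % p:
        return None, False
    if x == 0 and sign:
        canonical = False  # RFC 8032 decoding rejects this case outright
    elif (x & 1) != sign:
        x = p - x
    return (x, y, 1, x * y % p), canonical

B = decode_point((4 * inv(5) % p).to_bytes(32, "little"))[0]  # base point, even x

def keypair(seed):
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    return a, h[32:], point_compress(point_mul(a, B))

def sign(seed, msg):
    a, prefix, A = keypair(seed)
    r = int.from_bytes(hashlib.sha512(prefix + msg).digest(), "little") % L
    R = point_compress(point_mul(r, B))
    k = int.from_bytes(hashlib.sha512(R + A + msg).digest(), "little") % L
    return R + ((r + k * a) % L).to_bytes(32, "little")

def classify(pk, msg, sig):
    """Hypothetical API: report each disputed property instead of one verdict."""
    if len(pk) != 32 or len(sig) != 64:
        return {"decodable": False}
    R_enc, S = sig[:32], int.from_bytes(sig[32:], "little")
    A, a_canon = decode_point(pk)
    R, r_canon = decode_point(R_enc)
    res = {"decodable": A is not None and R is not None, "s_canonical": S < L}
    if not res["decodable"]:
        return res
    k = int.from_bytes(hashlib.sha512(R_enc + pk + msg).digest(), "little") % L
    lhs, rhs = point_mul(S, B), point_add(R, point_mul(k, A))
    res.update({
        "a_canonical": a_canon, "r_canonical": r_canon,
        "a_small_order": point_equal(point_mul(8, A), IDENTITY),
        "r_small_order": point_equal(point_mul(8, R), IDENTITY),
        "cofactorless": point_equal(lhs, rhs),  # [S]B == R + [k]A
        "cofactored": point_equal(point_mul(8, lhs), point_mul(8, rhs)),
    })
    # Composite verdicts are my own summary of the two rule sets (see lead-in).
    res["strict"] = res["s_canonical"] and a_canon and r_canon and res["cofactorless"]
    res["zip215"] = res["s_canonical"] and res["cofactored"]
    return res
```

Two inputs worth trying against it: a valid signature with S replaced by S + L (both group equations still hold, only s_canonical flips, so a verifier that skips the S < L check accepts what a checking one rejects), and the all-identity case pk = R = encoding of (0, 1) with S = 0, which satisfies both equations for any message and is caught only by the small-order flags. Encoding the identity as y = p + 1 instead of y = 1 shows the canonical-encoding split in the same way.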


_______________________________________________
nettle-bugs mailing list -- nettle-bugs@lists.lysator.liu.se
To unsubscribe send an email to nettle-bugs-le...@lists.lysator.liu.se