
Added EdDSA universal signature gotcha #23

Closed
wants to merge 1 commit into from

Conversation

rozbb
Contributor

@rozbb rozbb commented Jan 10, 2022

I'm pretty confident of this, but someone should check that I haven't mischaracterized the universal signature property.

@SalusaSecondus
Owner

I'm worried that this makes it look like EdDSA is especially at fault when I'm pretty sure other signature schemes have similar problems.

Maybe we could modify the earlier bullet point

  • Just because a signature is valid for a given message doesn't mean it isn't valid for other messages.

as follows:

  • Just because a signature is valid for a given message doesn't mean it isn't valid for other messages.
    For example, EdDSA signatures under a maliciously created low-order key can be universal signatures which means that they are valid for all messages. (This, along with other properties of low-order points, was used to break Scuttlebutt in section 7.1 of this paper by Cremers and Jackson from 2020.)

@rozbb
Contributor Author

rozbb commented Jan 10, 2022

I think this is much better worded than what I had! One small thing: "just because the sig verifies for this message doesn't mean it doesn't verify for other messages" is not actually what went wrong in the Scuttlebutt protocol. Rather, what happened was that one party assumed that a valid signature on a message implies that the signer knows the contents of the message.

So we could add this as another rule: "Just because a signature verifies under a message does not mean the signer knows the message". However, this is a super weird edge case and probably should not be one of the core assumptions people use with signatures in general. Rather, it should be something they're aware of as a weird edge case. So something more like "In EdDSA, a low-order public key can be used to sign messages that the signer has never seen" or something to that effect. Does that make sense?
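A worked illustration of the low-order-key universal signature discussed in the two comments above, added here as an example; it is not code from this repository or from the Cremers and Jackson paper. It is a minimal pure-Python Ed25519 in the style of RFC 8032 (not constant-time, not for production use) with a `verify` that can optionally do the cofactored check and optionally reject small-order public keys. The attacker's "key" is the identity point (order 1, the simplest of the eight small-order points), and the "signature" is R = identity, S = 0: it verifies under every message, including messages the attacker never saw. The seed, the messages, and the names `public_key`, `sign`, `verify`, `UNIVERSAL_PK`, `UNIVERSAL_SIG` and `ORDER2_PK` are all constructed for this example.

```python
"""Minimal Ed25519 (RFC 8032 style) to demonstrate universal signatures under a
small-order public key. Example code only: not constant-time, not for production."""
import hashlib

P = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493      # order of the base point
D = (-121665 * pow(121666, -1, P)) % P                   # curve constant d
IDENTITY = (0, 1)                                        # neutral element (order 1)


def point_add(p1, p2):
    # Complete twisted Edwards addition (a = -1), affine coordinates.
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P
    return (x3, y3)


def point_mul(k, pt):
    acc = IDENTITY
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def encode_point(pt):
    x, y = pt
    out = bytearray(y.to_bytes(32, "little"))
    out[31] |= (x & 1) << 7                              # sign bit of x in the top bit
    return bytes(out)


def decode_point(b):
    # Returns None on any malformed encoding (non-canonical y, no square root).
    if len(b) != 32:
        return None
    sign = b[31] >> 7
    y = int.from_bytes(b[:31] + bytes([b[31] & 0x7F]), "little")
    if y >= P:
        return None
    xx = (y * y - 1) * pow(D * y * y + 1, -1, P) % P     # x^2 = (y^2 - 1) / (d y^2 + 1)
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * pow(2, (P - 1) // 4, P) % P              # multiply by sqrt(-1)
    if (x * x - xx) % P:
        return None
    if x == 0 and sign:
        return None
    if x & 1 != sign:
        x = P - x
    return (x, y)


# Base point: y = 4/5, x the even square root (RFC 8032).
BASE = decode_point((4 * pow(5, -1, P) % P).to_bytes(32, "little"))


def _h(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")


def _secret_scalar(seed):
    h = bytearray(hashlib.sha512(seed).digest())
    h[0] &= 248
    h[31] &= 127
    h[31] |= 64                                          # clamping
    return int.from_bytes(h[:32], "little"), bytes(h[32:])


def public_key(seed):
    a, _ = _secret_scalar(seed)
    return encode_point(point_mul(a, BASE))


def sign(seed, msg):
    a, prefix = _secret_scalar(seed)
    A = encode_point(point_mul(a, BASE))
    r = _h(prefix, msg) % L
    R = encode_point(point_mul(r, BASE))
    k = _h(R, A, msg) % L
    S = (r + k * a) % L
    return R + S.to_bytes(32, "little")


def verify(pk, msg, sig, cofactored=False, reject_small_order=False):
    """Textbook check S*B == R + k*A; 'cofactored' multiplies both sides by 8.
    'reject_small_order' refuses any A with 8*A == identity (the defence)."""
    if len(sig) != 64:
        return False
    A, R = decode_point(pk), decode_point(sig[:32])
    S = int.from_bytes(sig[32:], "little")
    if A is None or R is None or S >= L:
        return False
    if reject_small_order and point_mul(8, A) == IDENTITY:
        return False
    k = _h(sig[:32], pk, msg) % L
    lhs = point_mul(S, BASE)
    rhs = point_add(R, point_mul(k, A))
    if cofactored:
        lhs, rhs = point_mul(8, lhs), point_mul(8, rhs)
    return lhs == rhs


# Attacker-chosen values (constructed): the identity point as public key, and
# R = identity, S = 0 as the signature. k*A is the identity for every message, so
# both sides of the verification equation are the identity whatever msg is.
UNIVERSAL_PK = encode_point(IDENTITY)                    # b'\x01' + 31 zero bytes
UNIVERSAL_SIG = encode_point(IDENTITY) + bytes(32)       # R = identity, S = 0
ORDER2_PK = encode_point((0, P - 1))                     # order-2 point, universal under the cofactored check
```

Run stand-alone, `verify(UNIVERSAL_PK, m, UNIVERSAL_SIG)` is true for any `m`, so the holder of this "key" can be credited with signing a message it never saw; `reject_small_order=True` is the one-line check that closes it, and an honest key and signature still pass that check. The order-2 key shows that the cofactored verification equation on its own does not help: multiplying by 8 kills every small-order component, so it accepts the same all-zero signature for every message.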

@SalusaSecondus
Owner

That's a good point. The problem here is that the attacker could create a signature over a message they did not know. They did this because they could create a signature which is valid for everything.

I think that it is more clear that the "Signatures" section needs to be more fundamentally reworked so that it is clearer and can contain this gotcha in a smooth manner. As this is now well outside the scope of this PR, I'm going to close this and track in #24. My goal is to get this done in the next day or two.


2 participants