Open covert-encryption opened 2 years ago
Merging #77 (a0a1189) into main (76a7570) will decrease coverage by
0.01%
. The diff coverage is100.00%
.
@@ Coverage Diff @@
## main #77 +/- ##
==========================================
- Coverage 74.47% 74.45% -0.02%
==========================================
Files 23 23
Lines 2174 2173 -1
Branches 510 510
==========================================
- Hits 1619 1618 -1
Misses 432 432
Partials 123 123
Impacted Files | Coverage Δ | |
---|---|---|
covert/blockstream.py | 81.21% <100.00%> (-0.10%) |
:arrow_down: |
Continue to review full report at Codecov.
Legend - Click here to learn more
Δ = absolute <relative> (impact)
,ø = not affected
,? = missing data
Powered by Codecov. Last update 76a7570...a0a1189. Read the comment docs.
Leaving this open for review and comments in case anyone wishes to have a word on it. In particular it should be noted that this violates the XEdDSA specification which says
The caller must pass in a new secret and random 64 byte value each time the signing function is called.
Even though our file hash is a unique random value for each signature, it is not a secret, as any recipient of the file can calculate it. Thus, the only truly secret value inside the SHA-512 that outputs r
(which itself is secret) is the signer secret key, where the specification additionally calls for 64 random secret bytes.
XEdDSA requires a 64-byte nonce as additional security against such a case where the same message was signed many times and a computational error or a side channel leak could then reveal the secret key. Such additional security is not of any use in the case of Covert where the message itself is always different, and would not be necessary in any case if an implementation was free of side channel leaks and the CPU was not broken. There is discussion of this trade off in the Signal XEdDSA specification and in RFC 6979 as well as in Bernstein's Ed25519 paper.
The message being signed in Covert is the file hash which should already be unique for each file, even if everything else stays the same, because it depends on the file nonce which is randomised. This patch removes the unnecessary use of additional random bytes on signatures and instead implements deterministic XEdDSA by using the file hash as both the message and the nonce (staying compatible with XEdDSA which requires a 64-byte nonce, rather than omitting the nonce from SHA-512 hashing).
The choice of nonce in signatures does not affect signature verification, and thus each implementation is free to do this whichever way they prefer without compatibility concerns. The nonce only affects the secret random commitment
r
, whose corresponding public keyR
is published as part of the signature.