Switch to deterministic signatures

[covert-encryption]

XEdDSA requires a 64-byte nonce as additional security against such a case where the same message was signed many times and a computational error or a side channel leak could then reveal the secret key. Such additional security is not of any use in the case of Covert where the message itself is always different, and would not be necessary in any case if an implementation was free of side channel leaks and the CPU was not broken. There is discussion of this trade off in the Signal XEdDSA specification and in RFC 6979 as well as in Bernstein's Ed25519 paper.

The message being signed in Covert is the file hash which should already be unique for each file, even if everything else stays the same, because it depends on the file nonce which is randomised. This patch removes the unnecessary use of additional random bytes on signatures and instead implements deterministic XEdDSA by using the file hash as both the message and the nonce (staying compatible with XEdDSA which requires a 64-byte nonce, rather than omitting the nonce from SHA-512 hashing).

The choice of nonce in signatures does not affect signature verification, and thus each implementation is free to do this whichever way they prefer without compatibility concerns. The nonce only affects the secret random commitment r, whose corresponding public key R is published as part of the signature.

[codecov[bot]]

Codecov Report

Merging #77 (a0a1189) into main (76a7570) will decrease coverage by 0.01%. The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main      #77      +/-   ##
==========================================
- Coverage   74.47%   74.45%   -0.02%     
==========================================
  Files          23       23              
  Lines        2174     2173       -1     
  Branches      510      510              
==========================================
- Hits         1619     1618       -1     
  Misses        432      432              
  Partials      123      123              

Impacted Files	Coverage Δ
covert/blockstream.py	81.21% <100.00%> (-0.10%)	:arrow_down:

---

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update 76a7570...a0a1189. Read the comment docs.

[covert-encryption]

Leaving this open for review and comments in case anyone wishes to have a word on it. In particular it should be noted that this violates the XEdDSA specification which says

The caller must pass in a new secret and random 64 byte value each time the signing function is called.

Even though our file hash is a unique random value for each signature, it is not a secret, as any recipient of the file can calculate it. Thus, the only truly secret value inside the SHA-512 that outputs r (which itself is secret) is the signer secret key, where the specification additionally calls for 64 random secret bytes.