jedisct1 / rust-minisign

A pure Rust implementation of the Minisign signature tool.

Clarification of nonce usage #19

Closed egfx-notifications closed 2 years ago

egfx-notifications commented 2 years ago

Hi,

I signed some data using both https://github.com/jedisct1/rsign2 and https://github.com/jedisct1/minisign

I was confused at first that the signatures did not match although both were valid. Going from the Signature format explanation on https://jedisct1.github.io/minisign/ I did not expect the second line of the signature to vary, though that may also be a result of me not being a cryptographer.

I then signed the same data a few more times to find out that the minisign signature stays the same while the rsign signature changes with every signing operation. Looking into the source code I saw that rust-minisign generates a nonce for every signing operation while the C minisign does not. Are there any security implications of this that would result in having to prefer one implementation over the other?

I also think it would be good to state the fact that rust-minisign uses a nonce in this crate's documentation, in rsign's documentation or in both. This would make it clearer to an investigating user that the second line of the signature can change although the Signature format explanation does not mention any variable elements there (again, that's for a programmer with only basic knowledge of cryptography; maybe it would have been obvious to someone having a firm knowledge of the ed25519 implementation).

jedisct1 commented 2 years ago

Signature schemes are usually non-deterministic. The same message signed twice will produce different signatures, and this is perfectly fine.

Ed25519, as originally specified, is a notable exception, but there are discussions to update the RFC to introduce non-determinism as well.

The issue with deterministic schemes is that they are particularly vulnerable to fault attacks. Not an issue unless attackers gain physical access, or rowhammer-like attacks are part of the threat model.

The C version of Minisign doesn't claim signatures to be deterministic. In fact, it depends on the platform (on WebAssembly, they are non-deterministic) and how libsodium was compiled (this is a compile-time option).

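To make the difference discussed in this thread concrete, here is an added example (not code from rust-minisign, rsign2 or minisign) of a compact textbook Ed25519 in pure Python, adapted from the public-domain reference implementation, with the nonce derivation exposed: `sign(seed, msg)` is the deterministic RFC 8032 form, while `sign(seed, msg, nonce)` hashes fresh randomness into `r`, which is why `R` and `S` (and hence the second line of an rsign signature) change on every call even though the same verifier accepts both. The hash layout `H(prefix || nonce || M)` is an assumption for illustration, not the exact construction used by rust-minisign or libsodium's non-deterministic mode, and the affine, variable-time arithmetic is for readability only.

```python
import hashlib
q = 2**255 - 19                                      # field prime
l = 2**252 + 27742317777372353535851937790883648493  # order of the base point
d = (-121665 * pow(121666, q - 2, q)) % q            # curve constant
I = pow(2, (q - 1) // 4, q)                          # sqrt(-1) mod q
H = lambda *parts: hashlib.sha512(b"".join(parts)).digest()

def xrecover(y):  # recover x from y, returning the even root
    xx = (y * y - 1) * pow(d * y * y + 1, q - 2, q)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q: x = x * I % q
    return q - x if x & 1 else x
By = 4 * pow(5, q - 2, q) % q; B = (xrecover(By), By)  # standard base point

def add(P, Q):  # affine twisted-Edwards addition (slow, variable-time, but short)
    x1, y1 = P; x2, y2 = Q; t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, q - 2, q) % q,
            (y1 * y2 + x1 * x2) * pow(1 - t, q - 2, q) % q)

def mul(P, e):  # double-and-add scalar multiplication
    R = (0, 1)
    while e:
        if e & 1: R = add(R, P)
        P, e = add(P, P), e >> 1
    return R

def enc(P):  # point -> 32 bytes: y with the parity of x in the top bit
    return (P[1] | (P[0] & 1) << 255).to_bytes(32, "little")
def dec(b):  # 32 bytes -> point, re-deriving x from y and the sign bit
    y = int.from_bytes(b, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    return (q - x if (b[31] >> 7) != (x & 1) else x, y)

def keypair(seed):  # 32-byte seed -> (clamped scalar a, hash prefix, public key)
    h = H(seed)
    a = (1 << 254) | (int.from_bytes(h[:32], "little") & ((1 << 254) - 8))
    return a, h[32:], enc(mul(B, a))

def sign(seed, msg, nonce=None):
    a, prefix, pk = keypair(seed)
    # RFC 8032 derives r = H(prefix || M), so the same message always gives the same
    # signature.  Hashing in a fresh nonce (assumed layout) makes r, R and S vary.
    r = int.from_bytes(H(prefix, msg) if nonce is None else H(prefix, nonce, msg), "little") % l
    R = enc(mul(B, r))
    S = (r + int.from_bytes(H(R, pk, msg), "little") * a) % l
    return R + S.to_bytes(32, "little")

def verify(pk, msg, sig):  # one verifier accepts both kinds of signature
    R, S = dec(sig[:32]), int.from_bytes(sig[32:], "little")
    if S >= l: return False
    k = int.from_bytes(H(sig[:32], pk, msg), "little") % l
    return mul(B, S) == add(R, mul(dec(pk), k))
```

Calling `sign(seed, msg)` twice returns identical bytes, while `sign(seed, msg, os.urandom(32))` returns a different 64-byte signature on each call; `verify(keypair(seed)[2], msg, sig)` accepts all of them.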
egfx-notifications commented 2 years ago

Thank you for your explanation :)

egfx-notifications commented 2 years ago

One more thing, if that's a compile-time option, would you consider enabling that option for future releases of the C version?

jedisct1 commented 2 years ago

This is a compile-time option in libsodium, not in minisign :)

egfx-notifications commented 2 years ago

Is libsodium dynamically linked then?

jedisct1 commented 2 years ago

Yes, it's dynamically linked.

egfx-notifications commented 2 years ago

Ok, thank you :)