Reword the part on fault injections

Fault injection is rarely part of the threat model for the typical minisign use case, and minisign already includes mitigations. What's more important is the fact that non-deterministic signatures are allowed if necessary, and are fully compatible with implementations using deterministic signatures.
2025-04-04 11:27:42 +03:00 · 2019-07-09 16:36:26 +02:00 · 2019-07-09 16:36:26 +02:00 · 76161c653e
commit 76161c653e
parent c295ceb267
1 changed files with 8 additions and 12 deletions
--- a/README.md
+++ b/README.md
@ -73,17 +73,13 @@ implementation.
 and [minisign-cli](https://wapm.io/package/jedisct1/minisign) are available on
 WAPM.

-Faults injections
-----------------
+Signature determinism
+---------------------

-Minisign uses the EdDSA signature system, and deterministic signature
-schemes are fragile against fault attacks. However, conducting these requires
-physical access or the attacker having access to the same physical host.
+This implementation uses deterministic signatures, unless libsodium
+was compiled with the `ED25519_NONDETERMINISTIC` macro defined. This
+adds random noise to the computation of EdDSA nonces.

-More importantly, this requires a significant amount of time, and messages
-being signed endlessly while the attack is being conducted.
-
-If such a scenario ever happens to be part of your threat model,
-libsodium should be compiled with the `ED25519_NONDETERMINISTIC` macro
-defined. This will add random noise to the computation of EdDSA
-nonces.
+Other implementations can choose to use non-deterministic signatures
+by default. They will remain fully interoperable with implementations
+using deterministic signatures.