+2026-03-19 Niels Möller <nisse@lysator.liu.se>
+
+ * nettle.texinfo (Curve 25519 and Curve 448): Document that one
+ must be careful and always pass the correct public key as input to
+ the signing functons.
+
2026-02-05 Niels Möller <nisse@lysator.liu.se>
* Released Nettle-4.0.
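Review bot: Typo in the last line of the new ChangeLog entry: "signing functons" should read "signing functions". The entry would also be easier to search later if it named the two functions the documentation change concerns, ed25519_sha512_sign and ed448_shake256_sign, rather than only the node title.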
and verify functions, however, the resilience to hash collision is then
lost.
+One subtle detail is that the public key is prepended to the message in
+the signature process, but the public key is @emph{not} included in the
+nonce generation. For this reason, it is essential that the @var{pub}
+argument to @code{ed25519_sha512_sign} and @code{ed448_shake256_sign} is
+always the same as the output of
+@code{ed25519_sha512_public_key}/@code{ed448_shake256_public_key}. If
+one ever signs the same message twice using the same private key but
+with two different values for the @var{pub} input, enough private
+information is leaked to let an attacker forge signatures.
+
+For best performance, it is preferable to compute the public key only
+once, when the keypair is generated. It should then be stored together
+with the private key so that it cannot be tampered with, to ensure that
+the same, correct, value is available for every signing operation.
+
@defvr Constant ED25519_KEY_SIZE
The size of a private or public Ed25519 key, 32 octets.
@end defvr
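Review bot: The second added paragraph says to store the public key with the private key "so that it cannot be tampered with", but it gives no guidance for a caller whose stored copy cannot be trusted. Consider adding a sentence that in that situation @var{pub} should be recomputed with @code{ed25519_sha512_public_key} or @code{ed448_shake256_public_key} before signing, accepting the performance cost that the paragraph is trying to avoid. In the first added paragraph, the slash in "@code{ed25519_sha512_public_key}/@code{ed448_shake256_public_key}" would read more clearly as "or ..., respectively", so that each key function is visibly paired with its sign function.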