Switch to deterministic signatures

[covert-encryption]

XEdDSA requires a 64-byte nonce as additional security against such a case where the same message was signed many times and a computational error or a side channel leak could then reveal the secret key. Such additional security is not of any use in the case of Covert where the message itself is always different, and would not be necessary in any case if an implementation was free of side channel leaks and the CPU was not broken. There is discussion of this trade off in the Signal XEdDSA specification and in RFC 6979 as well as in Bernstein's Ed25519 paper.

The message being signed in Covert is the file hash which should already be unique for each file, even if everything else stays the same, because it depends on the file nonce which is randomised. This patch removes the unnecessary use of additional random bytes on signatures and instead implements deterministic XEdDSA by using the file hash as both the message and the nonce (staying compatible with XEdDSA which requires a 64-byte nonce, rather than omitting the nonce from SHA-512 hashing).

The choice of nonce in signatures does not affect signature verification, and thus each implementation is free to do this whichever way they prefer without compatibility concerns. The nonce only affects the secret random commitment r, whose corresponding public key R is published as part of the signature.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.45%. Comparing base (76a7570) to head (a0a1189).
⚠️ Report is 20 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #77      +/-   ##
==========================================
- Coverage   74.47%   74.45%   -0.02%     
==========================================
  Files          23       23              
  Lines        2174     2173       -1     
  Branches      510      510              
==========================================
- Hits         1619     1618       -1     
  Misses        432      432              
  Partials      123      123              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[covert-encryption]

Leaving this open for review and comments in case anyone wishes to have a word on it. In particular it should be noted that this violates the XEdDSA specification which says

The caller must pass in a new secret and random 64 byte value each time the signing function is called.

Even though our file hash is a unique random value for each signature, it is not a secret, as any recipient of the file can calculate it. Thus, the only truly secret value inside the SHA-512 that outputs r (which itself is secret) is the signer secret key, where the specification additionally calls for 64 random secret bytes.