Document that Safari generates randomized Ed25519 signatures

[twiss]

Summary

Document the fact that for the Ed25519 algorithm in Web Crypto's crypto.subtle.sign function, Safari generates randomized signatures as per draft-irtf-cfrg-det-sigs-with-noise, instead of deterministic signatures as per RFC 8032.

There is a discussion in WICG/webcrypto-secure-curves#28 to make this behavior legal, but as of now it isn't (although in most cases it shouldn't cause interoperability issues). Additionally, even if this becomes legal as per the Web Crypto spec, it may still be noteworthy for developers who (for some reason) require the deterministic behavior of Ed25519 as specified in RFC 8032.

Test results and supporting details

This behavior can be confirmed by running

const { privateKey } = await crypto.subtle.generateKey('Ed25519', false, ['sign']);
console.log(new Uint8Array(await crypto.subtle.sign('Ed25519', privateKey, new ArrayBuffer())));
console.log(new Uint8Array(await crypto.subtle.sign('Ed25519', privateKey, new ArrayBuffer())));

In deterministic implementations, both signatures will be identical. In randomized implementations, they'll be different. I tested desktop and mobile Safari 17 and 18 and all of them implement the randomized variant.

Related issues

Relevant WebKit issue: https://bugs.webkit.org/show_bug.cgi?id=262499.

[twiss]

@hamishwillee perhaps you're the right person to ask for a review for this? ☺️