Nikos Mavrogiannopoulos <[email protected]> writes:

> On Sun, 2014-08-31 at 21:12 +0200, Niels Möller wrote:
>> I'm looking into EdDSA. According to the paper, signing of a message M,
>> using private key (a, k), corresponding to public key A, is essentially
>>
>> r = H(k | M), with k the second half of the private key
>> R = rB, with B the specified generator of the curve,
>> S = (r + H(R | A | M) a) mod l, l is the curve order
>>
>> with some rules to encode R, A, S as strings. H is typically sha-512.
>> If M is the original, arbitrarily long, message to be signed, this
>> breaks the common structure that you can first compute a message digest,
>> and then apply the secret key to produce a signature.
>
> That is indeed quite different from any other signature scheme. I don't
> know whether eddsa is going to be standardized or not, but it is
> certainly being discussed in irtf. Maybe raising that issue there would
> make more sense.
I asked djb, who pointed to the "Maximum security" paragraph close to the
end of http://blog.cr.yp.to/20140323-ecdsa.html. As I understand it, the
point is resilience to hash collisions: collisions in the hash function
don't automatically make signature forgeries possible. Quoting that post:

  "Using Ed25519 to sign H(m), rather than m, would mean hashing m only
  once (at the expense of collision resilience), but again the safest
  option is the default."

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
_______________________________________________
nettle-bugs mailing list
[email protected]
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
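The signing equations quoted in the thread above, carried through as an added example (not code from this thread or from Nettle): a textbook, unoptimised Ed25519 in affine coordinates with the RFC 8032 parameters, written so that sign() visibly needs the whole message M at both hash invocations, which is why there is no digest-then-sign split. Function names, the affine arithmetic and the S < l range check in verify() are this example's own choices.

```python
import hashlib
# Added illustration, not Nettle's code: textbook Ed25519 in affine coordinates.
q = 2**255 - 19                                      # field prime
l = 2**252 + 27742317777372353535851937790883648493  # order of the generator B
d = (-121665 * pow(121666, q - 2, q)) % q            # curve constant
I = pow(2, (q - 1) // 4, q)                          # sqrt(-1) mod q

def H(m):                                            # H = SHA-512, as in the thread
    return hashlib.sha512(m).digest()
def inv(x):                                          # modular inverse via Fermat
    return pow(x, q - 2, q)
def xrecover(y):                                     # even x with (x, y) on the curve
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q: x = x * I % q
    return x if x % 2 == 0 else q - x
B = (xrecover(4 * inv(5) % q), 4 * inv(5) % q)       # generator B = (x, 4/5)
def add(P, Q):                                       # twisted Edwards addition (a = -1)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1*y2 + x2*y1) * inv(1 + t) % q, (y1*y2 + x1*x2) * inv(1 - t) % q)
def mul(P, e):                                       # scalar multiple e*P, double-and-add
    Q = (0, 1)
    while e:
        if e & 1: Q = add(Q, P)
        P, e = add(P, P), e >> 1
    return Q
def enc(P):                                          # 32-byte encoding: y plus sign bit of x
    return (P[1] | (P[0] & 1) << 255).to_bytes(32, 'little')
def dec(s):                                          # inverse of enc()
    v = int.from_bytes(s, 'little'); y = v & ((1 << 255) - 1); x = xrecover(y)
    return (x if x & 1 == v >> 255 else q - x, y)
def expand(sk):                                      # 32-byte seed -> (a, k), the private key
    h = H(sk)
    a = int.from_bytes(h[:32], 'little') & ((1 << 254) - 8) | 1 << 254  # clamp
    return a, h[32:]
def public_key(sk):                                  # A = aB, encoded
    return enc(mul(B, expand(sk)[0]))

def sign(sk, M):                                     # the full M is hashed twice
    a, k = expand(sk); A = enc(mul(B, a))
    r = int.from_bytes(H(k + M), 'little') % l       # r = H(k | M)
    R = enc(mul(B, r))                               # R = rB
    S = (r + int.from_bytes(H(R + A + M), 'little') * a) % l  # S = (r + H(R|A|M) a) mod l
    return R + S.to_bytes(32, 'little')
def verify(A, M, sig):                               # accept iff S B == R + H(R|A|M) A
    R, S = sig[:32], int.from_bytes(sig[32:], 'little')
    h = int.from_bytes(H(R + A + M), 'little')
    return S < l and mul(B, S) == add(dec(R), mul(dec(A), h))
```

Because k is prefixed to M inside H(k | M), a signer given only a precomputed digest of M cannot produce r, and the second hash binds R and A to M again; signing H(m) instead, as the quoted blog post describes, is simply sign(sk, H(M)) with the collision-resilience trade-off noted there.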
