It seems I mis-spoke on EdDSA. Curve448x uses SHAKE-256 as the internal compression function and that is a part of SHA-3. Curve25519 uses SHA-2. I thought I had lost that battle.
Now I have not read the specs deeply enough to work out if that means SHA-3 is a requirement. But just as you effectively get Blake2 for free with Cha-Cha, it means SHA-3 is going to be pulled along by Curve-X. There are actually important security reasons to insist on only using one hash function with a particular DSA key which is why DSA has always mandated use of a particular hash function rather than the mix-n-match approach of RSA. Also there is the issue of whether to pre-hash or not. Given that certs (and OCSP tokens) are small not pre-hashing looked like the way to go. > On Feb 24, 2017, at 3:37 PM, Rob Stradling via Public <[email protected]> > wrote: > > On 24/02/17 20:11, Adam Langley wrote: > <snip> >> (Although, I was just about to note that they often use OpenSSL and >> OpenSSL surely will support SHA-3 before BLAKE2. But it appears I'm >> wrong and OpenSSL has had BLAKE2 for nine months and still lacks SHA-3?) > > Correct. BLAKE2 is in OpenSSL 1.1.0. SHA-3 will be "Post 1.1.0" according > to https://github.com/openssl/openssl/issues/439 > > -- > Rob Stradling > Senior Research & Development Scientist > COMODO - Creating Trust Online > _______________________________________________ > Public mailing list > [email protected] > https://cabforum.org/mailman/listinfo/public _______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
