On 7/26/2018 5:05 PM, Michael StJohns wrote:
> The test vectors will not pass, because they are calling the byte
> array from which the private key and the signing value are derived as
> the private key.
>
> However, each and every signature generated by the above approach
> (e.g. using a *real* private key and a signing value downstream
> derived from that private key) *will* verify, and each and every
> signature by that private key over the same data using the above
> approach will produce identical signatures.

I've stated in the JEP[1] that the goal of this effort is an
implementation of EdDSA as described in the RFC. What you are proposing
is a slightly different key generation and signing procedure. The fact
that the signatures will still verify is not sufficient to convince me
that the procedures that you are proposing offer the same security as
the ones in the RFC.

I understand that you don't like the fact that I am representing the
private key value as a byte array instead of an integer. If you can come
up with an alternative representation that still allows the same
functions that are specified in the RFC, then I will consider it.

[1] https://bugs.openjdk.java.net/browse/JDK-8199231
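
For reference, the RFC 8032 Ed25519 procedure this thread is arguing about, as an added example that is not part of the original message and is not the JDK implementation: the private key is a 32-byte array, and both the signing scalar and the per-message nonce prefix are derived from it with SHA-512. Function names are illustrative assumptions, and the arithmetic is variable-time, so it is suitable for study only.

```python
import hashlib

# Ed25519 parameters from RFC 8032, section 5.1
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # order of base point
D = -121665 * pow(121666, P - 2, P) % P
GX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
GY = 4 * pow(5, P - 2, P) % P
B = (GX, GY, 1, GX * GY % P)  # extended coordinates (X, Y, Z, T)

def point_add(A, C):
    a = (A[1] - A[0]) * (C[1] - C[0]) % P
    b = (A[1] + A[0]) * (C[1] + C[0]) % P
    c = 2 * A[3] * C[3] * D % P
    d = 2 * A[2] * C[2] % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)

def scalar_mult(s, Q):
    R = (0, 1, 1, 0)  # neutral element
    while s:
        if s & 1:
            R = point_add(R, Q)
        Q, s = point_add(Q, Q), s >> 1
    return R

def encode(Q):
    zinv = pow(Q[2], P - 2, P)
    x, y = Q[0] * zinv % P, Q[1] * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def expand_seed(seed):
    """RFC 8032 private key (32-byte array) -> (scalar a, nonce prefix)."""
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    return a, h[32:]

def le_hash(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little") % L

def sign(seed, msg):
    a, prefix = expand_seed(seed)
    A = encode(scalar_mult(a, B))          # public key
    r = le_hash(prefix, msg)               # deterministic per-message value
    R = encode(scalar_mult(r, B))
    return A, R + ((r + le_hash(R, A, msg) * a) % L).to_bytes(32, "little")
```

Only `seed` is stored as the private key; `a` and `prefix` are recomputed from it on every call, which is why the RFC test vectors list the byte array rather than the scalar.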