On Tuesday, 5 September 2017, 18:46:32 CEST, Russ Housley wrote:
> The IETF work that is using Ed25519 is not using the pre-hash version. That
> means that you need to be able to sign messages, not hashes of messages.
>
> See:
> https://www.ietf.org/id/draft-ietf-curdle-pkix-05.txt
> https://www.ietf.org/id/draft-ietf-curdle-cms-eddsa-signatures-07.txt
> https://www.ietf.org/id/draft-ietf-curdle-ssh-ed25519-01.txt
>
> Russ
I see no other option than to have both hash function and ed25519 in the FPGA, and combine them in a flexible way (different users of Ed25519 may use different hash algorithms). For PureEd25519, you need to feed in the message twice, once to create the hash itself, and once to create the keyed hash for the secret pseudo-random number.

net2o's signature is done in a way that avoids doing double hashing without severely compromising the promise PureEd25519 gives: I use a SHA-3 variant, and create the pseudo-random number by mixing in the secret (plus another round) *after* having calculated the hash. It therefore doesn't only depend on the hash, but on the entire state, and that's about as good as a keyed hash, without the double work.

However, with any reasonably good hash function, HashEd25519 is as good as PureEd25519, anyways.

--
Bernd Paysan
"If you want it done right, you have to do it yourself"
net2o ID: kQusJzA;7*?t=uy@X}1GWr!+0qqp_Cn176t4(dQ*
http://bernd-paysan.de/

_______________________________________________
Tech mailing list
Tech@cryptech.is
https://lists.cryptech.is/listinfo/tech
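To make the "feed the message twice" point concrete, here is a compact RFC 8032 Ed25519 signer/verifier added as an illustration (it is not code from this thread, from net2o or from the Cryptech project). Both hash passes over the message are written out: the keyed nonce hash SHA-512(prefix || M) and the public challenge hash SHA-512(R || A || M). With the `ph=True` flag the same code does Ed25519ph, where the message is hashed once and the 64-byte digest replaces M in both passes. The known-answer values are TEST 1 from RFC 8032 section 7.1; the scalar multiplication is plain double-and-add and not constant time, so this is a reference for the data flow, not for a deployable implementation.

```python
import hashlib

# Added example (not from the thread): RFC 8032 Ed25519 with both hash passes explicit.
p = 2**255 - 19                                      # field prime
q = 2**252 + 27742317777372353535851937790883648493  # group order L
d = (-121665 * pow(121666, -1, p)) % p               # curve constant
modp_sqrt_m1 = pow(2, (p - 1) // 4, p)               # sqrt(-1) mod p

def recover_x(y, sign):
    """Recover x with the requested parity from y (RFC 8032 5.1.3); None if invalid."""
    if y >= p:
        return None
    x2 = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    if x2 == 0:
        return None if sign else 0
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p != 0:
        x = x * modp_sqrt_m1 % p
    if (x * x - x2) % p != 0:
        return None
    return p - x if (x & 1) != sign else x

# Base point in extended coordinates (X, Y, Z, T): B_y = 4/5, B_x even
g_y = 4 * pow(5, -1, p) % p
g_x = recover_x(g_y, 0)
G = (g_x, g_y, 1, g_x * g_y % p)
IDENTITY = (0, 1, 1, 0)

def point_add(P, Q):
    """Twisted Edwards addition in extended coordinates (RFC 8032 5.1.4)."""
    X1, Y1, Z1, T1 = P
    X2, Y2, Z2, T2 = Q
    A = (Y1 - X1) * (Y2 - X2) % p
    B = (Y1 + X1) * (Y2 + X2) % p
    C = 2 * d * T1 * T2 % p
    D = 2 * Z1 * Z2 % p
    E, F, GG, H = B - A, D - C, D + C, B + A
    return (E * F % p, GG * H % p, F * GG % p, E * H % p)

def point_mul(s, P):
    """Double-and-add scalar multiplication (illustration only, not constant time)."""
    Q = IDENTITY
    while s > 0:
        if s & 1:
            Q = point_add(Q, P)
        P = point_add(P, P)
        s >>= 1
    return Q

def point_equal(P, Q):
    X1, Y1, Z1, _ = P
    X2, Y2, Z2, _ = Q
    return (X1 * Z2 - X2 * Z1) % p == 0 and (Y1 * Z2 - Y2 * Z1) % p == 0

def point_compress(P):
    X, Y, Z, _ = P
    zinv = pow(Z, -1, p)
    x, y = X * zinv % p, Y * zinv % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def point_decompress(s):
    y = int.from_bytes(s, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x = recover_x(y, sign)
    if x is None:
        raise ValueError("invalid point encoding")
    return (x, y, 1, x * y % p)

def dom2(ph):
    """Domain separator: empty for PureEd25519; prefix || flag 1 || context length 0 for Ed25519ph."""
    return b"SigEd25519 no Ed25519 collisions" + bytes([1, 0]) if ph else b""

def secret_expand(sk):
    """SHA-512(seed) -> clamped scalar a and the secret 32-byte nonce prefix."""
    h = hashlib.sha512(sk).digest()
    a = int.from_bytes(h[:32], "little")
    return (a & ((1 << 254) - 8)) | (1 << 254), h[32:]

def public_key(sk):
    a, _ = secret_expand(sk)
    return point_compress(point_mul(a, G))

def sign(sk, msg, ph=False):
    a, prefix = secret_expand(sk)
    A = point_compress(point_mul(a, G))
    PH = hashlib.sha512(msg).digest() if ph else msg  # ph: message read once, digest reused
    # Pass 1 over the message: the nonce is a keyed hash (prefix is secret).
    r = int.from_bytes(hashlib.sha512(dom2(ph) + prefix + PH).digest(), "little") % q
    R = point_compress(point_mul(r, G))
    # Pass 2 over the same message: the challenge hash, all inputs public.
    k = int.from_bytes(hashlib.sha512(dom2(ph) + R + A + PH).digest(), "little") % q
    return R + ((r + k * a) % q).to_bytes(32, "little")

def verify(pk, msg, sig, ph=False):
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        A, R = point_decompress(pk), point_decompress(sig[:32])
    except ValueError:
        return False
    s = int.from_bytes(sig[32:], "little")
    if s >= q:
        return False
    PH = hashlib.sha512(msg).digest() if ph else msg
    k = int.from_bytes(hashlib.sha512(dom2(ph) + sig[:32] + pk + PH).digest(), "little") % q
    return point_equal(point_mul(s, G), point_add(R, point_mul(k, A)))

# Known-answer values: RFC 8032 section 7.1, TEST 1 (empty message)
TEST_SK = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
TEST_PK = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
TEST_SIG = bytes.fromhex("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
                         "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")

if __name__ == "__main__":
    print("pure KAT ok:", sign(TEST_SK, b"") == TEST_SIG and verify(TEST_PK, b"", TEST_SIG))
    sig_ph = sign(TEST_SK, b"abc", ph=True)
    print("ph self-check ok:", verify(TEST_PK, b"abc", sig_ph, ph=True))
```

The two `hashlib.sha512(...)` calls in `sign` are the two passes the mail refers to: in the pure variant each one consumes the full message, which is why a hardware core that exposes only a one-shot "sign this digest" interface cannot produce PureEd25519 signatures, while in the ph variant the message is consumed once and only the 64-byte `PH` is fed to both.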