> On Sep 5, 2017, at 3:19 PM, Bernd Paysan <be...@net2o.de> wrote:
>
> On Tuesday, 5 September 2017, 18:46:32 CEST, Russ Housley wrote:
>> The IETF work that is using Ed25519 is not using the pre-hash version. That
>> means that you need to be able to sign messages, not hashes of messages.
>>
>> See:
>> https://www.ietf.org/id/draft-ietf-curdle-pkix-05.txt
>> https://www.ietf.org/id/draft-ietf-curdle-cms-eddsa-signatures-07.txt
>> https://www.ietf.org/id/draft-ietf-curdle-ssh-ed25519-01.txt
>
> I see no other option than to have both the hash function and Ed25519 in the
> FPGA, and combine them in a flexible way (different users of Ed25519 may use
> different hash algorithms). For PureEd25519, you need to feed in the message
> twice, once to create the hash itself, and once to create the keyed hash for
> the secret pseudo-random number.
>
> net2o's signature is done in a way that avoids doing double hashing without
> severely compromising the promise PureEd25519 gives: I use a SHA-3 variant,
> and create the pseudo-random number by mixing in the secret (plus another
> round) *after* having calculated the hash. It therefore doesn't only depend
> on the hash, but on the entire state, and that's about as good as a keyed
> hash, without the double work.
>
> However, with any reasonably good hash function, HashEd25519 is as good as
> PureEd25519, anyways.
For small things, like a certificate, can the thing-to-be-signed be passed once? What happens if the caller sends different bytes in the two passes?

Russ

_______________________________________________
Tech mailing list
Tech@cryptech.is
https://lists.cryptech.is/listinfo/tech
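Russ's second question, worked through in code. This is an added example and is not code from the thread, from net2o or from Cryptech: a short pure-Python PureEd25519 signer following RFC 8032 (affine curve arithmetic, fine for a demonstration and far too slow for production), written so that the message is handed in separately for the nonce hash H(prefix || M) and for the challenge hash H(R || A || M), which models a device that streams the message through twice. The function names, the demo seed and the messages are the example's own assumptions. It shows two things the thread only hints at: a signature produced with different bytes in the two passes still verifies against the second-pass bytes, so no verifier can tell it happened, and two such signatures with the same first-pass bytes reuse the nonce r, from which the secret scalar falls out by one modular division.

```python
import hashlib
import secrets

# Ed25519 parameters (RFC 8032, section 5.1).
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, p - 2, p)) % p
I = pow(2, (p - 1) // 4, p)  # sqrt(-1) mod p, needed for point decompression

def inv(x):
    return pow(x, p - 2, p)

def recover_x(y, sign):
    # Point decompression (RFC 8032 5.1.3): solve x^2 = (y^2-1)/(d*y^2+1).
    xx = (y * y - 1) * inv(d * y * y + 1) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * I % p
    if (x * x - xx) % p:
        raise ValueError("not on the curve")
    return p - x if (x & 1) != sign else x

By = 4 * inv(5) % p
B = (recover_x(By, 0), By)  # base point

def point_add(P, Q):
    # Affine twisted-Edwards addition: slow but short, enough for a demo.
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % p,
            (y1 * y2 + x1 * x2) * inv(1 - t) % p)

def scalar_mult(k, P):
    R = (0, 1)  # neutral element
    while k:
        if k & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        k >>= 1
    return R

def encode(P):
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def decode(b):
    n = int.from_bytes(b, "little")
    y = n & ((1 << 255) - 1)
    return (recover_x(y, n >> 255), y)

def H(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def expand(seed):
    # Clamped secret scalar a and the nonce prefix, both from the 32-byte seed.
    h = hashlib.sha512(seed).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:]

def public_key(seed):
    return encode(scalar_mult(expand(seed)[0], B))

def sign_two_pass(seed, m_nonce, m_challenge):
    # Models a signer that streams the message in twice: pass 1 goes into
    # H(prefix || M) for the nonce r, pass 2 into H(R || A || M) for the
    # challenge k. A correct caller sends identical bytes both times.
    a, prefix = expand(seed)
    A = encode(scalar_mult(a, B))
    r = H(prefix, m_nonce) % L
    R = encode(scalar_mult(r, B))
    k = H(R, A, m_challenge) % L
    return R + ((r + k * a) % L).to_bytes(32, "little")

def sign(seed, m):
    return sign_two_pass(seed, m, m)

def verify(A, m, sig):
    # RFC 8032 check: S*B == R + H(R || A || M)*A.
    R, S = sig[:32], int.from_bytes(sig[32:], "little")
    if S >= L:
        return False
    try:
        k = H(R, A, m) % L
        return scalar_mult(S, B) == point_add(decode(R), scalar_mult(k, decode(A)))
    except ValueError:
        return False

def recover_secret_scalar(A, m1, sig1, m2, sig2):
    # Same R (nonce reused) under two different challenges k1, k2 gives
    # S1 - S2 = (k1 - k2) * a (mod L), so a is one modular division away.
    if sig1[:32] != sig2[:32]:
        raise ValueError("nonce was not reused")
    k1, k2 = H(sig1[:32], A, m1) % L, H(sig2[:32], A, m2) % L
    S1, S2 = int.from_bytes(sig1[32:], "little"), int.from_bytes(sig2[32:], "little")
    return (S1 - S2) * pow(k1 - k2, L - 2, L) % L

def forge(a, A, m):
    # Knowing a (mod L) is enough to sign anything; no seed or prefix needed.
    r = secrets.randbelow(L)
    R = encode(scalar_mult(r, B))
    return R + ((r + (H(R, A, m) % L) * a) % L).to_bytes(32, "little")

if __name__ == "__main__":
    seed = bytes(range(32))  # constructed demo seed, not a real key
    A = public_key(seed)
    s1 = sign_two_pass(seed, b"tbs v1", b"tbs v1")  # honest: same bytes twice
    s2 = sign_two_pass(seed, b"tbs v1", b"tbs v2")  # second pass differs
    assert verify(A, b"tbs v1", s1) and verify(A, b"tbs v2", s2)  # both verify
    a = recover_secret_scalar(A, b"tbs v1", s1, b"tbs v2", s2)
    assert a == expand(seed)[0] % L
    print("scalar recovered; forgery verifies:", verify(A, b"x", forge(a, A, b"x")))
```

The interesting line is the `s2` call: the signature is valid for `b"tbs v2"`, the bytes that went into the challenge hash, while the nonce was derived from `b"tbs v1"`, so the two passes disagreeing is invisible to every verifier and only shows up as a repeated `R` across signatures. That is the whole reason PureEd25519 wants the same message in both hashes, and why a device that consumes it in two passes must either buffer it or be trusted never to be fed two different streams. Ed25519ph, the pre-hash form the cited drafts do not use, is what makes a single pass possible: the message is hashed once to a 64-byte digest and that digest is what goes into both hashes.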