[Cryptech Tech] Ed25519 use case

Russ Housley housley at vigilsec.com
Tue Sep 5 16:46:32 UTC 2017


The IETF work that is using Ed25519 is not using the pre-hash version.  That means that you need to be able to sign messages, not hashes of messages.

See:
	https://www.ietf.org/id/draft-ietf-curdle-pkix-05.txt
	https://www.ietf.org/id/draft-ietf-curdle-cms-eddsa-signatures-07.txt
	https://www.ietf.org/id/draft-ietf-curdle-ssh-ed25519-01.txt

Russ



> On Aug 23, 2017, at 6:44 AM, Wouter Kuhnen <w.j.a.kuhnen at student.ru.nl> wrote:
> 
> Hello all,
> 
> For Ed25519; what is the general use case for signing? I am working on an
> implementation and wondering if it's useful to (only) sign messages of constant
> length (i.e hashes of messages).
> 
> I have two reasons to favor constant-length messages:
>    - Simplicity: fewer things can go wrong with SHA-512 (input padding mostly).
>    - Storage constraints: Long messages will need to be sent twice to the FPGA.
> 
> The downside is that any collision in the hash function used on the signer's side
> will lead to identical signatures.
> 
> - Wouter


