[Cryptech Tech] Ed25519 use case
Bernd Paysan
bernd at net2o.de
Tue Sep 5 19:19:44 UTC 2017
On Tuesday, 5 September 2017, 18:46:32 CEST, Russ Housley wrote:
> The IETF work that is using Ed25519 is not using the pre-hash version. That
> means that you need to be able to sign messages, not hashes of messages.
>
> See:
> https://www.ietf.org/id/draft-ietf-curdle-pkix-05.txt
> https://www.ietf.org/id/draft-ietf-curdle-cms-eddsa-signatures-07.txt
> https://www.ietf.org/id/draft-ietf-curdle-ssh-ed25519-01.txt
>
> Russ
I see no other option than to have both hash function and ed25519 in the FPGA,
and combine them in a flexible way (different users of Ed25519 may use
different hash algorithms). For PureEd25519, you need to feed in the message
twice, once to create the hash itself, and once to create the keyed hash for
the secret pseudo-random number.
net2o's signature is done in a way that avoids doing double hashing without
severely compromising the promise PureEd25519 gives: I use a SHA-3 variant,
and create the pseudo-random number by mixing in the secret (plus another
round) *after* having calculated the hash. It therefore doesn't only depend
on the hash, but on the entire state, and that's about as good as a keyed
hash, without the double work.
However, with any reasonably good hash function, HashEd25519 is as good as
PureEd25519 anyway.
--
Bernd Paysan
"If you want it done right, you have to do it yourself"
net2o ID: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*
http://bernd-paysan.de/
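An added example, not code from this thread nor from Cryptech or net2o: a compact, unoptimised PureEd25519 signer in Python following RFC 8032, written to make the two message passes discussed above visible. The nonce r is a secret-keyed SHA-512 over the whole message, and the challenge k is a second SHA-512 over the whole message that cannot start until R is known, so a digest handed in from outside is not enough; the verifier repeats only the second pass but still needs the full message. RFC 8032 section 7.1 test vector 1 is embedded as input.

```python
import hashlib
p = 2**255 - 19                                        # field prime
q = 2**252 + 27742317777372353535851937790883648493    # order of the base point
inv = lambda x: pow(x, p - 2, p)
d = (-121665 * inv(121666)) % p
SQRT_M1 = pow(2, (p - 1) // 4, p)
def xrecover(y):                                       # x from y, RFC 8032 5.1.3
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (p + 3) // 8, p)
    x = x if (x * x - xx) % p == 0 else (x * SQRT_M1) % p
    return p - x if x & 1 else x
def add(P, Q):                                         # affine twisted-Edwards addition
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % p, (y1 * y2 + x1 * x2) * inv(1 - t) % p)
def mul(P, e):                                         # double-and-add, not constant time
    R = (0, 1)
    for bit in bin(e)[2:]:
        R = add(R, R)
        R = add(R, P) if bit == '1' else R
    return R
B = (xrecover(4 * inv(5) % p), 4 * inv(5) % p)         # base point
def enc(P):                                            # y little-endian, sign(x) in bit 255
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, 'little')
def dec(s):
    y = int.from_bytes(s, 'little') & ((1 << 255) - 1)
    x = xrecover(y)
    return (p - x, y) if (x & 1) != (s[31] >> 7) else (x, y)
def H(*parts):                                         # SHA-512 as little-endian integer
    return int.from_bytes(hashlib.sha512(b''.join(parts)).digest(), 'little')
def expand(sk):                                        # clamped scalar a, secret nonce prefix
    h = hashlib.sha512(sk).digest()
    return int.from_bytes(h[:32], 'little') & ((1 << 254) - 8) | (1 << 254), h[32:]
def public_key(sk):
    return enc(mul(B, expand(sk)[0]))

def sign(sk, m):
    a, prefix = expand(sk)
    A = enc(mul(B, a))
    r = H(prefix, m) % q     # pass 1 over m: nonce keyed by the secret prefix
    R = enc(mul(B, r))
    k = H(R, A, m) % q       # pass 2 over m: challenge, cannot start until R exists
    return R + ((r + k * a) % q).to_bytes(32, 'little')
def verify(pk, m, sig):      # verifier repeats pass 2 only, but over the full message
    R, S = dec(sig[:32]), int.from_bytes(sig[32:], 'little')
    return mul(B, S) == add(R, mul(dec(pk), H(sig[:32], pk, m) % q))

SK = bytes.fromhex('9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60')  # RFC 8032 7.1, vector 1
PK = bytes.fromhex('d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a')
SIG = bytes.fromhex('e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b')
```

The arithmetic uses affine coordinates with a modular inverse per addition and a plain double-and-add loop, so it is slow and leaks timing; it is meant to show the data flow, not to be deployed.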