[Cryptech Tech] Ed25519 use case

Russ Housley housley at vigilsec.com
Tue Sep 5 23:52:40 UTC 2017


> On Sep 5, 2017, at 3:19 PM, Bernd Paysan <bernd at net2o.de> wrote:
> 
> On Tuesday, 5 September 2017 at 18:46:32 CEST, Russ Housley wrote:
>> The IETF work that is using Ed25519 is not using the pre-hash version.  That
>> means that you need to be able to sign messages, not hashes of messages.
>> 
>> See:
>> 	https://www.ietf.org/id/draft-ietf-curdle-pkix-05.txt
>> 	https://www.ietf.org/id/draft-ietf-curdle-cms-eddsa-signatures-07.txt
>> 	https://www.ietf.org/id/draft-ietf-curdle-ssh-ed25519-01.txt
> 
> I see no other option than to have both hash function and ed25519 in the FPGA, 
> and combine them in a flexible way (different users of Ed25519 may use 
> different hash algorithms). For PureEd25519, you need to feed in the message 
> twice, once to create the hash itself, and once to create the keyed hash for 
> the secret pseudo-random number.
> 
> net2o's signature is done in a way that avoids doing double hashing without 
> severely compromising the promise PureEd25519 gives: I use a SHA-3 variant, 
> and create the pseudo-random number by mixing in the secret (plus another 
> round) *after* having calculated the hash.  It therefore doesn't only depend 
> on the hash, but on the entire state, and that's about as good as a keyed 
> hash, without the double work.
> 
> However, with any reasonably good hash function, HashEd25519 is as good as 
> PureEd25519, anyways.

For small things, like a certificate, can the thing-to-be-signed be passed once?

What happens if the caller sends different bytes in the two passes?

Russ
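The two-pass question above, worked through as an added example (not code from this thread, from net2o or from Cryptech): a minimal pure-Python PureEd25519 signer in which the two passes over the message are exposed as separate parameters, so one can see which pass decides what the signature actually verifies against. Curve parameters follow RFC 8032; the split `sign_two_pass` interface and its argument names are hypothetical, constructed only for this illustration.

```python
import hashlib
# Ed25519 parameters from RFC 8032, Section 5.1: field prime p, curve constant d,
# group order q and base point B.
p = 2**255 - 19
d = (-121665 * pow(121666, p - 2, p)) % p
q = 2**252 + 27742317777372353535851937790883648493
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)

def H(m):
    return hashlib.sha512(m).digest()
def add(P, Q):  # affine twisted-Edwards point addition (complete on this curve)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, p - 2, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, p - 2, p) % p)
def mul(k, P):  # double-and-add scalar multiplication; (0, 1) is the identity
    R = (0, 1)
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def enc(P):  # compressed encoding: y with the low bit of x in the top bit
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, 'little')
def dec(b):  # recover x from the compressed encoding (no on-curve check here)
    y = int.from_bytes(b, 'little')
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x2 = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    return (p - x if (x & 1) != sign else x, y)

def sign_two_pass(seed, msg_pass1, msg_pass2):
    # Pass 1 derives the nonce r = H(prefix || M); pass 2 derives the challenge
    # k = H(R || A || M). Equal inputs give a standard PureEd25519 signature;
    # the split into two arguments is hypothetical, to observe a caller mismatch.
    h = H(seed)
    a = (int.from_bytes(h[:32], 'little') & ((1 << 254) - 8)) | (1 << 254)
    A = enc(mul(a, B))
    r = int.from_bytes(H(h[32:] + msg_pass1), 'little') % q
    R = enc(mul(r, B))
    k = int.from_bytes(H(R + A + msg_pass2), 'little') % q
    return A, R + ((r + k * a) % q).to_bytes(32, 'little')

def verify(A, msg, sig):  # standard Ed25519 check: S*B == R + k*A
    R, S = sig[:32], int.from_bytes(sig[32:], 'little')
    k = int.from_bytes(H(R + A + msg), 'little') % q
    return S < q and mul(S, B) == add(dec(R), mul(k, dec(A)))
```

With both passes identical the result is a standard RFC 8032 signature; when they differ, the signature verifies only against the second pass's bytes while the nonce r still depends on the first, so repeating the first-pass bytes across different second-pass messages repeats R. A signer that exposes two passes therefore has to guarantee they are bound to one and the same buffer, which is the check a hardware design needs.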



More information about the Tech mailing list