[Cryptech Tech] Ed25519 use case

Bernd Paysan bernd at net2o.de
Wed Sep 6 00:40:04 UTC 2017

Previous message (by thread): [Cryptech Tech] Ed25519 use case
Next message (by thread): [Cryptech Tech] offline attacks on open hardware vs secure chips
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]


Am 6. September 2017 01:52:40 MESZ schrieb Russ Housley <housley at vigilsec.com>:
>
>> On Sep 5, 2017, at 3:19 PM, Bernd Paysan <bernd at net2o.de> wrote:
>> 
>> Am Dienstag, 5. September 2017, 18:46:32 CEST schrieb Russ Housley:
>>> The IETF work that is using Ed25519 is not using the pre-hash
>version.  That
>>> means that you need to be able to sign message, not hashes of
>messages.
>>> 
>>> See:
>>> 	https://www.ietf.org/id/draft-ietf-curdle-pkix-05.txt
>>>
>	https://www.ietf.org/id/draft-ietf-curdle-cms-eddsa-signatures-07.txt
>>> 	https://www.ietf.org/id/draft-ietf-curdle-ssh-ed25519-01.txt
>> 
>> I see no other option than to have both hash function and ed25519 in
>the FPGA, 
>> and combine them in a flexible way (different users of Ed25519 may
>use 
>> different hash algorithms). For PureEd25519, you need to feed in the
>message 
>> twice, once to create the hash itself, and once to create the keyed
>hash for 
>> the secret pseudo-random number.
>> 
>> net2o's signature is done in a way that avoids doing double hashing
>without 
>> severely compromising the promise PureEd25519 gives: I use a SHA-3
>variant, 
>> and create the pseudo-random number by mixing in the secret (plus
>another 
>> round) *after* having calculated the hash.  It therefore doesn't only
>depend 
>> on the hash, but on the entire state, and that's about as good as a
>keyed 
>> hash, without the double work.
>> 
>> However, with any reasonable good hash function, HashEd25519 is as
>good as 
>> PureEd25519, anyways.
>
>For small things, like a certificate, can the thing-to-be-signed be
>passed once?
>
>What happens if the caller sends different bytes in the two passes?

He must send the signed object in the pass that creates the hash part, otherwise the signature will be invalid. What he sends for the other round to create the secret random number does not affect the validity of the signature, but can endanger his secret key, if he manages to create the same random number for two different messages. 

That's why HashEd25519 or the net2o variant is a better design for hardware: it is foolproof. 
-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
net2o ID: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*
http://bernd-paysan.de/

Previous message (by thread): [Cryptech Tech] Ed25519 use case
Next message (by thread): [Cryptech Tech] offline attacks on open hardware vs secure chips
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Tech mailing list