Hashing with EdDSA
Niels Möller <nisse@...
2014-08-31 19:12:36 GMT
I'm looking into EdDSA. According to the paper, signing of a message M,
using private key (a, k), corresponding to public key A, is essentially
r = H(k | M), with k the second half of the private key
R = rB, with B the specified generator of the curve,
S = ((r + H(R | A | M) a) mod l, l is the curve order
with some rules to encode R, A, S as strings. H is typically sha-512.
If M is the original, arbitrarily long, message to be signed, this
breaks the common structure that you can first compute a message digest,
and then apply the secret key to produce a signature. But this doesn't
work above, because the complete message has to be hashed twice, first
with the secret prefix k, next with the prefix R | A, and any hashing
without the private key available is useless. And even worse, one has to
buffer the complete message because the prefix of the second hash
depends on the output of the first hash.
Or should M itself be a digest of the message to be signed? That will
enable a more main-stream signature interface, where the inputs to the
signature function are the private key and the short message digest.
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.