Nikos Mavrogiannopoulos <nmav@gnutls.org> writes:

> On Sun, 2014-08-31 at 21:12 +0200, Niels Möller wrote:
>
> > I'm looking into EdDSA. According to the paper, signing of a message M, using private key (a, k), corresponding to public key A, is essentially
> >
> >   r = H(k | M), with k the second half of the private key
> >   R = rB, with B the specified generator of the curve
> >   S = (r + H(R | A | M) a) mod l, l is the curve order
> >
> > with some rules to encode R, A, S as strings. H is typically sha-512. If M is the original, arbitrarily long, message to be signed, this breaks the common structure that you can first compute a message digest, and then apply the secret key to produce a signature.
>
> That is indeed quite different from any other signature scheme. I don't know whether eddsa is going to be standardized or not, but it is certainly being discussed in irtf. Maybe raising that issue there would make more sense.
I asked djb, who pointed to the "Maximum security" paragraph close to the end of http://blog.cr.yp.to/20140323-ecdsa.html. As I understand it, the point is resilience to hash collisions: collisions in the hash function don't automatically make signature forgeries possible. Quoting that post: "Using Ed25519 to sign H(m), rather than m, would mean hashing m only once (at the expense of collision resilience), but again the safest option is the default."
Regards,
/Niels
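The signing equations quoted in the thread, written out as an added example (this is not code from the thread, from Nettle, or from djb's reference implementation): a small pure-Python Ed25519 that follows the formulas above with the hash steps kept visible. The point of the thread is the two hashes that both cover M: `r = H(k | M)` needs the secret half k, and the challenge `H(R | A | M)` needs R, which in turn depends on r. So the signer must make two passes over M, and a "hash first, then apply the key" API cannot produce this signature. The arithmetic is plain affine arithmetic with modular inversions (nothing is constant time), and the key material is the well-known first test vector of the Ed25519 test suite (also test 1 in RFC 8032, section 7.1), used here as a self-check. Everything else (function names, the `sign_prehashed` variant) is this example's own.

```python
# Added example: Ed25519 signing written to match the formulas in the thread.
# Not the Nettle implementation; affine, non-constant-time, illustration only.
import hashlib

q = 2**255 - 19                                       # field prime
l = 2**252 + 27742317777372353535851937790883648493   # order of the base point B
d = (-121665 * pow(121666, q - 2, q)) % q             # curve constant
sqrt_m1 = pow(2, (q - 1) // 4, q)                     # sqrt(-1) mod q


def H(m):                       # "H is typically sha-512"
    return hashlib.sha512(m).digest()


def Hint(m):                    # the 64-byte hash read as a little-endian integer
    return int.from_bytes(H(m), "little")


def edwards_add(P, Q):          # affine addition on -x^2 + y^2 = 1 + d x^2 y^2
    x1, y1 = P
    x2, y2 = Q
    k = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + k, q - 2, q)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - k, q - 2, q)
    return (x3 % q, y3 % q)


def scalarmult(P, e):           # plain double-and-add, MSB first
    Q = (0, 1)                  # neutral element
    for i in reversed(range(e.bit_length())):
        Q = edwards_add(Q, Q)
        if (e >> i) & 1:
            Q = edwards_add(Q, P)
    return Q


def xrecover(y):                # even square root x of (y^2 - 1) / (d y^2 + 1)
    xx = (y * y - 1) * pow(d * y * y + 1, q - 2, q)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * sqrt_m1) % q
    return x if x % 2 == 0 else q - x


By = (4 * pow(5, q - 2, q)) % q
B = (xrecover(By), By)          # the specified generator of the curve


def encodepoint(P):             # 32 bytes: y little-endian, sign of x in the top bit
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def decodepoint(s):
    y = int.from_bytes(s, "little")
    sign = y >> 255
    y &= (1 << 255) - 1
    x = xrecover(y)
    if (x & 1) != sign:
        x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q != 0:
        raise ValueError("point not on curve")
    return (x, y)


def expand_secret(sk):          # private key (a, k) is derived from H(seed)
    h = H(sk)
    a = int.from_bytes(h[:32], "little")
    a &= (1 << 254) - 8         # clear bits 0, 1, 2 and 255 ...
    a |= 1 << 254               # ... and set bit 254 (the usual clamping)
    return a, h[32:]            # k is "the second half of the private key"


def publickey(sk):
    a, _ = expand_secret(sk)
    return encodepoint(scalarmult(B, a))        # A = aB


def sign(M, sk):
    a, k = expand_secret(sk)
    A = publickey(sk)
    r = Hint(k + M) % l                         # pass 1 over M: r = H(k | M)
    R = encodepoint(scalarmult(B, r))           # R = rB
    S = (r + Hint(R + A + M) * a) % l           # pass 2 over M: H(R | A | M)
    return R + S.to_bytes(32, "little")


def verify(M, sig, A):          # check S B == R + H(R | A | M) A
    if len(sig) != 64:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= l:
        return False
    try:
        R, Apt = decodepoint(sig[:32]), decodepoint(A)
    except ValueError:
        return False
    h = Hint(sig[:32] + A + M) % l
    return scalarmult(B, S) == edwards_add(R, scalarmult(Apt, h))


def sign_prehashed(M, sk):      # the "sign H(m) rather than m" option from djb's post:
    return sign(H(M), sk)       # one pass over M, but a SHA-512 collision m1/m2 now
                                # gives one signature valid for both messages


# Self-check against test vector 1 of the Ed25519 test suite (RFC 8032, 7.1).
TEST_SK = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
TEST_PK = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
TEST_SIG = bytes.fromhex("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
                         "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")


def test_vector_ok():
    return publickey(TEST_SK) == TEST_PK and sign(b"", TEST_SK) == TEST_SIG


if __name__ == "__main__":
    print("RFC 8032 test vector:", "ok" if test_vector_ok() else "MISMATCH")
```

Note that `sign` reduces r mod l before computing R; since lB is the neutral element this gives the same R and S as the unreduced form in the thread, it just keeps the scalar multiplication short. `sign_prehashed` is the trade-off djb describes: M is hashed once, but the signature then depends on M only through H(M), so any two messages with the same SHA-512 digest share a signature. In the default scheme an attacker would instead need a collision in H(k | M), which involves the secret k, and in H(R | A | M), where R itself changes with M.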