On Tue, Aug 19, 2014 at 4:04 PM, Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:
I just submitted an I-D for use of Ed25519 in OpenPGP:
This is terrific!
2. Supported Curves
Other curves may be used by using a specific OID for the curve and
its EdDSA parameters.
See infra. You should list EdDSA parameters that need to be encoded
into the OID.
3. Point Format
Are MPIs -- and the 0x40 prefix -- necessary? The curve OID already
determines the length of the octet string.
Similarly for encoding the signature; it poses significant
interoperability concerns to deviate from the existing encoding used
by Ed25519 implementations.
Although that algorithm allows arbitrary data as input, its use with
OpenPGP requires that a digest of the message is used as input. See
section 5.2.4 of [RFC4880], "Computing Signatures" for details.
Truncation of the resulting digest is never applied; the resulting
digest value is used verbatim as input to the EdDSA algorithm.
This is confusing. EdDSA is defined to operate on messages of
arbitrary length; hashing the message is part of the EdDSA algorithm.
EdDSA has seven parameters:
- an integer _b_ ≥ 10;
- a cryptographic hash function _H_ producing **2b-bit output**;
- a prime power _q_ congruent to 1 modulo 4;
- a (_b_−1)-bit encoding of elements of the finite field _Fq_;
- a non-square element _d_ of _Fq_;
- a prime _L_ between 2^(_b_−4) and 2^(_b_−3) satisfying an extra
constraint [. . .];
- [and a point _B_]
Ed25519-SHA2-512 is widely implemented. No other hash functions
currently specified for use with OpenPGP provide long enough output to
be used with Curve25519.
10. Normative References
[ED25519] Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B.
Yang, "High-speed high-security signatures", Journal of
Cryptographic Engineering Volume 2, Issue 2, pp. 77-89,
openpgp mailing list
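The point-format question raised under "3. Point Format" above, as an added Python example (not code from the I-D or from either author): it wraps a 32-octet Ed25519 point in an RFC 4880 MPI with the 0x40 prefix, parses it back strictly, and shows what a bare MPI does to an octet string that begins with zero octets. The helper names are hypothetical, the sample point is constructed, and it assumes the prefixed point is carried in a standard MPI.

```python
# Added illustration; helper names are hypothetical, not taken from the I-D.
POINT_LEN = 32   # Ed25519 compressed point size, fixed by the curve
PREFIX = 0x40    # prefix octet questioned in the review of section 3

def mpi_encode(octets: bytes) -> bytes:
    """RFC 4880 MPI: 2-octet big-endian bit count, then the magnitude.
    Leading zero octets of the input are not preserved."""
    n = int.from_bytes(octets, "big")
    bits = n.bit_length()
    return bits.to_bytes(2, "big") + n.to_bytes((bits + 7) // 8, "big")

def mpi_decode(buf: bytes) -> bytes:
    """Return the MPI magnitude; reject truncated or non-canonical input."""
    if len(buf) < 2:
        raise ValueError("truncated MPI header")
    bits = int.from_bytes(buf[:2], "big")
    body = buf[2:]
    if len(body) != (bits + 7) // 8:
        raise ValueError("MPI length does not match bit count")
    if int.from_bytes(body, "big").bit_length() != bits:
        raise ValueError("non-canonical MPI bit count")
    return body

def encode_point(raw: bytes) -> bytes:
    """0x40 || point, wrapped as an MPI (always 263 bits, 35 octets)."""
    if len(raw) != POINT_LEN:
        raise ValueError("Ed25519 point must be 32 octets")
    return mpi_encode(bytes([PREFIX]) + raw)

def decode_point(buf: bytes) -> bytes:
    """Strict parse: exactly 0x40 followed by 32 octets, nothing else."""
    body = mpi_decode(buf)
    if len(body) != POINT_LEN + 1 or body[0] != PREFIX:
        raise ValueError("expected 0x40 followed by 32 octets")
    return body[1:]

# Constructed sample: a 32-octet string whose first two octets are zero.
SAMPLE = bytes(2) + bytes(range(1, 31))

if __name__ == "__main__":
    wire = encode_point(SAMPLE)
    print("prefixed MPI header+prefix:", wire[:3].hex(), "total", len(wire))
    print("round trip ok:", decode_point(wire) == SAMPLE)
    # Without the prefix the MPI drops the leading zeros: 30 octets come back.
    print("bare MPI magnitude length:", len(mpi_decode(mpi_encode(SAMPLE))))
```

The prefixed form costs three octets over the raw 32-octet string; a fixed-length field keyed on the curve OID would need neither the bit count nor the prefix.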