ietf-openpgp

Re: [openpgp] EdDSA/Ed25519 I-D for OpenPGP

2014-08-21 08:32:52
On Thu, Aug 21, 2014 at 3:22 AM, Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:
On Thu, 21 Aug 2014 00:24, coruus(_at_)gmail(_dot_)com said:
This is confusing. EdDSA is defined to operate on messages of
arbitrary length; hashing the message is part of the EdDSA algorithm.

Right but that can't be used in OpenPGP.  Recall that there is a
preference system which goes along with encrypted messages and that we
have specific requirements of what needs to be hashed.  Messing up the
well established OpenPGP layered structure won't do any good.

Compatibility with implementations that don't implement Ed25519 should not be
a priority.

We are talking about the EdDSA algorithm which required the Edwards form
of Curve25519.  The internal use of a 64 byte digest is required by the
way EdDSA works.  Using a SHA-256 hash as data to be signed matches this
nicely but if you don't like it you may sign any other hash.

So, to be clear: You are proposing that *hashes* of OpenPGP messages be
what is hashed by Ed25519.

Could you provide a reference with concrete security results for this
construction?
(It is no longer a collision-resistant signature scheme, at the very least.)

(This is not how OpenPGP ECDSA works.)

http://ed25519.cr.yp.to/ed25519-20110926.pdf

Web pages are not suitable as a normative reference.

Included for reader's convenience.

- David

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
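The objection above to signing a digest of the message rather than the message itself, as an added example (not code from the thread or from the I-D): Ed25519 signing written after RFC 8032, applied once to an outer digest and once to the message. The 16-bit `weak_digest`, the sample messages and the all-zero secret are constructed stand-ins; the truncated digest models an outer hash whose collision resistance has failed.

```python
import hashlib
# Ed25519 signing as in RFC 8032 (not constant-time; demonstration only).
p, q = 2**255 - 19, 2**252 + 27742317777372353535851937790883648493
d = -121665 * pow(121666, -1, p) % p

def add(P, Q):  # extended coordinates (X, Y, Z, T)
    A, B = (P[1]-P[0]) * (Q[1]-Q[0]) % p, (P[1]+P[0]) * (Q[1]+Q[0]) % p
    C, D = 2 * P[3] * Q[3] * d % p, 2 * P[2] * Q[2] % p
    E, F, G, H = B - A, D - C, D + C, B + A
    return (E*F % p, G*H % p, F*G % p, E*H % p)

def mul(s, P, Q=(0, 1, 1, 0)):  # double-and-add, Q starts at the neutral point
    while s:
        if s & 1: Q = add(Q, P)
        P, s = add(P, P), s >> 1
    return Q

def compress(P):
    zi = pow(P[2], -1, p)
    return ((P[1]*zi % p) | (((P[0]*zi % p) & 1) << 255)).to_bytes(32, "little")

by = 4 * pow(5, -1, p) % p  # base point: y = 4/5, x = the even square root
x2 = (by*by - 1) * pow(d*by*by + 1, -1, p) % p
bx = pow(x2, (p + 3) // 8, p)
if (bx*bx - x2) % p: bx = bx * pow(2, (p - 1) // 4, p) % p
bx = p - bx if bx & 1 else bx
BASE = (bx, by, 1, bx * by % p)

def h_int(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def sign(secret, msg):  # pure mode: msg itself enters both internal hashes
    h = hashlib.sha512(secret).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    A, r = compress(mul(a, BASE)), h_int(h[32:], msg) % q  # r keyed by secret prefix
    R = compress(mul(r, BASE))
    return R + ((r + h_int(R, A, msg) * a) % q).to_bytes(32, "little")

def weak_digest(m):  # constructed: 16-bit digest, collisions are cheap to find
    return hashlib.sha256(m).digest()[:2]

def demo(secret=bytes(32)):  # all-zero secret is a constructed test key
    seen = {}
    for i in range(1 << 17):  # more inputs than digests, so a collision must occur
        m2 = b"pay %d EUR" % i
        m1 = seen.setdefault(weak_digest(m2), m2)
        if m1 != m2: break
    prehash_same = sign(secret, weak_digest(m1)) == sign(secret, weak_digest(m2))
    pure_same = sign(secret, m1) == sign(secret, m2)
    return m1, m2, prehash_same, pure_same
```

`demo()` returns the colliding pair, then `True` (one signature covers both messages when the digest is what gets signed) and `False` (signatures over the messages themselves differ).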
