On 2021-05-21 at 17:48:56, Daniel Kahn Gillmor wrote:
> Alternately, maybe we should instead reframe OpenPGP's use of Ed25519 as
> a "PureEdDSA" scheme that signs only the OpenPGP digest (not the signed
> data directly). That bypasses the "PH" parameter, but it also means
> that any cryptanalysis that is applied to EdDSA isn't necessarily
> applicable to OpenPGP, because we have this additional step involved.
I would prefer this approach. OpenPGP has traditionally allowed users
to use whatever digest they like with keys, even when the standards have
traditionally fixed a digest. For example, DSA generally has specified
that either SHA-1 or SHA-2 has to be used and it has to be used with the
proper size q, but we've allowed RIPEMD-160 and SHA-256 with smaller q.
If, for example, we discover a weakness in SHA-512, it should be fine
to switch to SHA3-512 for signatures without problems.
I will admit that using multiple digests may require additional work for
cryptanalysis, but I suspect that if PureEdDSA is secure with arbitrary
messages and the hash function is collision resistant (both of which we
would reasonably expect), then this approach will likely be secure. I
provide no proof of my conjecture, though.
brian m. carlson (he/him or they/them)
Houston, Texas, US
openpgp mailing list
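The framing discussed above, PureEdDSA over the OpenPGP digest with the digest algorithm chosen per signature rather than fixed by the key, as an added example in Go. It is not code from the thread or from any OpenPGP implementation. It assumes a simplified signature structure (hash id, left 16 bits of the digest, raw 64-byte signature) and a constructed trailer that just appends the hash id, in place of the real OpenPGP packet and trailer layout; the ids 8 and 10 are the OpenPGP registry values for SHA-256 and SHA-512. SHA3-512, the replacement named in the mail, would be one more entry in the digest table; it is left out only so the block builds on Go's standard library alone.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/sha512"
	"errors"
	"fmt"
	"hash"
)

// Hash-algorithm identifiers from the OpenPGP registry (RFC 4880, 9.4).
const (
	HashSHA256 byte = 8
	HashSHA512 byte = 10
)

// digestByID maps a registry id to a constructor. Adding a digest (say
// SHA3-512) is one more entry here; keys and the signing step are untouched.
var digestByID = map[byte]func() hash.Hash{
	HashSHA256: sha256.New,
	HashSHA512: sha512.New,
}

// Sig is a stand-in for the parts of an OpenPGP signature packet that matter
// here: which digest was used, the left 16 bits of that digest (OpenPGP's
// quick check), and the 64-byte PureEdDSA signature over the digest.
type Sig struct {
	HashID byte
	Left16 [2]byte
	Sig    []byte
}

// openpgpDigest is the "OpenPGP digest" that gets signed. The trailer here is
// a constructed simplification of OpenPGP's; what matters for the framing is
// that the hash id is bound into the digest so it cannot be swapped later.
func openpgpDigest(hashID byte, data []byte) ([]byte, error) {
	newHash, ok := digestByID[hashID]
	if !ok {
		return nil, errors.New("unsupported hash algorithm id")
	}
	h := newHash()
	h.Write(data)
	h.Write([]byte{hashID})
	return h.Sum(nil), nil
}

// Sign hashes data with the chosen digest and signs the digest with plain
// (non-prehashed, "Pure") Ed25519. The key carries no digest choice.
func Sign(priv ed25519.PrivateKey, hashID byte, data []byte) (Sig, error) {
	d, err := openpgpDigest(hashID, data)
	if err != nil {
		return Sig{}, err
	}
	return Sig{
		HashID: hashID,
		Left16: [2]byte{d[0], d[1]},
		Sig:    ed25519.Sign(priv, d),
	}, nil
}

// Verify recomputes the digest with the algorithm named in the signature,
// applies the quick check, then verifies the Ed25519 signature over it.
func Verify(pub ed25519.PublicKey, s Sig, data []byte) bool {
	d, err := openpgpDigest(s.HashID, data)
	if err != nil {
		return false
	}
	if d[0] != s.Left16[0] || d[1] != s.Left16[1] {
		return false
	}
	return ed25519.Verify(pub, d, s.Sig)
}

// DemoKey derives a key from a constructed, fixed seed so runs are
// reproducible; a real key must come from a CSPRNG.
func DemoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKey()
	data := []byte("constructed message body")

	s512, _ := Sign(priv, HashSHA512, data)
	s256, _ := Sign(priv, HashSHA256, data) // same key, different digest
	fmt.Println("SHA-512 signature verifies:", Verify(pub, s512, data))
	fmt.Println("SHA-256 signature verifies:", Verify(pub, s256, data))

	// The digest choice is bound into the signature: relabelling it fails.
	relabelled := s512
	relabelled.HashID = HashSHA256
	fmt.Println("relabelled digest verifies:", Verify(pub, relabelled, data))

	// Because of the extra hashing step, the raw EdDSA signature is not a
	// PureEdDSA signature over the data itself.
	fmt.Println("raw sig over data verifies:", ed25519.Verify(pub, data, s512.Sig))
}
```

The last check in main is the "additional step" from the quoted message made concrete: an analysis that treats the Ed25519 signature as covering the message directly does not apply, because what Ed25519 actually signed is the digest. The trailer binding of the hash id is the piece a practitioner should not drop when copying this pattern; without it, the hash id in the signature is an unauthenticated hint and a verifier could be steered to a different digest than the signer used.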