Hi Daniel--
On Tue 2021-05-25 10:59:39 +0000, Daniel Huigens wrote:
This is the function that the specification should (and I believe
tries to) reference. The OpenPGP specification indeed pre-hashes the
message as well, but this is irrelevant to (and comes before) RFC8032,
PH(x) is still x. There should be no need to reference PureEdDSA.
https://datatracker.ietf.org/doc/html/rfc8032#section-4 says:
This document specifies parameters resulting in the HashEdDSA
variants Ed25519ph and Ed448ph and the PureEdDSA variants Ed25519 and
Ed448.
So the non-prehash variant named Ed25519 is indeed "PureEdDSA" -- but
it's being applied to something other than the user-visible "message" in
the OpenPGP context. Maybe we don't need to reference PureEdDSA
explicitly, but the fact that "Ed25519" is often used as a shorthand for
the whole family of EdDSA mechanisms over curve 25519 introduces some
amount of ambiguity in the spec as it's currently written.
I welcome suggestions for text that clarifies this subtlety in the
draft.
--dkg
signature.asc
Description: PGP signature
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp