ietf-openpgp
[Top] [All Lists]

Re: [openpgp] Ed25519 and digest choices (issue 31)

2021-05-26 10:56:16
Hi Daniel--

On Tue 2021-05-25 10:59:39 +0000, Daniel Huigens wrote:
This is the function that the specification should (and I believe
tries to) reference. The OpenPGP specification indeed pre-hashes the
message as well, but this is irrelevant to (and comes before) RFC8032,
PH(x) is still x. There should be no need to reference PureEdDSA.

https://datatracker.ietf.org/doc/html/rfc8032#section-4 says:

   This document specifies parameters resulting in the HashEdDSA
   variants Ed25519ph and Ed448ph and the PureEdDSA variants Ed25519 and
   Ed448.

So the non-prehash variant named Ed25519 is indeed "PureEdDSA" -- but
it's being applied to something other than the user-visible "message" in
the OpenPGP context.  Maybe we don't need to reference PureEdDSA
explicitly, but the fact that "Ed25519" is often used as a shorthand for
the whole family of EdDSA mechanisms over curve 25519 introduces some
amount of ambiguity in the spec as it's currently written.

I welcome suggestions for text that clarifies this subtlety in the
draft.

        --dkg

Attachment: signature.asc
Description: PGP signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
<Prev in Thread] Current Thread [Next in Thread>