[Cryptography] More efficient and just as secure to sign message hash using Ed25519?
Ron Garret
ron at flownet.com
Mon Aug 3 02:04:56 EDT 2015
On Aug 2, 2015, at 10:07 AM, Allen <allenpmd at gmail.com> wrote:
>> So if you hash first, you now have two collision risks whereas before you
>> only had one. ... Almost certainly the least of your worries in any
>> real-world application.
>
> I see it basically the same way. Performing two full hashes of the message
> seems to buy only a very small marginal security benefit (maybe something on
> the order of 1 additional bit of security in the overall scheme?). Even if
> I thought the additional computational/probabilistic security were needed, I
> could probably find a way to use those CPU cycles that would yield a better
> payoff (using a stronger curve or a more complicated hash function
> perhaps?). I'm comfortable signing the hash(message) rather than the
> message itself.
This is probably obvious, but I thought it might be worth stating explicitly for the benefit of lurkers: it’s important that the hash you sign be at least 256 bits. 512 is probably better just to give yourself a little more margin. If you sign a hash narrower than 256 bits then you really do lose.
(And, as long as I’m stating the obvious, these numbers are for Ed25519. If you are using a generalized EdDSA signature scheme you should sign a hash that is at least as wide as the signature you are producing. Making it wider is probably not a bad idea.)
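The width requirement in the message above follows from the birthday bound: colliding an n-bit digest costs about 2^(n/2) hash evaluations, and two colliding messages share one signature. The sketch below is an added example, not part of the original post; it measures that cost on SHA-512 truncated to toy widths and then applies the same rule to real widths. The 128-bit security level assumed for Ed25519 and the sample messages are this example's own choices.

```python
import hashlib
from itertools import count

# Assumption of this example: Ed25519 targets roughly 128-bit security.
ED25519_SECURITY_BITS = 128


def truncated_digest(message: bytes, bits: int) -> bytes:
    """SHA-512 of message, cut down to `bits` (must be a multiple of 8)."""
    return hashlib.sha512(message).digest()[: bits // 8]


def effective_security_bits(digest_bits: int) -> int:
    """Strength of sign(hash(m)): the weaker of the curve and the
    birthday bound (digest_bits / 2) on the hash being signed."""
    return min(ED25519_SECURITY_BITS, digest_bits // 2)


def find_collision(bits: int):
    """Birthday search over constructed messages.

    Returns (m1, m2, tries) where m1 != m2 share the same truncated digest.
    """
    seen = {}
    for i in count():
        msg = b"constructed sample message #%d" % i
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg, i + 1
        seen[d] = msg


if __name__ == "__main__":
    # Toy widths: the measured work tracks 2^(bits/2).
    for bits in (16, 24, 32):
        m1, m2, tries = find_collision(bits)
        print(f"{bits}-bit digest: collision after {tries} hashes "
              f"(birthday estimate 2^{bits // 2} = {2 ** (bits // 2)})")
    # Real widths: anything under 256 bits caps the scheme below the curve.
    for bits in (128, 160, 256, 512):
        print(f"{bits}-bit digest -> about {effective_security_bits(bits)}-bit scheme")
```
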