[Cryptography] More efficient and just as secure to sign message hash using Ed25519?

Allen allenpmd at gmail.com
Mon Aug 3 15:21:50 EDT 2015


> > I see it basically the same way.  Performing two full hashes of the 
> > message seems to buy only a very small marginal security benefit 
> > (maybe something on the order of 1 additional bit of security in the 
> > overall scheme?).  Even if I thought the additional 
> > computational/probabilistic security were needed, I could probably 
> > find a way to use those CPU cycles that would yield a better payoff 
> > (using a stronger curve or a more complicated hash function perhaps?).  
> > I'm comfortable signing the hash(message) rather than the message itself.

> So long as the full hash function remains resistant to internal collisions, the extra care is not required.
> The Ed25519 proposal however survives failures in internal collision resistance.  It is a more conservative design.
> You might conjecture it to be too conservative, but that's no excuse for arguing that there's no added robustness
> from defending against as yet impractical attacks.

Who claimed there is "no added robustness"?  It certainly wasn't me.  I specifically said there was a very small marginal benefit, but that I thought it was not the best use of the resources required.

It would also be more conservative to use five different 1024-bit hash functions in parallel and to sign messages twelve times using RSA, DSA, ECDSA and EdDSA with various curves and key lengths.  But it's not our job to be as conservative as possible without considering the costs and benefits.

You are correct that I believe the double-hashing in the Ed25519 design is overly conservative for many applications.  I also think that in some if not many cases the additional CPU cycles required to hash the full message twice could be put to other uses that would give a better security payoff.
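To make the cost the thread argues about concrete, here is an added illustration (not code from this thread or from the Ed25519 authors): a compact pure-Python Ed25519, following the structure of the public-domain reference implementation, beside the "sign SHA-512(message)" variant the poster describes (plain Ed25519 over the digest, not RFC 8032's domain-separated Ed25519ph). A byte counter on the hash function shows that plain Ed25519 feeds the full message through SHA-512 twice (once for the nonce r, once for the challenge k), while the prehashed variant hashes it once and then only hashes a fixed 64-byte digest. The implementation is checked against RFC 8032 test vector 1; the `sk` seed used in the usage example is a constructed sample, and the `HASHED_BYTES` counter and `hash_cost` helper exist only for this comparison.

```python
"""Educational, slow Ed25519 plus a sign-the-hash variant with a hash-cost meter.

Added illustration only; the curve arithmetic mirrors the public-domain reference
ed25519.py structure (affine coordinates, modular inverse per addition).
"""
import hashlib

q = 2**255 - 19                                        # field prime
l = 2**252 + 27742317777372353535851937790883648493     # prime group order
d = (-121665 * pow(121666, q - 2, q)) % q              # twisted Edwards constant
I = pow(2, (q - 1) // 4, q)                            # sqrt(-1) mod q

HASHED_BYTES = [0]   # constructed cost meter: bytes fed to SHA-512 since last reset


def H(data: bytes) -> bytes:
    HASHED_BYTES[0] += len(data)
    return hashlib.sha512(data).digest()


def Hint(data: bytes) -> int:
    return int.from_bytes(H(data), "little")


def inv(x: int) -> int:
    return pow(x, q - 2, q)


def xrecover(y: int) -> int:
    """Recover the even x for a given y on -x^2 + y^2 = 1 + d x^2 y^2."""
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * I) % q
    return q - x if x % 2 else x


B = (xrecover((4 * inv(5)) % q), (4 * inv(5)) % q)     # base point, y = 4/5


def edwards_add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % q, (y1 * y2 + x1 * x2) * inv(1 - t) % q)


def scalarmult(P, e: int):
    Q = (0, 1)                                         # neutral element; MSB-first double-and-add
    for bit in bin(e)[2:]:
        Q = edwards_add(Q, Q)
        if bit == "1":
            Q = edwards_add(Q, P)
    return Q


def encodepoint(P) -> bytes:
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")   # y plus sign bit of x


def decodepoint(s: bytes):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    if (x & 1) != (s[31] >> 7):
        x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q != 0:
        raise ValueError("point not on curve")
    return (x, y)


def _scalar_and_prefix(sk: bytes):
    h = H(sk)                                          # 64-byte expansion of the 32-byte seed
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)   # clamp
    return a, h[32:]


def publickey(sk: bytes) -> bytes:
    a, _ = _scalar_and_prefix(sk)
    return encodepoint(scalarmult(B, a))


def sign(m: bytes, sk: bytes) -> bytes:
    """Plain Ed25519: the whole message m goes through SHA-512 twice."""
    a, prefix = _scalar_and_prefix(sk)
    pk = encodepoint(scalarmult(B, a))
    r = Hint(prefix + m)                               # hash #1 over m: deterministic nonce
    R = encodepoint(scalarmult(B, r))
    k = Hint(R + pk + m)                               # hash #2 over m: challenge
    return R + ((r + k * a) % l).to_bytes(32, "little")


def verify(sig: bytes, m: bytes, pk: bytes) -> bool:
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        R, A = decodepoint(sig[:32]), decodepoint(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= l:                                         # reject non-canonical S
        return False
    k = Hint(sig[:32] + pk + m)
    return scalarmult(B, S) == edwards_add(R, scalarmult(A, k))


def sign_prehashed(m: bytes, sk: bytes) -> bytes:
    """The variant under discussion: hash m once, sign the 64-byte digest."""
    return sign(H(m), sk)


def verify_prehashed(sig: bytes, m: bytes, pk: bytes) -> bool:
    return verify(sig, H(m), pk)


def hash_cost(fn, *args) -> int:
    """Bytes fed to SHA-512 by one call of fn(*args) (constructed helper)."""
    HASHED_BYTES[0] = 0
    fn(*args)
    return HASHED_BYTES[0]


def reference_vector_ok() -> bool:
    """RFC 8032 section 7.1, test 1 (empty message)."""
    sk = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
    pk = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
    sig = bytes.fromhex("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
                        "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")
    return publickey(sk) == pk and sign(b"", sk) == sig and verify(sig, b"", pk)


if __name__ == "__main__":
    sk = bytes(range(32))                              # constructed sample seed, not a real key
    m = b"x" * 1000
    print("reference vector:", reference_vector_ok())
    print("plain Ed25519 bytes hashed:", hash_cost(sign, m, sk))        # 2*len(m) + 128
    print("prehashed bytes hashed:  ", hash_cost(sign_prehashed, m, sk))  # len(m) + 256
```

For a message of M bytes the plain scheme hashes 2M + 128 bytes (the seed expansion plus two passes over M with their short prefixes), while the prehashed variant hashes M + 256. The difference is exactly the second pass over the message that the thread weighs against the robustness it buys: in the prehashed variant both the nonce and the challenge bind only to SHA-512(M), so a collision in that single hash lets one signature cover two messages.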


