[Cryptography] More efficient and just as secure to sign message hash using Ed25519?

Allen allenpmd at gmail.com
Sat Aug 1 19:18:52 EDT 2015


According to the Ed25519 paper, the (potentially long) input message is
hashed twice (see http://ed25519.cr.yp.to/ed25519-20110926.pdf Section 4
page 12 steps 1 and 3). The webpage
https://blog.mozilla.org/warner/2011/11/29/ed25519-keys/ has a nice diagram
toward the bottom that illustrates this, and I confirmed it in the reference
code on Supercop (see supercop-20141124/crypto_sign/ed25519/ref/sign.c,
function calls crypto_hash_sha512(nonce, sm+32, mlen+32) and
crypto_hash_sha512(hram, sm, mlen + 64)).

My question is, for long messages, wouldn't it be more efficient and just as
secure to hash the entire message just once, and then use the 64 byte hash
as the input to the signing algorithm? In other words, the code would look
like:

crypto_hash_sha512(mhash, m, mlen);
crypto_sign(output, mhash, 64, key);

This would seem to me to be faster for mlen > approx 128 bytes without any
loss of security.

Am I missing something here? Is there a potential loss of security to using
mhash as the signing input instead of the original message m?