[Cryptography] More efficient and just as secure to sign message hash using Ed25519?
Peter Schwabe
peter at cryptojedi.org
Sun Aug 2 03:42:42 EDT 2015
Allen <allenpmd at gmail.com> wrote:
Dear Allen,
> My question is, for long messages, wouldn't it be more efficient and just as
> secure to hash the entire message just once, and then use the 64 byte hash
> as the input to the signing algorithm? In other words, the code would look
> like:
>
> crypto_hash_sha512(mhash, m, mlen);
> crypto_sign(output, mhash, 64, key);
>
> The would seem to me to be faster for mlen > approx 128 bytes without any
> loss of security.
What you're losing is collision resilience. For a more detailed
discussion please see our recent paper "EdDSA for more curves", page 5,
paragraph "Security notes on prehashing":
https://cryptojedi.org/peter/index.shtml#eddsa
Best regards,
Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 173 bytes
Desc: Digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150802/bee3cc40/attachment.sig>
More information about the cryptography
mailing list