[Cryptography] More efficient and just as secure to sign message hash using Ed25519?

Ron Garret ron at flownet.com
Sun Aug 2 12:28:06 EDT 2015


On Aug 2, 2015, at 12:42 AM, Peter Schwabe <peter at cryptojedi.org> wrote:

> Allen <allenpmd at gmail.com> wrote:
> 
> Dear Allen,
> 
>> My question is, for long messages, wouldn't it be more efficient and just as
>> secure to hash the entire message just once, and then use the 64 byte hash
>> as the input to the signing algorithm? In other words, the code would look
>> like:
>> 
>> crypto_hash_sha512(mhash, m, mlen);
>> crypto_sign(output, mhash, 64, key);
>> 
>> This would seem to me to be faster for mlen > approx 128 bytes without any
>> loss of security.
> 
> What you're losing is collision resilience.

I think it’s important to note here that the collision resilience you are losing is resilience against collisions in the underlying hash H.  Ed25519 *is* a hash of M and the secret key, and it obviously cannot be resilient against collisions in *that* hash (i.e. collisions in ed25519 itself).  So if you hash first, you now have two collision risks whereas before you only had one.  But the output of Ed25519 is 256 bits, so if H is, say, SHA512 the incremental risks of collisions in H over the inherent risk of collisions in Ed25519 are (almost certainly) pretty darn low.  Almost certainly the least of your worries in any real-world application.

If you’re really worried about collisions, you can probably produce an overall more collision-resistant signature scheme by concatenating the signatures of two different hashes of M.  (But I am not an expert so don’t do this until someone who actually knows what they’re doing has analyzed it.)

rg
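
An added example, not part of the original message or of NaCl, showing the collision risk in H discussed in this thread with Go's standard crypto/ed25519: when only H(M) is signed, a collision in H found offline carries the signature over to a second message, while a signature over M itself does not carry over. The names weakH, findCollision and Demo are hypothetical, and SHA-512 truncated to 24 bits is a constructed stand-in for a hash whose collisions can be found.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha512"
	"fmt"
)

// weakH is a constructed stand-in for a hash H with findable collisions:
// SHA-512 truncated to 24 bits. Full SHA-512 has no known collisions.
func weakH(m []byte) [3]byte {
	d := sha512.Sum512(m)
	return [3]byte{d[0], d[1], d[2]}
}

// findCollision runs an offline birthday search; no signing key is involved.
func findCollision() ([]byte, []byte) {
	seen := make(map[[3]byte][]byte)
	for i := 0; ; i++ {
		m := []byte(fmt.Sprintf("constructed message %d", i))
		h := weakH(m)
		if prev, ok := seen[h]; ok {
			return prev, m
		}
		seen[h] = m
	}
}

// Demo signs m1 both ways and reports whether each signature also verifies for m2.
func Demo() (prehashTransfers, directTransfers bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	m1, m2 := findCollision()
	h1, h2 := weakH(m1), weakH(m2)
	// Hash-then-sign: the signer only ever sees H(m).
	sigPre := ed25519.Sign(priv, h1[:])
	prehashTransfers = ed25519.Verify(pub, h2[:], sigPre)
	// Plain Ed25519: the message itself feeds the signature's internal hashes.
	sigDirect := ed25519.Sign(priv, m1)
	directTransfers = ed25519.Verify(pub, m2, sigDirect)
	return
}

func main() {
	pre, direct := Demo()
	fmt.Printf("prehash sig valid for m2: %v; direct sig valid for m2: %v\n", pre, direct)
}
```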
