[Cryptography] More efficient and just as secure to sign message hash using Ed25519?
Allen
allenpmd at gmail.com
Sun Aug 2 13:07:27 EDT 2015
> So if you hash first, you now have two collision risks whereas before you
only had one. ... Almost certainly the least of your worries in any
real-world application.
I see it basically the same way. Performing two full hashes of the message
seems to buy only a very small marginal security benefit (maybe something on
the order of 1 additional bit of security in the overall scheme?). Even if
I thought the additional computational/probabilistic security were needed, I
could probably find a way to use those CPU cycles that would yield a better
payoff (using a stronger curve or a more complicated hash function
perhaps?). I'm comfortable signing the hash(message) rather than the
message itself.
More information about the cryptography
mailing list