[Cryptography] More efficient and just as secure to sign message hash using Ed25519?

Viktor Dukhovni cryptography at dukhovni.org
Mon Aug 3 00:35:00 EDT 2015


On Sun, Aug 02, 2015 at 09:28:06AM -0700, Ron Garret wrote:

> > What you're losing is collision resilience.
> 
> I think it's important to note here that the collision resilience you are
> losing is resilience against collisions in the underlying hash H.  Ed25519
> *is* a hash of M and the secret key, and it obviously cannot be resilient
> against collisions in *that* hash (i.e. collisions in ed25519 itself).
> So if you hash first, you now have two collision risks whereas before you
> only had one.  But the output of Ed25519 is 256 bits, so if H is, say,
> SHA512 the incremental risks of collisions in H over the inherent risk of
> collisions in Ed25519 are (almost certainly) pretty darn low.  Almost
> certainly the least of your worries in any real-world application.
> 
> If you're really worried about collisions, you can probably produce an
> overall more collision-resistant signature scheme by concatenating the
> signatures of two different hashes of M.  (But I am not an expert so don't
> do this until someone who actually knows what they're doing has analyzed
> it.)

This analysis is too naive.  The risk is internal collisions in
the hash function, which might enable extension attacks.  The
Ed25519 construct is resistant against internal collisions and
extension attacks, while SHA-2 is not.

Now of course internal collisions on the full SHA-2 are far from
feasible at present, but not depending on unexpected progress on
that front is reasonable defense in depth.

-- 
	Viktor.
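To make the distinction in this thread concrete, here is an added example (not code from the list, from either poster, or from any Ed25519 library's own documentation). It uses Go's standard-library crypto/ed25519 and compares plain Ed25519 over M with "hash first, then sign H(M)". The external hash H is a constructed toy (the first two bytes of SHA-512) so that a collision in H can be found offline in a few hundred iterations; the names weakHash, findCollision, signDirect, signHashThenSign and Demo are this example's own. The point it shows is the one Ron and Viktor are discussing: with hash-then-sign, any collision in H lets one signature verify for both colliding messages, whereas the direct Ed25519 signature (which hashes R, A and M together inside the scheme) does not transfer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"fmt"
)

// weakHash is a deliberately weak stand-in for the external hash H:
// only the first two bytes of SHA-512. It is constructed for this example
// so that collisions in H are cheap to find and the effect on each
// signature scheme can be observed directly.
func weakHash(m []byte) []byte {
	sum := sha512.Sum512(m)
	return sum[:2]
}

// findCollision runs a birthday search over 4-byte counter messages and
// returns the first pair of distinct messages with equal weakHash output.
// With a 16-bit hash this terminates after a few hundred iterations.
func findCollision() ([]byte, []byte) {
	seen := map[[2]byte][]byte{}
	for i := uint32(0); ; i++ {
		m := make([]byte, 4)
		binary.BigEndian.PutUint32(m, i)
		var key [2]byte
		copy(key[:], weakHash(m))
		if prev, ok := seen[key]; ok {
			return prev, m // prev was stored under a smaller counter, so prev != m
		}
		seen[key] = m
	}
}

// signDirect is plain Ed25519 over the message itself; the scheme's
// internal SHA-512 binds the nonce R, the public key A and M together.
func signDirect(priv ed25519.PrivateKey, m []byte) []byte {
	return ed25519.Sign(priv, m)
}

// signHashThenSign is the "sign the message hash" variant under discussion:
// Ed25519 is applied to H(M), so the signature is only as good as H.
func signHashThenSign(priv ed25519.PrivateKey, m []byte) []byte {
	return ed25519.Sign(priv, weakHash(m))
}

func verifyDirect(pub ed25519.PublicKey, m, sig []byte) bool {
	return ed25519.Verify(pub, m, sig)
}

func verifyHashThenSign(pub ed25519.PublicKey, m, sig []byte) bool {
	return ed25519.Verify(pub, weakHash(m), sig)
}

// Demo signs m1 under both schemes and reports whether each signature is
// accepted for the colliding message m2. Expected: (false, true).
func Demo() (directTransfers bool, prehashTransfers bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	m1, m2 := findCollision()
	sigDirect := signDirect(priv, m1)
	sigPrehash := signHashThenSign(priv, m1)
	return verifyDirect(pub, m2, sigDirect), verifyHashThenSign(pub, m2, sigPrehash)
}

func main() {
	direct, prehash := Demo()
	fmt.Printf("direct Ed25519 signature on m1 verifies for colliding m2: %v\n", direct)
	fmt.Printf("hash-then-sign signature on m1 verifies for colliding m2: %v\n", prehash)
}
```

The weak 16-bit hash is only there to make the failure observable; with a full SHA-512 as H the same transfer would require a real SHA-512 collision, which is the "far from feasible at present" case Viktor refers to. The structural difference is what matters for defense in depth: in the direct scheme there is no externally chosen H whose collisions map straight onto forged-message acceptance.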

