[Cryptography] More efficient and just as secure to sign message hash using Ed25519?

Ron Garret ron at flownet.com
Mon Aug 3 02:04:56 EDT 2015


On Aug 2, 2015, at 10:07 AM, Allen <allenpmd at gmail.com> wrote:

>> So if you hash first, you now have two collision risks whereas before you
>> only had one. ... Almost certainly the least of your worries in any
>> real-world application.
> 
> I see it basically the same way.  Performing two full hashes of the message
> seems to buy only a very small marginal security benefit (maybe something on
> the order of 1 additional bit of security in the overall scheme?).  Even if
> I thought the additional computational/probabilistic security were needed, I
> could probably find a way to use those CPU cycles that would yield a better
> payoff (using a stronger curve or a more complicated hash function
> perhaps?).  I'm comfortable signing the hash(message) rather than the
> message itself.

This is probably obvious, but I thought it might be worth stating explicitly for the benefit of lurkers: it’s important that the hash you sign be at least 256 bits.  512 is probably better just to give yourself a little more margin.  If you sign a hash narrower than 256 bits then you really do lose.

(And, as long as I’m stating the obvious, these numbers are for Ed25519.  If you are using a generalized EdDSA signature scheme you should sign a hash that is at least as wide as the signature you are producing.  Making it wider is probably not a bad idea.)
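
Added example, not part of the original message: the birthday bound behind the 256-bit floor stated above. A signature over hash(message) is equally valid for any other message with the same digest, and an n-bit digest yields a collision after roughly 2^(n/2) hashes; the 128-bit target used for Ed25519, the truncation of SHA-512 and the sample messages are assumptions of this sketch.

```python
import hashlib
from itertools import count

ED25519_SECURITY_BITS = 128  # assumption: the usual ~128-bit level quoted for Ed25519


def truncated_digest(message: bytes, bits: int) -> bytes:
    """SHA-512 of message, cut to its leading `bits` bits (multiple of 8)."""
    if bits % 8 or not 8 <= bits <= 512:
        raise ValueError("bits must be a multiple of 8 between 8 and 512")
    return hashlib.sha512(message).digest()[: bits // 8]


def find_collision(bits: int, max_tries: int = 1 << 22):
    """Birthday search over constructed messages.

    Returns (msg_a, msg_b, tries) where both messages share the same
    truncated digest, or None if max_tries is exhausted first.
    """
    seen = {}
    for i in count():
        if i >= max_tries:
            return None
        msg = b"constructed message #%d" % i  # sample input, constructed
        digest = truncated_digest(msg, bits)
        if digest in seen:
            return seen[digest], msg, i + 1
        seen[digest] = msg


def collision_work_bits(digest_bits: int) -> int:
    """log2 of the expected hashes needed for a collision (birthday bound)."""
    return digest_bits // 2


def digest_wide_enough(digest_bits: int,
                       target_bits: int = ED25519_SECURITY_BITS) -> bool:
    """True if collisions on the signed digest cost at least the target work."""
    return collision_work_bits(digest_bits) >= target_bits


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, tries = find_collision(bits)
        print(f"{bits}-bit digest: collision after {tries} hashes "
              f"(bound ~2^{collision_work_bits(bits)}): {a!r} / {b!r}")
    for bits in (160, 256, 512):
        print(f"{bits}-bit digest wide enough for Ed25519: {digest_wide_enough(bits)}")
```

Each extra 8 bits of digest multiplies the search cost by about 16, which is why the narrow widths fall in well under a second while 256 bits stays out of reach.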
