[Cryptography] More efficient and just as secure to sign message hash using Ed25519?

Viktor Dukhovni cryptography at dukhovni.org
Mon Aug 3 14:26:24 EDT 2015


On Sun, Aug 02, 2015 at 01:07:27PM -0400, Allen wrote:

> >  So if you hash first, you now have two collision risks whereas before you
> only had one. ... Almost certainly the least of your worries in any
> real-world application.
> 
> I see it basically the same way.  Performing two full hashes of the message
> seems to buy only a very small marginal security benefit (maybe something on
> the order of 1 additional bit of security in the overall scheme?).  Even if
> I thought the additional computational/probabilistic security were needed, I
> could probably find a way to use those CPU cycles that would yield a better
> payoff (using a stronger curve or a more complicated hash function
> perhaps?).  I'm comfortable signing the hash(message) rather than the
> message itself.

So long as the full hash function remains resistant to internal
collisions, the extra care is not required.  The Ed25519 proposal
however survives failures in internal collision resistance.  It is
a more conservative design.  You might conjecture it to be too
conservative, but that's no excuse for arguing that there's no
added robustness from defending against as yet impractical attacks.

-- 
	Viktor.
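The trade-off discussed above, signing hash(message) versus signing the message, as an added example that is not part of this thread: a minimal pure-Python Ed25519 signer written here following the RFC 8032 construction, beside a deliberately weakened prehash (`weak_prehash`, constructed for the demonstration, a 16-bit truncation of SHA-512). For a pair of messages that collide under that prehash, sign-the-hash produces one identical signature covering both, while pure Ed25519, which feeds the message through the secret-prefixed nonce hash and the challenge hash, signs the two messages distinctly.

```python
import hashlib
# Ed25519 parameters (RFC 8032): field prime, group order, curve constant d, base point B.
Q = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
D = -121665 * pow(121666, Q - 2, Q) % Q
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)

def _add(P, R):  # affine twisted-Edwards addition: slow and dependency-free, demo only
    (x1, y1), (x2, y2) = P, R
    t = D * x1 * x2 * y1 * y2 % Q
    return ((x1 * y2 + x2 * y1) * pow(1 + t, Q - 2, Q) % Q,
            (y1 * y2 + x1 * x2) * pow(1 - t, Q - 2, Q) % Q)
def _mul(P, e):  # double-and-add scalar multiplication (not constant-time)
    R = (0, 1)
    while e:
        if e & 1:
            R = _add(R, P)
        P, e = _add(P, P), e >> 1
    return R
def _enc(P):  # 255-bit little-endian y with the parity of x in the top bit
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")
def keypair(seed):  # clamped secret scalar a, nonce prefix, encoded public key A
    h = hashlib.sha512(seed).digest()
    a = (int.from_bytes(h[:32], "little") & ~7 & ((1 << 254) - 1)) | (1 << 254)
    return a, h[32:], _enc(_mul(B, a))

def sign(seed, msg):  # pure Ed25519: msg feeds both the nonce hash and the challenge hash
    a, prefix, pk = keypair(seed)
    r = int.from_bytes(hashlib.sha512(prefix + msg).digest(), "little") % L
    R = _enc(_mul(B, r))
    k = int.from_bytes(hashlib.sha512(R + pk + msg).digest(), "little")
    return R + ((r + k * a) % L).to_bytes(32, "little")

def weak_prehash(msg):  # constructed stand-in for a prehash whose collision resistance failed
    return hashlib.sha512(msg).digest()[:2]  # 16 bits: a birthday search collides quickly
def find_collision(limit=1 << 17):  # two distinct messages with equal weak_prehash
    seen = {}
    for i in range(limit):
        m = b"invoice #%d" % i
        h = weak_prehash(m)
        if h in seen:
            return seen[h], m
        seen[h] = m
def compare_modes(seed, m1, m2):
    # (pure signatures equal?, sign-the-hash signatures equal?) for a colliding pair: pure mode
    # signs the two messages differently; sign-the-hash emits one signature valid for both.
    return (sign(seed, m1) == sign(seed, m2),
            sign(seed, weak_prehash(m1)) == sign(seed, weak_prehash(m2)))
```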