[openpgp] EdDSA/Ed25519 I-D for OpenPGP

David Leon Gil coruus at gmail.com
Thu Aug 21 00:24:18 CEST 2014

On Tue, Aug 19, 2014 at 4:04 PM, Werner Koch <wk at gnupg.org> wrote:
> I just submitted an I-D for use of Ed25519 in OpenPGP:

This is terrific!

> 2.  Supported Curves
>    Other curves may be used by using a specific OID for the curve and
>    its EdDSA parameters.

See infra. You should list EdDSA parameters that need to be encoded
into the OID.

> 3.  Point Format

Are MPIs -- and the 0x40 prefix -- necessary? The curve OID already
determines the length of the octet string.

Similarly for encoding the signature; it poses significant
interoperability concerns to deviate from the existing encoding used
by Ed25519 implementations.

>    Although that algorithm allows arbitrary data as input, its use with
>    OpenPGP requires that a digest of the message is used as input.  See
>    section 5.2.4 of [RFC4880], "Computing Signatures" for details.
>    Truncation of the resulting digest is never applied; the resulting
>    digest value is used verbatim as input to the EdDSA algorithm.

This is confusing. EdDSA is defined to operate on messages of
arbitrary length; hashing the message is part of the EdDSA algorithm.

To quote:

  EdDSA has seven parameters:
    - an integer _b_ ≥ 10;
    - a cryptographic hash function _H_ producing **2b-bit output**;
    - a prime power _q_ congruent to 1 modulo 4;
    - a (_b_−1)-bit encoding of elements of the finite field _Fq_;
    - a non-square element _d_ of _Fq_;
    - a prime _L_ between 2^_b_−4 and 2^_b_−3 satisfying an extra
      constraint [. . .];
    - [and a point _B_]

Ed25519-SHA2-512 is widely implemented. No other hash functions
currently specified for use with OpenPGP provide long enough output to
be used with Curve25519.

> 10.  Normative References
>    [ED25519]  Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B.
>               Yang, "High-speed high-security signatures", Journal of
>               Cryptographic Engineering Volume 2, Issue 2, pp. 77-89,
>               September 2011,
