[openpgp] EdDSA/Ed25519 I-D for OpenPGP
David Leon Gil
coruus at gmail.com
Thu Aug 21 00:24:18 CEST 2014
On Tue, Aug 19, 2014 at 4:04 PM, Werner Koch <wk at gnupg.org> wrote:
> I just submitted an I-D for use of Ed25519 in OpenPGP:
This is terrific!
> 2. Supported Curves
> Other curves may be used by using a specific OID for the curve and
> its EdDSA parameters.
See infra. You should list EdDSA parameters that need to be encoded
into the OID.
> 3. Point Format
Are MPIs -- and the 0x40 prefix -- necessary? The curve OID already
determines the length of the octet string.
Similarly for encoding the signature; it poses significant
interoperability concerns to deviate from the existing encoding used
by Ed25519 implementations.
> Although that algorithm allows arbitrary data as input, its use with
> OpenPGP requires that a digest of the message is used as input. See
> section 5.2.4 of [RFC4880], "Computing Signatures" for details.
> Truncation of the resulting digest is never applied; the resulting
> digest value is used verbatim as input to the EdDSA algorithm.
This is confusing. EdDSA is defined to operate on messages of
arbitrary length; hashing the message is part of the EdDSA algorithm.
EdDSA has seven parameters:
- an integer _b_ ≥ 10;
- a cryptographic hash function _H_ producing **2b-bit output**;
- a prime power _q_ congruent to 1 modulo 4;
- a (_b_−1)-bit encoding of elements of the finite field _Fq_;
- a non-square element _d_ of _Fq_;
- a prime _L_ between 2^(_b_−4) and 2^(_b_−3) satisfying an extra
constraint [. . .];
- [and a point _B_]
Ed25519-SHA2-512 is widely implemented. No other hash functions
currently specified for use with OpenPGP provide long enough output to
be used with Curve25519.
> 10. Normative References
> [ED25519] Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B.
> Yang, "High-speed high-security signatures", Journal of
> Cryptographic Engineering Volume 2, Issue 2, pp. 77-89,
> September 2011,
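
Added example, not part of the original message or of the draft: what RFC 4880 MPI wrapping does to a fixed-length 32-octet Ed25519 string, with and without the 0x40 prefix questioned above. The helper names are hypothetical, the sample value is constructed, and it is assumed that the prefix octet is prepended to the native octet string before MPI encoding.

```python
# Illustration only: RFC 4880 MPI framing applied to fixed-length Ed25519 octet strings.
POINT_LEN = 32   # native Ed25519 point / scalar length in octets
PREFIX = 0x40    # prefix octet discussed in the thread (assumed to precede the native point)

def mpi_encode(value: bytes) -> bytes:
    """MPI = 2-octet big-endian bit count + integer octets with leading zeros dropped."""
    stripped = value.lstrip(b"\x00")
    bits = (len(stripped) - 1) * 8 + stripped[0].bit_length() if stripped else 0
    return bits.to_bytes(2, "big") + stripped

def mpi_decode(buf: bytes) -> bytes:
    """Return the integer octets, rejecting truncated or inconsistent bit counts."""
    if len(buf) < 2:
        raise ValueError("missing MPI length")
    bits = int.from_bytes(buf[:2], "big")
    body = buf[2:2 + (bits + 7) // 8]
    if len(body) != (bits + 7) // 8:
        raise ValueError("truncated MPI")
    if bits and body[0].bit_length() != bits - 8 * (len(body) - 1):
        raise ValueError("bit count does not match leading octet")
    return body

def point_to_mpi(native: bytes) -> bytes:
    """Prefixed form: 0x40 || native point, then MPI framing (always 263 bits)."""
    if len(native) != POINT_LEN:
        raise ValueError("Ed25519 point must be 32 octets")
    return mpi_encode(bytes([PREFIX]) + native)

def point_from_mpi(buf: bytes) -> bytes:
    body = mpi_decode(buf)
    if len(body) != POINT_LEN + 1 or body[0] != PREFIX:
        raise ValueError("not a 0x40-prefixed 32-octet point")
    return body[1:]

def fixed_from_bare_mpi(buf: bytes) -> bytes:
    """Bare MPI of a 32-octet string: leading zero octets were dropped, so pad back."""
    body = mpi_decode(buf)
    if len(body) > POINT_LEN:
        raise ValueError("value longer than 32 octets")
    return body.rjust(POINT_LEN, b"\x00")

# Constructed sample: a 32-octet string whose first octet is zero.
SAMPLE = b"\x00" + bytes(range(1, 32))

if __name__ == "__main__":
    print(point_to_mpi(SAMPLE).hex())   # length is fixed by the prefix
    print(mpi_encode(SAMPLE).hex())     # one octet shorter: the zero was stripped
```

Without the prefix, the on-the-wire length depends on the value, so a decoder has to re-pad before handing the octets to an existing Ed25519 implementation that expects exactly 32.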