[openpgp] EdDSA/Ed25519 I-D for OpenPGP

Werner Koch wk at gnupg.org
Thu Aug 21 09:22:52 CEST 2014

On Thu, 21 Aug 2014 00:24, coruus at gmail.com said:

> See infra. You should list EdDSA parameters that need to be encoded
> into the OID.

Not required.  That is specified in the Ed25519 paper.

> This is confusing. EdDSA is defined to operate on messages of
> arbitrary length; hashing the message is part of the EdDSA algorithm.

Right but that can't be used in OpenPGP.  Recall that there is a
preference system which goes along with encrypted messages and that we
have specific requirements of what needs to be hashed.  Messing up the
well established OpenPGP layered structure won't do any good.

Further, to implement EdDSA on a smartcard it is required that the card
does the hashing.  Now imagine what happens if you try to sign a 100 MB
message:  You can go out for lunch and come back to realize that it will
take another hour to finish.

> Ed25519-SHA2-512 is widely implemented. No other hash functions
> currently specified for use with OpenPGP provide long enough output to
> be used with Curve25519.

We are talking about the EdDSA algorithm which required the Edwards form
of Curve25519.  The internal use of a 64 byte digest is required by the
way EdDSA works.  Using a SHA-256 hash as data to be signed matches this
nicely but if you don't like it you may sign any other hash.

> http://ed25519.cr.yp.to/ed25519-20110926.pdf

Web pages are not suitable as a normative reference.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list