ed25519 and sha256

Werner Koch wk at gnupg.org
Thu Sep 26 09:59:15 CEST 2019

On Wed, 25 Sep 2019 16:35, rjh at sixdemonbag.org said:

> Wikipedia is not a very good reference for low-level technical details.
>  Ed25519 is shorthand for "EdDSA on a specific curve": it is silent on
> the subject of hash algorithms, although you can specify one as
> "Ed25519-SHA-512" or what-have-you.

Not quite true.  We use ed25519 with SHA-512.  However, what we sign is
a hash value which commonly happens to be a SHA-256 hash.

The reason for this is that this model better fits into the OpenPGP
framework and - more important - this indirection allows us to implement
ed25519/sha512 in a smartcard.  Consider the case that you want to sign
a large data blob with a smartcard: With the direct ed25519 method it
would be required to send the entire data to the smartcard which would
take way too long for any practical application.  Smartcards communicate
in the 300 kBit/sec range and even USB tokens are not much faster.
Further they employ small 16 bit CPUs where taking a SHA-512 hash on a
lot of data will take ages.



Thoughts are free.  Exceptions are regulated by a federal law.
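
The indirection described in the message above, as an added example that is not part of the original post and not GnuPG's code: the host hashes the data with SHA-256 and only the 32-byte digest crosses to a simulated token, which signs it with Ed25519 (SHA-512 internally). `Token`, `HostDigest`, `VerifyBlob` and `LinkSeconds` are hypothetical names, the data is constructed, and the digest here covers only the data, whereas an OpenPGP signature also hashes signature metadata.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Token stands in for a smartcard: the private key stays inside it and it
// accepts only a fixed-size digest (hypothetical type, not a real card API).
type Token struct{ priv ed25519.PrivateKey }

// SignDigest runs plain Ed25519, which hashes its input with SHA-512
// internally, over the 32-byte SHA-256 digest supplied by the host.
func (t *Token) SignDigest(d []byte) ([]byte, error) {
	if len(d) != sha256.Size {
		return nil, fmt.Errorf("want %d-byte digest, got %d bytes", sha256.Size, len(d))
	}
	return ed25519.Sign(t.priv, d), nil
}

// HostDigest streams the data through SHA-256 on the host CPU.
func HostDigest(r io.Reader) ([]byte, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}

// VerifyBlob recomputes the digest and checks the signature over it.
func VerifyBlob(pub ed25519.PublicKey, blob, sig []byte) bool {
	d, err := HostDigest(bytes.NewReader(blob))
	return err == nil && ed25519.Verify(pub, d, sig)
}

// LinkSeconds is the time to move n bytes over a link of the given bit rate.
func LinkSeconds(n int, bitsPerSec float64) float64 { return float64(n) * 8 / bitsPerSec }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)                 // errors ignored for brevity
	blob := bytes.Repeat([]byte("constructed sample data\n"), 1<<20) // 24 MiB, constructed
	d, _ := HostDigest(bytes.NewReader(blob))
	sig, _ := (&Token{priv: priv}).SignDigest(d)
	fmt.Printf("link time at 300 kbit/s: blob %.0f s, digest %.4f s; verifies: %v\n", LinkSeconds(len(blob), 300e3), LinkSeconds(len(d), 300e3), VerifyBlob(pub, blob, sig))
}
```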