crypto/ed25519: doc of Sign should warn not to prehash messages
#36,761 opened on Jan 25, 2020
Repository metrics
- Stars
- (133,883 stars)
- PR merge metrics
- (No merged PRs in 30d)
Description
Typically, digital signature schemas require the user to first hash the payload and then sign it. Correct me if I am wrong, but this should be true for RSA, DSA and ECDSA.
If my understanding is right, ED25519 seems to be different: it already hashes the message in a way that the collision resistant property is guaranteed even when it becomes feasible to find a collision for SHA512. Thus, prehashing the input messages basically nullifies this collision resistant property of ED25519 itself. In fact, if a possible attacker can efficiently find a collision for the prehashed message, they would be able to carry out a forgery attack.
Also, according to RFC8032 section 8.7 , it would be better to mention to avoid signing large messages.
/cc @FiloSottile @katiehockman