crypto/ed25519: doc of Sign should warn not to prehash messages
#36.761 aperta il 25 gen 2020
Metriche repository
- Star
- (133.883 star)
- Metriche merge PR
- (Nessuna PR mergiata in 30 g)
Descrizione
Typically, digital signature schemas require the user to first hash the payload and then sign it. Correct me if I am wrong, but this should be true for RSA, DSA and ECDSA.
If my understanding is right, ED25519 seems to be different: it already hashes the message in a way that the collision resistant property is guaranteed even when it becomes feasible to find a collision for SHA512. Thus, prehashing the input messages basically nullifies this collision resistant property of ED25519 itself. In fact, if a possible attacker can efficiently find a collision for the prehashed message, they would be able to carry out a forgery attack.
Also, according to RFC8032 section 8.7 , it would be better to mention to avoid signing large messages.
/cc @FiloSottile @katiehockman