golang/go

crypto/ed25519: doc of Sign should warn not to prehash messages

Open

#36,761 opened on 2020年1月25日

GitHub で見る
 (1 comment) (2 reactions) (0 assignees)Go (19,008 forks)batch import
DocumentationNeedsFixhelp wanted

Repository metrics

Stars
 (133,883 stars)
PR merge metrics
 (30d に merged PR はありません)

説明

Typically, digital signature schemas require the user to first hash the payload and then sign it. Correct me if I am wrong, but this should be true for RSA, DSA and ECDSA.

If my understanding is right, ED25519 seems to be different: it already hashes the message in a way that the collision resistant property is guaranteed even when it becomes feasible to find a collision for SHA512. Thus, prehashing the input messages basically nullifies this collision resistant property of ED25519 itself. In fact, if a possible attacker can efficiently find a collision for the prehashed message, they would be able to carry out a forgery attack.

Also, according to RFC8032 section 8.7 , it would be better to mention to avoid signing large messages.

/cc @FiloSottile @katiehockman

コントリビューターガイド