crypto/ed25519: doc of Sign should warn not to prehash messages #36761

gmichelo · 2020-01-25T13:33:13Z

Typically, digital signature schemas require the user to first hash the payload and then sign it. Correct me if I am wrong, but this should be true for RSA, DSA and ECDSA.

If my understanding is right, ED25519 seems to be different: it already hashes the message in a way that the collision resistant property is guaranteed even when it becomes feasible to find a collision for SHA512. Thus, prehashing the input messages basically nullifies this collision resistant property of ED25519 itself. In fact, if a possible attacker can efficiently find a collision for the prehashed message, they would be able to carry out a forgery attack.

Also, according to RFC8032 section 8.7 , it would be better to mention to avoid signing large messages.

/cc @FiloSottile @katiehockman

gopherbot · 2020-01-26T13:03:15Z

Change https://golang.org/cl/216458 mentions this issue: crypto/ed25519: clarify doc of Sign and added package example

FiloSottile added the Documentation label Jan 25, 2020

FiloSottile added this to the Backlog milestone Jan 25, 2020

FiloSottile added the help wanted label Jan 25, 2020

cagedmantis added the NeedsFix The path to resolution is known, but the work has not been done. label Feb 3, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

crypto/ed25519: doc of Sign should warn not to prehash messages #36761

crypto/ed25519: doc of Sign should warn not to prehash messages #36761

gmichelo commented Jan 25, 2020

gopherbot commented Jan 26, 2020

crypto/ed25519: doc of Sign should warn not to prehash messages #36761

crypto/ed25519: doc of Sign should warn not to prehash messages #36761

Comments

gmichelo commented Jan 25, 2020

gopherbot commented Jan 26, 2020