Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/ed25519: Implement Ed25519ph #31804

titanous opened this issue May 2, 2019 · 4 comments


Copy link

commented May 2, 2019

The Ed25519ph variant specified in RFC 8032 allows signing/verifying a message that has already been hashed with SHA-512 without risking the collision-resistant properties of "PureEdDSA" when using the same keys for messages signed using both schemes.

This is useful in at least two scenarios:

  1. When the private key is isolated to another piece of hardware and passing the entire message to be signed is not possible, for example when using a HSM and signing messages larger than a few KB.
  2. When working with large messages that are too large to be reasonably buffered for the current one-shot API.

This variant can be implemented minimally using the existing crypto.Signer API plus an additional verification function, without encouraging unsafe use by providing easy access to an API that takes an io.Reader or io.Writer.

Due to the additional internal hash initialization, there is no way to implement this without forking the package or upstreaming an implementation patch.

I will send a CL with a proposed implementation.

Relevant: #31727

/cc @zx2c4 @FiloSottile

@titanous titanous added this to the Unreleased milestone May 2, 2019


This comment has been minimized.

Copy link

commented May 2, 2019

Change mentions this issue: ed25519: Implement Ed25519ph


This comment has been minimized.

Copy link

commented Jul 22, 2019



This comment has been minimized.

Copy link

commented Jul 26, 2019

Thanks @titanous , this is just what we needed. Confirmed to behave as the reference implementation (libsodium). 👍

Not sure if this is still in time for 1.13... @FiloSottile

@FiloSottile FiloSottile modified the milestones: Unreleased, Go1.14 Jul 26, 2019

@FiloSottile FiloSottile changed the title x/crypto/ed25519: Implement Ed25519ph crypto/ed25519: Implement Ed25519ph Jul 26, 2019


This comment has been minimized.

Copy link

commented Jul 26, 2019

Too late for Go 1.13, targeting Go 1.14. (crypto/ed25519 is not in the standard library.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
5 participants
You can’t perform that action at this time.