
crypto/ed25519: Implement Ed25519ph #31804

Open
titanous opened this issue May 2, 2019 · 4 comments

Comments

@titanous
Member

commented May 2, 2019

The Ed25519ph variant specified in RFC 8032 allows signing/verifying a message that has already been hashed with SHA-512 without risking the collision-resistant properties of "PureEdDSA" when using the same keys for messages signed using both schemes.

This is useful in at least two scenarios:

  1. When the private key is isolated to another piece of hardware and passing the entire message to be signed is not possible, for example when using an HSM and signing messages larger than a few KB.
  2. When working with large messages that are too large to be reasonably buffered for the current one-shot API.

This variant can be implemented minimally using the existing crypto.Signer API plus an additional verification function, without encouraging unsafe use by providing easy access to an API that takes an io.Reader or io.Writer.

Due to the additional internal hash initialization, there is no way to implement this without forking the package or upstreaming an implementation patch.

I will send a CL with a proposed implementation.

Relevant: #31727

/cc @zx2c4 @FiloSottile
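As an added example (not code from this issue or its CL), the following shows the usage pattern described above as it exists in the standard library from Go 1.20 onward: Ed25519ph signing through the crypto.Signer interface with crypto.SHA512 as the SignerOpts, a matching verification function, and a check that a ph signature over a digest is not accepted as a PureEdDSA signature over the same 64 bytes, which is the key-reuse property the post refers to. The sample message and helper names are assumptions for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// signPrehashed produces an Ed25519ph signature (RFC 8032, section 5.1) over a
// message that has already been reduced to its SHA-512 digest. Since Go 1.20 the
// standard crypto/ed25519 package selects the ph variant when crypto.SHA512 is
// passed as the crypto.SignerOpts; the message must then be exactly 64 bytes.
func signPrehashed(priv ed25519.PrivateKey, digest [sha512.Size]byte) ([]byte, error) {
	return priv.Sign(rand.Reader, digest[:], crypto.SHA512)
}

// verifyPrehashed checks an Ed25519ph signature against the message digest.
func verifyPrehashed(pub ed25519.PublicKey, digest [sha512.Size]byte, sig []byte) bool {
	return ed25519.VerifyWithOptions(pub, digest[:], sig, &ed25519.Options{Hash: crypto.SHA512}) == nil
}

// demo signs a constructed message in ph mode and then checks the domain
// separation between the two schemes: the ph signature over the digest must
// not verify as a PureEdDSA signature over those same 64 digest bytes, so a key
// used for both schemes cannot have one scheme's signatures replayed as the other's.
// It returns (phValid, pureAcceptsPhSig, err).
func demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	msg := []byte("constructed sample message standing in for a large stream") // constructed input
	digest := sha512.Sum512(msg)
	sig, err := signPrehashed(priv, digest)
	if err != nil {
		return false, false, err
	}
	phValid := verifyPrehashed(pub, digest, sig)
	pureAcceptsPhSig := ed25519.Verify(pub, digest[:], sig)
	return phValid, pureAcceptsPhSig, nil
}

func main() {
	phValid, pureAcceptsPhSig, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("ph signature verifies: %v; accepted as PureEdDSA over digest: %v\n", phValid, pureAcceptsPhSig)
}
```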

@titanous titanous added this to the Unreleased milestone May 2, 2019

@gopherbot


commented May 2, 2019

Change https://golang.org/cl/174941 mentions this issue: ed25519: Implement Ed25519ph

@x30n


commented Jul 22, 2019

+1

@Hades32


commented Jul 26, 2019

Thanks @titanous, this is just what we needed. Confirmed to behave as the reference implementation (libsodium). 👍

Not sure if this is still in time for 1.13... @FiloSottile

@FiloSottile FiloSottile modified the milestones: Unreleased, Go1.14 Jul 26, 2019

@FiloSottile FiloSottile changed the title x/crypto/ed25519: Implement Ed25519ph crypto/ed25519: Implement Ed25519ph Jul 26, 2019

@FiloSottile

Member

commented Jul 26, 2019

Too late for Go 1.13, targeting Go 1.14. (crypto/ed25519 is not in the standard library.)
