crypto/ed25519: doc of Sign should warn not to prehash messages #36761
Typically, digital signature schemes require the user to first hash the payload and then sign it. Correct me if I am wrong, but this should be true for RSA, DSA and ECDSA.
If my understanding is right, ED25519 seems to be different: it already hashes the message in a way that the collision-resistance property is guaranteed even when it becomes feasible to find a collision for SHA512. Thus, prehashing the input messages basically nullifies this collision-resistance property of ED25519 itself. In fact, if a possible attacker can efficiently find a collision for the prehashed message, they would be able to carry out a forgery attack.
Also, according to RFC8032 section 8.7, it would be better to mention to avoid signing large messages.
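The following is an added example, not code from the Go issue or from the Go project, that makes the point above concrete. It contrasts signing the full message with `ed25519.Sign` against the anti-pattern of signing a prehash. To show the consequence without a real SHA-512 collision, it uses a constructed, deliberately weak prehash (`toyPrehash`, the first two bytes of SHA-512) for which collisions are found by brute force; the helper names and the `"transfer N"` messages are assumptions for this illustration only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"fmt"
)

// toyPrehash stands in for a hash whose collision resistance has failed.
// It keeps only the first 2 bytes of SHA-512, so a collision is found by
// brute force in a few hundred tries. Constructed for illustration only;
// never use a truncated hash like this in practice.
func toyPrehash(msg []byte) []byte {
	sum := sha512.Sum512(msg)
	return sum[:2]
}

// findCollision returns two distinct messages with equal toyPrehash output,
// using the birthday approach over constructed "transfer N" messages.
func findCollision() (a, b []byte) {
	seen := map[uint16][]byte{}
	for i := 0; ; i++ {
		m := []byte(fmt.Sprintf("transfer %d", i))
		k := binary.BigEndian.Uint16(toyPrehash(m))
		if prev, ok := seen[k]; ok {
			return prev, m
		}
		seen[k] = m
	}
}

// signDirect signs the whole message, which is how ed25519.Sign is meant
// to be used: the signature is bound to every byte of msg.
func signDirect(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// signPrehashed is the anti-pattern: it signs the digest instead of the
// message, so the signature is only as strong as the prehash's
// collision resistance.
func signPrehashed(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, toyPrehash(msg))
}

// verifyPrehashed mirrors signPrehashed on the verifier's side.
func verifyPrehashed(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, toyPrehash(msg), sig)
}

// Demo signs m1 under both schemes and reports whether each signature is
// accepted for the colliding message m2. Direct signing rejects m2;
// prehashed signing accepts it, i.e. the signature transfers to m2.
func Demo() (directAcceptsM2, prehashAcceptsM2 bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	m1, m2 := findCollision()
	sigDirect := signDirect(priv, m1)
	sigPre := signPrehashed(priv, m1)
	return ed25519.Verify(pub, m2, sigDirect), verifyPrehashed(pub, m2, sigPre)
}

func main() {
	d, p := Demo()
	fmt.Printf("direct signature valid for colliding message:    %v\n", d)
	fmt.Printf("prehashed signature valid for colliding message: %v\n", p)
}
```

Pure Ed25519 derives its nonce and challenge from the message itself, so even a colliding prehash buys nothing against `signDirect`; the weakness appears only when the caller shrinks the input to a digest first. Where a digest-first API is unavoidable, RFC 8032 defines Ed25519ph for that purpose (available in Go 1.20 and later through `ed25519.Options{Hash: crypto.SHA512}`), which at least binds the domain separation into the signature rather than silently reusing pure Ed25519 over a hash.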