diff options
author | Jack Lloyd <[email protected]> | 2019-06-29 04:21:37 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2019-06-29 04:47:17 -0400 |
commit | 099d7d6b053d1b68fed55e778397abd9dbaa279f (patch) | |
tree | 60f57bf40f771f95e2423c685caa82d8165e0f5d /doc/api_ref | |
parent | 50f3a247881a1fc5293ddf2357594d1461e476b4 (diff) |
Document how to use Ed25519ph
Closes #1699
Diffstat (limited to 'doc/api_ref')
-rw-r--r-- | doc/api_ref/pubkey.rst | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/doc/api_ref/pubkey.rst b/doc/api_ref/pubkey.rst index 6f867103f..c35421fa5 100644 --- a/doc/api_ref/pubkey.rst +++ b/doc/api_ref/pubkey.rst @@ -673,6 +673,28 @@ and a ECDSA signature using EMSA1 with SHA-256. Subsequently the computed signat } +Ed25519 Variants +^^^^^^^^^^^^^^^^^^ + +Most signature schemes in Botan follow a hash-then-sign paradigm. That is, the +entire message is digested to a fixed length representative using a collision +resistant hash function, and then the digest is signed. Ed25519 instead signs +the message directly. This is beneficial, in that the Ed25519 design should +remain secure even in the (extremely unlikely) event that a collision attack on +SHA-512 is found. However it means the entire message must be buffered in +memory, which can be a problem for many applications which might need to sign +large inputs. To use this variety of Ed25519, use a padding name of "Pure". + +Ed25519ph (pre-hashed) instead hashes the message with SHA-512 and then signs +the digest plus a special prefix specified in RFC 8032. To use it, specify +padding name "Ed25519ph". + +Another variant of pre-hashing is used by GnuPG. There the message is digested +with any hash function, then the digest is signed. To use it, specify any valid +hash function. Even if SHA-512 is used, this variant is not compatible with +Ed25519ph. + +For best interop with other systems, prefer "Ed25519ph". Key Agreement --------------------------------- |