On Sun, 2014-08-31 at 21:12 +0200, Niels Möller wrote:
I'm looking into EdDSA. According to the paper, signing of a message M, using private key (a, k), corresponding to public key A, is essentially
  r = H(k | M), with k the second half of the private key
  R = rB, with B the specified generator of the curve
  S = (r + H(R | A | M) a) mod l, l is the curve order

with some rules to encode R, A, S as strings. H is typically sha-512.

If M is the original, arbitrarily long, message to be signed, this breaks the common structure that you can first compute a message digest, and then apply the secret key to produce a signature.
That is indeed quite different from any other signature scheme. I don't know whether EdDSA is going to be standardized or not, but it is certainly being discussed in the IRTF. Maybe raising that issue there would make more sense.
Or should M itself be a digest of the message to be signed? That will enable a more main-stream signature interface, where the inputs to the signature function are the private key and the short message digest.
M would most probably be protocol related and at least for TLS it is often something short, but other protocols may differ.
regards, Nikos
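The signing equations quoted in this thread, as an added Python example (not code from either poster or from any library): it shows that M is hashed twice, with the second hash needing R from the first, and the digest-as-M alternative raised above. It assumes the Ed25519 curve parameters and SHA-512; `sign`, `verify`, `prehash` and the key values passed in are illustrative names, and the arithmetic is affine and not constant time.

```python
import hashlib

p = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493   # order of B
d = -121665 * pow(121666, p - 2, p) % p

def H(*parts):                      # SHA-512 as a little-endian integer
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def add(P, Q):                      # twisted Edwards addition, affine coordinates
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow(1 + t, p - 2, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, p - 2, p) % p)

def mul(s, P):                      # double-and-add; not constant time
    Q = (0, 1)
    while s:
        if s & 1:
            Q = add(Q, P)
        P, s = add(P, P), s >> 1
    return Q

def base_point():                   # B has y = 4/5 and even x
    y = 4 * pow(5, p - 2, p) % p
    xx = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if x * x % p != xx:
        x = x * pow(2, (p - 1) // 4, p) % p
    return (p - x if x & 1 else x, y)

B = base_point()

def enc(P):                         # 32-byte encoding: y plus sign bit of x
    return (P[1] | (P[0] & 1) << 255).to_bytes(32, "little")

def sign(a, k, M):
    A = mul(a, B)
    r = H(k, M) % l                          # first pass over all of M
    R = mul(r, B)
    S = (r + H(enc(R), enc(A), M) * a) % l   # second pass, needs R first
    return R, S

def verify(A, M, R, S):             # checks S*B == R + H(R | A | M)*A
    return mul(S, B) == add(R, mul(H(enc(R), enc(A), M) % l, A))

def prehash(M):                     # the alternative: sign a short digest
    return hashlib.sha512(M).digest()
```

Calling `sign(a, k, prehash(M))` gives the digest-then-sign interface, but the result is a signature over the digest and does not verify against M itself.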