Nikos Mavrogiannopoulos nmav@gnutls.org writes:
That is indeed quite different from any other signature scheme. I don't know whether eddsa is going to be standardized or not, but it is certainly being discussed in irtf. Maybe raising that issue there would make more sense.
Where, more precisely, do you suggest I ask about this? cfrg@irtf.org ?
M would most probably be protocol related and at least for TLS it is often something short, but other protocols may differ.
For a start, I think it makes sense to have sign and verify functions that take the complete arbitrary-length message as an argument, and no attempt at any _update function. With the expecation that short messages are what people will be using (and then a flexible input size is nice), and that applications for signing large messages with eddsa will likely do their own message digest before invoking the eddsa functions.
Regards, /Niels