Mailing List Archive

ed25519 and sha256
Hello,

I have a question regarding ed25519 as implemented in gnupg 2.2.17, libgcrypt 1.8.4.

Let’s say I sign a file. When checking the signature with verbose output, I can see that sha256 was used:

gpg: binary signature, digest algorithm SHA256, key algorithm ed25519

According to Wikipedia "Ed25519 is the EdDSA signature scheme using SHA-512 and Curve25519". Granted, I have sha256 in my preferences, but the standard should override that, correct? I wonder, because in a different application (iPGMail) using the same key with the same embedded preferences, sha512 is used.

Curious,
RH
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ed25519 and sha256
> According to Wikipedia "Ed25519 is the EdDSA signature scheme using
> SHA-512 and Curve25519". Granted, I have sha256 in my preferences,
> but the standard should override that, correct?

Wikipedia is not a very good reference for low-level technical details.
Ed25519 is shorthand for "EdDSA on a specific curve": it is silent on
the subject of hash algorithms, although you can specify one as
"Ed25519-SHA-512" or what-have-you.

Many other applications, such as DNSSEC, call for SHA-256 to be used
with Ed25519.

From the original paper defining Ed25519:

"Our recommended curve for EdDSA is a twisted Edwards curve birationally
equivalent to the curve Curve25519 from [12]. ... We use the name
Ed25519 for EdDSA with this particular choice of curve.

Specifically, Ed25519-SHA-512 is EdDSA with ... SHA-512."

https://ed25519.cr.yp.to/ed25519-20110926.pdf

Re: ed25519 and sha256
On Wed, 25 Sep 2019 16:35, rjh@sixdemonbag.org said:

> Wikipedia is not a very good reference for low-level technical details.
> Ed25519 is shorthand for "EdDSA on a specific curve": it is silent on
> the subject of hash algorithms, although you can specify one as
> "Ed25519-SHA-512" or what-have-you.

Not quite true. We use ed25519 with SHA-512. However, what we sign is
a hash value which commonly happens to be a SHA-256 hash.

The reason for this is that this model better fits into the OpenPGP
framework and - more important - this indirection allows us to implement
ed25519/sha512 in a smartcard. Consider the case that you want to sign
a large data blob with a smartcard: With the direct ed25519 method it
would be required to send the entire data to the smartcard which would
take way too long for any practical application. Smartcards communicate
in the 300 kBit/sec range and even USB tokens are not much faster.
Further they employ small 16 bit CPUs where taking a SHA-512 hash on a
lot of data will take ages.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
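
The indirection described in the last reply, as an added example that is not part of the thread and not GnuPG's code: a textbook Ed25519 per RFC 8032 (SHA-512 inside) is handed only the 32-byte SHA-256 digest computed on the host. All function names are made up for this sketch, the hashing is simplified (real OpenPGP also hashes signature metadata into the digest), and the arithmetic is not constant-time.

```python
import hashlib

p, L = 2**255 - 19, 2**252 + 27742317777372353535851937790883648493
d = -121665 * pow(121666, p - 2, p) % p  # p, L, d: RFC 8032, section 5.1

def add(P, Q):  # points in extended coordinates (X, Y, Z, T)
    a, b = (P[1] - P[0]) * (Q[1] - Q[0]) % p, (P[1] + P[0]) * (Q[1] + Q[0]) % p
    c, e = 2 * P[3] * Q[3] * d % p, 2 * P[2] * Q[2] % p
    return ((b - a) * (e - c) % p, (e + c) * (b + a) % p,
            (e - c) * (e + c) % p, (b - a) * (b + a) % p)

def mul(s, P):  # double-and-add, starting from the neutral element
    Q = (0, 1, 1, 0)
    while s:
        Q, P, s = (add(Q, P) if s & 1 else Q), add(P, P), s >> 1
    return Q

def enc(P):  # compress a point to 32 bytes
    zi = pow(P[2], p - 2, p)
    return (P[1] * zi % p | (P[0] * zi % p & 1) << 255).to_bytes(32, "little")

def dec(b):  # decompress; raises ValueError if b is not a curve point
    y = int.from_bytes(b, "little") & ((1 << 255) - 1)
    x2 = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    if (x * x - x2) % p:
        raise ValueError("not a curve point")
    x = p - x if x & 1 != b[31] >> 7 else x
    return (x, y, 1, x * y % p)

B = dec((4 * pow(5, p - 2, p) % p).to_bytes(32, "little"))  # base point, y = 4/5

def H(*parts):  # EdDSA's internal hash: always SHA-512, whatever the caller hashed
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def sign(seed, msg):  # returns (public key, 64-byte signature)
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    A, r = enc(mul(a, B)), H(h[32:], msg) % L
    R = enc(mul(r, B))
    return A, R + ((r + H(R, A, msg) * a) % L).to_bytes(32, "little")

def verify(A, msg, sig):  # checks [s]B == R + [h]A
    s, h = int.from_bytes(sig[32:], "little"), H(sig[:32], A, msg) % L
    return s < L and enc(mul(s, B)) == enc(add(dec(sig[:32]), mul(h, dec(A))))

def sign_digest(seed, data):  # simplified: the signer sees only SHA-256(data)
    return sign(seed, hashlib.sha256(data).digest())
```

A signature from `sign_digest` verifies against the SHA-256 digest of the data, not against the data itself, which is why `gpg` reports SHA256 as the digest algorithm while the Ed25519 operation still uses SHA-512.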