[curves] XEdDSA specification
brian at briansmith.org
Sat Oct 29 23:49:43 PDT 2016
Trevor Perrin <trevp at trevp.net> wrote:
> On Fri, Oct 28, 2016 at 12:47 PM, Trevor Perrin <trevp at trevp.net> wrote:
> > On Fri, Oct 28, 2016 at 2:40 AM, Brian Smith <brian at briansmith.org>
> > [...]
> >> Consider this "best of both worlds" scheme:
> >> r = hash1(a || [first half of Z] || M || [second half of Z])
> Samuel Neves mentioned (off-list) that with SHA512's 128-byte block
> size, a and M would still be mingled together in the first block.
> So I'm thinking about this:
> a || Z || pad || M
> where "pad" adds zero bytes to fill the hash block (so 32 bytes with
> 25519 and SHA512, since |a|=32 and |Z|=64).
This also makes sense to me, and also partially addresses my question about
whether |Z| should be a function of the block size of the hash function.
> (4) The prior rationale for hashing Z at the end was weak: It might
> help protect a very weak hash where the attacker was able to choose M
> to force biases or collisions, even with unknown and randomized
> prefix. But I think the sidechannel threat is more plausible.
- We could consider a || Z1 || pad || M || Z2, but the risk of (4) is
> low enough that I doubt that's worth the complexity
I would like to read more about attacks of the form of #4, if people have
references. Up to now I've always lived a life of luxury wherein I have
been allowed to assume there is no such attack, but I've not searched hard
for research on that matter either.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Curves