[noise] XEdDSA and Noise

Rhys Weatherley rhys.weatherley at gmail.com
Tue Oct 25 15:50:49 PDT 2016

On Wed, Oct 26, 2016 at 6:50 AM, Trevor Perrin <trevp at trevp.net> wrote:

> Also, XEdDSA is defined for 512-bit hash functions, so
> we'd have to decide if/how it works if someone chooses a Noise 256-bit
> hash.

I see the 512-bit hash that is used in XEdDSA as an internal implementation
detail of the signature algorithm.  It is used to hash the message (the
short "h" in our case) and to safely generate the random nonce r used
during signing.  It doesn't need to be the same hash as the one used to
generate the message "h".  IMHO.

It isn't clear to me on a casual read of the linked specification as to why
plain Ed25519 isn't suitable.  Problems with sharing static keys with
Diffie-Hellman?  Deterministic signatures?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20161026/f3fc3759/attachment.html>

More information about the Noise mailing list