Collision-resistant single-pass EdDSA?

ph flag

Is there any reason why collision-resistant variants of ed25519 that use a single pass aren't used instead? For example:

$n = h(noncekey \| m)$

$h(R \| pub \| n)$ instead of $h(R \| pub \| m)$

or alternatively, if we do not want to change the EdDSA algorithm itself and instead implement collision resistance on top of it:

Let $n'$ be a 256-bit number randomly generated by the signer:

$sig = n' \| S_{priv}(h(n' \| m))$

In both of these schemes (if I am not mistaken) an attacker that requests a message $m$ to be signed by the signer (such as in the case of certificate signing) should not be able to trick the signer into generating a signature that can be used with a message $m'$ where $m \neq m'$, even if $h$ is not collision-resistant.
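The second construction in the question, $sig = n' \| S_{priv}(h(n' \| m))$, can be built as a thin wrapper around any existing signature scheme. The following is an added example, not code from the question or from any EdDSA implementation. It makes two assumptions: the inner signature $S_{priv}$ / $V_{pub}$ is stood in for by HMAC-SHA512 under a shared key (so the example runs with the Python standard library only; it is not a claim that a MAC is a signature), and the hash $h$ is a deliberately weakened one (SHA-256 truncated to 32 bits, constructed here) so that a collision can actually be found and the difference between plain prehashing and the randomized prehash can be observed.

```python
"""Randomized prehash wrapper: sig = n' || S_priv(h(n' || m)).

Added example, not from the original post. The inner S_priv / V_pub is a
placeholder (HMAC-SHA512 under a shared key, assumption) because the wrapper
does not care which EUF-CMA signature it wraps. The hash is a constructed,
deliberately weak one so that the collision failure mode can be shown.
"""
import hashlib
import hmac
import os

NONCE_LEN = 32  # n' is a 256-bit value in the question


def make_inner_scheme(key: bytes):
    """Stand-in for (S_priv, V_pub). Assumption: any signature scheme fits here."""
    def sign(digest: bytes) -> bytes:
        return hmac.new(key, digest, hashlib.sha512).digest()

    def verify(digest: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(sign(digest), sig)

    return sign, verify


# --- plain prehash (Ed25519ph-style): sign h(m) directly --------------------
def plain_prehash_sign(sign, h, m: bytes) -> bytes:
    return sign(h(m))


def plain_prehash_verify(verify, h, m: bytes, sig: bytes) -> bool:
    # Any m' with h(m') == h(m) is accepted with the same signature.
    return verify(h(m), sig)


# --- randomized prehash from the question: n' || S_priv(h(n' || m)) --------
def randomized_prehash_sign(sign, h, m: bytes, rng=os.urandom) -> bytes:
    nonce = rng(NONCE_LEN)  # chosen by the signer AFTER the requester fixed m
    return nonce + sign(h(nonce + m))


def randomized_prehash_verify(verify, h, m: bytes, sig: bytes) -> bool:
    if len(sig) <= NONCE_LEN:
        return False
    nonce, inner = sig[:NONCE_LEN], sig[NONCE_LEN:]  # n' is read from sig, not from the caller
    return verify(h(nonce + m), inner)


# --- constructed weak hash and a collision search on it ----------------------
def weak_hash(data: bytes) -> bytes:
    """SHA-256 truncated to 32 bits: a stand-in for a hash with no collision resistance."""
    return hashlib.sha256(data).digest()[:4]


def find_collision(h):
    """Birthday search for m != m' with h(m) == h(m') (about 2^16 tries on the toy hash)."""
    seen = {}
    i = 0
    while True:
        m = b"request-%d" % i
        d = h(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
        i += 1


def demo(rng=os.urandom):
    """Returns (plain_transfers, randomized_genuine_ok, randomized_transfers)."""
    sign, verify = make_inner_scheme(b"constructed-demo-key")
    m, m_prime = find_collision(weak_hash)

    # Plain prehash: the signature the requester obtained on m also verifies on m'.
    sig = plain_prehash_sign(sign, weak_hash, m)
    plain_transfers = plain_prehash_verify(verify, weak_hash, m_prime, sig)

    # Randomized prehash: n' was unknown when (m, m') was chosen, so the
    # collision on h(m) says nothing about h(n' || m) versus h(n' || m').
    rsig = randomized_prehash_sign(sign, weak_hash, m, rng)
    genuine_ok = randomized_prehash_verify(verify, weak_hash, m, rsig)
    randomized_transfers = randomized_prehash_verify(verify, weak_hash, m_prime, rsig)
    return plain_transfers, genuine_ok, randomized_transfers


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False)
```

Two details matter for the wrapper to give the property the question describes: the verifier must take $n'$ from the signature itself rather than from the message or the caller, and $n'$ must be generated by the signer after the message is fixed and be unpredictable to the requester. What the construction buys is that a collision the requester prepared in advance no longer helps; it does not remove every requirement on $h$, since an attacker who sees $n'$ after the fact can still try to find an $m'$ with $h(n' \| m') = h(n' \| m)$, so $h$ still needs second-preimage-type (target-collision) resistance, as is immediately visible with the 32-bit toy hash above.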
