Please review EdDSA API
Adam Petcher
adam.petcher at oracle.com
Thu Jul 26 22:10:05 UTC 2018
On 7/26/2018 5:05 PM, Michael StJohns wrote:
> The test vectors will not pass, because they are calling the byte
> array from which the private key and the signing value are derived as
> the private key.
>
> However, each and every signature generated by the above approach
> (e.g. using a *real* private key and a signing value downstream
> derived from that private key) *will* verify, and each and every
> signature by that private key over the same data using the above
> approach will produce identical signatures.
>
I've stated in the JEP[1] that the goal of this effort is an
implementation of EdDSA as described in the RFC. What you are proposing
is a slightly different key generation and signing procedure. The fact
that the signatures will still verify is not sufficient to convince me
that the procedures that you are proposing offer the same security as
the ones in the RFC.

I understand that you don't like the fact that I am representing the
private key value as a byte array instead of an integer. If you can come
up with an alternative representation that still allows the same
functions that are specified in the RFC, then I will consider it.

[1] https://bugs.openjdk.java.net/browse/JDK-8199231
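
For reference, the derivation both messages refer to (RFC 8032, section 5.1.5): the 32-byte string the RFC calls the private key is hashed, and the signing scalar and the prefix are the two halves of that digest. This is an added example, not code from the thread or from the JDK; the function names are illustrative, and the arithmetic is variable-time and meant for study only.

```python
import hashlib

# Added example; edwards25519 constants and steps follow RFC 8032.
p = 2**255 - 19

def inv(x):
    return pow(x, p - 2, p)               # modular inverse (Fermat)

d = -121665 * inv(121666) % p
# RFC 8032 section 7.1, TEST 1 "SECRET KEY": the byte array under discussion.
RFC_TEST1_KEY = bytes.fromhex(
    "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")

def recover_x(y, sign):
    # Solve the curve equation for x (RFC 8032 section 5.1.3).
    x2 = (y * y - 1) * inv(d * y * y + 1) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p != 0:
        x = x * pow(2, (p - 1) // 4, p) % p   # multiply by sqrt(-1)
    if (x * x - x2) % p != 0:
        raise ValueError("y is not on the curve")
    return p - x if (x & 1) != sign else x

def point_add(P, Q):
    # Addition in extended coordinates (X, Y, Z, T).
    A, B = (P[1] - P[0]) * (Q[1] - Q[0]) % p, (P[1] + P[0]) * (Q[1] + Q[0]) % p
    C, D = 2 * P[3] * Q[3] * d % p, 2 * P[2] * Q[2] % p
    E, F, G, H = B - A, D - C, D + C, B + A
    return (E * F % p, G * H % p, F * G % p, E * H % p)

def point_mul(s, P):
    Q = (0, 1, 1, 0)                      # neutral element
    while s > 0:
        if s & 1:
            Q = point_add(Q, P)
        P, s = point_add(P, P), s >> 1
    return Q

def expand_private_key(k):
    # RFC 8032 5.1.5: hash the 32-byte private key, split the digest in two.
    h = hashlib.sha512(k).digest()
    s = int.from_bytes(h[:32], "little")
    s = (s & ((1 << 254) - 8)) | (1 << 254)   # clear bits 0-2 and 255, set 254
    return s, h[32:]                      # signing scalar, 32-byte prefix

def public_key(k):
    s, _prefix = expand_private_key(k)
    By = 4 * inv(5) % p
    Bx = recover_x(By, 0)
    X, Y, Z, _ = point_mul(s, (Bx, By, 1, Bx * By % p))
    x, y = X * inv(Z) % p, Y * inv(Z) % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")
```

Because the scalar and the prefix are halves of one SHA-512 output over the 32-byte key, the prefix cannot be recomputed from the scalar alone.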