Please review EdDSA API

Adam Petcher adam.petcher at oracle.com
Thu Jul 26 22:10:05 UTC 2018


On 7/26/2018 5:05 PM, Michael StJohns wrote:

> The test vectors will not pass, because they are calling the byte 
> array from which the private key and the signing value are derived as 
> the private key.
>
> However, each and every signature generated by the above approach 
> (e.g. using a *real* private key and a signing value downstream 
> derived from that private key) *will* verify, and each and every 
> signature by that private key over the same data using the above 
> approach will produce identical signatures.
>

I've stated in the JEP[1] that the goal of this effort is an 
implementation of EdDSA as described in the RFC. What you are proposing 
is a slightly different key generation and signing procedure. The fact 
that the signatures will still verify is not sufficient to convince me 
that the procedures that you are proposing offer the same security as 
the ones in the RFC.

I understand that you don't like the fact that I am representing the 
private key value as a byte array instead of an integer. If you can come 
up with an alternative representation that still allows the same 
functions that are specified in the RFC, then I will consider it.


[1] https://bugs.openjdk.java.net/browse/JDK-8199231



More information about the security-dev mailing list