Re: [Cfrg] Message Digest Algorithm Choice for CMS with Ed448

Taylor R Campbell <> Mon, 14 November 2016 23:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 58F53128874 for <>; Mon, 14 Nov 2016 15:39:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.397
X-Spam-Status: No, score=-3.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.497] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Q5oPdyWFSk50 for <>; Mon, 14 Nov 2016 15:39:18 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 770421293F9 for <>; Mon, 14 Nov 2016 15:39:18 -0800 (PST)
Received: by (Postfix, from userid 1014) id 5486660380; Mon, 14 Nov 2016 23:39:07 +0000 (UTC)
From: Taylor R Campbell <>
To: "Salz, Rich" <>
In-reply-to: <> (
Date: Mon, 14 Nov 2016 23:39:17 +0000
Sender: Taylor R Campbell <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <>
Archived-At: <>
Cc: Russ Housley <>, Jim Schaad <>, "Scott Fluhrer (sfluhrer)" <>, IRTF CFRG <>
Subject: Re: [Cfrg] Message Digest Algorithm Choice for CMS with Ed448
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Nov 2016 23:39:19 -0000

   Date: Mon, 14 Nov 2016 23:15:56 +0000
   From: "Salz, Rich" <>

   For this document, we are not defining a new signing technique, we
   are defining how to use the existing techniques with current
   crypto.  Make sense?

Not sure what you mean here.  H(r, m) is an exising technique with
current crypto -- the plethora of applications using Ed25519 out of
libsodium or whatever do exactly this, picking r = H(sk, m) where sk
is the long-term secret key.  This doesn't require extra inputs to the
signature on the part of the user -- the user still just feeds in a
long-term secret signing key sk and a message m, and gets out a
signature or signed message.

A prehash is needed only for legacy protocols that foolishly insist on
incorporating the message m only via a single fixed public hash
function H(m) of it, which renders them vulnerable to collisions in H,
or forces them to pay the additional cost of collision resistance.