bunnie
commented
7 months ago Also, fwiw, I heartily agree with the code comments in the ed25519 crate, ranting about the implementation of the ph scheme and not being able to specify your own nonce, but for my own reason: splitting the hash op is terrible for hardware hashers:
Included in full here because links to other repos don't inline:
// This is the dumbest, ten-years-late, non-admission of fucking up the
// domain separation I have ever seen. Why am I still required to put
// the upper half "prefix" of the hashed "secret key" in here? Why
// can't the user just supply their own nonce and decide for themselves
// whether or not they want a deterministic signature scheme? Why does
// the message go into what's ostensibly the signature domain separation
// hash? Why wasn't there always a way to provide a context string?
//
// ...
//
// This is a really fucking stupid bandaid, and the damned scheme is
// still bleeding from malleability, for fuck's sake.Glad I'm not alone in writing cathartic rants in code comments.
This is a note mainly for @bunnie when implementing the next-gen hardware.
We should switch the loader verification to the ed25519-ph scheme. It is now standardized and using the pre-hash mechanism gives us the flexibility we need to parcel out the loader for fast hardware computation without having to re-implement tricky crypto APIs.
This is not done on the 1st-gen Precursor devices because it would involve a SoC update and a tricky re-factor of the extremely tiny, highly optimized ROM bootloader, which itself involves plenty of dangerous tricks to get it to fit into such a small space.
Basically, "don't fix it if it ain't broke", but "do it better next time".
And, the issue will hopefully help me remember to do it better next time, since I revisit the issue board regularly for old reminders like this.