dalek-cryptography / curve25519-dalek

A pure-Rust implementation of group operations on Ristretto and Curve25519

Hard to use API for raw_sign_prehashed, I want to pass a 64 byte message hash #673

Open benma opened 1 month ago

benma commented 1 month ago

https://docs.rs/ed25519-dalek/latest/ed25519_dalek/hazmat/fn.raw_sign_prehashed.html

pub fn raw_sign_prehashed<CtxDigest, MsgDigest>(
    esk: &ExpandedSecretKey,
    prehashed_message: MsgDigest,
    verifying_key: &VerifyingKey,
    context: Option<&[u8]>
) -> Result<Signature, SignatureError>
where
    MsgDigest: Digest<OutputSize = U64>,
    CtxDigest: Digest<OutputSize = U64>,

I want to simply pass my pre-hashed message that is a [u8; 64]. I had to open the source code to realize that currently .finalize() is called on the MsgDigest to extract it, making this function needlessly hard to use if I don't have a Digest implementation.

Could you consider simply changing the prehashed_message to be of type [u8; 64]?

Or use the more narrow trait FixedOutput instead of Digest: https://docs.rs/digest/latest/digest/trait.FixedOutput.html

tarcieri commented 1 month ago

The FixedOutput change might be possible.

It's somewhat complicated by the nature of Ed25519, which does two passes over the input message rather than one, as a mechanism for preventing collisions in the underlying hash function from breaking the construction.

If you're looking for an API similar to signature algorithms like RSASSA or ECDSA which simply accept a message hash to compute a signature over, Ed25519 simply doesn't work that way. There's a related construction, Ed25519ph, which does, however it's a separate construction and you can't verify an Ed25519ph signature using Ed25519.

See: https://cryptologie.net/article/497/eddsa-ed25519-ed25519-ietf-ed25519ph-ed25519ctx-hasheddsa-pureeddsa-wtf/
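The distinction tarcieri draws (PureEdDSA needs the whole message twice; Ed25519ph takes a 64-byte SHA-512 digest but is a separate construction whose signatures do not verify as plain Ed25519) can be seen concretely with Go's standard-library crypto/ed25519, which exposes both variants. The following is an added example written for this page, not code from ed25519-dalek or from the thread. The seed, message and context string are constructed for the demo; a fixed seed is used only so the output is reproducible offline.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ed25519"
	"crypto/sha512"
	"fmt"
)

// DemoKey derives a key pair from a fixed, constructed seed so the example runs
// offline and reproducibly. A hard-coded seed is for illustration only; real
// keys come from a CSPRNG (ed25519.GenerateKey).
func DemoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignPure is plain Ed25519 (PureEdDSA). The signer needs the full message,
// because the construction hashes it twice (once into the nonce r, once into
// the challenge k), so there is no single "message hash" a caller could pass.
func SignPure(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// SignPrehashed is Ed25519ph: the caller supplies the 64-byte SHA-512 digest of
// the message, which is exactly the [u8; 64] shape requested in the issue.
// Go prefixes the hash inputs with the dom2(1, ctx) domain-separation string,
// so the result is a different signature from SignPure over the same message.
// The rand argument of PrivateKey.Sign is ignored by Ed25519 and may be nil.
func SignPrehashed(priv ed25519.PrivateKey, digest [sha512.Size]byte, ctx []byte) ([]byte, error) {
	opts := &ed25519.Options{Hash: crypto.SHA512, Context: string(ctx)}
	return priv.Sign(nil, digest[:], opts)
}

// VerifyPure checks a PureEdDSA signature over the raw message.
func VerifyPure(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// VerifyPrehashed checks an Ed25519ph signature against a digest and the same
// context the signer used. Any context mismatch makes verification fail.
func VerifyPrehashed(pub ed25519.PublicKey, digest [sha512.Size]byte, ctx, sig []byte) bool {
	opts := &ed25519.Options{Hash: crypto.SHA512, Context: string(ctx)}
	return ed25519.VerifyWithOptions(pub, digest[:], sig, opts) == nil
}

func main() {
	pub, priv := DemoKey()
	msg := []byte("constructed sample message") // constructed input
	digest := sha512.Sum512(msg)

	pure := SignPure(priv, msg)
	ph, err := SignPrehashed(priv, digest, nil)
	if err != nil {
		panic(err)
	}

	fmt.Println("pure signature verifies as Ed25519:      ", VerifyPure(pub, msg, pure))
	fmt.Println("ph signature verifies as Ed25519ph:      ", VerifyPrehashed(pub, digest, nil, ph))
	// The cross checks fail: Ed25519 and Ed25519ph are distinct constructions,
	// and signing the digest bytes with plain Ed25519 is not Ed25519ph either.
	fmt.Println("ph signature verifies as Ed25519(digest):", VerifyPure(pub, digest[:], ph))
	fmt.Println("pure signature verifies as Ed25519ph:    ", VerifyPrehashed(pub, digest, nil, pure))
	fmt.Println("Ed25519(digest bytes) == Ed25519ph(msg): ", bytes.Equal(SignPure(priv, digest[:]), ph))
}
```

The last three lines print false: a verifier configured for one variant rejects signatures from the other, which is the reason a library cannot silently turn a caller's 64-byte hash into a PureEdDSA signature.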