tQsW
commented
4 years ago Sorry for looping back late. No, I don't plan to include these variants. My rationale is as follows and let me know if it makes sense. The prehash could be done via user-provided digest, and webcrypto currently also provides SHA-512, though the composition is not exactly the same as Ed25519ph if I understand correctly. For Ed25519ctx, the comment in RFC 8032 Section 8.3 on the context being an extra input, makes me wonder how useful to support Ed25519ctx in webcrypto, if the primitive is used in a high-level protocol on the web, which expects the pure version.
I wanted to get this on the record, but I think that the answer is "no".
Do you want to define 'Ed25519ph' or 'Ed25519ctx'?