by loup-vaillant 2345 days ago
EdDSA can have something close. Long story short, an EdDSA signature has two parts, often called "R" and "s". Verification works by producing a number using the public key and "s", then checking that this number is the same as "R". There are basically 3 steps:

  1. h_ram   <- HASH(R || public_key || message)
  2. R_check <- obscure_computation(public_key, s, h_ram)
  3. if R_check == R, accept, else reject
Steps 1 and 3 are straightforward (the hash and the constant time comparison are almost always implemented in dedicated routines, tested separately). Step 2 is the most dangerous (that's where the elliptic curve magic happens).

EdDSA implementations would be easier to check against one another if they all exposed step 2 as part of the public API. Bonus points if step 2 can handle invalid inputs (low order point, point on the twist...) in a standard manner. I haven't seen such a thing though, probably because end users never need a separate step 2.

Still, I can already envision the benefits. I'll probably use it myself.
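To make the three-step split concrete, here is an added toy Ed25519 (my own illustration, not the commenter's code or any library's API) in which step 1, step 2 and step 3 are separate functions, and step 2 on its own rejects a non-canonical s, a non-canonical or off-curve public key, and a low-order public key by raising ValueError. The function names step1_h_ram, step2_r_check and verify are my own; the arithmetic uses plain Python integers, so it is not constant time and is only meant for comparing implementations, never for production use.

```python
import hashlib, hmac
# Ed25519 parameters (RFC 8032). Plain Python ints: not constant time, illustration only.
Q = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
inv = lambda x: pow(x, Q - 2, Q)                     # field inverse
D = -121665 * inv(121666) % Q                        # curve constant d
SQRT_M1 = pow(2, (Q - 1) // 4, Q)                    # sqrt(-1) mod Q
H = lambda *parts: hashlib.sha512(b"".join(parts)).digest()

def add(P, R):  # affine twisted-Edwards addition (a = -1)
    (x1, y1), (x2, y2) = P, R
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % Q, (y1 * y2 + x1 * x2) * inv(1 - t) % Q)
def mul(P, k):  # double-and-add scalar multiplication
    R = (0, 1)
    for bit in bin(k)[2:]:
        R = add(R, R) if bit == "0" else add(add(R, R), P)
    return R
def enc(P):  # little-endian y with the parity of x in the top bit
    return (P[1] | (P[0] & 1) << 255).to_bytes(32, "little")
def dec(b):  # decode a point, rejecting non-canonical y and encodings not on the curve
    if len(b) != 32: raise ValueError("bad length")
    y, x_odd = int.from_bytes(b, "little") & (1 << 255) - 1, b[31] >> 7
    if y >= Q: raise ValueError("non-canonical y")
    xx = (y * y - 1) * inv(D * y * y + 1) % Q
    x = pow(xx, (Q + 3) // 8, Q)
    x = x if (x * x - xx) % Q == 0 else x * SQRT_M1 % Q
    if (x * x - xx) % Q or (x == 0 and x_odd): raise ValueError("point not on curve")
    return (Q - x if x & 1 != x_odd else x, y)
B = dec((4 * inv(5) % Q).to_bytes(32, "little"))  # base point: y = 4/5, even x

def sign(seed, msg):  # returns (A, R || s); scalar a and nonce prefix come from SHA-512(seed)
    h = H(seed)
    a = (int.from_bytes(h[:32], "little") & (1 << 254) - 8) | 1 << 254  # clamped scalar
    A = enc(mul(B, a))
    r = int.from_bytes(H(h[32:], msg), "little") % L
    R = enc(mul(B, r))
    return A, R + ((r + step1_h_ram(R, A, msg) * a) % L).to_bytes(32, "little")

def step1_h_ram(R, A, msg):  # step 1: challenge hash of R || A || message, reduced mod L
    return int.from_bytes(H(R, A, msg), "little") % L
def step2_r_check(A, s, h_ram):  # step 2 on its own: R_check = s*B - h_ram*A, as 32 bytes
    if s >= L: raise ValueError("non-canonical s")
    P = dec(A)
    if P == (0, 1) or mul(P, L) != (0, 1): raise ValueError("low-order public key")
    return enc(add(mul(B, s), mul((Q - P[0], P[1]), h_ram)))
def verify(sig, A, msg):  # step 3: constant-time comparison of R_check against R
    R, s = sig[:32], int.from_bytes(sig[32:], "little")
    try: return hmac.compare_digest(step2_r_check(A, s, step1_h_ram(R, A, msg)), R)
    except ValueError: return False
```

Because step2_r_check returns the encoded R_check directly, two implementations can be compared on that intermediate value rather than only on the final accept/reject bit.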