by Joker_vD 2082 days ago
> it was never a design goal of Ed25519 to begin with to strictly define the set of valid (and invalid) signatures

For a popular enough protocol, if there is an underspecified thing then there will be two implementations that implement that thing differently, and if possible, incompatibly. And I am talking about correctly programmed and compliant implementations, never mind the buggy and/or deliberately non-compliant implementations (cf. Microsoft's "No standard or clause in a standard has a divine right of existence" stance). That's why the designer should not leave the implementers any rope whatsoever to strangle themselves, especially in cryptography.

1 comment

> That's why the designer should not leave the implementers any rope whatsoever to strangle themselves, especially in cryptography.

5 bits of choice is a lot of rope to auto-asphyxiate oneself in cryptography.