questions on using ed25519

Viktor Dukhovni openssl-users at dukhovni.org
Wed Apr 22 05:01:43 UTC 2020


On Wed, Apr 22, 2020 at 11:46:16AM +0800, yang berlin wrote:

> Wow, thanks for the detailed reply!
> Actually I am a master student and my teacher wants me to figure out the
> use of ed25519. So I went to see openssl.
> I thought ed25519 can sign messages so I tried the dgst command. Now I know
> that I was wrong.

Well, actually it *does* sign messages, but not via "openssl dgst",
because typically ed25519 is used to sign short messages without first
running them through a digest function.  This makes it resistant to hash
function collision attacks.

There is actually more than one flavour of the ed25519 signature
algorithm, see RFC8032:

    https://tools.ietf.org/html/rfc8032#section-4
    https://tools.ietf.org/html/rfc8032#section-5

You can use "pkeyutl" to directly sign (short messages) with (pure)
ed25519, or, for longer messages, you can use the "prehash" variant
which signs a SHA2-512 hash.

--
    Viktor.

