On 25 March 2014 07:03, Jonathan Schleifer <js-haiku-commits@xxxxxxxxxxx> wrote:

> On 24.03.2014 at 17:24, Ingo Weinhold <ingo_weinhold@xxxxxx> wrote:
>
> > On 03/23/2014 01:01 AM, midar-github.package_signing wrote:
> > > f5e4c70: Import ed25519 from openssh-6.6p1
> >
> > Importing and having to maintain third-party code (particularly code of that complexity and sensitivity) is something we should really try to avoid.
>
> It's a 1:1 import of the reference implementations with minor changes by me.
>
> What I changed is to use SHA-512 from OpenSSL instead of the integrated one, as that is streamable. That avoids having to copy the message just to create sha512(r,a,m) and sha512(extsk[32..63],m).
>
> The next change I'm thinking about will be incompatible, though: sha512(r,a,m) and sha512(extsk[32..63],m) are both generated when signing, but have the unfortunate property that they require hashing the message twice, and r is generated with the result of sha512(extsk[32..63],m). Therefore I want to change it to sha512(m,r,a) and sha512(m,extsk[32..63]). This should not matter, as the strength of SHA-512 should be unchanged by that, but this allows creating a SHA-512 context, hashing the message, NOT finalizing the hash, copying it and then just adding extsk[32..63] / r,a to the unfinalized hash. Thus we avoid double-hashing and are streaming-capable, so we don't need to have the full uncompressed heap in memory.
>
> Before doing that change, I'd like to discuss it with others, though (cryptographers, that is). Does anybody know a mailing list where I could ask about this?

Hit up Daeken on Freenode. He hangs out in #stackoverflow, and is well respected in security circles.