Open question: Should we use BLAKE3 instead of SHA-512 for signature message digests?

ed25519 uses SHA-512 in its signature algorithm. Since we already use BLAKE3 to hash files, we could use BLAKE3 as the digest in our signature algorithm instead. ed25519 requires a 512 bit digest, and BLAKE3 is 256 bits by default, but BLAKE3 is an XOF, so it's trivial to produce 512 bits of output.

Pros:
- Remove dependency on SHA-512
- Only depend on the security of one hash function

Cons:
- Our signatures would no longer be standard ed25519 signatures

The con is a major one. We would lose compatibility with other ed25519 implementations, like libraries and hardware devices. This is probably not worth doing, but I wanted to create this issue to allow for some discussion.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Open question: Should we use BLAKE3 instead of SHA-512 for signature message digests? #50

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Open question: Should we use BLAKE3 instead of SHA-512 for signature message digests? #50

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions