Hi @jedisct1! As you saw, I'm implementing a set of bindings to While sha256 & sha512 can be replaced by Blake2b,
Moreover, the crypto state of Ed25519ph is based on sha512, which is also marked with a warning:
Is it trying to tell me that signature algorithms should be sourced from another C backend? Am I missing anything? Thanks again for
Ed25519ph uses SHA-512 internally, but length extension attacks are not relevant in this context. It's perfectly fine to use. You can also pre-hash yourself with generichash() and sign the result with regular Ed25519. The only critical thing here is to use a collision-resistant hash function. And there's no sign that SHA-2 is going to be broken anytime soon.