Ed25519 rainstorms and donkeys

Tony Finch dot at dotat.at
Mon Jun 5 17:58:33 UTC 2017


So I have been fiddling with Ed25519 as a background project because I
have wanted Ed25519 in the DNS for like YEARS. It isn't quite rainbows
and unicorns.

## context

RFC 8080 says "The Ed25519 signature algorithm and verification of the
Ed25519 signature are described in Sections 5.1.6 and 5.1.7 of [RFC8032],
respectively."

RFC 8032 section 4 final paragraph says "This document specifies
parameters resulting in the HashEdDSA variants Ed25519ph and Ed448ph and
the PureEdDSA variants Ed25519 and Ed448." It also says, "PureEdDSA
requires two passes over the input.  Many existing APIs, protocols, and
environments assume digital signature algorithms only need one pass over
the input and may have API or bandwidth concerns supporting anything
else." This is not entirely happy news.

OpenSSL git master branch at long last has Ed25519, yay!
https://github.com/openssl/openssl/blob/master/doc/man7/Ed25519.pod

This doc says "The Ed25519 EVP_PKEY implementation supports key
generation, one shot digest sign and digest verify using PureEdDSA and
Ed25519 (see RFC8032). [...] The PureEdDSA algorithm does not support the
streaming mechanism of other signature algorithms using, for example,
EVP_DigestUpdate(). The message to sign or verify must be passed using the
one shot EVP_DigestSign() and EVP_DigestVerify() functions."

## BIND

This PureEdDSA two-pass signature generation is a significant pain,
because BIND pervasively assumes a one-pass API built around various
_adddata() functions which are wrappers around EVP_DigestUpdate().

So I'm wondering how to deal with this impedance mismatch.

Unless I have overlooked something, I think it makes sense to put an
isc_buffer in the dst_context, turn on autoreallocation, and stash the
data in there until _sign() or _verify() are called? This would use the
mctx which is already in the dctx. (Or should it use the
dst__memory_pool?)

Should I embed the isc_buffer in the dst_context (which would be a waste
for existing algorithms) or make a new eddsa context structure to contain
the buffer and the OpenSSL EVP_MD_CTX, and put a pointer to that in the
dst_context.ctxdata union (slightly fiddly but nbd)?

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Sole, Lundy, Fastnet, Irish Sea: Cyclonic, becoming northwest, 6 to gale 8.
Moderate or rough in Irish Sea, otherwise rough or very rough. Rain then
squally showers. Moderate or good, occasionally poor.

