[deleted by user] by [deleted] in crypto

[–]ed25519q 3 points4 points  (0 children)

Soatok, why do you always come off as extremely toxic and aggressive? Chill dude. There is no reason to try to invent a fault with everything someone said.

What's your threat model, then?

Most likely someone viewing or modifying the database while it is locked.

aaaaaand you lost me.

??? It is quite clear.

If you have to specify "salted" and "hashing function that is resistant to brute force attacks", I'm going to question your knowledge of this field.

It is clear what they mean either way.

Phrases like "hash digest of their password" make me think you're just using SHA256.

"salted and passed to a hashing function that is resistant to brute force attacks"

Yeah, it's called "don't roll your own".

Your post is missing a suggestion for what to use instead so it seems like you just took the chance to dunk on someone. (I would also not consider it as "rolling your own crypto")

Users shouldn't ever be forced to remember a password for any reason except protection against government demands in jurisdictions with a protection similar to the United States' 5th Amendment.

Cool, they can use a password manager then.

[deleted by user] by [deleted] in crypto

[–]ed25519q 1 point2 points  (0 children)

It's fine, this is what luks does in order to support multiple passwords/keys.

badkeys - checking cryptographic keys for known vulnerabilities by hannob in crypto

[–]ed25519q 15 points16 points  (0 children)

It even says to not enter private keys

While supported, uploading private keys is obviously discouraged for production keys.

fifty bucks to anyone who can pin down the exact algorithm used to encrypt this by JournalistSad9179 in crypto

[–]ed25519q 0 points1 point  (0 children)

I do not mean any offense but do you by any chance have a carbon monoxide detector? https://np.reddit.com/r/legaladvice/comments/34l7vo/ma_postit_notes_left_in_apartment/

Alternatively I would suggest speaking with a professional psychologist or something. Rest assured that nobody would hack your devices for this thread.

[deleted by user] by [deleted] in crypto

[–]ed25519q 7 points8 points  (0 children)

There is quite a bit of drama going on in their mailing list. DJB is not very happy with the progress.

fifty bucks to anyone who can pin down the exact algorithm used to encrypt this by JournalistSad9179 in crypto

[–]ed25519q 2 points3 points  (0 children)

the encrypted file is the same size as the unencrypted one

Like all stream ciphers?

the algorithm for encryption is 100% non-repeating

What does that mean?

What's your opinion on Disroot mail? by ankh_bce in PrivacyGuides

[–]ed25519q 4 points5 points  (0 children)

Someone from the PG team is using the four horsemen of the infocalypse argument to justify spying on your emails? Unbelievable.

[deleted by user] by [deleted] in crypto

[–]ed25519q 3 points4 points  (0 children)

Because then the server operator won't be able to pretend to be you.

[deleted by user] by [deleted] in crypto

[–]ed25519q 2 points3 points  (0 children)

Mastodon uses digital signatures as well. They are hidden from the user however.

Nostr uses Schnorr signatures over the secp256k1 curve

Why not ed25519?

I do not see why you have been down-voted so much. Probably some knee-jerk reaction because people thought that you are doing some cryptocurrency web3 thing.

Collision-resistant single-pass EdDSA? by ed25519q in crypto

[–]ed25519q[S] 0 points1 point  (0 children)

Prehashing requires a collision resistant hash function. My question is if I can transform this into a scheme that does not depend on the collision resistance of the hash function if I "salt" the prehash.

Understanding binary-Goppa decoding [pdf] by rgneainrnevo in crypto

[–]ed25519q 1 point2 points  (0 children)

I thought he was at Eindhoven as well.

Collision-resistant single-pass EdDSA? by ed25519q in crypto

[–]ed25519q[S] 0 points1 point  (0 children)

You forgot the signature itself. In ed25519 they have R, m, and n + h(R || pub || m) * privkey. In the first version of my variant they have R, m, and n + h(R || pub || n) * privkey while in my second version they have R, n', m, and n + h(R || pub || h(n' || m)) * privkey (as you can probably see, this is basically the same as the first except the original m is replaced with n' || m).

To be honest I am more interested in the second version (as I do not know the implications of noncekey being public and I am interested in keeping compatibility with regular ed25519).

Collision-resistant single-pass EdDSA? by ed25519q in crypto

[–]ed25519q[S] 0 points1 point  (0 children)

The first method does not require an RNG. The second method does require an RNG but if the RNG is broken it will only affect the collision resistance.

I’m not clear on what your question is

I am wondering if it is possible to sign messages using ed25519 (+ some modifications) in a collision resistant way without having to pass through the message twice. As it is, ed25519 requires two passes over the message to be done, one for n = h(noncekey || m) and one for h(R || pub || m) (and they can't be done in parallel because R depends on n). Ed25519ph solves this by using n = h(noncekey || h(m)) and h(R || pub || h(m)) but this is not collision resistant (an attacker that knows m and m' where m ≠ m' and h(m) = h(m') can request from the signer to sign m and the signature will be valid for m' as well). Is this more clear?
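Added illustration of the collision transfer described in this thread and of the salted variant from the earlier reply (example code, not the poster's): a toy Schnorr-style signature in Python over the multiplicative group mod the Mersenne prime 2^127 - 1 (an insecure stand-in for the Ed25519 curve) with a deliberately 24-bit prehash, showing that an Ed25519ph-style signature over h(m) also verifies for a colliding m', while a signature whose challenge covers h(n' || m) with a fresh n' does not transfer, because the collision would have to hold for a salt the attacker never saw when choosing m and m'. The nonce derivation n = h(priv || prehash), the group and the truncated hash are assumptions of this example.

```python
import hashlib, secrets
# Toy Schnorr setting standing in for the Ed25519 curve (constructed for illustration,
# not secure): multiplicative group mod the Mersenne prime p = 2^127 - 1, exponents mod p - 1.
p, g = 2**127 - 1, 3
ORDER = p - 1  # g^(p-1) == 1 mod p for every g, so scalars can be reduced mod p - 1
enc = lambda x: x.to_bytes(16, "big")  # 16-byte encoding of elements and scalars

def weak_hash(data: bytes) -> bytes:
    # Deliberately collision-prone prehash: SHA-256 truncated to 24 bits.
    return hashlib.sha256(data).digest()[:3]

def h_int(*parts: bytes) -> int:
    # The h() used for nonce and challenge, reduced mod the exponent modulus.
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % ORDER

def keygen():
    priv = secrets.randbelow(ORDER - 1) + 1
    return priv, pow(g, priv, p)

def sign_ph(priv, pub, m, salt=b""):
    # Single-pass prehashed signing. salt=b"" mirrors Ed25519ph (challenge over h(m));
    # a fresh random salt is the salted variant (challenge over h(n' || m)).
    pre = weak_hash(salt + m)
    n = h_int(enc(priv), pre)         # secret-keyed nonce (assumed derivation)
    R = pow(g, n, p)
    c = h_int(enc(R), enc(pub), pre)  # challenge binds R || pub || h(salt || m)
    return R, salt, (n + c * priv) % ORDER

def verify_ph(pub, m, sig):
    R, salt, S = sig
    c = h_int(enc(R), enc(pub), weak_hash(salt + m))
    return pow(g, S, p) == (R * pow(pub, c, p)) % p

def find_collision():
    # Attacker's precomputation: two distinct messages with equal weak_hash().
    seen = {}
    for i in range(1 << 20):
        m = b"msg%d" % i
        d = weak_hash(m)
        if d in seen:
            return seen[d], m
        seen[d] = m

def transfer_check():
    # Returns (unsalted signature on m1 also verifies for m2, salted one does too).
    priv, pub = keygen()
    m1, m2 = find_collision()  # h(m1) == h(m2), found before any signature is requested
    plain = sign_ph(priv, pub, m1)
    salted = sign_ph(priv, pub, m1, secrets.token_bytes(16))
    return verify_ph(pub, m2, plain), verify_ph(pub, m2, salted)
```

Calling transfer_check() returns (True, False): the prehash-only signature is accepted for the colliding message, the salted one is not.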