Update text on padding to align with new construction
emanjon authored Mar 16, 2024
1 parent 78e60aa commit 4493581
Showing 1 changed file with 5 additions and 5 deletions.
10 changes: 5 additions & 5 deletions draft-irtf-cfrg-det-sigs-with-noise.md
Expand Up @@ -462,9 +462,9 @@ For Ed25519ph, Ed25519ctx, and Ed25519: In deployments where side-channel and fa
2. Compute SHA-512(0x00 || Z || dom2(F, C) || 000... || prefix ||
000... || PH(M)), where M is the message to be signed, Z is 32
octets of random data, the number of zeroes 000... is chosen so
that the lengths of (dom2(F, C) || Z || 000...) and (prefix ||
000...) are multiples of 128 octets. Interpret the 64-octet
digest as a little-endian integer r.
that the lengths of (0x00 || Z || dom2(F, C) || 000...) and
(prefix || 000...) are multiples of 128 octets. Interpret the
64-octet digest as a little-endian integer r.
~~~~~~~~~~~~~~~~~~~~~~~

For Ed448ph and Ed448: In deployments where side-channel and fault injection attacks are a concern, the following step is RECOMMENDED instead of step (2) in Section 5.2.6 of {{RFC8032}}:
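Review bot: The rewritten condition "that the lengths of (0x00 || Z || dom2(F, C) || 000...) and (prefix || 000...) are multiples of 128 octets" still does not fix how many zero octets to use: any count that reaches a multiple of 128 satisfies it, and the two 000... runs are written identically although each is sized for its own group. Consider wording it as "the smallest number of zero octets such that ..." so two implementations given the same Z derive the same r. This step also uses dom2(F, C) and the leading 0x00 without saying what F, C or the 0x00 octet are, whereas the Ed448 step in this diff at least defines F and C; a matching sentence here would help, since the step covers Ed25519ph, Ed25519ctx and Ed25519.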
Expand All @@ -473,8 +473,8 @@ For Ed448ph and Ed448: In deployments where side-channel and fault injection att
2. Compute SHAKE256(0x00 || Z || dom4(F, C) || 000... || prefix ||
000... || PH(M), 114), where M is the message to be signed, and Z
is 57 octets of random data, the number of zeroes 000... is
chosen so that the length of (dom4(F, C) || Z || 000...) and
(prefix || 000...) are multiples of 136 octets. F is 1 for
chosen so that the length of (0x00 || Z || dom4(F, C) || 000...)
and (prefix || 000...) are multiples of 136 octets. F is 1 for
Ed448ph, 0 for Ed448, and C is the context to use. Interpret the
114-octet digest as a little-endian integer r.
~~~~~~~~~~~~~~~~~~~~~~~
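Review bot: The added line "chosen so that the length of (0x00 || Z || dom4(F, C) || 000...)" keeps the singular "length" with the plural "are multiples of 136 octets", while the Ed25519 step changed in the same commit says "lengths"; use "lengths" here so the two steps read the same. The sentence is also a run-on ("and Z is 57 octets of random data, the number of zeroes 000... is chosen so that"); starting a new sentence after "random data" would make the padding rule easier to locate.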