FIDO Registry v2.3: Naming inconsistency in ALG_SIGN_ED448_EDDSA_SHA512_RAW (0x0013)
18 views
Skip to first unread message
yno...@ynojima.net
May 29, 2026, 1:28:31 PM (18 hours ago) May 29
to FIDO Dev (fido-dev)
Hi,
I'd like to report a potential naming inconsistency in the FIDO Registry of Predefined Values v2.3 (fido-registry-v2.3-ps-20260105).
The newly added ALG_SIGN_ED448_EDDSA_SHA512_RAW (0x0013) has "sha512" in its identifier, but RFC 8032 defines Ed448 as using SHAKE256, not SHA-512:
- Section 5.2 (Table 2): H(x) = SHAKE256(dom4(phflag,context)||x, 114)
- Section 8.9: "Ed448 uses SHAKE256 as a hash function"
This contrasts with ALG_SIGN_ED25519_EDDSA_SHA512_RAW (0x0012), where "sha512" is accurate — Ed25519 does use SHA-512 per RFC 8032 Section 5.1.
There is a precedent for this type of correction: in Registry v2.0 (2018), the Ed25519 entry was named ALG_SIGN_ED25519_EDDSA_SHA256_RAW, which was later corrected to ALG_SIGN_ED25519_EDDSA_SHA512_RAW in v2.1 (2019) — see also
https://github.com/fido-alliance/conformance-test-tools-resources/issues/307.
Would it be worth considering a similar correction for the Ed448 entry (e.g., to "ed448_eddsa_shake256_raw")? Since no authenticator entries in the MDS3 BLOB appear to reference this algorithm yet, the impact of a rename should be minimal at this
point.
If anyone on this list knows the relevant spec members, I'd appreciate it if you could forward this to them.
Best regards,
Yoshikazu Nojima
I'd like to report a potential naming inconsistency in the FIDO Registry of Predefined Values v2.3 (fido-registry-v2.3-ps-20260105).
The newly added ALG_SIGN_ED448_EDDSA_SHA512_RAW (0x0013) has "sha512" in its identifier, but RFC 8032 defines Ed448 as using SHAKE256, not SHA-512:
- Section 5.2 (Table 2): H(x) = SHAKE256(dom4(phflag,context)||x, 114)
- Section 8.9: "Ed448 uses SHAKE256 as a hash function"
This contrasts with ALG_SIGN_ED25519_EDDSA_SHA512_RAW (0x0012), where "sha512" is accurate — Ed25519 does use SHA-512 per RFC 8032 Section 5.1.
There is a precedent for this type of correction: in Registry v2.0 (2018), the Ed25519 entry was named ALG_SIGN_ED25519_EDDSA_SHA256_RAW, which was later corrected to ALG_SIGN_ED25519_EDDSA_SHA512_RAW in v2.1 (2019) — see also
https://github.com/fido-alliance/conformance-test-tools-resources/issues/307.
Would it be worth considering a similar correction for the Ed448 entry (e.g., to "ed448_eddsa_shake256_raw")? Since no authenticator entries in the MDS3 BLOB appear to reference this algorithm yet, the impact of a rename should be minimal at this
point.
If anyone on this list knows the relevant spec members, I'd appreciate it if you could forward this to them.
Best regards,
Yoshikazu Nojima
Reply all
Reply to author
Forward
0 new messages