I understand that the Ed25519 variety of EdDSA uses SHA-512 for the random oracle H.
Would replacing H with Keccak be provably secure?
I'm in a situation where the systems are constrained in ROM and RAM. Using Keccak in Ed25519 saves a lot because Keccak is already used for the stream cipher and payload authentication (AEAD - Keccak in duplex mode).
I see that you can no longer technically call this Ed25519.