Posts  / #POST-228243
REDDIT

A Different 'H' in Ed25519

S
May 26, 2026 · 13:57

I understand that the Ed25519 variety of EdDSA uses SHA-512 for the random oracle H.

Would replacing H with Keccak be provably secure?

I'm in a situation where the systems are constrained in ROM and RAM. Using Keccak in Ed25519 saves a lot because Keccak is already used for the stream cipher and payload authentication (AEAD - Keccak in duplex mode).

I see that you can no longer technically call this Ed25519.