I understand that the Ed25519 variety of EdDSA uses SHA-512 for the random oracle H. Would replacing H with Keccak be provably secure? I'm in a situation where the systems are constrained in ROM and RAM. Using Keccak in Ed25519 saves a lot because Keccak is already used for the stream cipher and payload authentication (AEAD - Keccak in duplex mode). I see that you can no longer technically call this Ed25519. submitted by /u/sciencekm [link] [comments]