Security notes on prehashing. PureEdDSA is resilient to collisions in the underlying hash
function H. HashEdDSA is not resilient to collisions in H : if the attacker finds messages M1 and
M2 with H (M1 ) = H (M2 ), and convinces the legitimate H -EdDSA signer to sign M1 , then the
attacker can forge the same signature as a signature of M2 . Modern hash functions are designed to
resist collisions, and in principle it should be safe to design signature systems to rely on this, but
it is more conservative to design signature systems so that collisions serve merely as early-warning
signals. PureEdDSA is therefore recommended by default.