ed25519 uses SHA-512 in its signature algorithm. Since we already use BLAKE3 to hash files, we could use BLAKE3 as the digest in our signature algorithm instead. ed25519 requires a 512 bit digest, and BLAKE3 is 256 bits by default, but BLAKE3 is an XOF, so it's trivial to produce 512 bits of output.
Pros:
- Remove dependency on SHA-512
- Only depend on the security of one hash function
Cons:
- Our signatures would no longer be standard ed25519 signatures
The con is a major one. We would lose compatibility with other ed25519 implementations, like libraries and hardware devices. This is probably not worth doing, but I wanted to create this issue to allow for some discussion.
casey changed the title from "Open question: Should we use BLAKE3 instead of SHA-512 for signature digest?" to "Open question: Should we use BLAKE3 instead of SHA-512 for signature digests?" on Oct 5, 2024
casey changed the title from "Open question: Should we use BLAKE3 instead of SHA-512 for signature digests?" to "Open question: Should we use BLAKE3 instead of SHA-512 for signature message digests?" on Oct 5, 2024
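The compatibility cost listed under Cons, as an added example that is not code from this issue or the project: a compact RFC 8032 Ed25519 in which the 512-bit digest is a parameter `H`, swapped everywhere SHA-512 is used (key expansion, nonce, challenge). Assumptions: SHAKE256 read out to 64 bytes stands in for BLAKE3's XOF, since Python's standard library has no BLAKE3, and all function names are illustrative.

```python
import hashlib
# Ed25519 (RFC 8032) with the 512-bit digest H as a parameter. Not constant-time.
P = 2**255 - 19
Q = 2**252 + 27742317777372353535851937790883648493  # group order
D = -121665 * pow(121666, -1, P) % P
MASK = (1 << 255) - 1
def sha512(data): return hashlib.sha512(data).digest()
def xof512(data): return hashlib.shake_256(data).digest(64)  # assumed BLAKE3-XOF stand-in
def num(b): return int.from_bytes(b, "little")

def add(a, b):  # complete twisted Edwards addition, affine coordinates
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1*y2 + x2*y1) * pow(1 + t, -1, P) % P,
            (y1*y2 + x1*x2) * pow(1 - t, -1, P) % P)

def mul(s, pt):  # double-and-add scalar multiplication
    acc = (0, 1)  # neutral element
    while s:
        acc, pt, s = (add(acc, pt) if s & 1 else acc), add(pt, pt), s >> 1
    return acc

def recover_x(y, sign):  # x from y and the sign bit, or None if not on the curve
    x2 = (y*y - 1) * pow(D*y*y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x*x - x2) % P: x = x * pow(2, (P - 1) // 4, P) % P
    if (x*x - x2) % P or y >= P or (x == 0 and sign): return None
    return P - x if (x & 1) != sign else x
GY = 4 * pow(5, -1, P) % P
G = (recover_x(GY, 0), GY)  # base point
def enc(pt): return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")
def dec(b):
    x = recover_x(num(b) & MASK, num(b) >> 255)
    return None if x is None else (x, num(b) & MASK)

def keypair(seed, H=sha512):  # (clamped scalar, nonce prefix, public key)
    h = H(seed)
    a = (num(h[:32]) & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:], enc(mul(a, G))

def sign(seed, msg, H=sha512):
    a, prefix, pub = keypair(seed, H)
    r = num(H(prefix + msg)) % Q
    R = enc(mul(r, G))
    return R + ((r + num(H(R + pub + msg)) * a) % Q).to_bytes(32, "little")

def verify(pub, msg, sig, H=sha512):
    A, R, s = dec(pub), dec(sig[:32]), num(sig[32:])
    if len(pub) != 32 or len(sig) != 64 or None in (A, R) or s >= Q: return False
    return mul(s, G) == add(R, mul(num(H(sig[:32] + pub + msg)) % Q, A))
```

A signature made with `H=xof512` verifies only when the verifier is also given `H=xof512`; `verify` with its default SHA-512, which is what a standard ed25519 library or hardware device computes, rejects it.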