[curves] Optimizing a pair of EdDSA signatures on the same message

[Jeff Burdges]

My friend Joe asked me about optimizing a pair of Ed25519 signatures on
the same message with both a long-term session key x and a short-term
session key y. 

I told him I though it'd be ok to do a normal Ed25519 signature
(R_y,S_y) and then merely set r_x = r_y and R_x = R_y when creating the
S_x part of the signature.  In this way, he'd have a double signature
(R_y,S_y,S_x) that takes only 96 bytes instead of the 128 bytes of
doing two separate signatures. 

If I understand correctly, the only thing that he sacrifices in doing a
signature this way is that his signature with x now depends upon the
random number generator producing y, yes?  As x and y are produced by
the same random number generator, this should be no problem.  

I warned him against dong this with x and y reversed, as then the r has
less entropy, so repeating messages would give an attack on the second
signature's private key.

Does this sound correct?

Thanks,
Jeff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20151109/eceafd50/attachment.sig>