[curves] Optimizing a pair of EdDSA signatures on the same message
burdges at gnunet.org
Sun Nov 8 15:47:43 PST 2015
My friend Joe asked me about optimizing a pair of Ed25519 signatures on
the same message with both a long-term session key x and a short-term
session key y.
I told him I though it'd be ok to do a normal Ed25519 signature
(R_y,S_y) and then merely set r_x = r_y and R_x = R_y when creating the
S_x part of the signature. In this way, he'd have a double signature
(R_y,S_y,S_x) that takes only 96 bytes instead of the 128 bytes of
doing two separate signatures.
If I understand correctly, the only thing that he sacrifices in doing a
signature this way is that his signature with x now depends upon the
random number generator producing y, yes? As x and y are produced by
the same random number generator, this should be no problem.
I warned him against dong this with x and y reversed, as then the r has
less entropy, so repeating messages would give an attack on the second
signature's private key.
Does this sound correct?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: This is a digitally signed message part
More information about the Curves