[curves] Optimizing a pair of EdDSA signatures on the same message
mail at bharr.is
Sun Nov 8 15:59:01 PST 2015
On 9 Nov 2015 10:46 am, "Jeff Burdges" <burdges at gnunet.org> wrote:
> My friend Joe asked me about optimizing a pair of Ed25519 signatures on
> the same message with both a long-term session key x and a short-term
> session key y.
> I warned him against dong this with x and y reversed, as then the r has
> less entropy, so repeating messages would give an attack on the second
> signature's private key.
>From memory, doesn't this leak (x - y) mod N? So if one of x or y is
compromised they both are?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Curves