[curves] Optimizing a pair of EdDSA signatures on the same message

Ben Harris mail at bharr.is
Sun Nov 8 15:59:01 PST 2015


On 9 Nov 2015 10:46 am, "Jeff Burdges" <burdges at gnunet.org> wrote:
>
>
> My friend Joe asked me about optimizing a pair of Ed25519 signatures on
> the same message with both a long-term session key x and a short-term
> session key y.
>
>
> I warned him against doing this with x and y reversed, as then the r has
> less entropy, so repeating messages would give an attack on the second
> signature's private key.

From memory, doesn't this leak (x - y) mod N? So if one of x or y is
compromised they both are?