[curves] Optimizing a pair of EdDSA signatures on the same message
Mike Hamburg
mike at shiftleft.org
Sun Nov 8 19:33:15 PST 2015
You should be able to do even better than this. If you have keys
A = G^a
B = G^b
You can choose an ephemeral
r = PRF(a,b,m)
R = G^r
and set
c = H1(R,A,B,m)
d = H2(R,A,B,m)
and output R, s = r + ca + db.
This can be verified because G^s = R * A^c * B^d
... right?
Cheers,
-- Mike
On 11/08/2015 05:42 PM, Jeff Burdges wrote:
> Appears I failed to CC the list, but Ben resolved this.
>
> On Mon, 2015-11-09 at 11:17 +1100, Ben Harris wrote:
>> On 9 Nov 2015 10:46 am, "Jeff Burdges" <burdges at gnunet.org> wrote:
>>> My friend Joe asked me about optimizing a pair of Ed25519 signatures on
>>> the same message with both a long-term session key x and a short-term
>>> session key y.
>>> (R_y,S_y,S_x) that takes only 96 bytes instead of the 128 bytes of
>>> doing two separate signatures.
>>>
>> Could you just send the short term key as an implicit (ECQV) issued
>> by the long term which is only 32 bytes? Then the message signed by
>> the session key is an additional 64 bytes giving your 96 byte total.
> Yes, I believe that works well for his use case. Actually it's simpler
> than ECQV since Alice controls both keys.
>
> Thank you!
> Jeff
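
The two-key signature sketched at the top of this message (r = PRF(a,b,m), s = r + ca + db, checked as G^s = R * A^c * B^d), as an added Python example that is not part of the original e-mail or any participant's code. Assumptions: the Ed25519 group written additively, HMAC-SHA512 as the PRF, and prefixed SHA-512 for H1 and H2; it exercises the verification equation only.

```python
import hashlib, hmac
# Ed25519 group (RFC 8032 constants), used here as a stand-in group.
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # prime group order
dcurve = -121665 * pow(121666, -1, p) % p

def add(P, Q):  # twisted Edwards addition (a = -1), affine coordinates
    (x1, y1), (x2, y2) = P, Q
    t = dcurve * x1 * x2 * y1 * y2 % p
    return ((x1*y2 + x2*y1) * pow(1 + t, -1, p) % p,
            (y1*y2 + x1*x2) * pow(1 - t, -1, p) % p)

def mul(k, P):  # double-and-add; not constant time, illustration only
    Q = (0, 1)  # neutral element
    while k:
        if k & 1:
            Q = add(Q, P)
        P, k = add(P, P), k >> 1
    return Q

def base_point():  # y = 4/5, x recovered from the curve equation (even root)
    y = 4 * pow(5, -1, p) % p
    xx = (y*y - 1) * pow(dcurve*y*y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x*x - xx) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    return (p - x if x & 1 else x, y)

G = base_point()

def enc(P):
    return P[0].to_bytes(32, "little") + P[1].to_bytes(32, "little")

def challenges(R, A, B, m):  # c = H1(R,A,B,m), d = H2(R,A,B,m)
    # Assumption: H1/H2 are SHA-512 with distinct prefixes.
    data = enc(R) + enc(A) + enc(B) + m
    return tuple(int.from_bytes(hashlib.sha512(tag + data).digest(), "little") % L
                 for tag in (b"H1", b"H2"))

def sign(a, b, m):
    key = a.to_bytes(32, "little") + b.to_bytes(32, "little")
    # Assumption: PRF(a,b,m) is HMAC-SHA512 keyed with a||b.
    r = int.from_bytes(hmac.new(key, m, hashlib.sha512).digest(), "little") % L
    R = mul(r, G)
    c, d = challenges(R, mul(a, G), mul(b, G), m)
    return R, (r + c*a + d*b) % L  # s = r + ca + db

def verify(A, B, m, R, s):  # G^s = R * A^c * B^d, written additively
    c, d = challenges(R, A, B, m)
    return mul(s, G) == add(R, add(mul(c, A), mul(d, B)))
```

The signature is the pair (R, s): one point and one scalar for both keys. verify() does no point validation or canonical-encoding checks, which a real verifier would need.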