[curves] EdDSA specification

Benedikt Schmidt beschmi at gmail.com
Thu Oct 27 06:09:36 PDT 2016

On 27/10/16 08:08, Brian Smith wrote:
 > Trevor Perrin <trevp at trevp.net <mailto:trevp at trevp.net>> wrote:
 >     The document also generalizes this signature algorithm to the 448
 >     curve, and extends it to include VRF functionality, which Signal 
 >     use in the future.  These extensions are somewhat new, and should
 >     probably get more public review before people rush to implement.
 > In the motivation for the randomized scheme, the document says "However,
 > if the same message is signed repeatedly, a glitch that affects the
 > calculation of h could cause this to happen (an observation due to
 > Benedikt Schmidt)." Could you provide a reference to a paper/message
 > that explains what is being referred to here, and/or add a description
 > of the issue to the paper?

The issue I mentioned to Trevor is just that for the deterministic 
version with

     r = hash1(a||M) (mod q)  // no random Z
     R = rB
     h = hash(R||A||M) (mod q)
     s = r + ha (mod q)

getting a valid signature R||s and a faulty signature R||s' where

     h' = (hash(R||A||M) (mod q)) ^ delta  // error or fault attack
     s' = r + h'a (mod q)

allows for the same attack as reusing the same randomness for distinct 
messages. For small messages or with pre-hashing 
(M=Hash(large_message)), this is probably not important. For scenarios 
where pre-hashing is not used, the same message might be signed more 
than once, and where the time required for hashing is significant, it 
might be preferable to add randomness.


More information about the Curves mailing list