[curves] EdDSA specification
Benedikt Schmidt
beschmi at gmail.com
Thu Oct 27 06:09:36 PDT 2016
On 27/10/16 08:08, Brian Smith wrote:
> Trevor Perrin <trevp at trevp.net> wrote:
>
> The document also generalizes this signature algorithm to the 448
> curve, and extends it to include VRF functionality, which Signal might
> use in the future. These extensions are somewhat new, and should
> probably get more public review before people rush to implement.
>
>
> In the motivation for the randomized scheme, the document says "However,
> if the same message is signed repeatedly, a glitch that affects the
> calculation of h could cause this to happen (an observation due to
> Benedikt Schmidt)." Could you provide a reference to a paper/message
> that explains what is being referred to here, and/or add a description
> of the issue to the paper?
The issue I mentioned to Trevor is just that for the deterministic version with
r = hash1(a||M) (mod q) // no random Z
R = rB
h = hash(R||A||M) (mod q)
s = r + ha (mod q)
getting a valid signature R||s and a faulty signature R||s' where
h' = (hash(R||A||M) (mod q)) ^ delta // error or fault attack
s' = r + h'a (mod q)
allows for the same attack as reusing the same randomness for distinct
messages. For small messages or with pre-hashing
(M=Hash(large_message)), this is probably not important. For scenarios
where pre-hashing is not used, the same message might be signed more
than once, and where the time required for hashing is significant, it
might be preferable to add randomness.
Best,
Benedikt
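The fault scenario described in the message above, worked through as an added example (this code is not from the mail, from Signal, or from any EdDSA implementation): a secret scalar a signs the same message twice with the deterministic r = hash1(a||M), one run has h glitched to h' = h ^ delta, and the attacker recovers a from the pair exactly as with a reused nonce, since s - s' = (h - h')a (mod q). The curve arithmetic is a minimal affine Ed25519 in pure Python (slow, illustration only); the point and key encodings, the nonce derivation (no clamping, no secret prefix) and the attacker's fault model (enumerate single-bit flips of h) are simplifications chosen for this example and are not the RFC 8032 wire format. The seed and message are constructed test values.

```python
# Added example: key recovery from a deterministic EdDSA-style signature pair
# where a fault flips bits of h.  Simplified encodings, NOT RFC 8032.
import hashlib

# --- minimal Ed25519 group (affine twisted Edwards coordinates) ---
Q = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # order of B ("q" in the mail)


def inv(x):
    return pow(x, Q - 2, Q)


D = (-121665 * inv(121666)) % Q
I = pow(2, (Q - 1) // 4, Q)


def xrecover(y):
    xx = (y * y - 1) * inv(D * y * y + 1)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q != 0:
        x = (x * I) % Q
    if x % 2 != 0:
        x = Q - x
    return x


BY = (4 * inv(5)) % Q
B = (xrecover(BY), BY)  # standard Ed25519 base point


def edwards(P1, P2):
    x1, y1 = P1
    x2, y2 = P2
    x3 = (x1 * y2 + x2 * y1) * inv(1 + D * x1 * x2 * y1 * y2)
    y3 = (y1 * y2 + x1 * x2) * inv(1 - D * x1 * x2 * y1 * y2)
    return (x3 % Q, y3 % Q)


def scalarmult(P1, e):
    R = (0, 1)  # neutral element
    while e:
        if e & 1:
            R = edwards(R, P1)
        P1 = edwards(P1, P1)
        e >>= 1
    return R


def enc(P1):
    # simplified 64-byte x||y encoding (assumption of this example, not the compressed form)
    return P1[0].to_bytes(32, "little") + P1[1].to_bytes(32, "little")


def H(*parts):
    # hash to a scalar mod L; SHA-512 as in Ed25519, domain tags are this example's choice
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little") % L


def keygen(seed):
    a = H(b"key", seed)            # secret scalar a (no clamping, to match the mail's notation)
    return a, scalarmult(B, a)     # A = aB


def sign(a, A, M, delta=0):
    # deterministic signing as written in the mail; delta != 0 models a glitch that
    # corrupts h after R (and therefore r) was computed correctly
    r = H(b"nonce", a.to_bytes(32, "little"), M)   # r = hash1(a||M) mod q, no random Z
    R = scalarmult(B, r)                           # R = rB
    h = H(enc(R), enc(A), M) ^ delta               # h = hash(R||A||M) mod q  (^ delta = fault)
    s = (r + h * a) % L                            # s = r + ha mod q
    return R, s


def verify(A, M, sig):
    R, s = sig
    h = H(enc(R), enc(A), M)
    return scalarmult(B, s) == edwards(R, scalarmult(A, h))   # sB == R + hA


def recover_key(A, M, good, faulty, max_bit=256):
    # Both signatures share R, hence r.  Then s - s' = (h - h')a mod q, so
    # a = (s - s') / (h - h') mod q.  The attacker does not see h', so each
    # single-bit-flip hypothesis is tried and checked against the public key A.
    (R, s), (R2, s2) = good, faulty
    if R != R2:
        return None                 # attack needs the same nonce point R
    h = H(enc(R), enc(A), M)
    for bit in range(max_bit):
        h2 = h ^ (1 << bit)
        diff = (h - h2) % L
        if diff == 0:
            continue
        cand = ((s - s2) * pow(diff, -1, L)) % L
        if scalarmult(B, cand) == A:
            return cand              # r follows as (s - h*cand) mod L
    return None
```

With the recovered a the attacker can also recompute r = s - ha (mod q) and forge on any message; the faulty signature itself does not verify, so a signer that verifies before releasing a signature (the usual countermeasure for deterministic schemes) would have caught this particular fault. The bit enumeration is the expensive part here only because the arithmetic is unoptimised Python; with a fixed-width fault model it is a handful of scalar multiplications.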