[curves] Ed25519 / EdDSA key leakage due to fragility in recommended nonce procedure

Conrado P. L. GouvĂȘa conradoplg at gmail.com
Thu Jan 30 05:16:33 PST 2020

On Wed, Jan 29, 2020 at 7:35 AM Trevor Perrin <trevp at trevp.net> wrote:
> Some time I'll write a sequel to the "Generalizing EdDSA" post that
> generalizes further and tries to fold in more of these emerging "best
> practices".

I'm very interested in that! I also wonder about Ed448 / Ed25519ph /
Ed25519ctx which have some constant inputs when generating the nonce.
Does that interfere when trying to protect against DPA attacks? (I've
asked about this in
, maybe I should ask here?)


More information about the Curves mailing list