[curves] Ed25519 / EdDSA key leakage due to fragility in recommended nonce procedure

Conrado P. L. Gouvêa conradoplg at gmail.com
Thu Jan 30 05:16:33 PST 2020


On Wed, Jan 29, 2020 at 7:35 AM Trevor Perrin <trevp at trevp.net> wrote:
> Some time I'll write a sequel to the "Generalizing EdDSA" post that
> generalizes further and tries to fold in more of these emerging "best
> practices".
>

I'm very interested in that! I also wonder about Ed448 / Ed25519ph /
Ed25519ctx which have some constant inputs when generating the nonce.
Does that interfere when trying to protect against DPA attacks? (I've
asked about this in
https://crypto.stackexchange.com/questions/77260/protecting-ed448-against-dpa-and-fault-attacks
, maybe I should ask here?)

Conrado

