My friend Joe asked me about optimizing a pair of Ed25519 signatures on the same message with both a long-term session key x and a short-term session key y.
I told him I though it'd be ok to do a normal Ed25519 signature (R_y,S_y) and then merely set r_x = r_y and R_x = R_y when creating the S_x part of the signature. In this way, he'd have a double signature (R_y,S_y,S_x) that takes only 96 bytes instead of the 128 bytes of doing two separate signatures. If I understand correctly, the only thing that he sacrifices in doing a signature this way is that his signature with x now depends upon the random number generator producing y, yes? As x and y are produced by the same random number generator, this should be no problem. I warned him against dong this with x and y reversed, as then the r has less entropy, so repeating messages would give an attack on the second signature's private key. Does this sound correct? Thanks, Jeff
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves