On 9 Nov 2015 10:46 am, "Jeff Burdges" <burd...@gnunet.org> wrote:
>
> My friend Joe asked me about optimizing a pair of Ed25519 signatures on
> the same message with both a long-term session key x and a short-term
> session key y.
>
> I warned him against doing this with x and y reversed, as then the r has
> less entropy, so repeating messages would give an attack on the second
> signature's private key.

From memory, doesn't this leak (x - y) mod N? So if one of x or y is compromised they both are?

_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves