You should be able to do even better than this.  If you have keys

A = G^a
B = G^b

You can choose an ephemeral

r = PRF(a,b,m)
R = G^r

and set

c = H1(R,A,B,m)
d = H2(R,A,B,m)

and output R, s = r + ca + db.

This can be verified because G^s = R * A^c * B^d

... right?

Cheers,
-- Mike

On 11/08/2015 05:42 PM, Jeff Burdges wrote:
Appears I failed to CC the list, but Ben resolved this.

On Mon, 2015-11-09 at 11:17 +1100, Ben Harris wrote:
On 9 Nov 2015 10:46 am, "Jeff Burdges" <burd...@gnunet.org> wrote:
My friend Joe asked me about optimizing a pair of Ed25519 signatures on
the same message with both a long-term session key x and a short-term
session key y.
(R_y,S_y,S_x) that takes only 96 bytes instead of the 128 bytes of
doing two separate signatures.

Could you just send the short term key as an implicit (ECQV) issued
by the long term which is only 32 bytes? Then the message signed by
the session key is an additional 64 bytes giving your 96 byte total.
Yes, I believe that works well for his use case.  Actually it's simpler
than ECQV since Alice controls both keys.

Thank you!
Jeff



_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves
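
Mike's two-key construction above, run end to end as an added example (not code from the thread). It assumes a toy multiplicative group modulo 2^127 - 1 with G = 3, HMAC-SHA256 as the PRF, and domain-separated SHA-256 for H1 and H2; none of these choices come from the thread, and the parameters are not secure.

```python
import hashlib
import hmac

# Toy group constructed for this example (NOT secure): Z_p^* with p = 2^127 - 1.
P = 2**127 - 1
N = P - 1   # g^N == 1 (mod p) for every g, so exponents are reduced mod N
G = 3

def _b(x):
    """Fixed-width encoding of a group element or exponent (< 2^127)."""
    return x.to_bytes(16, "big")

def _hash_to_exp(tag, *parts):
    """Domain-separated, length-prefixed SHA-256 reduced to an exponent."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % N

def keygen(seed):
    """Derive a (secret, public) pair from a seed; the seed is a constructed input."""
    sk = _hash_to_exp(b"key", seed)
    return sk, pow(G, sk, P)

def challenges(R, A, B, m):
    c = _hash_to_exp(b"H1", _b(R), _b(A), _b(B), m)
    d = _hash_to_exp(b"H2", _b(R), _b(A), _b(B), m)
    return c, d

def sign(a, b, m):
    A, B = pow(G, a, P), pow(G, b, P)
    # r = PRF(a, b, m): HMAC-SHA256 keyed with both secrets (assumed PRF)
    mac = hmac.new(_b(a) + _b(b), m, hashlib.sha256).digest()
    r = int.from_bytes(mac, "big") % N
    R = pow(G, r, P)
    c, d = challenges(R, A, B, m)
    return R, (r + c * a + d * b) % N   # output (R, s)

def verify(A, B, m, sig):
    R, s = sig
    if not (0 < R < P and 0 <= s < N):
        return False
    c, d = challenges(R, A, B, m)
    # G^s == R * A^c * B^d
    return pow(G, s, P) == (R * pow(A, c, P) * pow(B, d, P)) % P
```
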
