The cr.yp.to microblog: 2021.06.14 01:11:17

2021.06.14 01:11:17 (1404214823961780229) from Daniel J. Bernstein, replying to "Steven Galbraith (@EllipticKiwi)" (1403577308456243204):

To answer your question re key clamping: variable position of leading 1 + textbook ladder → timing leak. So X25519 and Ed25519 specs both require fixed position. Section 5.3 of https://cr.yp.to/papers.html#multischnorr suggests setting the position (compatibly!) for a tight multi-user reduction.
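
As an added example that is not part of the thread (neither Bernstein's nor Galbraith's code), here are the RFC 7748 clamping rules and an X25519 Montgomery ladder in two variants: the fixed 255-bit scan the spec mandates, and a textbook scan that starts at the scalar's leading 1, whose step count depends on the secret unless clamping has pinned that bit to position 254. The RFC 7748 section 5.2 test vector serves as the check.

```python
# Added example, not from the thread: RFC 7748 X25519 clamping, plus a ladder
# scanning either a fixed 255 bits (spec) or starting at the leading 1 (textbook).
P = 2**255 - 19
A24 = 121665

def clamp(secret: bytes) -> int:
    """Decode a 32-byte secret as RFC 7748 does: clear the low 3 bits
    (cofactor 8), clear bit 255, set bit 254 so the leading 1 is fixed."""
    if len(secret) != 32:
        raise ValueError("X25519 secrets are 32 bytes")
    k = bytearray(secret)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def cswap(swap: int, a: int, b: int):
    """Branch-free conditional swap: swap=1 exchanges a and b."""
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy

def ladder(k: int, u: int, nbits: int):
    """Montgomery ladder on Curve25519's u-line over bits nbits-1..0.
    Returns (u-coordinate of k*u, number of ladder steps taken)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(nbits - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P, nbits

def x25519(secret: bytes, peer_u: bytes, textbook: bool = False):
    """X25519 with a clamped secret. textbook=True starts the ladder at the
    leading 1; after clamping that is always bit 254, so both take 255 steps."""
    k = clamp(secret)
    u = int.from_bytes(peer_u, "little") & ((1 << 255) - 1)
    out, steps = ladder(k, u, k.bit_length() if textbook else 255)
    return out.to_bytes(32, "little"), steps
```

Without clamping, `ladder(k, u, k.bit_length())` still computes the right point (leading zero bits leave the ladder state unchanged), but its step count, and hence its running time, is a function of the secret.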

Context

2021.06.12 06:54:11 (1403576340465426434) from "Steven Galbraith (@EllipticKiwi)":

In my review I argue that "strong existential forgery" security is irrelevant, I review the security proofs of EdDSA (including by Brendel, Cremers, Jackson and Zhao), and I argue that "key clamping" seems to cause more difficulties than it provides benefits.

2021.06.12 06:58:02 (1403577308456243204) from "Steven Galbraith (@EllipticKiwi)", replying to "Steven Galbraith (@EllipticKiwi)" (1403576340465426434):

My main conclusions are that EdDSA is a good signature scheme and that Curve25519 provides a high level of security for the next 10-20 years.