2021.06.14 01:46:07 (1404223588123648004) from Daniel J. Bernstein, replying to "Steven Galbraith (@EllipticKiwi)" (1404217529363402759):
Pohlig-Hellman immediately reveals the bottom 3 bits, so setting them to be nonzero wouldn't gain security, while zero gives slight simplifications+speedups in optimized software. The multi-user security questions you mention are tied to the top bits, not the bottom bits.
2021.06.14 01:49:16 (1404224380641579008) from Daniel J. Bernstein:
If you're thinking that Pohlig-Hellman won't apply to a protocol that applies the secret only to the standard prime-order base point: Sure, but basic ECDH doesn't work that way, and being able to share as much as possible with basic ECDH is a general win for the ecosystem.
2021.06.12 06:54:11 (1403576340465426434) from "Steven Galbraith (@EllipticKiwi)":
In my review I argue that "strong existential forgery" security is irrelevant, I review the security proofs of EdDSA (including by Brendel, Cremers, Jackson and Zhao), and I argue that "key clamping" seems to cause more difficulties than it provides benefits.
2021.06.12 06:58:02 (1403577308456243204) from "Steven Galbraith (@EllipticKiwi)", replying to "Steven Galbraith (@EllipticKiwi)" (1403576340465426434):
My main conclusions are that EdDSA is a good signature scheme and that Curve 25519 provides a high level of security for the next 10-20 years
2021.06.14 01:11:17 (1404214823961780229) from Daniel J. Bernstein, replying to "Steven Galbraith (@EllipticKiwi)" (1403577308456243204):
To answer your question re key clamping: variable position of leading 1 + textbook ladder → timing leak. So X25519 and Ed25519 specs both require fixed position. Section 5.3 of https://cr.yp.to/papers.html#multischnorr suggests setting the position (compatibly!) for a tight multi-user reduction.
2021.06.14 01:22:02 (1404217529363402759) from "Steven Galbraith (@EllipticKiwi)":
I dont mind the leading 1. It's the zero LSB that seems unnecessary