On Mon, Oct 31, 2016 at 7:12 PM Trevor Perrin <[email protected]> wrote:
>
> https://whispersystems.org/docs/specifications/xeddsa/
>
> Thanks for feedback everyone,
>
> I plan to make the following tweaks, then freeze the design (at least
> for 25519):
> (...)
>
> (2) Replace hash_i(a || ... || Z) with hash_i(a || Z || pad || ...)
> for reasons here [2] - mainly a bit more side-channel resistance, and
> slightly cleaner use of the hash.
>
Sorry for resurrecting this, but I've been studying this issue and I'm wondering: is there any reason why this was not incorporated into the specification? It still uses hash_i(a || ... || Z).

In this paper https://eprint.iacr.org/2017/985.pdf it is explicitly mentioned that XEdDSA is vulnerable for this reason.

Best regards,
Conrado
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
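The two nonce derivations being compared above, written out as an added example (this is not code from the thread, the XEdDSA spec, or Signal's implementation). It instantiates hash_1 for the 25519 parameters as SHA-512 with the 32-byte little-endian prefix 2^256 - 2, takes a as 32 bytes and Z as 64 bytes, and treats `pad` as an assumed parameter (empty by default, since prefix + a + Z already fills one SHA-512 block). The point it makes concrete is the one the quoted tweak was about: with hash_1(a || M || Z), every compression call up to the end of M runs on state that depends only on (a, M) and is reproduced identically each time the same message is signed; with hash_1(a || Z || pad || M) the randomizer is absorbed in the first block, so no compression call's input is fixed by the attacker-chosen message alone.

```python
import hashlib

# XEdDSA, 25519 parameters: hash_i(X) = SHA-512((2^256 - 1 - i) || X), the integer
# encoded as 32 little-endian bytes, so the hash_1 prefix is 0xFE followed by 31 x 0xFF.
HASH1_PREFIX = (2**256 - 1 - 1).to_bytes(32, "little")
Q = 2**252 + 27742317777372353535851937790883648493   # order of the Ed25519 base point
SHA512_BLOCK = 128                                     # SHA-512 block size in bytes


def nonce_spec(a: bytes, M: bytes, Z: bytes) -> int:
    """r = hash_1(a || M || Z) (mod q): the ordering in the published spec."""
    digest = hashlib.sha512(HASH1_PREFIX + a + M + Z).digest()
    return int.from_bytes(digest, "little") % Q


def nonce_reordered(a: bytes, M: bytes, Z: bytes, pad: bytes = b"") -> int:
    """r = hash_1(a || Z || pad || M) (mod q): the tweak proposed in the quoted mail.

    `pad` is an assumed parameter, not taken from the spec. With a 32-byte prefix,
    32-byte a and 64-byte Z the first SHA-512 block is already full, so the default
    is empty; any other choice only has to keep Z inside the first block.
    """
    digest = hashlib.sha512(HASH1_PREFIX + a + Z + pad + M).digest()
    return int.from_bytes(digest, "little") % Q


def z_independent_blocks(a_len: int, M_len: int, reordered: bool) -> int:
    """Number of full SHA-512 compression calls whose input is fixed by (a, M) alone,
    i.e. that run before any byte of the randomizer Z has been absorbed.

    In the spec ordering this grows with the (possibly attacker-chosen) message
    length; in the reordered form Z sits in the first block, so it is always zero.
    """
    fixed_prefix = len(HASH1_PREFIX) + a_len + (0 if reordered else M_len)
    return fixed_prefix // SHA512_BLOCK


def prefix_state_is_z_independent(a: bytes, M: bytes, Z1: bytes, Z2: bytes) -> bool:
    """Show the spec-ordering property directly: one hash object fed prefix || a || M
    can be forked (copy()) and finished with either Z, and each fork equals the
    from-scratch hash. Everything computed before Z is absorbed is therefore a
    deterministic function of (a, M), repeated across signatures of the same
    message, which is the kind of target the quoted side-channel concern refers to."""
    state = hashlib.sha512(HASH1_PREFIX + a + M)
    for Z in (Z1, Z2):
        fork = state.copy()
        fork.update(Z)
        if fork.digest() != hashlib.sha512(HASH1_PREFIX + a + M + Z).digest():
            return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, not real key material.
    a = bytes(range(32))
    M = b"attacker-chosen message " * 170      # 4080 bytes
    Z1, Z2 = bytes(64), b"\x01" * 64
    print("spec ordering, Z-independent blocks:", z_independent_blocks(32, len(M), False))
    print("reordered,     Z-independent blocks:", z_independent_blocks(32, len(M), True))
    print("r (spec):     ", hex(nonce_spec(a, M, Z1)))
    print("r (reordered):", hex(nonce_reordered(a, M, Z1)))
```

Both derivations produce a valid scalar in [0, q) and both still randomize r across signatures of the same message; the difference the block exposes is only how much of the hash computation happens on Z-independent state, which is the property the proposed reordering changes.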
