> On 13 Jul 2018, at 22:37, Bernd Fix <[email protected]> wrote:
>
> And maybe even a third one: I stumbled across an approach to use
> Curve25519 keypairs for both ECDH and Ed25519 signatures
> [https://moderncrypto.org/mail-archive/curves/2014/000293.html].

I don’t think it breaks Taler per se, but it’s needlessly complex... and it damages the deterministic signatures property of Ed25519.

Also, I’m not 100% sure that NaCl-based libraries lack a suitable Edwards scalar multiplication. They may not expose it, but Ed25519 signature verification involves a variable-time double scalar multiplication. This variable-time operation suffices, except that it enables JavaScript side-channel attacks. You could prevent those using key splitting. Ain’t pretty, obviously. :)

Jeff
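An added illustration, not part of the original message or of any GNUnet/Taler code: one reading of the "key splitting" mentioned above, assuming it means additive splitting of the secret scalar so that each variable-time multiplication only ever processes a fresh random share. The function names (`vartime_mul`, `split_scalar`, `split_mul`) and the textbook double-and-add routine are assumptions made for the example.

```python
import secrets

p = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493   # prime order of the base point
d = -121665 * pow(121666, p - 2, p) % p               # Edwards curve constant

# Ed25519 base point (RFC 8032) in extended coordinates (X, Y, Z, T), y = 4/5.
_by = 4 * pow(5, p - 2, p) % p
_bx = 15112221349535400772501151409588531511454012693041857206046113283949847762202
B = (_bx, _by, 1, _bx * _by % p)
IDENTITY = (0, 1, 1, 0)

def point_add(P, Q):
    """Unified addition on the twisted Edwards curve (RFC 8032 formulas)."""
    A = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    Bv = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    C = 2 * P[3] * Q[3] * d % p
    D = 2 * P[2] * Q[2] % p
    E, F, G, H = Bv - A, D - C, D + C, Bv + A
    return (E * F % p, G * H % p, F * G % p, E * H % p)

def vartime_mul(s, P):
    """Plain double-and-add: running time depends on the bits of s."""
    Q = IDENTITY
    while s:
        if s & 1:
            Q = point_add(Q, P)
        P = point_add(P, P)
        s >>= 1
    return Q

def to_affine(P):
    """Convert extended coordinates to affine (x, y) for comparison."""
    zinv = pow(P[2], p - 2, p)
    return (P[0] * zinv % p, P[1] * zinv % p)

def split_scalar(s):
    """Fresh additive shares with s1 + s2 = s (mod L).
    Reducing mod L is only valid for points in the prime-order subgroup."""
    s1 = secrets.randbelow(L)
    return s1, (s - s1) % L

def split_mul(s, P):
    """s*P computed as s1*P + s2*P; each multiplication sees only one share."""
    s1, s2 = split_scalar(s)
    return point_add(vartime_mul(s1, P), vartime_mul(s2, P))
```

The shares are redrawn on every call, so timing observed for one multiplication does not correspond to a fixed secret; the cost is two scalar multiplications and one addition per operation.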
_______________________________________________
GNUnet-developers mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/gnunet-developers
