2021.06.14 01:11:17 (1404214823961780229) from Daniel J. Bernstein, replying to "Steven Galbraith (@EllipticKiwi)" (1403577308456243204):
To answer your question re key clamping: variable position of leading 1 + textbook ladder → timing leak. So X25519 and Ed25519 specs both require fixed position. Section 5.3 of https://cr.yp.to/papers.html#multischnorr suggests setting the position (compatibly!) for a tight multi-user reduction.
2021.06.12 06:54:11 (1403576340465426434) from "Steven Galbraith (@EllipticKiwi)":
In my review I argue that "strong existential forgery" security is irrelevant, I review the security proofs of EdDSA (including by Brendel, Cremers, Jackson and Zhao), and I argue that "key clamping" seems to cause more difficulties than it provides benefits.
2021.06.12 06:58:02 (1403577308456243204) from "Steven Galbraith (@EllipticKiwi)", replying to "Steven Galbraith (@EllipticKiwi)" (1403576340465426434):
My main conclusions are that EdDSA is a good signature scheme and that Curve 25519 provides a high level of security for the next 10-20 years