EdDSA, Edwards-curve Digital Signature Algorithm (EdDSA), is a digital signature scheme using a variant of Schnorr signature based on Twisted Edwards curves (source).
Schnorr signatures have a remarkable property: linearity. This allows multiple parties to collaborate to produce a valid signature for the sum of their public keys.
- Does EdDSA provide the same security guarantees when aggregating signatures or deriving a new signature?
- Can we apply the same blind signature schema of Schnorr for EdDSA?
- If yes, what are the secure EdDSA aggregation constructions?
I found the following constructions for EdDSA, but I'm not sure if they have been analysed enough:
