I agree that randomness-reuse is a major issue. Recently about 55 Bitcoin were stolen by exploiting this, for example:

http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/

However, it is quite straightforward to make yourself safe from re-used nonces in (EC)DSA, like this:

https://github.com/trezor/python-ecdsa/commit/8efb52fad5025ae87b649ff78faa9f8076768065

Whenever the public-key crypto spec says that you have to come up with a random number, don't do it! Instead of just pulling a random number from your PRNG, mix the message into your PRNG to generate a random number which will therefore be unique to this message. Note that you don't have to get anyone else's cooperation in order to do this -- interoperating implementations can't tell how you chose your "random" number, so they can't complain if you do it this way.

Wei Dai's Crypto++ library has done this for ages, for *all* nonces generated in the course of public-key operations.

DJB's Ed25519 takes this one step further, and makes the nonce determined *solely* by the message and the secret key, avoiding the PRNG part altogether:

http://ed25519.cr.yp.to/papers.html

In my opinion, that's the way to go. It applies equally well to (EC)DSA, and still enjoys the above-mentioned interoperability. There is now a standard for this fully-deterministic approach in the works, edited by Thomas Pornin:

https://tools.ietf.org/html/rfc6979

Therefore, Ed25519 or RFC-6979-enhanced (EC)DSA is actually safer than RSA-PSS is with regard to this issue.

Regards,

Zooko

_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
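The fully deterministic nonce construction the message above recommends (RFC 6979, applied to ECDSA), as an added, runnable example. This is not code from the original message, nor from Crypto++, python-ecdsa or the Ed25519 reference implementation. It derives k from the private key and the message hash with RFC 6979's HMAC-DRBG procedure on NIST P-256 with SHA-256, checks the result against the RFC's own "sample" test vector, and shows why the advice matters by recovering the private key from two signatures that reused a nonce. The curve constants are the published P-256 parameters; the private key and messages are the RFC 6979 Appendix A.2.5 test values; the helper names (rfc6979_k, sign, verify, recover_private_key, message_hash) are this example's own. Point arithmetic is plain affine double-and-add and is not constant-time, so it is for study, not production.

```python
"""RFC 6979 deterministic ECDSA nonces on P-256/SHA-256 (added example).

Assumptions: NIST P-256 parameters; private key and messages taken from
RFC 6979 Appendix A.2.5; all function names are this example's own.
"""
import hashlib
import hmac

# NIST P-256 (secp256r1): field prime, coefficient a, group order, base point.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def message_hash(msg):
    return hashlib.sha256(msg).digest()


def _bits2int(b, qlen):
    """RFC 6979 2.3.2: the leftmost qlen bits of a bit string, as an integer."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - qlen) if blen > qlen else v


def rfc6979_k(x, h1, q, hashfn=hashlib.sha256):
    """RFC 6979 3.2: derive k from private key x and message hash h1 via HMAC-DRBG.

    The same (x, h1) always yields the same k; no PRNG is consulted at all."""
    qlen, hlen = q.bit_length(), hashfn().digest_size
    rolen = (qlen + 7) // 8
    int2octets = lambda v: v.to_bytes(rolen, "big")
    bits2octets = lambda b: int2octets(_bits2int(b, qlen) % q)
    mac = lambda key, data: hmac.new(key, data, hashfn).digest()
    V, K = b"\x01" * hlen, b"\x00" * hlen
    K = mac(K, V + b"\x00" + int2octets(x) + bits2octets(h1))
    V = mac(K, V)
    K = mac(K, V + b"\x01" + int2octets(x) + bits2octets(h1))
    V = mac(K, V)
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = mac(K, V)
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        K = mac(K, V + b"\x00")  # candidate out of range: rekey and try again
        V = mac(K, V)


def _add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _e(msg):
    return _bits2int(message_hash(msg), Q.bit_length())


def sign(x, msg, k=None):
    """ECDSA sign. k defaults to the RFC 6979 nonce; passing k explicitly
    models the fragile 'caller supplies the randomness' API."""
    k = rfc6979_k(x, message_hash(msg), Q) if k is None else k
    r = _mul(k, G)[0] % Q
    s = pow(k, -1, Q) * (_e(msg) + r * x) % Q
    return r, s


def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    pt = _add(_mul(_e(msg) * w % Q, G), _mul(r * w % Q, pub))
    return pt is not None and pt[0] % Q == r


def recover_private_key(msg1, sig1, msg2, sig2):
    """Two signatures under one k share r, and s1 - s2 = k^-1 (e1 - e2) leaks k,
    after which x = (s1*k - e1) / r. This is the nonce-reuse break."""
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2:
        raise ValueError("nonces differ; nothing to recover")
    e1, e2 = _e(msg1), _e(msg2)
    k = (e1 - e2) * pow(s1 - s2, -1, Q) % Q
    return (s1 * k - e1) * pow(r, -1, Q) % Q


if __name__ == "__main__":
    x = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
    pub = _mul(x, G)
    sig = sign(x, b"sample")
    print("deterministic:", sig == sign(x, b"sample"), "verifies:", verify(pub, b"sample", sig))
    bad_k = 0x1234567890ABCDEF  # the bug: one nonce reused for two messages
    s1, s2 = sign(x, b"message one", bad_k), sign(x, b"message two", bad_k)
    print("key recovered:", recover_private_key(b"message one", s1, b"message two", s2) == x)
```

The first print shows the property the message relies on: signing the same message twice yields byte-identical signatures, and nothing a verifier sees reveals how k was chosen. The second print is the failure mode the deterministic construction removes: with a fixed k, two signatures on different messages give the private key back in a few modular operations.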
