On Sep 11, 2013, at 1:53 AM, zooko <zo...@zooko.com> wrote:

> DJB's Ed25519 takes [using message context as part of random number
> generation] one step further, and makes the nonce determined *solely* by the
> message and the secret key, avoiding the PRNG part altogether:

This is not *necessarily* safe. In another thread, we discussed whether choosing the IV for CBC mode by encrypting 0 with the session key was sufficient to meet the randomness requirements. It turns out it does not. I won't repeat the link to Rogaway's paper on the subject, where he shows that using this technique is strictly weaker than using a true random IV.

That doesn't mean the way it's done in Ed25519 is unsafe, just that you cannot generically assume that computing a random value from existing private information is safe.

-- Jerry

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
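The two constructions contrasted in this thread, as an added illustration that is not part of Jerry's or zooko's posts. The block cipher below is a toy 4-round Feistel network built from SHA-256 (constructed for this example, not AES or any cipher discussed on the list); CBC mode over it is used to show why IV = E_K(0) is weaker than a random IV: the IV is a fixed function of the key, so two encryptions under the same key expose whether the first plaintext blocks match. The Ed25519 part follows RFC 8032 (r = SHA-512(prefix || M) mod L, with prefix the upper half of SHA-512(seed)) and shows that its "derived" nonce is bound to the message, so equal nonces can only arise from equal messages.

```python
import hashlib
import os

BLOCK = 16  # toy cipher block size in bytes

def _round(key: bytes, i: int, half: bytes) -> bytes:
    """Round function for the toy cipher: SHA-256 keyed on (key, round index)."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit Feistel block cipher (constructed for this example; NOT a real cipher)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC mode over the toy cipher; plaintext length must be a multiple of BLOCK."""
    assert len(plaintext) % BLOCK == 0
    out = bytearray()
    prev = iv
    for off in range(0, len(plaintext), BLOCK):
        xored = bytes(a ^ b for a, b in zip(plaintext[off:off + BLOCK], prev))
        prev = toy_block_encrypt(key, xored)
        out += prev
    return bytes(out)

def iv_from_encrypted_zero(key: bytes) -> bytes:
    """The construction questioned in the thread: IV = E_K(0^n), fixed per key."""
    return toy_block_encrypt(key, bytes(BLOCK))

def iv_random(_key: bytes) -> bytes:
    """A fresh uniformly random IV per message (the key is ignored)."""
    return os.urandom(BLOCK)

def first_block_collides(key: bytes, msg_a: bytes, msg_b: bytes, iv_source) -> bool:
    """True when two CBC encryptions under `key` share their first ciphertext block.

    With IV = E_K(0) this happens exactly when the first plaintext blocks are
    equal, so an eavesdropper learns plaintext equality; with a random IV a
    collision has probability 2^-128 regardless of the plaintexts.
    """
    ct_a = cbc_encrypt(key, iv_source(key), msg_a)
    ct_b = cbc_encrypt(key, iv_source(key), msg_b)
    return ct_a[:BLOCK] == ct_b[:BLOCK]

# Order of the Ed25519 base point (RFC 8032, section 5.1).
L = 2**252 + 27742317777372353535851937790883648493

def ed25519_nonce(seed: bytes, message: bytes) -> int:
    """Ed25519's deterministic nonce r = SHA-512(prefix || M) mod L (RFC 8032, 5.1.6).

    `prefix` is the upper 32 bytes of SHA-512(seed). The nonce depends on both
    the secret and the message, so distinct messages get distinct nonces
    (up to hash collisions) and the same message always gets the same nonce.
    """
    assert len(seed) == 32
    prefix = hashlib.sha512(seed).digest()[32:]
    return int.from_bytes(hashlib.sha512(prefix + message).digest(), "little") % L

if __name__ == "__main__":
    key = b"k" * 16                       # constructed sample key
    m1 = b"A" * 32                        # two constructed messages sharing block 0
    m2 = b"A" * 16 + b"B" * 16
    print("E_K(0) IV leaks shared prefix:", first_block_collides(key, m1, m2, iv_from_encrypted_zero))
    print("random IV leaks shared prefix:", first_block_collides(key, m1, m2, iv_random))
    seed = b"\x01" * 32                   # constructed sample seed
    print("Ed25519 nonce bound to message:", ed25519_nonce(seed, b"a") != ed25519_nonce(seed, b"b"))
```

The CBC half is the failure mode Rogaway's analysis captures: the "derived" IV is a deterministic function of the key alone, so the scheme degenerates to a deterministic encryption of the first block. The Ed25519 half shows why the same intuition does not transfer directly: the derived value is a function of the key and the message, which is the property the signature's security argument actually needs.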