On Sep 11, 2013, at 1:53 AM, zooko <zo...@zooko.com> wrote:
> DJB's Ed25519 takes [using message context as part of random number 
> generation one step further, and makes the nonce determined *solely* by the 
> message and the secret key, avoiding the PRNG part altogether:
This is not *necessarily* safe.  In another thread, we discussed whether 
choosing the IV for CBC mode by encrypting 0 with the session key was 
sufficient to meet the randomness requirements.  It turns out it does not.  I 
won't repeat the link to Rogoway's paper on the subject, where he shows that 
using this technique is strictly weaker than using a true random IV.

That doesn't mean the way it's done in Ed25519 is unsafe, just that you cannot 
generically assume that computing a random value from existing private 
information is safe.
                                                        -- Jerry

The cryptography mailing list

Reply via email to