On Sep 11, 2013, at 1:53 AM, zooko <[email protected]> wrote:
> DJB's Ed25519 takes [using message context as part of random number
> generation] one step further, and makes the nonce determined *solely* by the
> message and the secret key, avoiding the PRNG part altogether:
This is not *necessarily* safe. In another thread, we discussed whether
choosing the IV for CBC mode by encrypting 0 with the session key was
sufficient to meet the randomness requirements. It turns out it does not. I
won't repeat the link to Rogaway's paper on the subject, where he shows that
using this technique is strictly weaker than using a true random IV.
That doesn't mean the way it's done in Ed25519 is unsafe, just that you cannot
generically assume that computing a random value from existing private
information is safe.
-- Jerry
_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
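Jerry's CBC point, as an added Go example that is not part of the thread: AES-CBC with the IV derived as E_K(0) beside the same encryption with a random IV, showing that the key-derived IV repeats for every message under a key and therefore exposes whether two ciphertexts share a first plaintext block. The key and plaintexts are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// cbcEncrypt returns iv || AES-CBC(plaintext) for a block-aligned plaintext.
func cbcEncrypt(block cipher.Block, iv, plaintext []byte) []byte {
	out := make([]byte, len(iv)+len(plaintext))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[len(iv):], plaintext)
	return out
}

// EncryptDerivedIV uses IV = E_K(0^16), the construction questioned in the
// thread: the IV is a fixed function of the key, so every message under that
// key gets the same IV and CBC becomes deterministic in its first block.
func EncryptDerivedIV(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	block.Encrypt(iv, make([]byte, aes.BlockSize)) // E_K(0)
	return cbcEncrypt(block, iv, plaintext), nil
}

// EncryptRandomIV is the same CBC encryption with a fresh IV from the OS CSPRNG.
func EncryptRandomIV(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return cbcEncrypt(block, iv, plaintext), nil
}

// SameFirstBlock reports whether two outputs share their first ciphertext
// block (the block after the IV). With a key-derived IV this holds exactly
// when the plaintexts share their first block, which any observer can see;
// with a random IV it holds only with negligible probability.
func SameFirstBlock(a, b []byte) bool {
	return bytes.Equal(a[aes.BlockSize:2*aes.BlockSize], b[aes.BlockSize:2*aes.BlockSize])
}
```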