>> Right, that I agree with. Packets should be deterministically created by
>> the sender, and they should be verifiable by the recipient.
>
> Then you lose the better theoretical foundations of probabilistic signature
> schemes ...
If you drop receiver verification as a requirement, you can derive the salt deterministically from the private key and the message hash. Such a salt offers most of the advantages of a random salt, without needing actual randomness. For DSA/Schnorr we already have some schemes that work this way. In principle we could apply this technique to RSA-PSS as well.

Personally I avoid randomness wherever possible. Not because of worries about backdoors, but because it's easier to use and test.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
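The construction the post sketches, as an added example (not code from the poster or from any library): RFC 8017 EMSA-PSS with SHA-256 and MGF1, implemented in pure Python so the salt can be supplied explicitly, with the salt computed as HMAC-SHA256 over H(m) under a key derived from the private exponent. That derivation, the label string, and the 1024-bit seeded demo key are assumptions made for the example; the derivation is the RSA-PSS analogue of the deterministic nonces RFC 6979 defines for (EC)DSA. The point to notice is that `verify` is ordinary PSS verification: it recovers the salt from the encoded message and never needs to know how the signer chose it, which is exactly the "no receiver verification of the salt" property the post describes.

```python
import hashlib
import hmac
import random

HASH, HLEN = hashlib.sha256, 32

def i2osp(x, length):
    return x.to_bytes(length, "big")

def os2ip(b):
    return int.from_bytes(b, "big")

def mgf1(seed, mask_len):
    blocks = (mask_len + HLEN - 1) // HLEN
    return b"".join(HASH(seed + i2osp(c, 4)).digest() for c in range(blocks))[:mask_len]

def emsa_pss_encode(m_hash, em_bits, salt):
    # RFC 8017 section 9.1.1 with the salt passed in by the caller.
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("modulus too small for this hash/salt length")
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytes(x ^ y for x, y in zip(db, mgf1(h, len(db))))
    top = 8 * em_len - em_bits                      # leading bits that must be zero
    return bytes([masked[0] & (0xFF >> top)]) + masked[1:] + h + b"\xbc"

def emsa_pss_verify(m_hash, em, em_bits, s_len):
    """Return the recovered salt if EM is consistent with m_hash, else None."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < HLEN + s_len + 2 or em[-1] != 0xBC:
        return None
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    top = 8 * em_len - em_bits
    if masked[0] >> (8 - top):
        return None
    db = bytes(x ^ y for x, y in zip(masked, mgf1(h, len(masked))))
    db = bytes([db[0] & (0xFF >> top)]) + db[1:]
    ps_len = em_len - HLEN - s_len - 2
    if db[:ps_len] != b"\x00" * ps_len or db[ps_len] != 0x01:
        return None
    salt = db[ps_len + 1:]                          # verifier treats the salt as opaque
    h2 = HASH(b"\x00" * 8 + m_hash + salt).digest()
    return salt if hmac.compare_digest(h, h2) else None

def deterministic_salt(d, m_hash):
    # Assumed construction: salt = HMAC-SHA256(K, H(m)) with K derived from the
    # private exponent d. Same key and message give the same salt; without d the
    # salt is unpredictable. Label string is a constructed, arbitrary choice.
    k = HASH(b"rsa-pss-salt-key" + i2osp(d, (d.bit_length() + 7) // 8)).digest()
    return hmac.new(k, m_hash, HASH).digest()

def sign(n, d, msg):
    m_hash = HASH(msg).digest()
    em = emsa_pss_encode(m_hash, n.bit_length() - 1, deterministic_salt(d, m_hash))
    return i2osp(pow(os2ip(em), d, n), (n.bit_length() + 7) // 8)

def verify(n, e, msg, sig):
    """Standard RSASSA-PSS verify (salt length = HLEN); returns the salt or None."""
    if len(sig) != (n.bit_length() + 7) // 8 or os2ip(sig) >= n:
        return None
    em_bits = n.bit_length() - 1
    em = i2osp(pow(os2ip(sig), e, n), (em_bits + 7) // 8)
    return emsa_pss_verify(HASH(msg).digest(), em, em_bits, HLEN)

def is_probable_prime(n, rounds=32):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                           # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa_key(bits=1024, seed=None):
    # Constructed demo key: 1024 bits only so pure-Python generation is quick,
    # seeded only so the example is reproducible. Use a real library in practice.
    rng, e = random.Random(seed), 65537
    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

if __name__ == "__main__":
    n, e, d = gen_rsa_key(seed=7)
    msg = b"constructed sample message"
    print("deterministic:", sign(n, d, msg) == sign(n, d, msg))
    print("salt seen by verifier:", verify(n, e, msg, sign(n, d, msg)).hex())
```

Signing the same message twice yields byte-identical signatures, so the signer is testable against fixed vectors, while the verifier is unchanged from standard PSS. The remaining caveat the post's own framing implies: an attacker who learns nothing from the salt also learns nothing from its determinism, but anyone holding `d` can of course reproduce it, so the salt key must be treated as private-key material.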
