On 7/27/2014 7:39 PM, Jon Callas wrote:
>> The reason to include the message is that if the nonce repeats and the message
>> does not, then you leak the secret key.  This only matters if you're worried
>> about the RNG repeating, but it seems like a valid concern.
>
> Then there must be something I don't understand. This may very well be my
> underlying point -- if you throw lots of stuff together so that it's hard to
> understand, then you don't necessarily get something secure, you just get
> something hard to understand.

Point taken.

> I've been re-reading and it sounds like you're trying to design crypto that
> works even when the crypto is broken. I'm not sure that even makes sense.
>
>         Jon

Well, sort of. My main concern is that you don't reveal the secret key if the RNG is weak, or repeats, or nearly repeats. Since the RNG is pretty much the weakest point in the system, the easiest to screw up, the hardest to test, one of the most valuable to backdoor, etc., I think this is a valid concern.

This suggests that PRF(message) should be there, because if the nonce repeats and the message doesn't, you lose.

Most of the rest is bike shed design: discussing some problem mostly because it's not actually important, so there are many almost-equally-valid ways to do it. It'd be nice not to rely on collision resistance, it'd be nice to be [deterministic/random] for blah reasons, etc.

Cheers,
-- Mike
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
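The nonce-derivation point Mike makes above, as an added example that is not part of the thread: three ways of deriving a Schnorr/EdDSA-style nonce are fed a "stuck" RNG that returns the same bytes for two different messages. The secret prefix and the stuck RNG output are constructed demo values, and HMAC-SHA512 is assumed here as the keyed PRF(message) the thread refers to.

```python
import hashlib
import hmac
import os

# Constructed demo values: a long-term secret prefix (in EdDSA this would be
# the second half of H(private key)) and an RNG that is stuck on one output.
SECRET_PREFIX = hashlib.sha256(b"constructed-demo-secret").digest()
STUCK_RNG_OUTPUT = b"\x42" * 32


def nonce_rng_only(secret_prefix, rng_output, message):
    """Nonce taken straight from the RNG: repeats whenever the RNG repeats."""
    return rng_output


def nonce_deterministic(secret_prefix, rng_output, message):
    """EdDSA-style H(prefix || message): ignores the RNG entirely."""
    return hashlib.sha512(secret_prefix + message).digest()[:32]


def nonce_hedged(secret_prefix, rng_output, message):
    """RNG output mixed with a secret-keyed PRF of the message (assumed: HMAC)."""
    return hmac.new(secret_prefix, rng_output + message, hashlib.sha512).digest()[:32]


def repeats_across_messages(derive, rng_outputs, messages):
    """True if the scheme hands the same nonce to two *different* messages,
    which is the case that leaks the secret key."""
    seen = {}
    for rnd, msg in zip(rng_outputs, messages):
        n = derive(SECRET_PREFIX, rnd, msg)
        if seen.get(n, msg) != msg:
            return True
        seen[n] = msg
    return False


def stuck_rng_results():
    msgs = [b"transfer 10 coins", b"transfer 1000 coins"]   # constructed
    stuck = [STUCK_RNG_OUTPUT] * len(msgs)
    return {
        "rng_only": repeats_across_messages(nonce_rng_only, stuck, msgs),
        "deterministic": repeats_across_messages(nonce_deterministic, stuck, msgs),
        "hedged": repeats_across_messages(nonce_hedged, stuck, msgs),
    }


def same_message_twice(derive):
    """Does re-signing one message with fresh randomness change the nonce?"""
    msg = b"same message"
    return derive(SECRET_PREFIX, os.urandom(32), msg) != derive(SECRET_PREFIX, os.urandom(32), msg)
```

Only the RNG-only scheme reuses a nonce across distinct messages; the hedged scheme keeps that property while still producing fresh nonces for repeated messages when the RNG is healthy.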