You wrote:

> I just became aware of RFC 6979 "Deterministic Usage of the Digital
> Signature Algorithm (DSA) and Elliptic Curve Digital Signature
> Algorithm (ECDSA)" (Informational).
>
> I think deterministic signatures are a good thing, and using the secret
> key also as a HMAC key to generate the random input is a natural idea.

I agree.

> But then one could arrange the details in many different ways. Is the
> method in RFC 6979 a good way?

I suspect it is "good" in the way that it is used in a couple of places, and nobody has proven it to be a bad way yet. Those are weak arguments. It seems RFC 6979 uses HMAC_DRBG? You could use HKDF (RFC 5869) instead to derive the key, I think, but it is also based on HMAC.

> After a quick reading, the steps c. and d. (Sec. 3.2) seem
> questionable; HMAC with a known constant key just seems more
> complicated than a simple hashing operation, and no more secure.

I know it is generally the wrong question to ask, but anyway: Could it be less secure? HMAC has some properties that go beyond the underlying hash function. For example, HMAC-MD5 is still considered secure (I believe) even though MD5 is broken.

However, I also suspect a time will come to find weaknesses in HMAC: it is so ubiquitously used (nice target for a crypto paper), there are modern alternatives with a more scientific design (= suggests weaknesses in earlier design), and generally the HMAC design is rather 1980ish with hard coded magic numbers, so there are bound to be weaknesses -- side channel leakage or weak keys or whatever? I've been surprised that there have been so few results/studies on HMAC in recent years. That could also mean HMAC is perfect, of course. :-)

/Simon

_______________________________________________
nettle-bugs mailing list
[email protected]
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
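For reference, the RFC 6979 Section 3.2 procedure the thread is discussing (steps c. and d. are the HMAC calls with the all-zero constant key K), written out as an added example in Python; this is not code from the email or from Nettle, and the constants are the P-256 group order and the RFC's Appendix A.2.5 test key.

```python
import hashlib
import hmac

# Group order of P-256 (used by the RFC 6979 Appendix A.2.5 test vectors).
P256_ORDER = int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)


def bits2int(b, qlen):
    """RFC 6979 2.3.2: interpret b as a big-endian integer, keep the qlen leftmost bits."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - qlen) if blen > qlen else v


def bits2octets(b, q, qlen, rolen):
    """RFC 6979 2.3.4: bits2int, reduce once modulo q, then encode in rolen bytes."""
    z1 = bits2int(b, qlen)
    z2 = z1 - q
    return (z1 if z2 < 0 else z2).to_bytes(rolen, "big")


def generate_k(q, x, h1, hash_fn=hashlib.sha256):
    """Deterministic nonce k from private key x and message hash h1 (RFC 6979 3.2)."""
    qlen = q.bit_length()
    rolen = (qlen + 7) // 8
    hlen = hash_fn().digest_size
    seed = x.to_bytes(rolen, "big") + bits2octets(h1, q, qlen, rolen)
    V = b"\x01" * hlen                    # step b.: V = 0x01 0x01 ... 0x01
    K = b"\x00" * hlen                    # step c.: K = 0x00 0x00 ... 0x00 (the known constant key)
    K = hmac.new(K, V + b"\x00" + seed, hash_fn).digest()   # step d.
    V = hmac.new(K, V, hash_fn).digest()                    # step e.
    K = hmac.new(K, V + b"\x01" + seed, hash_fn).digest()   # step f.
    V = hmac.new(K, V, hash_fn).digest()                    # step g.
    while True:                           # step h.: generate candidates until 1 <= k < q
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hash_fn).digest()
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:
            return k
        K = hmac.new(K, V + b"\x00", hash_fn).digest()
        V = hmac.new(K, V, hash_fn).digest()


def rfc6979_p256_sample_k():
    """Nonce for the RFC 6979 A.2.5 test vector: P-256, SHA-256, message "sample"."""
    x = int("C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721", 16)
    return generate_k(P256_ORDER, x, hashlib.sha256(b"sample").digest())
```

The same key and message always yield the same k, which is the whole point; anything that changes the message or the private key changes k.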
