Adam Langley:
> On Mon, Sep 24, 2012 at 4:06 PM, Jacob Appelbaum <ja...@appelbaum.net> wrote:
>> r? Not k? What happens if k repeats?
>
> Ed25519 is a Schnorr signature based system and so the variable names
> are slightly different.

Ah, OK. Confusing. Thanks for clarifying.

> It has the same RNG problem as (EC)DSA however
> and Ed25519 solves it with deterministic signatures. Since (EC)DSA
> generally has non-deterministic signatures, I'd recommend maintaining
> that property in any generic implementation: i.e. hash in the private
> key, message and entropy to generate k. That's what we do in Google
> systems.

Has any of that code been published? :)

>> But what is the right way to ensure that k has some safety without being
>> weaker by being predictable? I imagine a lot of OTR conversations start
>> with pretty well known plaintext such as "hi" or "hello" or some
>> variant.
>
> In OTR the data that is signed includes the two, ephemeral, DH public
> keys, not any user message. Therefore a deterministic signature
> shouldn't be a problem because the signed data is random.

Ah, yes - sorry, I meant to merely suggest that basically _everything_ is known to an attacker if the RNG is broken. For example if Alice has a broken RNG and Bob colludes - Alice is signing two things Bob knows, one of which Bob constructs. With a bad RNG the DH components will be busted and so the only secret that remains is the private key which I think will be easy to recover. With an RSA signature, only the conversation would be busted but the identity key would be fine...

I don't really know if it is thus fine to use a deterministic signature with DSA and the above situation...

All the best,
Jake

_______________________________________________
OTR-dev mailing list
OTR-dev@lists.cypherpunks.ca
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev