On Wed 2015-04-01 10:58:44 -0400, Russ Housley wrote:
> * using non-deterministic ECDSA with a predictable source of randomness
> means that each signature can potentially leak the secret material of the
> signing key.
>
> My understanding is that the first step in generating an ECDSA
> signature is to generate a random value K. The private key is
> disclosed if the same K is used to produce more than one signature.
This is true. AIUI, the private key is also disclosed if an attacker
can learn/predict/guess any single K used for a specific signature.
> The chances of generating the same K is vanishingly small if there is
> a reasonable pseudorandom source. I would hope that the servers
> running the logs have a reasonable source of pseudorandom values.
I'd hope so too, but there's no reason to rely on that being the case.
The approach outlined in RFC 6979 avoids this risk entirely.
--dkg
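The two points in the exchange above, that a nonce K must never repeat under one key and that RFC 6979 removes the dependence on the signer's randomness, can be shown in code. What follows is an added example, not anything posted to the thread: it implements the RFC 6979 section 3.2 nonce derivation with HMAC-SHA256 and checks it against the P-256/"sample" test vector from RFC 6979 appendix A.2.5, and it adds a small detection routine a log operator could run over stored signatures to flag a repeated r under the same signer (equal k gives equal r). The signature log, the signer labels and the r values in it are constructed sample data; only the group order, private key and expected k come from the RFC.

```python
import hashlib
import hmac

# Group order of P-256 (RFC 6979 appendix A.2.5). Only the order is needed:
# RFC 6979 derives k with HMAC alone, no curve arithmetic.
P256_ORDER = int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)

# Test vector from RFC 6979 appendix A.2.5: private key x and the k expected
# for message "sample" with SHA-256.
RFC6979_P256_X = int("C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721", 16)
RFC6979_P256_K_SAMPLE = int("A6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60", 16)


def _bits2int(data: bytes, qlen: int) -> int:
    """RFC 6979 section 2.3.2: big-endian integer from the leftmost qlen bits."""
    x = int.from_bytes(data, "big")
    blen = len(data) * 8
    return x >> (blen - qlen) if blen > qlen else x


def _int2octets(x: int, rlen: int) -> bytes:
    """RFC 6979 section 2.3.3: fixed-width big-endian encoding."""
    return x.to_bytes(rlen, "big")


def _bits2octets(data: bytes, q: int, qlen: int, rlen: int) -> bytes:
    """RFC 6979 section 2.3.4: reduce the hash modulo q, then encode."""
    z1 = _bits2int(data, qlen)
    z2 = z1 - q if z1 >= q else z1
    return _int2octets(z2, rlen)


def deterministic_k(priv: int, msg: bytes, q: int = P256_ORDER, hashfunc=hashlib.sha256) -> int:
    """Derive the ECDSA nonce k as in RFC 6979 section 3.2.

    k depends only on (private key, message); the signer needs no randomness
    at signing time, so a weak RNG cannot leak the key through k.
    """
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    h1 = hashfunc(msg).digest()
    hlen = len(h1)
    x_oct = _int2octets(priv, rlen)
    h_oct = _bits2octets(h1, q, qlen, rlen)
    V = b"\x01" * hlen                                   # step b
    K = b"\x00" * hlen                                   # step c
    K = hmac.new(K, V + b"\x00" + x_oct + h_oct, hashfunc).digest()  # step d
    V = hmac.new(K, V, hashfunc).digest()                # step e
    K = hmac.new(K, V + b"\x01" + x_oct + h_oct, hashfunc).digest()  # step f
    V = hmac.new(K, V, hashfunc).digest()                # step g
    while True:                                          # step h
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hashfunc).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Candidate out of range: reseed and try again.
        K = hmac.new(K, V + b"\x00", hashfunc).digest()
        V = hmac.new(K, V, hashfunc).digest()


def matches_rfc6979_vector() -> bool:
    """True if the derivation reproduces the RFC's published k for "sample"."""
    return deterministic_k(RFC6979_P256_X, b"sample") == RFC6979_P256_K_SAMPLE


def find_reused_nonces(signatures):
    """Flag (signer, r) pairs that appear with two different message digests.

    Since r is the x-coordinate of k*G, the same k under one key yields the
    same r. A deterministic signer legitimately repeats r when re-signing the
    identical message, so only differing digests count as reuse.
    """
    first_digest = {}
    flagged = set()
    for signer, r, digest in signatures:
        key = (signer, r)
        seen = first_digest.setdefault(key, digest)
        if seen != digest:
            flagged.add(key)
    return sorted(flagged)


# Constructed sample log: (signer label, r, SHA-256 digest of what was signed).
CONSTRUCTED_SIGNATURE_LOG = [
    ("log-A", 0x1111, b"\x01" * 32),
    ("log-A", 0x1111, b"\x02" * 32),   # same r, different message: k reused
    ("log-B", 0x2222, b"\x03" * 32),
    ("log-B", 0x3333, b"\x04" * 32),
    ("log-A", 0x1111, b"\x01" * 32),   # identical signature seen again: fine
]

if __name__ == "__main__":
    print("RFC 6979 vector ok:", matches_rfc6979_vector())
    print("reused nonces:", find_reused_nonces(CONSTRUCTED_SIGNATURE_LOG))
```

`deterministic_k` works for any prime-order group by passing its order as `q`; the hash reduction in `_bits2octets` is what keeps the derivation correct when the hash output is longer than the order. The detection routine is deliberately independent of curve arithmetic so it can run over an existing store of `(signer, r, digest)` records.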
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans