[curves] Sig nonce generation
mike at shiftleft.org
Sun Jul 27 21:59:40 PDT 2014
On 7/27/2014 7:39 PM, Jon Callas wrote:
>> The reason to include the message is that if the nonce repeats and the message does not, then you leak the secret key. This only matters if you’re worried about the RNG repeating, but it seems like a valid concern.
> Then there must be something I don't understand. This may very well be my underlying point -- if you throw lots of stuff together so that it's hard to understand, then you don't necessarily get something secure, you just get something hard to understand.
> I've been re-reading and it sounds like you're trying to design crypto that works even when the crypto is broken. I'm not sure that even makes sense.
Well, sort of. My main concern is that you don't reveal the secret key
if the RNG is weak, or repeats, or nearly repeats. Since the RNG is
pretty much the weakest point in the system, the easiest to screw up,
the hardest to test, one of the most valuable to backdoor etc, I think this
is a valid concern.
This suggests that PRF(message) should be there, because if the nonce
repeats and the message doesn't, you lose.
Most of the rest is bike shed design: discussing some problem mostly
because it's not actually important, so there are many
almost-equally-valid ways to do it. It'd be nice not to rely on
collision resistance, it'd be nice to be [deterministic/random] for blah
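A worked illustration of the point above, added here and not part of the original message or the list thread: a Schnorr-style signature over secp256k1 (the curve constants are real; the private key, the two messages and the "stuck" RNG output are constructed for the example, and all function names are the example's own). Signing two different messages with a nonce taken straight from an RNG that repeats lets anyone holding both signatures solve for the private key. Deriving the nonce as a PRF over the secret key, the RNG output and the message (the hedged construction under discussion) produces different nonces for different messages even when the RNG output is byte-for-byte identical, so the same recovery fails.

```python
# Added example, not code from the original message. secp256k1 constants are
# real; the key, messages and fixed RNG output below are constructed.
import hashlib
import hmac

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P       # addition
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def challenge(R, pub, msg):
    """e = H(R || pub || msg) mod N, the Schnorr challenge."""
    h = hashlib.sha256()
    for v in (R[0], R[1], pub[0], pub[1]):
        h.update(v.to_bytes(32, "big"))
    h.update(msg)
    return int.from_bytes(h.digest(), "big") % N


def sign(priv, pub, msg, k):
    """Schnorr signature (R, s) with s = k + e*priv, for a caller-supplied nonce k."""
    R = ec_mul(k, G)
    e = challenge(R, pub, msg)
    return (R, (k + e * priv) % N)


def verify(pub, msg, sig):
    R, s = sig
    e = challenge(R, pub, msg)
    return ec_mul(s, G) == ec_add(R, ec_mul(e, pub))


def recover_key(pub, msg1, sig1, msg2, sig2):
    """If both signatures share R (same nonce) on different messages:
    s1 - s2 = (e1 - e2) * priv, so priv = (s1 - s2) / (e1 - e2) mod N."""
    (R1, s1), (R2, s2) = sig1, sig2
    if R1 != R2:
        return None
    e1, e2 = challenge(R1, pub, msg1), challenge(R2, pub, msg2)
    if e1 == e2:
        return None
    return (s1 - s2) * pow(e1 - e2, -1, N) % N


def nonce_random_only(rng_output):
    """Nonce straight from the RNG: repeats whenever the RNG repeats."""
    return 1 + int.from_bytes(rng_output, "big") % (N - 1)


def nonce_hedged(priv, rng_output, msg):
    """Nonce = PRF_secret(rng_output || msg): a repeated RNG output still gives
    distinct nonces for distinct messages, and a known RNG output alone does
    not reveal the nonce because the secret key keys the PRF."""
    key = priv.to_bytes(32, "big")
    k = hmac.new(key, rng_output + msg, hashlib.sha512).digest()
    return 1 + int.from_bytes(k, "big") % (N - 1)


def demo():
    # Constructed inputs: a demo key, two distinct messages, an RNG stuck on one value.
    priv = 0x1111111111111111111111111111111111111111111111111111111111111111
    pub = ec_mul(priv, G)
    stuck_rng = b"\x42" * 32
    m1, m2 = b"pay 10 to alice", b"pay 1000 to mallory"

    sig1 = sign(priv, pub, m1, nonce_random_only(stuck_rng))
    sig2 = sign(priv, pub, m2, nonce_random_only(stuck_rng))
    leaked = recover_key(pub, m1, sig1, m2, sig2)          # == priv

    sig3 = sign(priv, pub, m1, nonce_hedged(priv, stuck_rng, m1))
    sig4 = sign(priv, pub, m2, nonce_hedged(priv, stuck_rng, m2))
    safe = recover_key(pub, m1, sig3, m2, sig4)            # None: R differs

    all_valid = all(verify(pub, m, s) for m, s in
                    [(m1, sig1), (m2, sig2), (m1, sig3), (m2, sig4)])
    return leaked == priv, safe is None, all_valid


if __name__ == "__main__":
    print(demo())
```

All four signatures verify; only the pair made with the RNG-only nonce gives up the key. Signing the same message twice with the hedged nonce and the same RNG output just reproduces the same signature, which is the harmless case the message above distinguishes from a repeated nonce on a new message.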