[noise] Thoughts on semi-deterministic encryption
Jonathan Moore
moore at eds.org
Wed Aug 27 15:12:11 PDT 2014
On Wed, Aug 27, 2014 at 11:05 AM, Tony Arcieri <bascule at gmail.com> wrote:
> On Tue, Aug 26, 2014 at 9:43 PM, Jonathan Moore <moore at eds.org> wrote:
>
>> I can imagine a few, but in practice our downfall is often due to the
>> ones we don't imagine. After this paper:
>>
>> https://factorable.net/weakkeys12.extended.pdf
>>
>> and this paper:
>>
>> http://eprint.iacr.org/2013/734
>>
>
> These papers are both about bad random numbers being used for key
> generation. There's little to be done if you have a bad entropy source for
> generating keys.
>
Two things: the errors in the Bitcoin cases were due to nonce reuse. What the
research actually did is look for reused r values (where r is derived from the
nonce and private key) in the DSA signatures. I know that some of the reuse
was explicitly due to a bad counter implementation. Others are known to be due
to the bad Android RNG.
>> Why not protect against these possible flaws? And even more so why not at
>> least discuss mitigation possibilities?
>>
>
> Combining the time and some random data or a counter and some random data
> should prevent nonce reuse, at least within the granularity of your
> counting scheme, in the event that the data coming out of the RNG repeats.
>
Why would you refer to my scheme as counting?
-Jonathan
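Added example, not part of this thread and not code from the Noise project: what "looking for reused r values" means in practice, and why such a find is fatal. It is a textbook pure-Python ECDSA over secp256k1 (the curve Bitcoin uses; the domain parameters are the standard constants). The private key, the stuck nonce, the "wallet" and the transaction strings are all constructed for the demo. Two signatures made with the same k share r, so s1 - s2 = k^-1 (e1 - e2) gives k, and then x follows from either signature. The recovery step also tries N - s for the second signature, because (r, s) and (r, N - s) both verify and one of the pair may have been low-s normalised, which would make the naive formula silently produce a wrong key.

```python
"""Added example (not from the Noise thread): ECDSA nonce reuse on secp256k1.
(1) scan a batch of signatures for repeated r, (2) recover k and the private
key x from any such pair. Keys, nonces and messages are constructed.
Needs Python 3.8+ for pow(a, -1, m)."""
import hashlib

# secp256k1 domain parameters (standard constants; the curve Bitcoin uses).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def inv(a, m):
    return pow(a, -1, m)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv((x2 - x1) % P, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(x, msg, k):
    """Textbook ECDSA; k is a parameter so the caller can (mis)use it."""
    r = ec_mul(k, G)[0] % N
    return r, inv(k, N) * (hash_to_int(msg) + r * x) % N


def verify(pub, msg, sig):
    r, s = sig
    w = inv(s, N)
    pt = ec_add(ec_mul(hash_to_int(msg) * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def find_reused_r(sigs):
    """sigs: iterable of (msg, (r, s)). Returns pairs of entries sharing r."""
    seen, hits = {}, []
    for msg, (r, s) in sigs:
        if r in seen:
            hits.append((seen[r], (msg, (r, s))))
        else:
            seen[r] = (msg, (r, s))
    return hits


def recover_key(m1, sig1, m2, sig2):
    """Recover (k, x) from two signatures with equal r.
    s_i = k^-1 (e_i + r x)  =>  k = (e1 - e2)/(s1 - s2),  x = (s1 k - e1)/r.
    (r, s) and (r, N - s) both verify, so try both signs for s2 and keep the
    k that actually reproduces r."""
    r, s1 = sig1
    r2, s2 = sig2
    if r != r2:
        raise ValueError("signatures do not share r")
    e1, e2 = hash_to_int(m1), hash_to_int(m2)
    for s2c in (s2, N - s2):
        d = (s1 - s2c) % N
        if d == 0:
            continue  # identical signature: no information
        k = (e1 - e2) * inv(d, N) % N
        if k == 0 or ec_mul(k, G)[0] % N != r:
            continue  # wrong sign choice (or same message, opposite s)
        return k, (s1 * k - e1) * inv(r, N) % N
    raise ValueError("could not recover key")


def demo():
    """Constructed scenario: a hypothetical wallet whose nonce source is stuck."""
    x = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
    pub = ec_mul(x, G)
    k_stuck = 0x5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A
    tx1, tx2, tx3 = (b"constructed tx: pay 1 BTC to alice",
                     b"constructed tx: pay 2 BTC to bob",
                     b"constructed tx: pay 3 BTC to carol")
    sig1 = sign(x, tx1, k_stuck)
    sig2 = sign(x, tx2, k_stuck)  # same k twice: fatal
    if sig2[1] > N // 2:          # low-s normalise, as Bitcoin nodes require
        sig2 = (sig2[0], N - sig2[1])
    sig3 = sign(x, tx3, 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF)
    batch = [(tx1, sig1), (tx2, sig2), (tx3, sig3)]
    assert all(verify(pub, m, s) for m, s in batch)
    hits = find_reused_r(batch)
    (m1, sa), (m2, sb) = hits[0]
    k, x_rec = recover_key(m1, sa, m2, sb)
    return {"hits": len(hits), "k_ok": k == k_stuck, "x_ok": x_rec == x}


if __name__ == "__main__":
    print(demo())
```

Running it flags exactly one pair out of the three signatures (the fresh-nonce control is not a hit) and returns k and x equal to the constructed values. The scan is the cheap part and needs no key material, which is why it could be run over the whole Bitcoin chain; the recovery is a handful of modular operations once a pair is found.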