[curves] Sig nonce generation
Watson Ladd
watsonbladd at gmail.com
Sun Jul 27 20:24:38 PDT 2014
On Sun, Jul 27, 2014 at 7:39 PM, Jon Callas <jon at callas.org> wrote:
>> The reason to include the message is that if the nonce repeats and the message does not, then you leak the secret key. This only matters if you’re worried about the RNG repeating, but it seems like a valid concern.
>
> Then there must be something I don't understand. This may very well be my underlying point -- if you throw lots of stuff together so that it's hard to understand, then you don't necessarily get something secure, you just get something hard to understand.
>
> I've been re-reading and it sounds like you're trying to design crypto that works even when the crypto is broken. I'm not sure that even makes sense.
What's wrong with deterministic signatures ala Ed25519 and RFC 6979?
All these questions about untrusted RNGs are easily solved for
signatures.
Sincerely,
Watson Ladd
>
> Jon
>
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves
--
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
More information about the Curves
mailing list