[curves] Sig nonce generation

Mike Hamburg mike at shiftleft.org
Sun Jul 27 21:59:40 PDT 2014


On 7/27/2014 7:39 PM, Jon Callas wrote:
>> The reason to include the message is that if the nonce repeats and the message does not, then you leak the secret key.  This only matters if you’re worried about the RNG repeating, but it seems like a valid concern.
> Then there must be something I don't understand. This may very well be my underlying point -- if you throw lots of stuff together so that it's hard to understand, then you don't necessarily get something secure, you just get something hard to understand.
Point taken.
> I've been re-reading and it sounds like you're trying to design crypto that works even when the crypto is broken. I'm not sure that even makes sense.
>
> 	Jon
Well, sort of.  My main concern is that you don't reveal the secret key 
if the RNG is weak, or repeats, or nearly repeats.  Since the RNG is 
pretty much the weakest point in the system, the easiest to screw up, 
the hardest to test, one the most valuable to backdoor etc, I think this 
is a valid concern.

This suggests that PRF(message) should be there, because if the nonce 
repeats and the message doesn't, you lose.

Most of the rest is bike shed design: discussing some problem mostly 
because it's not actually important, so there are many 
almost-equally-valid ways to do it.  It'd be nice not to rely on 
collision resistance, it'd be nice to be [deterministic/random] for blah 
reasons, etc.

Cheers,
-- Mike


More information about the Curves mailing list