[noise] Thoughts on semi-deterministic encryption

Jonathan Moore moore at eds.org
Wed Aug 27 15:12:11 PDT 2014

On Wed, Aug 27, 2014 at 11:05 AM, Tony Arcieri <bascule at gmail.com> wrote:

> On Tue, Aug 26, 2014 at 9:43 PM, Jonathan Moore <moore at eds.org> wrote:
>> I can imagine a few, but in practice the our down fall often due to the
>> ones we don't imagine. After this paper:
>>    https://factorable.net/weakkeys12.extended.pdf
>> and this paper:
>>    http://eprint.iacr.org/2013/734
> These papers are both about bad random numbers being used for key
> generation. There's little to be done if you have a bad entropy source for
> generating keys.

Two things the errors in the bitcoin cases were do to nonce reuse. What the
research actually did is look for reused r, where r is derived from the
nonce and private key, values in the dsa signatures. I know that some of
the reuse was explicitly due to bad counter implementation. Others are
knows to be due to the bad android RNG.

> Why not protect against these possible flaws? And even more so why not at
>> least discuss mitigation possibilities?
> Combining the time and some random data or a counter and some random data
> should prevent nonce reuse, at least within the granularity of your
> counting scheme, in the event that the data coming out of the RNG repeats.

Why would you refer to my scheme as counting?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20140827/1dd9a484/attachment.html>

More information about the Noise mailing list