[noise] Thoughts on semi-deterministic encryption

Tony Arcieri bascule at gmail.com
Wed Aug 27 15:18:10 PDT 2014

On Wed, Aug 27, 2014 at 3:12 PM, Jonathan Moore <moore at eds.org> wrote:
> Two things: the errors in the bitcoin cases were due to nonce reuse. What
> the research actually did is look for reused r, where r is derived from the
> nonce and private key, values in the DSA signatures. I know that some of
> the reuse was explicitly due to bad counter implementation. Others are
> known to be due to the bad Android RNG.

This could be easily solved by doing deterministic ECDSA like EdDSA does.

>  Why would you refer to my scheme as counting?

I wasn't referring to your scheme. Using time or a counter as part of the
nonce is much cheaper than your scheme, which requires a content hash.
Deriving keys or IVs from a content hash is great if you're building a
convergent / content addressable encryption scheme, but if you're not it's
a waste.

Tony Arcieri
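As an added illustration of the two points in this message (not code from the post, the thread participants or the Noise project): the pure-Python secp256k1 ECDSA below first signs two different messages with the same nonce, as a broken counter or a bad RNG would, and recovers the private key from nothing but the two signatures, which is exactly the "reused r" pattern the bitcoin research searched for. It then derives the nonce deterministically from (private key, message hash) so that the same message always produces the same signature and distinct messages get distinct nonces without consulting an RNG at signing time. The curve is secp256k1 because the thread is about bitcoin; the key and messages are constructed for the example; and `deterministic_nonce` is a simplified HMAC derivation in the spirit of RFC 6979 and EdDSA's hash-of-secret-and-message nonce, not a bit-compatible implementation of either.

```python
"""ECDSA nonce reuse versus deterministic nonces on secp256k1 (pure Python, stdlib only)."""
import hashlib
import hmac

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_P, base point G of prime order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def hash_msg(msg: bytes) -> int:
    """Message hash as an integer mod N (SHA-256 is 256 bits, so no truncation needed)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv, z, k):
    """Textbook ECDSA with a caller-supplied nonce k: r = (kG).x, s = k^-1 (z + r*priv)."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    assert r and s, "degenerate signature; choose another nonce"
    return (r, s)


def verify(pub, z, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    point = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return point is not None and point[0] % N == r


def deterministic_nonce(priv, z):
    """Nonce as a keyed hash of the message under the private key.

    Simplified HMAC-SHA256 construction in the spirit of RFC 6979 / EdDSA;
    it is NOT bit-compatible with RFC 6979 (assumption for this example).
    Same (priv, z) always gives the same k; different z gives a different k
    except with negligible probability, so r is never reused across messages."""
    key = priv.to_bytes(32, "big")
    counter = 0
    while True:
        mac = hmac.new(key, z.to_bytes(32, "big") + bytes([counter]), hashlib.sha256).digest()
        k = int.from_bytes(mac, "big") % N
        if k:
            return k
        counter += 1  # retry only if the reduction produced 0 (practically never)


def sign_deterministic(priv, z):
    return sign(priv, z, deterministic_nonce(priv, z))


def recover_private_key(z1, sig1, z2, sig2):
    """Two signatures sharing r (hence the same k) leak k and then the key:
       k = (z1 - z2) / (s1 - s2),   priv = (s1*k - z1) / r   (all mod N)."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("r differs: the nonce was not reused")
    if (s1 - s2) % N == 0:
        raise ValueError("identical signatures: same message, nothing new to learn")
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r1, -1, N) % N


if __name__ == "__main__":
    # Constructed demo key and messages; not a real wallet key.
    priv = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
    pub = scalar_mult(priv, G)
    z1, z2 = hash_msg(b"pay 1 BTC to alice"), hash_msg(b"pay 1 BTC to mallory")
    stuck_nonce = 0xDEADBEEF          # what a reset counter or a bad RNG hands you
    sig1, sig2 = sign(priv, z1, stuck_nonce), sign(priv, z2, stuck_nonce)
    print("same r on chain:", sig1[0] == sig2[0])
    print("key recovered:", recover_private_key(z1, sig1, z2, sig2) == priv)
    d1, d2 = sign_deterministic(priv, z1), sign_deterministic(priv, z2)
    print("deterministic repeat identical:", d1 == sign_deterministic(priv, z1))
    print("deterministic r distinct across messages:", d1[0] != d2[0])
    print("both verify:", verify(pub, z1, d1) and verify(pub, z2, d2))
```

The recovery needs no RNG knowledge at all, only two on-chain signatures with equal r, which is why a single bad-entropy signing event is fatal. Deterministic derivation removes the signing-time RNG dependency entirely, but note the trade-off a reviewer will raise: with a fixed nonce per (key, message), a fault injected during signing yields two signatures over the same k with different s, so hardware-facing implementations typically mix a random value into the derivation as well.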