[noise] Thoughts on semi-deterministic encryption
bascule at gmail.com
Wed Aug 27 15:18:10 PDT 2014
On Wed, Aug 27, 2014 at 3:12 PM, Jonathan Moore <moore at eds.org> wrote:
> Two things: the errors in the Bitcoin cases were due to nonce reuse. What
> the research actually did is look for reused r values in the DSA signatures,
> where r is derived from the nonce and private key. I know that some of
> the reuse was explicitly due to a bad counter implementation. Others are
> known to be due to the bad Android RNG.
This could be easily solved by doing deterministic ECDSA like EdDSA does.
> Why would you refer to my scheme as counting?
I wasn't referring to your scheme. Using time or a counter as part of the
nonce is much cheaper than your scheme, which requires a content hash.
Deriving keys or IVs from a content hash is great if you're building a
convergent / content addressable encryption scheme, but if you're not it's