[OTR-dev] DSA, RSA, ECDSA, etc

Gregory Maxwell gmaxwell at gmail.com
Mon Sep 24 14:59:38 EDT 2012


On Mon, Sep 24, 2012 at 2:49 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
[snip]
> But what is the right way to ensure that k has some safety without being
> weaker by being predictable? I imagine a lot of OTR conversations start
> with pretty well known plaintext such as "hi" or "hello" or some
> variant. So a hash or a MAC over that message as part of k isn't really,
> well, unpredictable.

ed25519 (an ECDSA-like algorithm for signing over a particular curve)
solves this elegantly by using
r = SHA512(data_being_signed || secret_stored_with_dsa_privkey).

If the same privkey signs the same message twice you just get the same
signature, and obviously don't leak anything by having two copies of the
same thing. If SHA512 is a good pseudo-random oracle then the random
number is good. (And putting the secret at the end probably reduces some
concerns with extension attacks against Merkle-Damgård hash functions
like SHA512.)
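
As an added illustration (not code from this thread, from ed25519, or from the OTR project), the Python below implements the nonce derivation the post describes, a SHA-512 hash over the message followed by a secret stored alongside the private key, inside a toy Schnorr signature over a prime-order subgroup of Z_p^*. The group parameters are assumptions made for the example (a seeded search for a 128-bit safe prime p = 2q + 1, generator 4, SHA-512 for both the nonce and the challenge). It shows that signing the same message twice gives a byte-identical signature, that different messages get different nonces, and it includes a small defensive check that flags repeated R values across distinct messages under one key, which is the failure mode deterministic nonces exist to rule out. The ordering message || secret follows the post; the published Ed25519 construction hashes its secret prefix before the message and works on a twisted Edwards curve rather than this modular group.

```python
import hashlib
import random
import secrets

# --- Toy group (constructed for this example): the order-q subgroup of Z_p^*
# for a safe prime p = 2q + 1. Real deployments use ed25519 or a standard group.

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with a small trial-division prefilter."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_safe_prime_group(bits: int = 128, seed: int = 2012):
    """Deterministically find p = 2q + 1 with p and q prime.
    4 = 2^2 is a quadratic residue, so it generates the order-q subgroup."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


P, Q, G = make_safe_prime_group()


def derive_nonce(message: bytes, nonce_secret: bytes) -> int:
    """r = SHA512(message || secret), as in the post, reduced into [1, q-1]."""
    digest = hashlib.sha512(message + nonce_secret).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def challenge(R: int, message: bytes) -> int:
    """Schnorr challenge e = SHA512(R || message) mod q."""
    R_bytes = R.to_bytes((P.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha512(R_bytes + message).digest(), "big") % Q


def keygen() -> dict:
    x = secrets.randbelow(Q - 1) + 1        # long-term signing key
    nonce_secret = secrets.token_bytes(32)  # the "secret stored with the privkey"
    return {"x": x, "nonce_secret": nonce_secret, "pk": pow(G, x, P)}


def sign_with_nonce(key: dict, message: bytes, r: int) -> tuple:
    """Schnorr signature (R, s) for an explicit nonce r; use sign() in practice."""
    R = pow(G, r, P)
    e = challenge(R, message)
    s = (r + e * key["x"]) % Q
    return (R, s)


def sign(key: dict, message: bytes) -> tuple:
    """Deterministic signing: the nonce is a function of message and per-key secret."""
    return sign_with_nonce(key, message, derive_nonce(message, key["nonce_secret"]))


def verify(pk: int, message: bytes, sig: tuple) -> bool:
    R, s = sig
    if not (1 < R < P) or not (0 <= s < Q):
        return False
    # g^s == R * pk^e  because  s = r + e*x  and  pk = g^x
    return pow(G, s, P) == (R * pow(pk, challenge(R, message), P)) % P


def find_repeated_nonces(records: list) -> list:
    """Defensive check over (message, (R, s)) pairs signed under one key:
    return pairs of distinct messages that share R, i.e. nonce reuse."""
    seen, hits = {}, []
    for message, (R, _) in records:
        if R in seen and seen[R] != message:
            hits.append((seen[R], message))
        seen.setdefault(R, message)
    return hits


if __name__ == "__main__":
    key = keygen()
    for msg in (b"hi", b"hi", b"hello"):
        R, s = sign(key, msg)
        print(msg, "R=%x..." % (R >> 100), "valid:", verify(key["pk"], msg, (R, s)))
```

Note that signing the well-known plaintext "hi" twice with the same key returns the same (R, s), which reveals nothing new; a different message, or a different key with its own nonce secret, changes the hash input and therefore R. The `find_repeated_nonces` check is what a reviewer of a signing service's logs would run: with derivation of this shape it should never fire, and a hit points at a broken or mis-seeded signer.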
