[OTR-dev] DSA, RSA, ECDSA, etc
gmaxwell at gmail.com
Mon Sep 24 14:59:38 EDT 2012
On Mon, Sep 24, 2012 at 2:49 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> But what is the right way to ensure that k has some safety without being
> weaker by being predictable? I imagine a lot of OTR conversations start
> with pretty well known plaintext such as "hi" or "hello" or some
> variant. So a hash or a MAC over that message as part of k isn't really
> well, unpredictable
ed25519 (an ECDSA-like algorithm for signing over a particular curve) solves this elegantly by using r=SHA512(data_being_signed || secret_stored_with_dsa_privkey).

If the same privkey signs the same message twice you just get the same obviously don't leak anything by having two copies of the same thing.

If SHA512 is a good pseudo-random oracle then the random number is good. (And putting the secret at the end probably reduces some concerns with extension attacks against functions like sha512).
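The derivation gmaxwell describes, worked through as an added example that is not part of the original thread and not OTR's or ed25519's code: a toy Schnorr-style signature over a constructed, far-too-small group (p=1019, q=509, g=4, all assumptions for illustration) whose nonce k is SHA512(message || per-key secret) in the order the post gives. The example shows the three properties the thread cares about: signing the same message twice yields the identical signature, a different message yields different nonce material, and someone who knows the plaintext ("hi") but not the per-key secret cannot reproduce the nonce material from the message alone. One caveat for anyone mapping this onto real code: actual ed25519 hashes the secret prefix before the message rather than after it, and a production deterministic nonce (ed25519 or RFC 6979) should come from a vetted library, not from a hand-rolled derivation like this one.

```python
import hashlib

# Toy Schnorr-style group (constructed for illustration, far too small to be secure).
# P is a safe prime, Q = (P-1)/2 is prime, and G = 2^2 mod P is a quadratic
# residue other than 1, so it generates the subgroup of order Q.
P = 1019
Q = 509
G = 4


def nonce_material(nonce_secret, message):
    """SHA512(data_being_signed || secret), in the order described in the post.
    Returned unreduced so callers can compare digests directly."""
    return hashlib.sha512(message + nonce_secret).digest()


def derive_nonce(nonce_secret, message):
    """Reduce the nonce material into a usable scalar in [1, Q-1]."""
    return 1 + int.from_bytes(nonce_material(nonce_secret, message), "big") % (Q - 1)


def derive_key(seed):
    """Split one seed into the signing scalar x and the separate nonce secret
    (the 'secret_stored_with_dsa_privkey' of the post)."""
    h = hashlib.sha512(seed).digest()
    x = 1 + int.from_bytes(h[:32], "big") % (Q - 1)
    return x, h[32:]


def public_key(x):
    return pow(G, x, P)


def challenge(r, message):
    """Fiat-Shamir challenge e = H(r || message) mod Q (toy encoding of r)."""
    data = r.to_bytes(2, "big") + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sign(seed, message):
    """Schnorr-style signature (e, s) with a deterministic nonce; no RNG involved."""
    x, nonce_secret = derive_key(seed)
    k = derive_nonce(nonce_secret, message)
    r = pow(G, k, P)
    e = challenge(r, message)
    s = (k - x * e) % Q
    return e, s


def verify(y, message, sig):
    """Recompute r' = g^s * y^e = g^k and check the challenge matches."""
    e, s = sig
    r = (pow(G, s, P) * pow(y, e, P)) % P
    return challenge(r, message) == e


def demo():
    # Constructed seed, not a real key.
    seed = b"constructed example seed, not a real key"
    x, nonce_secret = derive_key(seed)
    y = public_key(x)
    hi, hello = b"hi", b"hello"

    sig_hi_1 = sign(seed, hi)
    sig_hi_2 = sign(seed, hi)
    sig_hello = sign(seed, hello)

    # What an observer who guesses the plaintext "hi" but lacks the secret
    # could compute: a hash over the message alone.
    message_only_guess = hashlib.sha512(hi).digest()

    return {
        "verifies": verify(y, hi, sig_hi_1) and verify(y, hello, sig_hello),
        "same_message_same_signature": sig_hi_1 == sig_hi_2,
        "different_message_different_nonce":
            nonce_material(nonce_secret, hi) != nonce_material(nonce_secret, hello),
        "plaintext_alone_does_not_predict_nonce":
            message_only_guess != nonce_material(nonce_secret, hi),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The comparisons are made on the full SHA512 digests rather than on the reduced scalars, because in a 509-element group two distinct messages can legitimately reduce to the same k by chance; in a real-size group that is exactly the collision the hash is trusted to make negligible.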