[OTR-dev] DSA, RSA, ECDSA, etc

Jacob Appelbaum jacob at appelbaum.net
Mon Sep 24 16:06:41 EDT 2012

Gregory Maxwell:
> On Mon, Sep 24, 2012 at 2:49 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> [snip]
>> But what is the right way to ensure that k has some safety without being
>> weaker by being predictable? I imagine a lot of OTR conversations start
>> with pretty well known plaintext such as "hi" or "hello" or some
>> variant. So a hash or a MAC over that message as part of k isn't really
>> well, unpredictable
> ed25519 (a ECDSA like algorithm for signing over a particular curve)
> solves this elegantly
> by using r=SHA512(data_being_signed || secret_stored_with_dsa_privkey).

r? Not k? What happens if k repeats?

> If the same privkey signs the same message twice you just get the same
> signature, and
> obviously don't leak anything by having two copies of the same thing.
> if SHA512 is a good
> pseudo-random oracle then the random number is good. (And putting the
> secret at the end
> probably reduces some concerns with extension attacks against
> Merkle-Damgard hash
> functions like sha512).

If you have two copies of the same thing where the signature uses a
repeating k then all hope is lost.

All the best,

More information about the OTR-dev mailing list