[OTR-dev] DSA, RSA, ECDSA, etc
Jacob Appelbaum
jacob at appelbaum.net
Mon Sep 24 16:06:41 EDT 2012
Gregory Maxwell:
> On Mon, Sep 24, 2012 at 2:49 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> [snip]
>> But what is the right way to ensure that k has some safety without being
>> weaker by being predictable? I imagine a lot of OTR conversations start
>> with pretty well known plaintext such as "hi" or "hello" or some
>> variant. So a hash or a MAC over that message as part of k isn't really,
>> well, unpredictable.
>
> ed25519 (an ECDSA-like algorithm for signing over a particular curve)
> solves this elegantly by using
> r=SHA512(data_being_signed || secret_stored_with_dsa_privkey).
>
r? Not k? What happens if k repeats?
> If the same privkey signs the same message twice you just get the same
> signature, and obviously don't leak anything by having two copies of the
> same thing. If SHA512 is a good pseudo-random oracle then the random number
> is good. (And putting the secret at the end probably reduces some concerns
> with extension attacks against Merkle-Damgård hash functions like SHA512.)
>
If you have two copies of the same thing where the signature uses a
repeating k, then all hope is lost.
All the best,
Jake
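Added example, not code from this thread or from OTR: a toy Schnorr-style signature in Python that derives the nonce the way Gregory describes (hash of the data and a stored secret) and a defender-side check that flags nonce reuse from the public r value alone, which is the observable symptom of the failure Jake is asking about. The group parameters, the `nonce_reuse_alerts` helper and the sample secrets are constructed for illustration; the nonce is called k here, as in Jake's question, where Gregory wrote r.

```python
import hashlib
from typing import NamedTuple

# Constructed toy group, far too small for real use: Z_P^* with P the Mersenne
# prime 2^61 - 1, exponents reduced modulo N = P - 1.
P = 2**61 - 1
N = P - 1
G = 3


def derive_k(message: bytes, nonce_secret: bytes) -> int:
    """Deterministic nonce as described in the thread: SHA512(data || secret),
    reduced into [1, N-1]. (ed25519 itself hashes its secret half first, then
    the message; the order here follows the thread's wording.)"""
    h = int.from_bytes(hashlib.sha512(message + nonce_secret).digest(), "big")
    return 1 + h % (N - 1)


class Sig(NamedTuple):
    r: int  # public commitment G^k mod P; equal r on different messages exposes k reuse
    s: int


def _challenge(r: int, message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(r.to_bytes(8, "big") + message).digest(), "big") % N


def sign(x: int, message: bytes, k: int) -> Sig:
    """Schnorr-style signature with caller-supplied k, so a deterministic k and a
    faulty RNG can be compared on the same private key x."""
    r = pow(G, k, P)
    return Sig(r, (k + x * _challenge(r, message)) % N)


def verify(y: int, message: bytes, sig: Sig) -> bool:
    e = _challenge(sig.r, message)
    # G^s * y^(-e) == r, with y^(-e) computed as y^(N - e) since y^N == 1 mod P
    return pow(G, sig.s, P) * pow(y, (N - e) % N, P) % P == sig.r


def nonce_reuse_alerts(records: list[tuple[bytes, Sig]]) -> list[tuple[bytes, bytes]]:
    """Defender-side check over signatures from one key: the same r under two
    different messages means k was reused. The same r under the same message is
    just the benign duplicate Gregory describes."""
    first_msg: dict[int, bytes] = {}
    alerts = []
    for msg, sig in records:
        if sig.r in first_msg and first_msg[sig.r] != msg:
            alerts.append((first_msg[sig.r], msg))
        first_msg.setdefault(sig.r, msg)
    return alerts
```

With `derive_k`, signing "hi" twice gives a byte-identical signature and no alert, while any k source that repeats across distinct messages shows up as a repeated r.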