[OTR-dev] DSA, RSA, ECDSA, etc

Adam Langley agl at imperialviolet.org
Mon Sep 24 16:31:10 EDT 2012


On Mon, Sep 24, 2012 at 4:06 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> r? Not k? What happens if k repeats?

Ed25519 is a Schnorr signature based system and so the variable names
are slightly different. It has the same RNG problem as (EC)DSA however
and Ed25519 solves it with deterministic signatures. Since (EC)DSA
generally has non-deterministic signatures, I'd recommend maintaining
that property in any generic implementation: i.e. hash in the private
key, message and entropy to generate k. That's what we do in Google
systems.

> But what is the right way to ensure that k has some safety without being
> weaker by being predictable? I imagine a lot of OTR conversations start
> with pretty well known plaintext such as "hi" or "hello" or some
> variant.

In OTR the data that is signed includes the two ephemeral DH public
keys, not any user message. Therefore a deterministic signature
shouldn't be a problem because the signed data is random.


Cheers

AGL

-- 
Adam Langley agl at imperialviolet.org http://www.imperialviolet.org
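The hedging described in the reply, k = H(private key || message || entropy), worked through on a toy Schnorr signature as an added example (not Adam Langley's code, not OTR's, and not Google's construction). The group parameters, the key, and the sample signed data are all constructed for illustration and are far too small to be secure:

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration only and far too small to be
# secure: p = 2q + 1 with q prime, and g = 4 generates the order-q subgroup.
P, Q, G = 1019, 509, 4


def hedged_nonce(priv: int, msg: bytes, entropy: bytes) -> int:
    """k = H(private key || message || entropy) mod q, as the post recommends.

    With fixed entropy the nonce is a deterministic function of (key, message),
    so re-signing the same data can never yield a second, different k; with
    fresh entropy it is also unpredictable even if the signed data were known.
    Hypothetical derivation: not RFC 6979 and not Google's internal scheme.
    """
    counter = 0
    while True:
        data = b"hedged-nonce" + priv.to_bytes(32, "big") + msg + entropy + bytes([counter])
        k = int.from_bytes(hashlib.sha256(data).digest(), "big") % Q
        if k != 0:
            return k
        counter += 1  # reject k == 0 and rehash (negligibly rare)


def _challenge(r: int, msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(r.to_bytes(2, "big") + msg).digest(), "big") % Q


def sign(priv: int, msg: bytes, entropy: bytes = b"") -> tuple[int, int]:
    """Schnorr signature (e, s) over msg using a hedged nonce."""
    k = hedged_nonce(priv, msg, entropy)
    r = pow(G, k, P)            # commitment R = g^k
    e = _challenge(r, msg)      # e = H(R || m)
    s = (k + e * priv) % Q      # s = k + e*x; a repeated k with a different e exposes x
    return e, s


def verify(pub: int, msg: bytes, sig: tuple[int, int]) -> bool:
    e, s = sig
    # Recover R' = g^s * y^(-e) = g^(k + e*x - e*x) = g^k, then recompute e.
    r = pow(G, s, P) * pow(pub, (-e) % Q, P) % P
    return _challenge(r, msg) == e


if __name__ == "__main__":
    x, y = 123, pow(G, 123, P)            # constructed signing key pair, 0 < x < q
    signed = b"gx-bytes||gy-bytes"        # stands in for OTR's two ephemeral DH public keys
    print(verify(y, signed, sign(x, signed)), sign(x, signed) == sign(x, signed))
    print(sign(x, signed, secrets.token_bytes(16)))  # hedged: differs per run, still verifies
```

With entropy left empty the signature is fully deterministic per (key, message), which is exactly the property that is harmless here because the signed data is the random DH values.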
