[OTR-dev] DSA, RSA, ECDSA, etc
Jacob Appelbaum
jacob at appelbaum.net
Mon Sep 24 16:50:27 EDT 2012
Adam Langley:
> On Mon, Sep 24, 2012 at 4:06 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>> r? Not k? What happens if k repeats?
>
> Ed25519 is a Schnorr signature based system and so the variable names
> are slightly different.
Ah, OK. Confusing. Thanks for clarifying.
> It has the same RNG problem as (EC)DSA however
> and Ed25519 solves it with deterministic signatures. Since (EC)DSA
> generally has non-deterministic signatures, I'd recommend maintaining
> that property in any generic implementation: i.e. hash in the private
> key, message and entropy to generate k. That's what we do in Google
> systems.
>
Has any of that code been published? :)
>> But what is the right way to ensure that k has some safety without being
>> weaker by being predictable? I imagine a lot of OTR conversations start
>> with pretty well known plaintext such as "hi" or "hello" or some
>> variant.
>
> In OTR the data that is signed includes the two, ephemeral, DH public
> keys, not any user message. Therefore a deterministic signature
> shouldn't be problem because the signed data is random.
>
Ah, yes - sorry, I meant to merely suggest that basically _everything_
is known to an attacker if the RNG is broken. For example if Alice has a
broken RNG and Bob colludes - Alice is signing two things Bob knows, one
of which Bob constructs. With a bad RNG the DH components will be busted
and so the only secret that remains is the private key which I think
will be easy to recover. With an RSA signature, only the conversation
would be busted but the identity key would be fine...
I don't really know if it is thus fine to use a deterministic signature
with DSA and the above situation...
All the best,
Jake
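The hedged nonce derivation Adam describes above (hash the private key, the signed data and fresh entropy together to get k), as an added Python example that is not code from the thread or from any Google system; the label, test key and sample signed data are constructed, and the P-256 group order is used only as a realistic modulus:

```python
import hashlib
import hmac
import os

# Group order of NIST P-256 (a real constant), used here only as a realistic q.
Q_P256 = int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)
LABEL = b"hedged-dsa-nonce-v1"  # constructed domain-separation label


def derive_k(priv: int, msg: bytes, entropy: bytes, q: int = Q_P256) -> int:
    """Nonce k in [1, q-1] bound to the private key, the message and entropy.
    With a stuck RNG, k still changes whenever the signed data changes and is
    unpredictable without priv; with a working RNG, repeats of the same data
    still get distinct k, as in classic (EC)DSA."""
    qlen = (q.bit_length() + 7) // 8
    mac_key = priv.to_bytes(qlen, "big")
    digest = hashlib.sha256(msg).digest()          # fixed-length message binding
    attempt = 0
    while True:
        # Expand HMAC output to qlen bytes, one counter-indexed block at a time.
        out = b""
        block = 0
        while len(out) < qlen:
            h = hmac.new(mac_key, digestmod=hashlib.sha256)
            h.update(LABEL + digest + len(entropy).to_bytes(4, "big") + entropy)
            h.update(attempt.to_bytes(4, "big") + block.to_bytes(4, "big"))
            out += h.digest()
            block += 1
        # Truncate to the bit length of q and reject out-of-range values so the
        # result is uniform in [1, q-1] rather than biased by a plain reduction.
        k = int.from_bytes(out[:qlen], "big") >> (qlen * 8 - q.bit_length())
        if 1 <= k < q:
            return k
        attempt += 1


def demo() -> dict:
    """Check the three properties with a constructed key and constructed data."""
    priv = 0x1234_5678_9ABC_DEF0_1234_5678_9ABC_DEF0  # constructed test key
    data_a = b"g^x(A) || g^y(B) session 1"             # constructed signed data
    data_b = b"g^x(A) || g^y(B) session 2"
    stuck = b"\x00" * 32                                 # RNG stuck at a constant
    return {
        "stuck_rng_same_data_repeats": derive_k(priv, data_a, stuck) == derive_k(priv, data_a, stuck),
        "stuck_rng_new_data_differs": derive_k(priv, data_a, stuck) != derive_k(priv, data_b, stuck),
        "good_rng_same_data_differs": derive_k(priv, data_a, os.urandom(32)) != derive_k(priv, data_a, os.urandom(32)),
    }
```

Note that with the stuck RNG, k only repeats when the signed data itself repeats, which yields the same signature twice rather than the two distinct signatures under one k that leak the private key.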