[Cryptography] Why prefer symmetric crypto over public key crypto?
zooko
zooko at zooko.com
Wed Sep 11 01:53:01 EDT 2013
I agree that randomness-reuse is a major issue. Recently about 55 Bitcoin were
stolen by exploiting this, for example:
http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/
However, it is quite straightforward to make yourself safe from re-used nonces
in (EC)DSA, like this:
https://github.com/trezor/python-ecdsa/commit/8efb52fad5025ae87b649ff78faa9f8076768065
Whenever the public-key crypto spec says that you have to come up with a random
number, don't do it! Instead of just pulling a random number from your PRNG,
mix the message into your PRNG to generate a random number which will therefore
be unique to this message.
Note that you don't have to get anyone else's cooperation in order to do this
-- interoperating implementations can't tell how you chose your "random"
number, so they can't complain if you do it this way.
Wei Dai's Crypto++ library has done this for ages, for *all* nonces generated
in the course of public-key operations.
DJB's Ed25519 takes this one step further, and makes the nonce determined
*solely* by the message and the secret key, avoiding the PRNG part altogether:
http://ed25519.cr.yp.to/papers.html
In my opinion, that's the way to go. It applies equally well to (EC)DSA, and
still enjoys the above-mentioned interoperability.
There is now a standard for this fully-deterministic approach in the works,
edited by Thomas Pornin: https://tools.ietf.org/html/rfc6979 .
Therefore, Ed25519 or RFC-6979-enhanced (EC)DSA is actually safer than RSA-PSS
is with regard to this issue.
Regards,
Zooko
More information about the cryptography
mailing list