[Cryptography] ElGamal, DSA randomness (was Re: Why prefer symmetric crypto over public key crypto?)

Jon Callas jon at callas.org
Sat Sep 7 20:14:32 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sep 7, 2013, at 5:09 PM, "Perry E. Metzger" <perry at piermont.com> wrote:

> Note that such systems should at this point be using deterministic
> methods (hashes of text + other data) to create the needed nonces. I
> believe several such methods have been published and are considered
> good, but are not well standardized. Certainly this eliminates a *very*
> important source of fragility in such systems and should be universally
> implemented.
> 
> References to such methods are solicited -- I'm operating without my
> usual machine at the moment while its hard drive restores from backup.

For as long as PGP has done DSA, it protected the signature nonce by hashing it with the DSA private key. These days, we'd do an HMAC, most likely.

There's now an RFC 6979 on "Deterministic DSA" as well. Phil Z, David Kravitz, and I started on something equivalent and then stopped when we saw what Thomas Pornin was doing. It's good stuff.

https://datatracker.ietf.org/doc/rfc6979/

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii

wj8DBQFSK8FpsTedWZOD3gYRAs2DAKCA8Di/fH9ZYvAb4y5Byb2bN6MudQCgkXZO
80uY0/A7zZ3CBe6C0/1ALfU=
=eqWE
-----END PGP SIGNATURE-----
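The RFC 6979 procedure Jon points to derives the (EC)DSA nonce k from the private key and the message hash with HMAC_DRBG, so the same key and message always yield the same k, and a broken system RNG can never hand two different messages the same nonce. The following is an added illustration, not code from the thread, from PGP, or from the RFC itself: it implements RFC 6979 section 3.2 over the P-256 group order and checks the result against the RFC's Appendix A.2.5 "sample" test vector (private key, order and expected k as published there). The function and helper names are my own; the script generates only the nonce and does not perform the ECDSA point arithmetic.

```python
import hashlib
import hmac

# Order of the P-256 group, the curve used by the RFC 6979 appendix vectors.
P256_ORDER = int("FFFFFFFF00000000FFFFFFFFFFFFFFFF"
                 "BCE6FAADA7179E84F3B9CAC2FC632551", 16)

# RFC 6979 Appendix A.2.5: private key x and the expected k for
# message "sample" with SHA-256 (values as published in the RFC).
RFC_PRIVATE_KEY = int("C9AFA9D845BA75166B5C215767B1D693"
                      "4E50C3DB36E89B127B8A622B120F6721", 16)
RFC_K_SAMPLE = int("A6E3C57DD01ABE90086538398355DD4C"
                   "3B17AA873382B0F24D6129493D8AAD60", 16)


def _bits2int(b: bytes, qlen: int) -> int:
    """RFC 6979 2.3.2: big-endian integer from b, keeping the leftmost qlen bits."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    if blen > qlen:
        v >>= blen - qlen
    return v


def _int2octets(x: int, qlen: int) -> bytes:
    """RFC 6979 2.3.3: x as a big-endian string of ceil(qlen/8) bytes."""
    return x.to_bytes((qlen + 7) // 8, "big")


def _bits2octets(b: bytes, q: int, qlen: int) -> bytes:
    """RFC 6979 2.3.4: bits2int, reduce modulo q, then int2octets."""
    return _int2octets(_bits2int(b, qlen) % q, qlen)


def rfc6979_nonce(private_key: int, message: bytes, q: int,
                  hashfunc=hashlib.sha256) -> int:
    """Deterministic nonce k in [1, q-1] per RFC 6979 section 3.2 (HMAC_DRBG)."""
    qlen = q.bit_length()
    h1 = hashfunc(message).digest()          # step a
    hlen = len(h1)

    def mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashfunc).digest()

    V = b"\x01" * hlen                       # step b
    K = b"\x00" * hlen                       # step c
    seed = _int2octets(private_key, qlen) + _bits2octets(h1, q, qlen)
    K = mac(K, V + b"\x00" + seed)           # step d
    V = mac(K, V)                            # step e
    K = mac(K, V + b"\x01" + seed)           # step f
    V = mac(K, V)                            # step g
    while True:                              # step h
        T = b""
        while len(T) * 8 < qlen:
            V = mac(K, V)
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Out of range: reseed K and V and try again.
        K = mac(K, V + b"\x00")
        V = mac(K, V)


def nonces_are_reproducible(private_key: int, message: bytes, q: int) -> bool:
    """Same key and message must yield the same k on every call."""
    return rfc6979_nonce(private_key, message, q) == rfc6979_nonce(private_key, message, q)


if __name__ == "__main__":
    k = rfc6979_nonce(RFC_PRIVATE_KEY, b"sample", P256_ORDER)
    print("k matches RFC 6979 A.2.5 'sample' vector:", k == RFC_K_SAMPLE)
    print("k reproducible:", nonces_are_reproducible(RFC_PRIVATE_KEY, b"sample", P256_ORDER))
    print("distinct messages give distinct k:",
          k != rfc6979_nonce(RFC_PRIVATE_KEY, b"test", P256_ORDER))
```

Because the nonce is a function of the private key, an attacker who can choose or observe messages still learns nothing about k without the key, which is exactly the property the older PGP approach of hashing the nonce with the private key was after; RFC 6979 makes the construction standard and test-vectored so independent implementations can be checked against each other.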