[Cryptography] Why prefer symmetric crypto over public key crypto?

Jerry Leichter leichter at lrw.com
Wed Sep 11 18:02:33 EDT 2013


On Sep 11, 2013, at 1:53 AM, zooko <zooko at zooko.com> wrote:
> DJB's Ed25519 takes [using message context as part of random number generation] one step further, and makes the nonce determined *solely* by the message and the secret key, avoiding the PRNG part altogether:
This is not *necessarily* safe.  In another thread, we discussed whether choosing the IV for CBC mode by encrypting 0 with the session key was sufficient to meet the randomness requirements.  It turns out it does not.  I won't repeat the link to Rogaway's paper on the subject, where he shows that using this technique is strictly weaker than using a true random IV.

That doesn't mean the way it's done in Ed25519 is unsafe, just that you cannot generically assume that computing a random value from existing private information is safe.
                                                        -- Jerry
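The two derivations contrasted in the message above, as an added illustration that is not part of the original post: Ed25519's per-message nonce (r = SHA-512(prefix || M) mod L, per RFC 8032) depends on the message, while an IV computed as "encrypt 0 under the session key" depends on the key alone and is therefore identical for every message under that key. The standard library has no AES, so HMAC-SHA-256 over an all-zero block stands in for E_K(0) here; that substitution is an assumption of this example, and the seed, key and messages are constructed values.

```python
import hashlib
import hmac

# Group order of the Ed25519 base point (RFC 8032, section 5.1).
L = 2**252 + 27742317777372353535851937790883648493


def ed25519_expand_seed(seed: bytes):
    """Expand a 32-byte seed the way RFC 8032 does: the first half of
    SHA-512(seed) becomes the (clamped) secret scalar, the second half the
    secret prefix used for nonce derivation."""
    if len(seed) != 32:
        raise ValueError("Ed25519 seed must be 32 bytes")
    h = hashlib.sha512(seed).digest()
    scalar = bytearray(h[:32])
    scalar[0] &= 248
    scalar[31] &= 63
    scalar[31] |= 64
    prefix = h[32:]
    return int.from_bytes(scalar, "little"), prefix


def ed25519_nonce(seed: bytes, message: bytes) -> int:
    """Deterministic per-message nonce r = SHA-512(prefix || M) mod L.
    No RNG is consulted: r is a function of the secret prefix and the message,
    so a different message gives a different r, and the same message gives
    the same r (which is harmless, since the same signature results)."""
    _, prefix = ed25519_expand_seed(seed)
    return int.from_bytes(hashlib.sha512(prefix + message).digest(), "little") % L


def key_only_iv(session_key: bytes, block_size: int = 16) -> bytes:
    """Stand-in for 'IV = E_K(0)'.  HMAC-SHA-256 replaces the block cipher only
    because the standard library ships no AES (assumption of this example);
    the property under discussion is unchanged: the output ignores the message,
    so every message under session_key gets the same IV."""
    zero_block = bytes(block_size)
    return hmac.new(session_key, zero_block, hashlib.sha256).digest()[:block_size]


def cbc_first_block_collides(session_key: bytes, m1: bytes, m2: bytes,
                             block_size: int = 16) -> bool:
    """With a key-only IV, two messages sharing their first plaintext block
    produce the same first ciphertext block: C1 = E_K(P1 XOR IV) with IV fixed.
    Comparing the block-cipher *inputs* P1 XOR IV is enough to show this,
    since equal inputs to a deterministic cipher give equal outputs."""
    iv = key_only_iv(session_key, block_size)
    p1 = m1[:block_size].ljust(block_size, b"\0")
    p2 = m2[:block_size].ljust(block_size, b"\0")
    x1 = bytes(a ^ b for a, b in zip(p1, iv))
    x2 = bytes(a ^ b for a, b in zip(p2, iv))
    return x1 == x2


if __name__ == "__main__":
    seed = bytes(range(32))            # constructed Ed25519 seed
    key = b"constructed-session-key-32-bytes"  # constructed 32-byte session key
    m1 = b"TRANSFER 1000 USD to account A"
    m2 = b"TRANSFER 1000 USD to account B"
    print("Ed25519 nonces differ per message:", ed25519_nonce(seed, m1) != ed25519_nonce(seed, m2))
    print("key-only IV is the same for both:", key_only_iv(key) == key_only_iv(key))
    print("first CBC block collides:", cbc_first_block_collides(key, m1, m2))
```

The collision in the last line is exactly what a message-independent IV costs: an observer learns that two ciphertexts begin with the same plaintext block, which a fresh random IV (or a per-message derivation like Ed25519's) would hide.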