[Cryptography] Why prefer symmetric crypto over public key crypto?
leichter at lrw.com
Wed Sep 11 18:02:33 EDT 2013
On Sep 11, 2013, at 1:53 AM, zooko <zooko at zooko.com> wrote:
> DJB's Ed25519 takes [using message context as part of random number generation] one step further, and makes the nonce determined *solely* by the message and the secret key, avoiding the PRNG part altogether:
This is not *necessarily* safe. In another thread, we discussed whether choosing the IV for CBC mode by encrypting 0 with the session key was sufficient to meet the randomness requirements. It turns out it does not. I won't repeat the link to Rogaway's paper on the subject, where he shows that using this technique is strictly weaker than using a true random IV.
That doesn't mean the way it's done in Ed25519 is unsafe, just that you cannot generically assume that computing a random value from existing private information is safe.
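The two constructions contrasted in this message, as an added example that is not part of the original thread: CBC with IV = E_k(0), where the "random" IV is a constant per key and so lets a chosen-plaintext attacker see when two messages share a first block, beside the Ed25519 nonce derivation r = SHA-512(prefix || M) mod L (RFC 8032), which depends on the message and so only repeats when the message itself repeats. The block cipher is a toy four-round Feistel network keyed with SHA-256, an assumption made so the code runs on the standard library alone; it stands in for AES and does not change the IV argument. Only the nonce step of Ed25519 is shown, not the full signature, and all keys and messages are constructed for the demonstration.

```python
"""Added example: deriving a 'random' value from secret material is safe in
one construction (Ed25519 nonce) and unsafe in another (CBC IV = E_k(0)).
The block cipher is a toy Feistel PRP built on SHA-256 (assumption: stands in
for AES so the script needs only the standard library)."""
import hashlib
import os

BLOCK = 16
# Order of the Ed25519 base point (RFC 8032), used to reduce the nonce.
ED25519_L = 2**252 + 27742317777372353535851937790883648493

# Constructed demo inputs (not real keys or traffic).
KEY = hashlib.sha256(b"constructed demo session key").digest()
SEED = hashlib.sha256(b"constructed demo ed25519 seed").digest()
M1 = b"Authorization: X" + b"body block one-a"   # two 16-byte blocks
M2 = b"Authorization: X" + b"body block one-b"   # same first block as M1
M3 = b"Authorization: Y" + b"body block one-a"   # different first block


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    """Toy Feistel round function: 8 bytes of SHA-256(key || round || half)."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    left, right = block[:8], block[8:]
    for i in rounds:
        f = _round_fn(key, i, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left  # undo the final swap so the same loop inverts itself


def block_encrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(4))


def block_decrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(4)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Plain CBC; input must be a whole number of blocks (no padding here)."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(block_decrypt(key, c), prev)))
        prev = c
    return b"".join(out)


def derived_iv(key: bytes) -> bytes:
    """The IV choice discussed in the thread: E_k(0). Constant for a given key,
    whatever the message, so CBC under it is a deterministic scheme."""
    return block_encrypt(key, bytes(BLOCK))


def ciphertexts_reveal_shared_prefix(key: bytes, m1: bytes, m2: bytes, random_iv: bool) -> bool:
    """Chosen-plaintext distinguisher: encrypt m1 and m2 separately and check
    whether the first ciphertext blocks coincide. With a constant IV this is
    exactly 'do m1 and m2 share a first block'; with a fresh random IV the two
    first blocks agree only with probability 2^-128."""
    make_iv = (lambda: os.urandom(BLOCK)) if random_iv else (lambda: derived_iv(key))
    c1 = cbc_encrypt(key, make_iv(), m1)
    c2 = cbc_encrypt(key, make_iv(), m2)
    return c1[:BLOCK] == c2[:BLOCK]


def ed25519_nonce(seed: bytes, message: bytes) -> int:
    """Nonce step of Ed25519 (RFC 8032 section 5.1.6): prefix is the upper half of
    SHA-512(seed); r = SHA-512(prefix || M) read little-endian, reduced mod L.
    The nonce is a function of (key, message), not of the key alone."""
    prefix = hashlib.sha512(seed).digest()[32:]
    return int.from_bytes(hashlib.sha512(prefix + message).digest(), "little") % ED25519_L


if __name__ == "__main__":
    print("E_k(0) IV identical across messages:", derived_iv(KEY) == derived_iv(KEY))
    print("shared first block visible, IV=E_k(0):",
          ciphertexts_reveal_shared_prefix(KEY, M1, M2, random_iv=False))
    print("shared first block visible, random IV:",
          ciphertexts_reveal_shared_prefix(KEY, M1, M2, random_iv=True))
    print("Ed25519 nonce repeats only for the same message:",
          ed25519_nonce(SEED, M1) == ed25519_nonce(SEED, M1),
          ed25519_nonce(SEED, M1) != ed25519_nonce(SEED, M2))
```

The distinguisher is the whole point of the comparison: E_k(0) is a perfectly good pseudorandom value, yet because it never changes it gives an attacker who can submit plaintexts a deterministic oracle, which is the gap between it and a per-message random IV. The Ed25519 nonce is also a deterministic function of secret material, but it folds the message in, so the only repetition is for an identical (key, message) pair, which yields an identical signature and leaks nothing new. Whether "derive it from the secret" is safe therefore depends on what the value must not repeat across, not on the derivation being pseudorandom.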