[Cryptech Tech] why not deterministic ecdsa?

Bernd Paysan bernd at net2o.de
Sun Sep 6 21:10:48 UTC 2015


On Sunday, 6 September 2015 at 16:28:53, Rob Austein wrote:
> At Sun, 06 Sep 2015 22:17:25 +0200, Simon Josefsson wrote:
> > Am I reading this right that your ECDSA code generated a fresh k
> > from your TRNG?
> 
> Yes.  Given that we think the TRNG is fairly solid, this is not
> particularly expensive.
> 
> > You want to read and consider RFC 6979.
> 
> Read it a while back.  Haven't seen anything suggesting serious
> uptake, but will defer to the usual suspects if they have advice.

Well, everybody seriously concerned with elliptic curves and really secure 
signing uses Ed25519 instead of the FIPS curves, and that one uses the 
approach in RFC 6979.

k=hash(hash_value, secret_part_2)

is a pretty straightforward function, and pretty fast, too. secret_part_1 is 
the secret used for your elliptic curve, both generated by hashing a primary 
secret (you don't need that step, just generate and store twice as many bits 
for the secret, there's no need for secret_part_1 and secret_part_2 to be 
related in any way).  AFAIK, the secret partitioning is only for possible 
weaknesses in the hash, but when you have a weak hash function, you are 
screwed anyways, because anybody can forge signatures by attacking the hash 
instead of the elliptic curve.

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
net2o ID: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*
http://bernd-paysan.de/