[Cryptech Tech] why not deterministic ecdsa?

Simon Josefsson simon at josefsson.org
Mon Sep 7 07:25:14 UTC 2015

Previous message (by thread): [Cryptech Tech] why not deterministic ecdsa?
Next message (by thread): [Cryptech Tech] why not deterministic ecdsa?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Randy Bush <randy at psg.com> writes:

>> Am I reading this right that your ECDSA code generated a fresh k from
>> your TRNG?
>> 
>> You want to read and consider RFC 6979.
>
> hi simon.  considering the rate js is getting out of the trng, what
> other motivation is there to do 6979?

Normally you would ask the reverse question (why use something if it
isn't needed), but answers include:

1) Be able to self test the functions against expected input/output
vectors.

2) Avoid catastrophic failures if the rng stops working or produce poor
quality.

3) Generality and separation of components (someone who uses your ecdsa
might not necessarily trust your rng).

/Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 472 bytes
Desc: not available
URL: <https://lists.cryptech.is/archives/tech/attachments/20150907/27391faf/attachment.sig>

Previous message (by thread): [Cryptech Tech] why not deterministic ecdsa?
Next message (by thread): [Cryptech Tech] why not deterministic ecdsa?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Tech mailing list