[Cryptech Tech] why not deterministic ecdsa?
Bernd Paysan
bernd at net2o.de
Mon Sep 7 11:40:53 UTC 2015
On Monday, 7 September 2015, 10:27:46, Simon Josefsson wrote:
> Leif Johansson <leifj at sunet.se> writes:
> >> 3) Generality and separation of components (someone who uses your
> >> ecdsa might not necessarily trust your rng).
> >
> > afaiu this is the usual argument for 6979 but haven't we failed if folks
> > don't trust our rng?
>
> Not necessarily. Maybe they trust cryptech to protect private keys and
> perform ecdsa signing, but wants to generate keys elsewhere.
>
> Trusting a rng is different from trusting a device carrying out
> verifiable computations. I wouldn't trust a rng without proof or at
> least a convincing argument that quantify the amount of entropy it can
> generate.
IMHO the last is crucial. Key generation may not be a very frequent operation
(unless you use it for ephemeral key exchange on a server with high load; and
then, you still benefit from the good randomness of the other side), but bulk
signing of data is a common operation, e.g. zone signing in DNSSEC. If the
signature is computed fast, and there's not much entropy available, the TRNG
is reduced to a pure PRNG.
You may trust the avalanche noise, but you may not trust the PRNG. At least
not for something like a signature, which can reveal your secret key if
something goes wrong. The deterministic signature means you only depend on
the hash and the elliptic curve cryptography, nothing more. You don't have to
trust the PRNG, you don't have to trust the entropy sources.
--
Bernd Paysan
"If you want it done right, you have to do it yourself"
net2o ID: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*
http://bernd-paysan.de/