[146788] in cryptography@c2.net mail archive


Re: [Cryptography] ElGamal,

daemon@ATHENA.MIT.EDU (Jon Callas)
Sat Sep 7 20:20:33 2013

X-Original-To: cryptography@metzdowd.com
From: Jon Callas <jon@callas.org>
In-Reply-To: <20130907200924.64c0c58d@heidi.cb.piermont.com>
Date: Sat, 7 Sep 2013 17:14:32 -0700
To: "Perry E. Metzger" <perry@piermont.com>
Cc: "Jeffrey I. Schiller" <jis@mit.edu>, cryptography@metzdowd.com,
	Jon Callas <jon@callas.org>, ianG <iang@iang.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sep 7, 2013, at 5:09 PM, "Perry E. Metzger" <perry@piermont.com> wrote:

> Note that such systems should at this point be using deterministic
> methods (hashes of text + other data) to create the needed nonces. I
> believe several such methods have been published and are considered
> good, but are not well standardized. Certainly this eliminates a *very*
> important source of fragility in such systems and should be universally
> implemented.
> 
> References to such methods are solicited -- I'm operating without my
> usual machine at the moment while its hard drive restores from backup.

For as long as PGP has done DSA, it protected the signature nonce by hashing it with the DSA private key. These days, we'd do an HMAC, most likely.

There's now an RFC 6979 on "Deterministic DSA" as well. Phil Z, David Kravitz, and I started on something equivalent and then stopped when we saw what Thomas Pornin was doing. It's good stuff.

https://datatracker.ietf.org/doc/rfc6979/

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii

wj8DBQFSK8FpsTedWZOD3gYRAs2DAKCA8Di/fH9ZYvAb4y5Byb2bN6MudQCgkXZO
80uY0/A7zZ3CBe6C0/1ALfU=
=eqWE
-----END PGP SIGNATURE-----
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
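The two nonce-derivation approaches mentioned in this thread, written out as an added Python example (not code from PGP, from Jon Callas, or from RFC 6979 itself): a plain HMAC of the message under the private key reduced mod q, beside the RFC 6979 procedure with its bits2int/int2octets conversions and rejection loop. Only the standard library is used. The constants `Q`, `X` and `EXPECTED_K` are transcribed from memory of RFC 6979 Appendix A.1 and are an assumption to check against the RFC text; the function names are my own.

```python
"""Deterministic signature nonces: a simple keyed-hash scheme and RFC 6979.

Constructed example. The RFC 6979 Appendix A.1 values below are transcribed
from memory and should be verified against the RFC before being relied on.
"""
import hashlib
import hmac


def _bits2int(data: bytes, qlen: int) -> int:
    """RFC 6979 bits2int: read data as a big-endian integer, keep leftmost qlen bits."""
    value = int.from_bytes(data, "big")
    blen = len(data) * 8
    if blen > qlen:
        value >>= blen - qlen
    return value


def _int2octets(value: int, qlen: int) -> bytes:
    """RFC 6979 int2octets: fixed-width big-endian encoding, rlen = 8*ceil(qlen/8)."""
    return value.to_bytes((qlen + 7) // 8, "big")


def _bits2octets(data: bytes, q: int, qlen: int) -> bytes:
    """RFC 6979 bits2octets: bits2int, reduce mod q, then int2octets."""
    return _int2octets(_bits2int(data, qlen) % q, qlen)


def hmac_nonce(x: int, q: int, message: bytes) -> int:
    """The simpler idea: k derived from HMAC(private key, message), reduced into [1, q-1].

    Deterministic, so the same message never reuses a different k, but the final
    reduction is not perfectly uniform. The bias is negligible only when the MAC
    output is much longer than q; RFC 6979 avoids the issue with rejection sampling.
    """
    mac = hmac.new(_int2octets(x, q.bit_length()), message, "sha256").digest()
    return 1 + int.from_bytes(mac, "big") % (q - 1)


def rfc6979_nonce(x: int, q: int, message: bytes, hash_name: str = "sha256") -> int:
    """RFC 6979 section 3.2: derive k in [1, q-1] from private key x and the message."""
    if not 0 < x < q:
        raise ValueError("private key out of range")
    qlen = q.bit_length()
    hlen = hashlib.new(hash_name).digest_size
    h1 = hashlib.new(hash_name, message).digest()
    seed = _int2octets(x, qlen) + _bits2octets(h1, q, qlen)

    # Steps b-g: seed the HMAC_DRBG-style state K, V with the key and message hash.
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = hmac.new(K, V + b"\x00" + seed, hash_name).digest()
    V = hmac.new(K, V, hash_name).digest()
    K = hmac.new(K, V + b"\x01" + seed, hash_name).digest()
    V = hmac.new(K, V, hash_name).digest()

    # Step h: generate candidates until one falls in [1, q-1].
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hash_name).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Out of range: update the state and try again (no modulo reduction).
        K = hmac.new(K, V + b"\x00", hash_name).digest()
        V = hmac.new(K, V, hash_name).digest()


# RFC 6979 Appendix A.1 values (163-bit q), transcribed from memory: verify against the RFC.
Q = 0x4000000000000000000020108A2E0CC0D99F8A5EF
X = 0x09A4D6792295A7F730FC3F2B49CBC0F62E862272F
EXPECTED_K = 0x23AF4074C90A02B3FE61D286D5C87F425E6BDD81B


def matches_rfc_vector() -> bool:
    """True if our k for message "sample" under SHA-256 equals the transcribed RFC value."""
    return rfc6979_nonce(X, Q, b"sample") == EXPECTED_K


if __name__ == "__main__":
    k = rfc6979_nonce(X, Q, b"sample")
    print(f"RFC 6979 k = {k:X}")
    print("matches transcribed Appendix A.1 value:", matches_rfc_vector())
    print(f"simple HMAC nonce = {hmac_nonce(X, Q, b'sample'):X}")
    # Same key and message always give the same nonce; a changed message gives a new one.
    print("deterministic:", k == rfc6979_nonce(X, Q, b"sample"))
    print("differs for other message:", k != rfc6979_nonce(X, Q, b"test"))
```

Both functions remove the random-number generator from the signing path, which is the fragility Perry refers to: a repeated or biased k leaks the private key in DSA and ECDSA, and a derivation that depends only on the key and the message cannot repeat a nonce across distinct messages. The RFC 6979 construction is the one to standardize on, since its output is also usable for test vectors and is the same on every platform.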
