[147015] in cryptography@c2.net mail archive
Re: [Cryptography] Why prefer symmetric crypto over public key
daemon@ATHENA.MIT.EDU (zooko)
Wed Sep 11 13:08:41 2013
Date: Wed, 11 Sep 2013 09:53:01 +0400
From: zooko <zooko@zooko.com>
To: "Jeffrey I. Schiller" <jis@mit.edu>
In-Reply-To: <20130907140522.GA4132@jis.tzo.com>
Cc: cryptography@metzdowd.com, ianG <iang@iang.org>
I agree that randomness-reuse is a major issue. Recently about 55 Bitcoin were
stolen by exploiting this, for example:
http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/
However, it is quite straightforward to make yourself safe from re-used nonces
in (EC)DSA, like this:
https://github.com/trezor/python-ecdsa/commit/8efb52fad5025ae87b649ff78faa9f8076768065
Whenever the public-key crypto spec says that you have to come up with a random
number, don't do it! Instead of just pulling a random number from your PRNG,
mix the message into your PRNG to generate a random number which will therefore
be unique to this message.
Note that you don't have to get anyone else's cooperation in order to do this
-- interoperating implementations can't tell how you chose your "random"
number, so they can't complain if you do it this way.
Wei Dai's Crypto++ library has done this for ages, for *all* nonces generated
in the course of public-key operations.
DJB's Ed25519 takes this one step further, and makes the nonce determined
*solely* by the message and the secret key, avoiding the PRNG part altogether:
http://ed25519.cr.yp.to/papers.html
In my opinion, that's the way to go. It applies equally well to (EC)DSA, and
still enjoys the above-mentioned interoperability.
There is now a standard for this fully-deterministic approach in the works,
edited by Thomas Pornin: https://tools.ietf.org/html/rfc6979 .
Therefore, Ed25519 or RFC-6979-enhanced (EC)DSA is actually safer than RSA-PSS
is with regard to this issue.
Regards,
Zooko
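The two points Zooko makes above, that a repeated (EC)DSA nonce hands the private key to anyone holding two signatures, and that deriving the nonce from the secret key and the message (RFC 6979) removes the PRNG from that path, worked through in code. This is an added example, not code from the original post, from python-ecdsa, Crypto++ or Ed25519: plain Python over secp256k1 with no third-party packages. The curve parameters are the standard secp256k1 ones; the private key, the messages and the fixed nonce `0xC0FFEE` (standing in for a forked PRNG that repeats its output) are constructed test values, and the RFC 6979 routine is the 256-bit-curve/SHA-256 special case of the RFC's HMAC-DRBG construction.

```python
"""Nonce reuse in ECDSA versus an RFC 6979 deterministic nonce (added example).

Pure Python over secp256k1; not constant-time, for illustration only.
"""
import hashlib
import hmac

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P), generator G of prime order N.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def msg_hash(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(d: int, message: bytes, k: int):
    """Textbook ECDSA: r = (kG).x mod n, s = k^-1 (z + r d) mod n, with caller-chosen k."""
    z = msg_hash(message)
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    assert r and s
    return (r, s)


def verify(pub, message: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = msg_hash(message)
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_key_from_reused_nonce(m1, sig1, m2, sig2) -> int:
    """Same k => same r; s1 - s2 = k^-1 (z1 - z2) gives k, then d = (s1 k - z1) / r."""
    (r, s1), (_, s2) = sig1, sig2
    z1, z2 = msg_hash(m1), msg_hash(m2)
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r, -1, N) % N


def rfc6979_nonce(d: int, message: bytes) -> int:
    """RFC 6979 HMAC-DRBG nonce, 256-bit curve with SHA-256 (qlen == hlen, so no truncation)."""
    x = d.to_bytes(32, "big")                           # int2octets(x)
    h = (msg_hash(message) % N).to_bytes(32, "big")     # bits2octets(H(m))
    V, K = b"\x01" * 32, b"\x00" * 32
    K = hmac.new(K, V + b"\x00" + x + h, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    K = hmac.new(K, V + b"\x01" + x + h, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    while True:
        V = hmac.new(K, V, hashlib.sha256).digest()
        k = int.from_bytes(V, "big")
        if 1 <= k < N:
            return k
        K = hmac.new(K, V + b"\x00", hashlib.sha256).digest()
        V = hmac.new(K, V, hashlib.sha256).digest()


def sign_deterministic(d: int, message: bytes):
    """ECDSA with the nonce derived from (d, message): no PRNG, no reuse across messages."""
    return sign(d, message, rfc6979_nonce(d, message))


# Constructed demo key and messages (assumed values, not real wallet material).
PRIV = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
PUB = ec_mul(PRIV, G)
M1, M2 = b"pay 1 BTC to alice", b"pay 50 BTC to mallory"

if __name__ == "__main__":
    bad_k = 0xC0FFEE  # assumed fixed nonce: what a forked PRNG handing out the same output looks like
    s1, s2 = sign(PRIV, M1, bad_k), sign(PRIV, M2, bad_k)
    print("recovered key matches:", recover_key_from_reused_nonce(M1, s1, M2, s2) == PRIV)
    d1, d2 = sign_deterministic(PRIV, M1), sign_deterministic(PRIV, M2)
    print("deterministic r values differ:", d1[0] != d2[0])
    print("both verify:", verify(PUB, M1, d1) and verify(PUB, M2, d2))
```

The verifier cannot tell `sign_deterministic` from a signer that drew `k` at random, which is the interoperability point above: the only thing a relying party sees is `(r, s)`. The cost that remains is that a signer's secret `d` now also keys the nonce derivation, so the same side-channel hygiene that protects `d` in the scalar multiplication has to cover the HMAC calls too.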
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography