[147048] in cryptography@c2.net mail archive


Re: [Cryptography] Why prefer symmetric crypto over public key

daemon@ATHENA.MIT.EDU (Jerry Leichter)
Wed Sep 11 18:08:17 2013

X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <20130911055301.GI28803@zooko.com>
Date: Wed, 11 Sep 2013 18:02:33 -0400
To: zooko <zooko@zooko.com>
Cc: "Jeffrey I. Schiller" <jis@mit.edu>, cryptography@metzdowd.com,
	ianG <iang@iang.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Sep 11, 2013, at 1:53 AM, zooko <zooko@zooko.com> wrote:
> DJB's Ed25519 takes [using message context as part of random number generation] one step further, and makes the nonce determined *solely* by the message and the secret key, avoiding the PRNG part altogether:
This is not *necessarily* safe.  In another thread, we discussed whether choosing the IV for CBC mode by encrypting 0 with the session key was sufficient to meet the randomness requirements.  It turns out it does not.  I won't repeat the link to Rogaway's paper on the subject, where he shows that using this technique is strictly weaker than using a true random IV.

That doesn't mean the way it's done in Ed25519 is unsafe, just that you cannot generically assume that computing a random value from existing private information is safe.
                                                        -- Jerry

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
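The following is an added worked example, not code from Jerry's message, from zooko, or from Rogaway's paper. It shows the concrete difference between the two derivations discussed above: an IV computed as AES_K(0) depends on the session key only, so it is identical for every message sent under that key, and two CBC messages that share a first plaintext block then share a first ciphertext block (an observer learns the shared prefix); a fresh random IV hides that. It then contrasts Ed25519, whose nonce also binds the message, so equal messages give equal signatures (harmless) and distinct messages give distinct R values. The key, seed and messages are constructed for the demo; the function names are the example's own. Padding and authentication are left out on purpose.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed demo key (not a real session key); any 32 bytes would do here.
var demoKey = sha256.Sum256([]byte("constructed demo key"))

// derivedIV is the "encrypt 0 with the session key" construction from the thread.
// It is a function of the key alone, so every message under this key gets the same IV.
func derivedIV(key []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	block.Encrypt(iv, make([]byte, aes.BlockSize)) // IV = AES_K(0^128)
	return iv
}

// randomIV draws a fresh IV from the OS CSPRNG for each message.
func randomIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// cbcEncrypt runs raw CBC; pt must be a whole number of blocks (no padding here).
func cbcEncrypt(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// sharedLeadingBlocks counts how many leading 16-byte blocks two ciphertexts have in common.
func sharedLeadingBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

// CBCPrefixLeak encrypts two constructed messages that agree on their first
// block and differ in the second, under the same key, and reports how many
// leading ciphertext blocks coincide: 1 with the key-derived IV, 0 with random IVs.
func CBCPrefixLeak(useDerivedIV bool) int {
	key := demoKey[:]
	prefix := []byte("GET /account/bal")                // exactly one 16-byte block
	m1 := append(append([]byte{}, prefix...), []byte("ance?id=000042\r\n")...)
	m2 := append(append([]byte{}, prefix...), []byte("ance?id=000077\r\n")...)
	if len(m1)%aes.BlockSize != 0 || len(m2)%aes.BlockSize != 0 {
		panic("demo messages must be whole blocks")
	}
	iv1, iv2 := randomIV(), randomIV()
	if useDerivedIV {
		iv1, iv2 = derivedIV(key), derivedIV(key) // same IV for both messages
	}
	return sharedLeadingBlocks(cbcEncrypt(key, iv1, m1), cbcEncrypt(key, iv2, m2))
}

// Ed25519NonceBehaviour shows the contrast: Go's crypto/ed25519 derives the
// nonce from the secret key and the message, so signing needs no RNG, the same
// message always yields the same signature, and different messages yield
// different R values (the first 32 bytes of the 64-byte signature).
func Ed25519NonceBehaviour() (sameMsgSameSig, diffMsgDiffR bool) {
	seed := sha256.Sum256([]byte("constructed demo seed")) // 32 bytes = ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed[:])
	m1, m2 := []byte("transfer 10"), []byte("transfer 11")
	s1a, s1b, s2 := ed25519.Sign(priv, m1), ed25519.Sign(priv, m1), ed25519.Sign(priv, m2)
	sameMsgSameSig = bytes.Equal(s1a, s1b)
	diffMsgDiffR = !bytes.Equal(s1a[:32], s2[:32])
	return
}

func main() {
	fmt.Println("derived IV, shared leading ciphertext blocks:", CBCPrefixLeak(true))
	fmt.Println("random IV,  shared leading ciphertext blocks:", CBCPrefixLeak(false))
	same, diff := Ed25519NonceBehaviour()
	fmt.Println("ed25519: same msg -> same sig:", same, "| diff msg -> diff R:", diff)
}
```

The point the example makes is the one in the message: deriving a "random" value from existing secret material is only as good as what that derivation binds. AES_K(0) binds the key alone and so repeats across messages; Ed25519's nonce binds key and message and so repeats only when the message does, which for a signature changes nothing.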
