On Mon, Jun 15, 2009 at 4:14 PM, Wei Dai <[email protected]> wrote:
>
>> How bad is that? I can't figure out if ECDSA breaks
>> horribly if you re-use your random integer "k".
>
> It's really bad. If you re-use your random integer "k" just once, an
> attacker can get your entire private key.

Thanks. By the way, I remembered that we're currently using RSA-PSS-SHA256 instead of ECDSA. (We intend to switch to ECDSA because key generation is much faster and because public keys are smaller.) I know that RSA-PSS-SHA256 doesn't break if you re-use the random seed. That's nice!

> Yes, I'm doing that also. See line 1036 in pubkey.h. So the time() call in
> RandomPool is for defense in depth, and also other protocols where it's not
> convenient to hash the message into the random number.

Very cool. So, for the purposes of Tahoe-LAFS (and other users of pycryptopp, which currently does *not* support ECDSA), it won't hurt to strip out the defense against VM rollback in order to make it easier to build on Windows using MinGW. People who build pycryptopp against the official Crypto++ lib will get that defense.

For future versions we intend to add ECDSA, and also I would like to have fully repeatable ECDSA (i.e., that the seed is passed as an explicit argument to the sign() method), but we can worry about that later.

Thanks a lot!

Regards,

Zooko

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the "Crypto++ Users" Google Group.
To unsubscribe, send an email to [email protected].
More information about Crypto++ and this group is available at http://www.cryptopp.com.
-~----------~----~----~----~------~----~------~--~---
