Gregory Maxwell:
> On Mon, Sep 24, 2012 at 2:49 PM, Jacob Appelbaum <[email protected]> wrote:
> [snip]
>> But what is the right way to ensure that k has some safety without being
>> weaker by being predictable? I imagine a lot of OTR conversations start
>> with pretty well known plaintext such as "hi" or "hello" or some
>> variant. So a hash or a MAC over that message as part of k isn't really,
>> well, unpredictable.
>
> ed25519 (an ECDSA-like algorithm for signing over a particular curve)
> solves this elegantly by using
> r = SHA512(data_being_signed || secret_stored_with_dsa_privkey).
>

r? Not k? What happens if k repeats?

> If the same privkey signs the same message twice you just get the same
> signature, and obviously don't leak anything by having two copies of the
> same thing. If SHA512 is a good pseudo-random oracle then the random
> number is good. (And putting the secret at the end probably reduces some
> concerns with extension attacks against Merkle-Damgard hash functions
> like sha512).
>

If you have two copies of the same thing where the signature uses a repeating k then all hope is lost.

All the best,
Jake

_______________________________________________
OTR-dev mailing list
[email protected]
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
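The nonce derivation the thread discusses, worked through as an added example (not code from the thread, from OTR or from ed25519): a toy Schnorr-style signer over constructed, deliberately tiny parameters that derives r = SHA512(message || secret) exactly as described, so signing "hi" twice yields the same signature and different messages never share a nonce without a hash collision, plus an audit check that flags the fatal case of one R value reappearing under two different messages. The group parameters, the key layout and the `find_nonce_reuse` helper are assumptions of this example.

```python
import hashlib

# Toy Schnorr-style group, constructed for illustration only (far too small to be secure):
# p = 2q + 1 is a safe prime and g = 4 generates the prime-order-q subgroup.
P, Q, G = 1019, 509, 4

def keygen(seed: bytes) -> dict:
    """ed25519-style expansion: half of SHA-512(seed) is the signing scalar x,
    the other half is a secret kept only for nonce derivation."""
    h = hashlib.sha512(seed).digest()
    x = 1 + int.from_bytes(h[:32], "big") % (Q - 1)
    return {"x": x, "nonce_secret": h[32:], "y": pow(G, x, P)}

def derive_nonce(nonce_secret: bytes, message: bytes) -> int:
    """The thread's construction: r = SHA-512(message || secret), reduced into [1, q-1].
    No RNG is involved, so two different messages only share a nonce if SHA-512
    collides; the secret goes last to blunt length-extension concerns."""
    digest = hashlib.sha512(message + nonce_secret).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def challenge(R: int, message: bytes) -> int:
    return int.from_bytes(hashlib.sha512(R.to_bytes(2, "big") + message).digest(), "big") % Q

def sign(key: dict, message: bytes) -> tuple:
    r = derive_nonce(key["nonce_secret"], message)
    R = pow(G, r, P)                      # public commitment to the nonce
    e = challenge(R, message)
    s = (r + e * key["x"]) % Q            # the nonce masks the private scalar x
    return (R, s)

def verify(y: int, message: bytes, sig: tuple) -> bool:
    R, s = sig
    e = challenge(R, message)
    # g^s * y^(-e) = g^(r + e*x) * g^(-e*x) = g^r = R
    return (pow(G, s, P) * pow(y, -e, P)) % P == R

def find_nonce_reuse(records: list) -> list:
    """Audit check over (message, signature) pairs: the same R under two different
    messages means the nonce repeated, the case the thread calls fatal. The same
    message signed twice legitimately repeats R and is not flagged."""
    seen, reused = {}, []
    for message, (R, _s) in records:
        if R in seen and seen[R] != message and R not in reused:
            reused.append(R)
        seen.setdefault(R, message)
    return reused

if __name__ == "__main__":
    key = keygen(b"constructed demo seed")
    sig = sign(key, b"hi")                # well-known plaintext, nonce still unpredictable
    print(sig == sign(key, b"hi"), verify(key["y"], b"hi", sig))
```

Requires Python 3.8 or later for `pow(y, -e, P)`, which computes the modular inverse.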
