On Mon, Sep 24, 2012 at 4:06 PM, Jacob Appelbaum <[email protected]> wrote:
> r? Not k? What happens if k repeats?

Ed25519 is a Schnorr signature based system and so the variable names
are slightly different. It has the same RNG problem as (EC)DSA however
and Ed25519 solves it with deterministic signatures. Since (EC)DSA
generally has non-deterministic signatures, I'd recommend maintaining
that property in any generic implementation: i.e. hash in the private
key, message and entropy to generate k. That's what we do in Google
systems.

> But what is the right way to ensure that k has some safety without being
> weaker by being predictable? I imagine a lot of OTR conversations start
> with pretty well known plaintext such as "hi" or "hello" or some
> variant.

In OTR the data that is signed includes the two ephemeral DH public
keys, not any user message. Therefore a deterministic signature
shouldn't be a problem because the signed data is random.


Cheers

AGL

-- 
Adam Langley [email protected] http://www.imperialviolet.org
_______________________________________________
OTR-dev mailing list
[email protected]
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
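The nonce derivation Adam describes above (hash the private key, the message and some entropy together to get k) worked through on a toy Schnorr signature, as an added example that is not code from this post or from any Google system. The 61-bit safe-prime group found at import time, the SHA-256 construction and every function name are assumptions made for illustration only.

```python
import hashlib
import secrets
def is_prime(n):
    # Miller-Rabin; these 12 bases decide primality exactly for odd n < 3.3e24.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True
# Toy group (constructed here, far too small for real use): P = 2Q + 1 is a safe
# prime, so the squares mod P form a subgroup of prime order Q generated by 4.
Q = next(q for q in range(2**61 + 1, 2**62, 2) if is_prime(q) and is_prime(2 * q + 1))
P = 2 * Q + 1
G = 4
def derive_nonce(priv, msg, entropy=b""):
    """k = H(priv || H(msg) || entropy || ctr) in [1, Q-1].  entropy=b"" gives a pure
    function of key and message; fresh entropy per call keeps signatures non-deterministic."""
    ctr = 0
    while True:
        h = hashlib.sha256(priv.to_bytes(8, "big") + hashlib.sha256(msg).digest()
                           + entropy + bytes([ctr])).digest()
        k = int.from_bytes(h, "big") % Q   # toy: plain reduction, bias is ~2^-195 here
        if k != 0:
            return k
        ctr += 1

def sign(priv, msg, entropy=b""):
    k = derive_nonce(priv, msg, entropy)   # a broken RNG only degrades to the deterministic case
    R = pow(G, k, P)                       # commitment g^k
    e = int.from_bytes(hashlib.sha256(R.to_bytes(8, "big") + msg).digest(), "big")
    return e, (k + (e % Q) * priv) % Q     # s = k + e*x mod Q

def verify(pub, msg, sig):
    e, s = sig
    R = pow(G, s, P) * pow(pub, Q - e % Q, P) % P   # g^s * y^(-e) == g^k
    return e == int.from_bytes(hashlib.sha256(R.to_bytes(8, "big") + msg).digest(), "big")

def keygen():
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)
```

Signing the same message twice with entropy=b"" returns the identical signature, while two calls with fresh entropy return different ones that both verify.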
