On 1/24/2016 5:15 AM, Yoav Nir wrote:
>> Correct me if I'm wrong but:
>>
>> 1) A receiver of a deterministic ECDSA signature verifies it EXACTLY like
>> they would a non-deterministic signature.
>> 2) A receiver of an ECDSA signature cannot determine whether or not the signer
>> did a deterministic signature.
>> 3) A TLS implementation has no way (absent repeating signatures over identical
>> data) of telling whether or not a given signature using the client or server
>> private key is deterministic.
>
> I might be missing something, but if k is deterministic, do we really need to
> send it? Can’t the receiver figure it out the same way that the sender did?
> I know that makes it break compatibility, but since this is TLS 1.3 anyway,
> that’s not an issue, I think.
>
> Yoav

Hi Yoav

If K is known and the signature is known then the private key is known.

The particular method the RFC uses to create the signature is to
incorporate the signing private key as part of the input to the
pseudo-random generation of K (along with the message). The receiver
doesn't have the private key and so can't derive K (which is a *GOOD*
thing - see the point above. :-) )

Mike.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls