yet another tiny feature: deterministic ECDSA

Werner Koch wk at gnupg.org
Thu May 16 11:12:38 CEST 2013


On Fri, 12 Apr 2013 15:24, christian at grothoff.org said:

> On 04/12/2013 03:16 PM, Tom Ritter wrote:
>>
>> There is a method to do deterministic DSA safely (as far as anyone
>> knows), that's been looked at some:
>> http://tools.ietf.org/html/draft-pornin-deterministic-dsa-01

I read the I-D and discussion at cfrg again and agree that it makes
sense to have support in Libgcrypt for this scheme.  There is no RFC
yet, but even though -01 expired it seems to be moving on.

> Using this method would be fine by me as well; I can supply 'h1' (the
> H(m)) instead of the exact 'k' value.  What I care about is having an
> option to achieve determinism. Also,

Good that we can avoid a special GNUnet case here.

> as in our case 'm' itself is encrypted before being signed, I'd like
> to do the hashing myself as using h1 = H(E(m)) will give the adversary
> (who doesn't know 'm')

Sure, that is how we do it in Libgcrypt anyway.

I'll ask Thomas Pornin whether it is okay to implement this draft or
whether he intends any update.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
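The scheme the thread discusses (draft-pornin-deterministic-dsa, later published as RFC 6979) derives the per-signature nonce k from the private key x and the hashed message h1 with HMAC_DRBG, so no random number generator is involved at signing time. The example below is added here for illustration; it is not Libgcrypt code and not part of the original message. It takes the caller-supplied h1 exactly as Christian proposes (so h1 = H(E(m)) can be computed outside the library), runs the bits2int/int2octets/bits2octets conversions and the HMAC_DRBG loop from the draft, and checks the result against the published P-256/SHA-256 test vector for the message "sample" (the group order q, private key x and expected k are the RFC 6979 A.2.5 values). Elliptic-curve point arithmetic is left out; only the nonce derivation, which is the deterministic part, is shown.

```python
import hashlib
import hmac

# NIST P-256 group order and the RFC 6979 A.2.5 test key (qlen = 256 bits).
P256_Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
TEST_X = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721


def bits2int(b: bytes, qlen: int) -> int:
    """Interpret b as a big-endian integer, keeping only its qlen leftmost bits."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    if blen > qlen:
        v >>= blen - qlen
    return v


def int2octets(v: int, rlen: int) -> bytes:
    """Fixed-width big-endian encoding of v in rlen bytes (rlen = ceil(qlen/8))."""
    return v.to_bytes(rlen, "big")


def bits2octets(b: bytes, q: int, qlen: int, rlen: int) -> bytes:
    """bits2int, then reduce modulo q, then int2octets (draft section 2.3.4)."""
    z1 = bits2int(b, qlen)
    z2 = z1 - q
    if z2 < 0:
        z2 = z1
    return int2octets(z2, rlen)


def deterministic_k(x: int, q: int, h1: bytes, hashfunc=hashlib.sha256) -> int:
    """Derive the ECDSA nonce k from private key x and prehashed message h1.

    h1 is whatever the caller wants signed; in the GNUnet case discussed
    above that is H(E(m)), computed by the caller rather than the library.
    """
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    hlen = hashfunc().digest_size

    def mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashfunc).digest()

    # HMAC_DRBG instantiation: V = 0x01..01, K = 0x00..00, seed = x || h1.
    seed = int2octets(x, rlen) + bits2octets(h1, q, qlen, rlen)
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = mac(K, V + b"\x00" + seed)
    V = mac(K, V)
    K = mac(K, V + b"\x01" + seed)
    V = mac(K, V)

    # Generate candidate nonces until one falls in [1, q-1].
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = mac(K, V)
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Candidate out of range: update the DRBG state and try again.
        K = mac(K, V + b"\x00")
        V = mac(K, V)


def nonce_for_message(x: int, q: int, msg: bytes, hashfunc=hashlib.sha256) -> int:
    """Convenience wrapper for callers that let the library hash m itself."""
    return deterministic_k(x, q, hashfunc(msg).digest(), hashfunc)


if __name__ == "__main__":
    # RFC 6979 A.2.5, P-256 with SHA-256, message "sample".
    k = nonce_for_message(TEST_X, P256_Q, b"sample")
    print(f"k = {k:064X}")
    # Constructed stand-in for an encrypted message E(m): the caller hashes it
    # and hands over h1, as proposed in the thread.
    h1 = hashlib.sha256(b"<constructed ciphertext E(m)>").digest()
    print(f"k for caller-supplied h1 = {deterministic_k(TEST_X, P256_Q, h1):064X}")
```

Because the HMAC key is derived from x, an adversary who knows only h1 (the situation Christian describes when h1 = H(E(m)) is public) cannot reproduce k; and because no randomness is consumed, signing the same h1 twice yields the same k, which is exactly the determinism property the thread is after. Note that the draft prescribes that h1 is produced with the same hash function that drives HMAC_DRBG, and that the private key must still be kept secret: determinism removes the RNG failure mode, not the need for key confidentiality.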




More information about the Gcrypt-devel mailing list