RNG requirements (was: Environment variable GNUPGHOME with Windows + MSYS2)

Jacob Bachmeyer jcb62281 at gmail.com
Wed Mar 5 05:49:42 CET 2025


On 3/4/25 08:59, Thomas Schweikle via Gnupg-users wrote:
> Am 04.03.2025 um 10:12 schrieb Werner Koch via Gnupg-users:
> [...]
>> Further, and more important: We have never done an analysis of such a
>> build regarding the random number generator.
> This shouldn't be a point here, since in all cases gpg is used to sign
> binaries built before packaging for Windows. [...]

Some signature schemes require random numbers and, if I remember 
correctly, can *leak* *the* *private* *key* if the RNG has insufficient 
entropy.  This is one of the more severe weaknesses in Schnorr-type 
signatures, which include DSA.

Newer implementations avoid the problem by using deterministic nonces, 
computed using a hash of the message and private key or similar.  EdDSA 
specifies this approach and some ECDSA implementations also use it.  
(DSA was thoroughly obsolete due to its fixed 1024-bit key size before 
deterministic nonces were introduced.)

>> Take care not to run into something like the OpenSSL RNG problem
>> Debian once had.
> As long as you generate your keys only with one of them, this should not
> matter.

It would matter very much if the one you happened to pick for key 
generation happened to be the one with the bad RNG!  (And see above for 
the possibility of leaking private keys by using a bad RNG while making 
a signature.)

The only operation that is definitely safe is signature verification.  
Decryption is safe against a bad RNG, but PGP message encryption needs a 
good RNG for the session key---a weak RNG could make the session key 
guessable and completely bypass the public key algorithm for an attacker.


-- Jacob
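The deterministic-nonce construction the post refers to (a nonce computed from a hash of the message and the private key, as standardised in RFC 6979 for DSA/ECDSA), as an added example that is not part of the original message. It assumes the NIST P-256 group order and RFC 6979's own P-256/SHA-256 test vector; the arithmetic is plain Python so it runs offline.

```python
import hashlib
import hmac

# Group order of NIST P-256 (assumed here; any prime-order group works the same way)
Q_P256 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def bits2int(b: bytes, qlen: int) -> int:
    """RFC 6979 bits2int: keep only the leftmost qlen bits of the octet string."""
    x = int.from_bytes(b, "big")
    blen = len(b) * 8
    return x >> (blen - qlen) if blen > qlen else x


def bits2octets(b: bytes, q: int, qlen: int, rlen: int) -> bytes:
    """RFC 6979 bits2octets: reduce the hash mod q (one subtraction) and encode in rlen bytes."""
    z1 = bits2int(b, qlen)
    z2 = z1 - q if z1 >= q else z1
    return z2.to_bytes(rlen, "big")


def rfc6979_nonce(priv: int, msg: bytes, q: int, hashfunc=hashlib.sha256) -> int:
    """Derive the per-signature nonce k from (private key, message) with HMAC-DRBG.

    No system RNG is consulted: the same key and message always yield the same k,
    so a weak or repeating RNG on the signing host can no longer leak the key.
    """
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    h1 = hashfunc(msg).digest()
    x = priv.to_bytes(rlen, "big")
    m = bits2octets(h1, q, qlen, rlen)
    v = b"\x01" * len(h1)
    k = b"\x00" * len(h1)
    # Steps d-g of RFC 6979 3.2: seed the HMAC-DRBG with the private key and message hash
    k = hmac.new(k, v + b"\x00" + x + m, hashfunc).digest()
    v = hmac.new(k, v, hashfunc).digest()
    k = hmac.new(k, v + b"\x01" + x + m, hashfunc).digest()
    v = hmac.new(k, v, hashfunc).digest()
    while True:  # step h: generate candidates until one lies in [1, q-1]
        t = b""
        while len(t) < rlen:
            v = hmac.new(k, v, hashfunc).digest()
            t += v
        cand = bits2int(t, qlen)
        if 1 <= cand < q:
            return cand
        k = hmac.new(k, v + b"\x00", hashfunc).digest()
        v = hmac.new(k, v, hashfunc).digest()
```

The nonce is then used exactly where a random k would have been in the DSA/ECDSA signing equation; only its source changes.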