[tahoe-dev] [pycryptopp] #20: deterministic randomness in signing function
pycryptopp
trac at allmydata.org
Thu May 21 09:05:43 PDT 2009
#20: deterministic randomness in signing function
------------------------+---------------------------------------------------
Reporter: zooko | Owner:
Type: enhancement | Status: new
Priority: major | Version: 0.5.1
Keywords: | Launchpad_bug:
------------------------+---------------------------------------------------
ECDSA is a randomized signing algorithm, which means there is an implicit
RNG argument along with the key and message arguments to the sign
operation. Currently that RNG parameter is not in the API, but is
provided implicitly at the Crypto++ layer. To fix this ticket, add an
optional "rng" parameter to the {{{.sign()}}} method. The default value
(i.e. not specifying any "rng" argument) has the current behavior -- use
the default RNG provided by Crypto++. The other alternative is to specify
a random seed (a string of bytes of the right size) which will be used as
the determiner of the random bits used in the ECDSA signature computation.
I prefer the explicit approach, when it isn't too inconvenient, because it
allows for reproducible behavior, such as testing digital signatures
against fixed test vectors or reproducing and analyzing data-dependent
bugs, and because it makes all the security requirements explicit. (The
security of your digital signatures relies not only on the security of the
key but also on the (implicit) RNG.)
--
Ticket URL: <http://allmydata.org/trac/pycryptopp/ticket/20>
pycryptopp <http://allmydata.org/trac/pycryptopp>
Python bindings for the Crypto++ library