#20 closed enhancement (duplicate)
deterministic randomness in signing function
| Reported by: | zooko | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | 0.6.0 |
| Version: | 0.5.1 | Keywords: | |
| Cc: | Launchpad Bug: |
Description
ECDSA is a randomized signing algorithm, which means there is an implicit RNG argument along with the key and message arguments to the sign operation. Currently that RNG parameter is not in the API, but is provided implicitly at the Crypto++ layer. To fix this ticket, add an optional "rng" parameter to the .sign() method. The default value (i.e. not specifying any "rng" argument) has the current behavior -- use the default RNG provided by Crypto++. The other alternative is to specify a random seed (a string of bytes of the right size) which will be used as the determiner of the random bits used in the ECDSA signature computation.
I prefer the explicit approach, when it isn't too inconvenient, because it allows for reproducible behavior, such as testing digital signatures against fixed test vectors or reproducing and analyzing data-dependent bugs, and because it makes all the security requirements explicit. (The security of your digital signatures relies not only on the security of the key but also on the (implicit) RNG.)
Change History (2)
comment:1 Changed at 2012-02-12T22:58:57Z by zooko
- Resolution set to duplicate
- Status changed from new to closed
comment:2 Changed at 2012-03-13T07:57:06Z by zooko
- Milestone set to 0.6.0
I think Ed25519 always works like this, so this ticket will be effectively "fixed" by #75.