yet another tiny feature: deterministic ECDSA
Vladimir 'φ-coder/phcoder' Serbinenko
phcoder at gmail.com
Thu Apr 11 21:54:19 CEST 2013
On 11.04.2013 21:37, Christian Grothoff wrote:
> Hi!
>
> I don't know if I mentioned this one yet. When I call 'gcry_pk_sign' for ECDSA signing,
> libgcrypt generates (as per ECDSA requirements) a random 'k' value each time. 'k' must
> be random as an adversary must not be able to determine 'k', and two signatures must not
> share the same 'k' to avoid exposing the private key.
>
> However, in our use, it happens that the same private key is used to sign the same
> private data more than once. Thus, it would be great if we could in that case generate
> exactly the same signature over the same data by using the same 'k' value.
>
> I can (safely) construct a pseudo-random seed/k-value that will be unique (and only
> known to those that know the private key anyway), but the current gcry_pk_sign API
> does not yet allow me to pass it.
>
This is something which is very tricky to get right and exposes the
whole system if it isn't. I think the library shouldn't export such
primitives at all. Why isn't storing the signature appropriate for your
case?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 294 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20130411/3eb5fe50/attachment.sig>
More information about the Gcrypt-devel
mailing list