yet another tiny feature: deterministic ECDSA

Christian Grothoff christian at
Fri Apr 12 15:18:25 CEST 2013

On 04/12/2013 01:58 PM, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
>> No, that's insufficient as the encrypted message must be verifiable for
>> intermediaries that do
>> not have access to the key, so public key crypto is required.
> Then sign in top of it. Thing is any non-randomness in DSA parameters,
> no matter how small, is exploitable
I believe a 'k' value derived via cryptographic hash (of data that the 
does not have) function will be sufficiently random. After all, the 
*secret* 'd'
is derived by the same method in our application.

Signing on top of it doesn't help, as I want identical binary output --- 
if two
users share the same file (or file meta data in this case), the 
resulting data
in the database should also be identical so that I can detect duplicates.


More information about the Gcrypt-devel mailing list