Peter Lebbing peter at
Mon Nov 10 13:16:06 CET 2014

I can give two significant differences between ECDSA and EdDSA:

1) Signature creation is deterministic in EdDSA; ECDSA requires high
quality randomness for each and every signature to be safe (just as
regular ol' DSA). If low-quality randomness is used an attacker can
compute the private key. Using XKCD's get_random()[1] function as in the
Playstation 3 (as exposed by Fail0verflow) makes it trivial to compute
the private key. More specifically, using the same random number for two
different signatures is enough to trivially compute it.

Werner has mentioned that deterministic operation is a prerequisite for
him to consider an OpenPGP Card smartcard implementation due to lack of
trust in on-card generated entropy.

2) The process by which the actual parameters of Ed25519 have been
chosen is completely open. It is possible to create a backdoor by very
careful choice of the parameters; this means that there exists a chance
that the NIST and (I believe also) the Brainpool curves have been chosen
in a way that there is a secret backdoor only known to the organisation
that selected the parameters.

The parameters I'm talking about are the ones shared by all keys on a
specific curve; the actual private key is still chosen by the creator of
the key and is not what I mean.

Point 1) turns my thoughts to a related issue. Is there still any reason
to include deterministic classic DSA in OpenPGP or is that a bit late to
the party?



int get_random()
{
	return 4; // Chosen by fair dice roll; guaranteed to be random
}

That's from memory, it might not be fully literal. Also, that XKCD comic
was actually one of the presentation slides of Fail0verflow; I was there
at the 27C3 when they revealed their hack, so cool!

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
