[tahoe-dev] Windows installation problems

Zooko O'Whielacronx zookog at gmail.com
Tue Jun 16 15:29:47 PDT 2009


On Mon, Jun 15, 2009 at 4:14 PM, Wei Dai<weidai at weidai.com> wrote:
>
>> How bad is that?  I can't figure out if ECDSA breaks
>> horribly if you re-use your random integer "k".
>
> It's really bad. If you re-use your random integer "k" just once, an
> attacker can get your entire private key.

Thanks.  By the way, I remembered that we're currently using
RSA-PSS-SHA256 instead of ECDSA.  (We intend to switch to ECDSA
because key generation is much faster and because public keys are
smaller.)  I know that RSA-PSS-SHA256 doesn't break if you re-use the
random seed.  That's nice!

> Yes, I'm doing that also. See line 1036 in pubkey.h. So the time() call in
> RandomPool is for defense in depth, and also other protocols where it's not
> convenient to hash the message into the random number.

Very cool.  So, for the purposes of Tahoe-LAFS (and other users of
pycryptopp, which currently does *not* support ECDSA), it won't hurt
to strip out the defense against vm rollback in order to make it
easier to build on Windows using MinGW.  People who build pycryptopp
against the official Crypto++ lib will get that defense.  For future
versions we intend to add ECDSA, and also I would like to have fully
repeatable ECDSA (i.e., that the seed is passed as an explicit
argument to the sign() method), but we can worry about that later.

Thanks a lot!

Regards,

Zooko
