
Re: RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)



Helmut Grohne writes ("Re: RSA vs ECDSA (Was: Bits from keyring-maint: Pushing keyring updates. Let us bury your old 1024D key!)"):
> ECDSA is a DSA algorithm and therefore relies on the creation of secure
> random numbers. It has this problem, that if you happen to choose the
> same number for two signatures, your private key is broken. With RSA it
> is harder to accidentally disclose your private key by using bad random
> numbers for signatures. As far as I can tell a malicious random number
> generator is part of our threat model now. Bernstein addresses this
> issue in EdDSA.

I don't understand why everyone isn't using deterministic signatures
for DSA.  Instead of trying to use a fresh random number for the
random input into the signature scheme, you (speaking loosely) hash
the message and the private key together.  Done right, this completely
eliminates this potential weakness.

See RFC6979 for a detailed specification.  I think all DSA and ECDSA
signature generation code in Debian should be altered to use a
deterministic DSA variant.  (Unless we have something that relies on
the covert channel or randomness of signatures, which seems unlikely.)

We should use the procedure in RFC6979 exactly unless there is a
compelling reason to use something else.

Ian.
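The "hash the message and the private key together" step Ian describes is, in RFC 6979, an HMAC-DRBG-style derivation of the per-signature integer k from the group order q, the private key x and H(message). The following is an added example (not code from the thread or from Debian) implementing that derivation; the secp256k1 group order is used as q and the private key value is a constructed placeholder.

```python
import hashlib
import hmac

# Assumed parameters for the demo: the secp256k1 group order as q and a
# constructed (not real) private key x. Any DSA/ECDSA group order works.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
DEMO_PRIVATE_KEY = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF


def _bits2int(data: bytes, qlen: int) -> int:
    # Keep only the leftmost qlen bits of the octet string (RFC 6979, 2.3.2).
    value = int.from_bytes(data, "big")
    blen = len(data) * 8
    return value >> (blen - qlen) if blen > qlen else value


def _int2octets(value: int, rlen: int) -> bytes:
    # Fixed-length big-endian encoding, rlen bits wide (RFC 6979, 2.3.3).
    return value.to_bytes(rlen // 8, "big")


def _bits2octets(data: bytes, q: int, qlen: int, rlen: int) -> bytes:
    # bits2int, reduce mod q, then re-encode (RFC 6979, 2.3.4).
    return _int2octets(_bits2int(data, qlen) % q, rlen)


def rfc6979_nonce(q: int, x: int, message: bytes, hash_name: str = "sha256") -> int:
    """Deterministic k for signing `message` under private key x (RFC 6979, 3.2)."""
    qlen = q.bit_length()
    rlen = ((qlen + 7) // 8) * 8
    h = getattr(hashlib, hash_name)
    hlen = h().digest_size
    h1 = h(message).digest()
    # The private key and the message hash are mixed into the HMAC key: the
    # nonce repeats only when both repeat, which yields the identical signature
    # rather than two signatures sharing k.
    seed = _int2octets(x, rlen) + _bits2octets(h1, q, qlen, rlen)
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = hmac.new(K, V + b"\x00" + seed, h).digest()
    V = hmac.new(K, V, h).digest()
    K = hmac.new(K, V + b"\x01" + seed, h).digest()
    V = hmac.new(K, V, h).digest()
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, h).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Candidate out of range: stir the generator and try again.
        K = hmac.new(K, V + b"\x00", h).digest()
        V = hmac.new(K, V, h).digest()
```

Check a real implementation against the test vectors in RFC 6979 Appendix A rather than against this demo, which only illustrates the procedure's structure.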

