[cryptography] Design Strategies for Defending against Backdoors
codesinchaos at gmail.com
Thu Nov 21 10:43:35 EST 2013
>> Right, that I agree with. Packets should be deterministically created by
>> the sender, and they should be verifiable by the recipient.
> Then you lose the better theoretical foundations of probabilistic signature
> schemes ...
If you drop receiver verification as a requirement, you can derive the salt from the private key and the message hash. Such a salt offers most of the advantages of a random salt, without needing actual randomness.

For DSA/Schnorr we already have some schemes that work this way. In principle we could apply this technique to RSA-PSS as well.

Personally I avoid randomness wherever possible. Not because of worries about backdoors, but because it's easier to use and test.
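Added example, not part of the post: a toy Schnorr signature in Python whose per-signature nonce is derived from the private key and the message hash rather than drawn at random, so the same key and message always produce the same signature. The group parameters and the HMAC-based nonce derivation are constructed for illustration (the group is far too small for real use, and RFC 6979 specifies a more elaborate HMAC-DRBG construction for the same purpose).

```python
import hashlib
import hmac

# Toy Schnorr group, constructed for illustration only:
# P = 2*Q + 1 with Q prime, G generates the subgroup of order Q.
P = 2039
Q = 1019
G = 4


def hash_to_int(*parts: bytes) -> int:
    """SHA-256 over length-prefixed parts, reduced mod Q (the challenge e)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q


def derive_nonce(priv: int, msg_hash: bytes) -> int:
    """Deterministic nonce k = HMAC-SHA256(key=priv, msg_hash) mod Q.

    Because k depends on both the private key and the message hash, two
    different messages get different nonces without any RNG, and a
    verifier could recompute k only if it knew the private key."""
    mac = hmac.new(priv.to_bytes(32, "big"), msg_hash, hashlib.sha256).digest()
    k = int.from_bytes(mac, "big") % Q
    return k or 1  # k must be non-zero mod Q


def sign(priv: int, message: bytes) -> tuple[int, int]:
    """Schnorr signature (e, s) with r = G^k, e = H(r, m), s = k - priv*e."""
    msg_hash = hashlib.sha256(message).digest()
    k = derive_nonce(priv, msg_hash)
    r = pow(G, k, P)
    e = hash_to_int(r.to_bytes(2, "big"), msg_hash)
    s = (k - priv * e) % Q
    return e, s


def verify(pub: int, message: bytes, sig: tuple[int, int]) -> bool:
    """Recompute r = G^s * pub^e and check that H(r, m) equals e."""
    e, s = sig
    if not (0 <= s < Q and 0 <= e < Q):
        return False
    msg_hash = hashlib.sha256(message).digest()
    r = (pow(G, s, P) * pow(pub, e, P)) % P
    return hash_to_int(r.to_bytes(2, "big"), msg_hash) == e
```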