[cryptography] Design Strategies for Defending against Backdoors

CodesInChaos codesinchaos at gmail.com
Thu Nov 21 10:43:35 EST 2013

>> Right, that I agree with.  Packets should be deterministically created by
>> the sender, and they should be verifiable by the recipient.
> Then you lose the better theoretical foundations of probabilistic signature
> schemes ...

If you drop receiver verification as a requirement, you can derive the salt deterministically from the private key and the message hash. Such a salt offers most of the advantages of a random salt, without needing actual randomness.
For DSA/Schnorr we already have some schemes that work this way. In principle we could apply this technique to RSA-PSS as well.

Personally I avoid randomness wherever possible. Not because of worries about backdoors, but because it's easier to use and test.
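As an added illustration (not part of the original thread), here is a toy Schnorr signature in Python whose per-signature nonce is derived deterministically from the private key and the message hash, in the spirit the post describes. The group parameters, the HMAC-based derivation and the sample message are all constructed for this example; it is a simplified construction, not RFC 6979 or any deployed scheme.

```python
import hashlib
import hmac

# Constructed toy group: p = 2q + 1, g = 4 generates the order-q subgroup.
# Far too small for real use; chosen only to keep the arithmetic readable.
P, Q, G = 2039, 1019, 4

def derive_nonce(priv: int, msg: bytes) -> int:
    """Derive the nonce k from the private key and the message hash.

    Same key and message always give the same k, so no randomness is needed.
    The verifier cannot check how k was produced (it would need the private
    key), which is exactly the receiver-side verification the post gives up.
    """
    msg_hash = hashlib.sha256(msg).digest()
    key = priv.to_bytes((Q.bit_length() + 7) // 8, "big")
    mac = hmac.new(key, msg_hash, hashlib.sha256).digest()
    return 1 + int.from_bytes(mac, "big") % (Q - 1)  # k in [1, Q-1]

def _challenge(r: int, msg: bytes) -> int:
    # e = H(r || m), kept at full hash width; it is reduced mod Q only in exponents
    return int.from_bytes(hashlib.sha256(r.to_bytes(2, "big") + msg).digest(), "big")

def keygen(priv: int) -> int:
    return pow(G, priv, P)

def sign(priv: int, msg: bytes) -> tuple[int, int]:
    k = derive_nonce(priv, msg)          # deterministic, not random
    r = pow(G, k, P)
    e = _challenge(r, msg)
    s = (k + priv * e) % Q
    return e, s

def verify(pub: int, msg: bytes, sig: tuple[int, int]) -> bool:
    e, s = sig
    if not (0 <= s < Q and e >= 0):
        return False
    # g^s * y^(-e) = g^k * g^(xe) * y^(-e) = r for a valid signature
    r = pow(G, s, P) * pow(pub, (-e) % Q, P) % P
    return _challenge(r, msg) == e

if __name__ == "__main__":
    priv = 777                                    # constructed sample key
    pub = keygen(priv)
    msg = b"constructed sample message"
    sig = sign(priv, msg)
    print("repeat signing is identical:", sign(priv, msg) == sig)
    print("verifies:", verify(pub, msg, sig))
```

The verifier runs the ordinary Schnorr check and never sees the nonce derivation, so deterministic signing is a sender-side change only.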

