by pbsd 4473 days ago
In contrast with his previous posts, this one does not seem to contain much in the way of novelty, as nearly everything is already contained in the ed25519 paper [1]. To summarize, ECDSA is bad because (in order of gravity):

- It requires cryptographic randomness for each individual signature;

- As a NIST standard, it is defined over the NIST elliptic curves, which are not particularly implementation-friendly;

- The standards give little to no guidance on implementation issues;

- It is slower than necessary, requiring inversions during signing.

DSA was a step backwards from the Schnorr scheme, which was the superior option at the time. The blog post (but not the ed25519 paper) seems to forget that Schnorr was never practically adopted due to patent issues, similarly to IDEA, OCB, and many other schemes left on the patented algorithm wasteland. Legend goes that the DSA was designed with the express purpose of avoiding Schnorr's patent, while still resulting in a similar scheme. Since the patent expired in 2008, this is no longer a concern, and certainly not for a signature scheme designed in 2011.

[1] http://ed25519.cr.yp.to/ed25519-20110926.pdf


> It requires cryptographic randomness for each individual signature

This is false. Although the default algorithm does work that way, RFC6979 lets you do ECDSA entirely with pseudorandom numbers seeded by the message and key.

http://tools.ietf.org/html/rfc6979

https://bitcointalk.org/index.php?topic=285142.0
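The two points above (the original summary's "requires cryptographic randomness for each individual signature" and the reply's RFC 6979 counter) are easiest to see side by side in code. The following is an added example, not code from either commenter: it derives the ECDSA nonce k with the HMAC-DRBG construction of RFC 6979 section 3.2 and then signs and verifies over NIST P-256 in pure Python. The curve constants are the public P-256 parameters, the private key and the expected k come from the RFC 6979 Appendix A.2.5 test vector, and the affine point arithmetic is a plain textbook implementation chosen here for readability.

```python
import hashlib
import hmac

# NIST P-256 public domain parameters (FIPS 186-4 D.1.2.3)
CURVE_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
CURVE_A = CURVE_P - 3
CURVE_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
CURVE_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
CURVE_G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
           0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

# Private key from RFC 6979 Appendix A.2.5 (a published test vector, not a real key)
RFC_PRIV = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721


def bits2int(b: bytes, qlen: int) -> int:
    """RFC 6979 2.3.2: keep the leftmost qlen bits of the bit string."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - qlen) if blen > qlen else v


def int2octets(x: int, rolen: int) -> bytes:
    """RFC 6979 2.3.3: fixed-width big-endian encoding of an integer."""
    return x.to_bytes(rolen, "big")


def bits2octets(b: bytes, q: int, qlen: int, rolen: int) -> bytes:
    """RFC 6979 2.3.4: reduce mod q, then encode."""
    return int2octets(bits2int(b, qlen) % q, rolen)


def rfc6979_k(priv: int, msg: bytes, q: int = CURVE_N, hashfn=hashlib.sha256) -> int:
    """Deterministic nonce k in [1, q-1] from (priv, H(msg)); RFC 6979 section 3.2."""
    qlen = q.bit_length()
    rolen = (qlen + 7) // 8
    hlen = hashfn().digest_size
    h1 = hashfn(msg).digest()
    V = b"\x01" * hlen                                   # step b
    K = b"\x00" * hlen                                   # step c
    seed = int2octets(priv, rolen) + bits2octets(h1, q, qlen, rolen)
    K = hmac.new(K, V + b"\x00" + seed, hashfn).digest()  # step d
    V = hmac.new(K, V, hashfn).digest()                  # step e
    K = hmac.new(K, V + b"\x01" + seed, hashfn).digest()  # step f
    V = hmac.new(K, V, hashfn).digest()                  # step g
    while True:                                          # step h
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hashfn).digest()
            T += V
        k = bits2int(T, qlen)
        if 1 <= k <= q - 1:
            return k
        # Out-of-range candidate: stir the state and try again (never reuse a k).
        K = hmac.new(K, V + b"\x00", hashfn).digest()
        V = hmac.new(K, V, hashfn).digest()


def _add(P, Q):
    """Affine point addition on P-256; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % CURVE_P == 0:
            return None
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, CURVE_P) % CURVE_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, CURVE_P) % CURVE_P
    x3 = (lam * lam - x1 - x2) % CURVE_P
    return (x3, (lam * (x1 - x3) - y1) % CURVE_P)


def _mul(k: int, P):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    R = None
    while k:
        if k & 1:
            R = _add(R, P)
        P = _add(P, P)
        k >>= 1
    return R


def sign(priv: int, msg: bytes) -> tuple:
    """ECDSA over P-256 with SHA-256, nonce from RFC 6979. Same input => same (r, s)."""
    e = bits2int(hashlib.sha256(msg).digest(), CURVE_N.bit_length())
    k = rfc6979_k(priv, msg)
    r = _mul(k, CURVE_G)[0] % CURVE_N
    s = pow(k, -1, CURVE_N) * (e + r * priv) % CURVE_N
    return r, s


def verify(pub, msg: bytes, sig: tuple) -> bool:
    """Standard ECDSA verification; pub is the affine public point priv*G."""
    r, s = sig
    if not (1 <= r < CURVE_N and 1 <= s < CURVE_N):
        return False
    e = bits2int(hashlib.sha256(msg).digest(), CURVE_N.bit_length())
    w = pow(s, -1, CURVE_N)
    X = _add(_mul(e * w % CURVE_N, CURVE_G), _mul(r * w % CURVE_N, pub))
    return X is not None and X[0] % CURVE_N == r


if __name__ == "__main__":
    pub = _mul(RFC_PRIV, CURVE_G)
    sig = sign(RFC_PRIV, b"sample")
    print("k matches RFC 6979 A.2.5:", hex(rfc6979_k(RFC_PRIV, b"sample")))
    print("verifies:", verify(pub, b"sample", sig))
```

The nonce is a function of the private key and the message hash only, so two signatures over the same message are byte-identical, while a one-bit change in the message yields an unrelated k; the per-signature entropy requirement the first comment lists is therefore a property of the default (FIPS 186) nonce generation, not of the ECDSA equations themselves. The point arithmetic here is variable-time pure Python and exists only to show the derivation end to end; a production implementation needs constant-time scalar multiplication regardless of how k is chosen.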

It's a little weird to refer to this as "false", since Pornin's RFC was published after EdDSA. Bernstein isn't writing an elaborate blog post about Bitcoin; he references Bitcoin as a way to provide context for readers who might not be familiar with actual protocols that use ECDSA.

The overwhelming majority of ECDSA applications do not use deterministic DSA; deterministic DSA is a novelty.

EdDSA uses something very similar to RFC6979, so the author had to have realized that just retroactively adding that small piece to ECDSA was a possibility. So I don't think it's really fair to call determinism an intrinsic property of either algorithm.