By now, everybody involved in implementing or using the DSA or ECDSA signature schemes should really understand the importance of a proper secret nonce as one of the inputs to every signature.
This is easy to get wrong, both because PRNGs are really, really, really hard to get right, and because not everybody implementing or using (EC)DSA expected to need randomness just for signing (as opposed to creating key pairs).
Fortunately, there is a way out. Poncho on Stackexchange Crypto has notified me about an interesting RFC in the comments on a nice answer to a related question.
The really clever idea is that there is another way to ensure that a secret, unique nonce is used for every signature than just using a PRNG and hoping for the best.
Since reusing the same nonce for the same message signed by the same key always gives the same signature (there are no other inputs to the signature algorithm), we only have to guarantee that the nonce is unpredictable and differs for different messages under the same key.
By deriving the nonce from a hash of the message and the private key, these conditions can be satisfied even without a proper PRNG. Even better, it's possible to hash them together with some random data, which keeps the security of the deterministic construction while providing backwards compatibility for implementations that react badly to deterministic (EC)DSA signatures. (Maybe some regression tests might interpret the lack of randomness as a fatal design flaw.)
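As an added example that is not part of the original post or of the OpenSSL patch it mentions, here is the derivation described above written out as the HMAC-based construction from RFC 6979, which I take to be the RFC the post refers to. The function name `rfc6979_nonce`, the P-256 group order used as `q`, the example private key and the `extra` argument (the RFC's section 3.6 variant for mixing in optional random data) are all chosen here.

```python
import hashlib
import hmac

# Group order of NIST P-256 (the 'q' of RFC 6979); the key below is a
# constructed example value, not a key from the post or the patch.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
EXAMPLE_KEY = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721


def bits2int(octets, qlen):
    """Interpret octets as a big-endian integer and keep the leftmost qlen bits."""
    value = int.from_bytes(octets, "big")
    blen = len(octets) * 8
    return value >> (blen - qlen) if blen > qlen else value


def bits2octets(octets, q, qlen, rlen):
    """Reduce the hash into [0, q) and encode it in rlen bytes (RFC 6979 2.3.4)."""
    z1 = bits2int(octets, qlen)
    z2 = z1 - q if z1 >= q else z1
    return z2.to_bytes(rlen, "big")


def rfc6979_nonce(q, x, message, hash_fn=hashlib.sha256, extra=b""):
    """Derive the (EC)DSA nonce k from the private key x and the message.

    The same (q, x, message, extra) always yields the same k; 'extra' is the
    optional additional data of RFC 6979 section 3.6, e.g. a random salt for
    implementations that insist on randomised signatures."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    hlen = hash_fn().digest_size
    h1 = hash_fn(message).digest()
    seed = x.to_bytes(rlen, "big") + bits2octets(h1, q, qlen, rlen) + extra
    # HMAC_DRBG instantiation: key and message hash are the entropy input.
    v = b"\x01" * hlen
    k = b"\x00" * hlen
    k = hmac.new(k, v + b"\x00" + seed, hash_fn).digest()
    v = hmac.new(k, v, hash_fn).digest()
    k = hmac.new(k, v + b"\x01" + seed, hash_fn).digest()
    v = hmac.new(k, v, hash_fn).digest()
    while True:
        t = b""
        while len(t) < rlen:
            v = hmac.new(k, v, hash_fn).digest()
            t += v
        candidate = bits2int(t, qlen)
        if 1 <= candidate < q:  # reject out-of-range candidates and retry
            return candidate
        k = hmac.new(k, v + b"\x00", hash_fn).digest()
        v = hmac.new(k, v, hash_fn).digest()
```

Running `rfc6979_nonce(P256_ORDER, EXAMPLE_KEY, b"sample")` twice returns the same value, while a different message, key or `extra` salt yields a different, still in-range nonce.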
An (informal) RFC is nice, but actual code is even nicer, so I'm very happy that a patch implementing this method and making it the default in OpenSSL has already been accepted to the development version.
If you're interested in the details, the patch author has written a blog post with more information.
I'm really looking forward to this patch shipping in a lot of OpenSSL binaries, whether as a part of a distribution or embedded in some other software – there have been more than enough fatal PRNG-related (EC)DSA failures in the past for my liking.