
Add an algorithm identifier to the nonce generation for ECDSA signatures
ClosedPublic

Authored by Fabien on Dec 15 2018, 13:21.

Details

Summary

Adding an algorithm dependent identifier to the nonce seed ensures that
no information can be retrieved when signing with the same key and
different algorithms.

Test Plan
make check

Diff Detail

Repository
rABC Bitcoin ABC
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

Fabien created this revision. Dec 15 2018, 13:21
Herald added a reviewer: Restricted Project. Dec 15 2018, 13:21
Herald added a subscriber: schancel.
deadalnix requested changes to this revision. Dec 20 2018, 10:29
deadalnix added inline comments.
src/secp256k1/src/ecdsa.h
16 (On Diff #6344)

Move to main_impl.h

There is also no reason to use the same for different algorithms. Using different values for k is never a problem, but reusing values for k can reveal the private key.

src/secp256k1/src/modules/recovery/main_impl.h
145 (On Diff #6344)
ECDSA+DER
src/secp256k1/src/secp256k1.c
369 (On Diff #6344)
ECDSA+Recovery
This revision now requires changes to proceed. Dec 20 2018, 10:29
Fabien updated this revision to Diff 6392. Dec 21 2018, 15:49
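The summary and the review comment above make two related points: an algorithm identifier mixed into the nonce seed keeps two signing algorithms from deriving the same k for one key and digest, and a repeated k is what leaks the private key. The example below is added here to illustrate both; it is not Bitcoin ABC or libsecp256k1 code. It derives nonces with an RFC 6979 style HMAC-DRBG seeded with key || digest || algo16 (my reading of how the library seeds its nonce function, treated as an assumption), uses the two identifiers proposed in the review, "ECDSA+DER" and "ECDSA+Recovery", zero-padded to 16 bytes (padding convention is my choice), and then audits the resulting signatures for a repeated r under one key, which is the defender's symptom of nonce reuse. The key, digest and record labels are constructed for the demo.

```python
"""Domain-separated deterministic nonces and an r-reuse audit (illustration,
not Bitcoin ABC / libsecp256k1 code; seeding layout is an assumption)."""
import hashlib
import hmac
from typing import Optional

# secp256k1 parameters: field prime, generator, group order
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def algo_id(name: str) -> bytes:
    """16-byte algorithm identifier: ASCII tag, zero padded (constructed convention)."""
    raw = name.encode("ascii")
    if len(raw) > 16:
        raise ValueError("identifier longer than 16 bytes")
    return raw.ljust(16, b"\x00")


# The two identifiers suggested in the inline review comments.
ALGO_ECDSA_DER = algo_id("ECDSA+DER")
ALGO_ECDSA_RECOVERY = algo_id("ECDSA+Recovery")


def _h(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_nonce(key32: bytes, msg32: bytes, algo16: Optional[bytes]) -> int:
    """HMAC-DRBG nonce seeded with key || digest || algo16 (RFC 6979 style).

    algo16=None models the behaviour before the change: two algorithms that pass
    the same key and digest obtain the same k.
    """
    if len(key32) != 32 or len(msg32) != 32:
        raise ValueError("key and digest must be 32 bytes")
    if algo16 is not None and len(algo16) != 16:
        raise ValueError("algo16 must be exactly 16 bytes")
    seed = key32 + msg32 + (algo16 or b"")
    k, v = b"\x00" * 32, b"\x01" * 32
    k = _h(k, v + b"\x00" + seed)
    v = _h(k, v)
    k = _h(k, v + b"\x01" + seed)
    v = _h(k, v)
    while True:
        v = _h(k, v)
        candidate = int.from_bytes(v, "big")
        if 1 <= candidate < N:          # RFC 6979 range check on the candidate
            return candidate
        k = _h(k, v + b"\x00")          # out of range: update state and retry
        v = _h(k, v)


def _add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def signature_r(k: int) -> int:
    """r component of an ECDSA signature made with nonce k: x(k*G) mod n."""
    result, addend = None, G
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result[0] % N


def find_r_reuse(records):
    """records: iterable of (key_label, context, r). Report (key_label, r) pairs
    seen in two signatures with different contexts: the same r under one key
    means the same k was used twice, which is what exposes the private key."""
    seen, hits = {}, set()
    for key_label, context, r in records:
        prior = seen.setdefault((key_label, r), context)
        if prior != context:
            hits.add((key_label, r))
    return sorted(hits)


def audit_two_algorithms(separated: bool):
    """Sign one constructed digest with both algorithms under one key; return audit hits."""
    key = hashlib.sha256(b"constructed demo key, not a real secret").digest()
    msg = hashlib.sha256(b"constructed message").digest()
    records = []
    for name, tag in (("ECDSA+DER", ALGO_ECDSA_DER), ("ECDSA+Recovery", ALGO_ECDSA_RECOVERY)):
        k = derive_nonce(key, msg, tag if separated else None)
        records.append(("key-A", (name, msg), signature_r(k)))
    return find_r_reuse(records)


if __name__ == "__main__":
    print("without algo16:", audit_two_algorithms(False))   # one repeated r
    print("with algo16:   ", audit_two_algorithms(True))    # no hits
```

Without the identifier the two algorithms produce the same r for the same key and digest and the audit flags it; with the identifier the nonces, and hence r, differ. The same `find_r_reuse` pass can be run over any batch of (key, context, r) triples pulled from real signatures, which is the practical way to look for the condition the review warns about.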

Use a separate algo16 for ECDSA and ECDSA recoverable

deadalnix accepted this revision. Dec 21 2018, 19:06
This revision is now accepted and ready to land. Dec 21 2018, 19:06
This revision was automatically updated to reflect the committed changes.