
Add an algorithm identifier to the nonce generation for ECDSA signatures
Closed, Public

Authored by Fabien on Dec 15 2018, 13:21.

Details

Summary

Adding an algorithm-dependent identifier to the nonce seed ensures that
no information can be retrieved when signing with the same key and
different algorithms.

Test Plan
make check

Diff Detail

Repository
rABC Bitcoin ABC
Branch
secp256k1_nonce_seed
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 4342
Build 6749: Bitcoin ABC Buildbot (legacy)
Build 6748: arc lint + arc unit

Event Timeline

deadalnix requested changes to this revision. Dec 20 2018, 10:29
deadalnix added inline comments.
src/secp256k1/src/ecdsa.h, line 16 (on Diff #6344)

Move to main_impl.h

There is also no reason to use the same one for different algorithms. Using different values for k is never a problem, but reusing values for k can reveal the private key.

src/secp256k1/src/modules/recovery/main_impl.h, line 145 (on Diff #6344)
ECDSA+DER
src/secp256k1/src/secp256k1.c, line 369 (on Diff #6344)
ECDSA+Recovery
This revision now requires changes to proceed. Dec 20 2018, 10:29

Use a separate algo16 for ECDSA and ECDSA recoverable

This revision is now accepted and ready to land. Dec 21 2018, 19:06
This revision was automatically updated to reflect the committed changes.