[curves] Sig nonce generation
Michael Hamburg
mike at shiftleft.org
Fri Jul 25 10:56:20 PDT 2014
I was conveying the results of our signature nonce generation discussion to CFRG, and I realized a problem with PRF(message) xor random().
If your random number generator is broken, it might have near-collisions. Near-collisions lead to near-colliding nonces, which leaks the key. Specifically, it gives the attacker
r1 = k + c1 x, r2 = k+epsilon + c2 x,
where k is the unknown nonce, epsilon is unknown but sparse and thus guessable, c1 and c2 are the known challenges and x is the secret. So the attacker can solve for x as (c2-c1) x = r2-r1-epsilon.
Likewise if you multiply the challenges by the nonce, then the attacker solves (1/c2 - 1/c1) = r2/c2 - r1/c1 - epsilon.
Maybe it’s OK if you somehow munge the random number, like with AES with a secret key?
Cheers,
— Mike
More information about the Curves
mailing list