From 2874f1ffe7401750d5a7e74537fce43ddc0e4655 Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Tue, 28 Jan 2020 21:04:42 +0000 Subject: BIP 340: Recommend synthetic nonces --- bip-0340.mediawiki | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bip-0340.mediawiki b/bip-0340.mediawiki index 9e0a73e..861b054 100644 --- a/bip-0340.mediawiki +++ b/bip-0340.mediawiki @@ -166,7 +166,7 @@ The algorithm ''Sign(sk, m)'' is defined as: It should be noted that various alternative signing algorithms can be used to produce equally valid signatures. The algorithm in the previous section is deterministic, i.e., it will always produce the same signature for a given message and secret key. This method does not need a random number generator (RNG) at signing time and is thus trivially robust against failures of RNGs. Alternatively the 32-byte ''rand'' value may be generated in other ways, producing a different but still valid signature (in other words, this is not a ''unique'' signature scheme). '''No matter which method is used to generate the ''rand'' value, the value must be a fresh uniformly random 32-byte string which is not even partially predictable for the attacker.''' -'''Synthetic nonces''' For instance when a RNG is available, 32 bytes of RNG output can be appended to the input to ''hashBIPSchnorrDerive''. This will change the corresponding line in the signing algorithm to ''rand = hashBIPSchnorrDerive(bytes(d) || m || get_32_bytes_from_rng())'', where ''get_32_bytes_from_rng()'' is the call to the RNG. Adding RNG output may improve protection against [https://moderncrypto.org/mail-archive/curves/2017/000925.html fault injection attacks and side-channel attacks], and it is safe to add the output of a low-entropy RNG. +'''Synthetic nonces''' For instance when a RNG is available, 32 bytes of RNG output can be appended to the input to ''hashBIPSchnorrDerive''. This will change the corresponding line in the signing algorithm to ''rand = hashBIPSchnorrDerive(bytes(d) || m || get_32_bytes_from_rng())'', where ''get_32_bytes_from_rng()'' is the call to the RNG. It is safe to add the output of a low-entropy RNG. Adding high-entropy RNG output may improve protection against [https://moderncrypto.org/mail-archive/curves/2017/000925.html fault injection attacks and side-channel attacks]. Therefore, '''synthetic nonces are recommended in settings where these attacks are a concern''' - in particular on offline signing devices. '''Nonce exfiltration protection''' It is possible to strengthen the nonce generation algorithm using a second device. In this case, the second device contributes randomness which the actual signer provably incorporates into its nonce. This prevents certain attacks where the signer device is compromised and intentionally tries to leak the secret key through its nonce selection. -- cgit v1.2.3 From b4255dc83b2b8fde0c8e11152370c4df2da42c3e Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Tue, 28 Jan 2020 22:03:35 +0000 Subject: BIP 340: Recommend verifying the signing output --- bip-0340.mediawiki | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bip-0340.mediawiki b/bip-0340.mediawiki index 861b054..2e05ef4 100644 --- a/bip-0340.mediawiki +++ b/bip-0340.mediawiki @@ -168,6 +168,8 @@ It should be noted that various alternative signing algorithms can be used to pr '''Synthetic nonces''' For instance when a RNG is available, 32 bytes of RNG output can be appended to the input to ''hashBIPSchnorrDerive''. This will change the corresponding line in the signing algorithm to ''rand = hashBIPSchnorrDerive(bytes(d) || m || get_32_bytes_from_rng())'', where ''get_32_bytes_from_rng()'' is the call to the RNG. It is safe to add the output of a low-entropy RNG. Adding high-entropy RNG output may improve protection against [https://moderncrypto.org/mail-archive/curves/2017/000925.html fault injection attacks and side-channel attacks]. Therefore, '''synthetic nonces are recommended in settings where these attacks are a concern''' - in particular on offline signing devices. +'''Verifying the signing output''' To prevent random or attacker provoked computation errors, the signature can be verified with the verification algorithm defined below before leaving the signer. This prevents pubslishing invalid signatures which may leak information about the secret key. '''If the additional computational cost is not a concern, it is recommended to verify newly created signatures and reject them in case of failure.''' + '''Nonce exfiltration protection''' It is possible to strengthen the nonce generation algorithm using a second device. In this case, the second device contributes randomness which the actual signer provably incorporates into its nonce. This prevents certain attacks where the signer device is compromised and intentionally tries to leak the secret key through its nonce selection. '''Multisignatures''' This signature scheme is compatible with various types of multisignature and threshold schemes such as [https://eprint.iacr.org/2018/068 MuSig], where a single public key requires holders of multiple secret keys to participate in signing (see Applications below). -- cgit v1.2.3