Clef: improve signature security by using extra entropy #30773
Comments
|
cc @fjl @kevaundray @asanso any thoughts about this? |
may you be more specific about this ? I do not see many things that can go wrong with |
|
@asanso many things can go wrong, especially in javascript. Private key may be wrongfully serialized. Message may be wrongfully modulo-reduced or not reduced. The modreduce routine itself may crash or emit garbage on some inputs. You will see a new CVE in one of popular libraries soon. It's bad, keys can be recovered. The nonce was reused while signatures remained the same. Which disadvantage is there in adding some extra entropy? |
|
I know this is not a javascript repo, but it would be great if Geth set a standard for everyone else. Maybe I can create EIP after that. BIP340 included "default" extraEntropy for a reason. |
|
as a rules of thumbs I am all for security. I wonder how big a problem would be "Signatures (r, s) would become non-deterministic". If this determinism is used somewhere so far. |
|
Way back, it was not deterministic. We changed that some years ago, and it was a huge gain in "dev ergonomics". Deterministic testcases, transactions, blocks etc. It made a big difference. So it is not a change without cost. |
|
Dev ergonomics was not the reason of the change. The reason was added security. After PS3 hack, it was decided that the community can't rely on randomness as sole source of
You can keep dev ergonomics and pass any value you want in Also keep in mind you can't really verify determinism anyhow besides the test cases. Because to verify determinism you will need knowledge of the private key. |
to
Where making passing nil for randomness gives the old behaviour
Asking to understand the impact of this change, if any, on existing users. |
|
@kevaundray well, seems to me a better course would be to not change it, rather deprecate Here's the old discussion, btw: #2190 |
We have no knowledge of how people use it. The old method would still be in place. I would say it doesn't matter as long as they can use prev behavior. |
Problem
Transaction signatures use "nonce" / "k" during their construction. The nonce should never be equal between two different messages. Reusing them would allow attacker to recover private key.
Many years ago,
kwas generated using system randomness. On some systems with bad quality of randomness, that lead to breakages:k = random()Today, the nonce is generated from private key and message hash using RFC 6979:
k = hash_6979(private_key, message)However, if some issue would be found in serialization / parsing of those, and during generation of nonce, it would still be possible to recover private keys. The technique is described here: https://github.com/pcaversaccio/ecdsa-nonce-reuse-attack.
Impact
Private key leakage, hackers stealing money from users.
This is not some theoretical issue. This happened in the past. Soon there would be announcement of a new hack related to this.
Solution
Use RFC6979 3.6: additional k'
extraEntropyto mix-in 32 byte of random data on every signature. It is standard way of doing this. It has been extensively used by Bitcoin for non-taproot transactions, to decrease signature size. In taproot (schnorr) signatures, extraEntropy is used by default and specified in BIP340 spec.k = hash_6979(private_key, message, extraEntropy)Disadvantages
randomextraData in tests.There is no risk for security. If passed-through random is bad, the signature security would be just like today, not worse
The text was updated successfully, but these errors were encountered: