BIP 340: Recommend synthetic nonces and verifying signing output
In some practical scenarios it may be easy to glitch-attack the signature challenge hash to change an output bit, which would result in nonce reuse (and an invalid signature) if no additional randomness is provided in the nonce derivation function (as mentioned by @gmaxwell in #secp256k1).
Therefore, I suggest recommending synthetic nonces when these attacks are a concern. In particular, because signers usually have access to some RNG, this is almost for free.
Similarly, this attack could be prevented by verifying the output of the signing algorithm. This PR adds a recommendation to do this if the additional computation costs are not an issue.
CC @sipa @real-or-random @gmaxwell
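The two countermeasures proposed above, as an added example that is not part of this PR or of the bips repository: a compact BIP 340 signer following the reference algorithm, with the `aux_rand` input that makes the nonce synthetic and a verify-after-sign check on the output. The `flip_challenge_bit` and `verify_output` switches, the demo key (`sk = 3`) and the all-zero message and aux bytes are constructed for illustration only; a real signer has no such switch, the fault is simulated by flipping one bit of the challenge `e` after it has been hashed.

```python
"""BIP 340 Schnorr signing with synthetic nonces and verify-after-sign.

Added example (not the bips repository's code). The `flip_challenge_bit`
switch is a constructed stand-in for a glitch that changes one bit of the
challenge hash; `verify_output=False` exists only to show what a signer
without the output check would emit.
"""
import hashlib
import secrets
from typing import Optional, Tuple

# secp256k1 domain parameters
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]  # None is the point at infinity


def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP 340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()


def point_add(p1: Point, p2: Point) -> Point:
    """Affine point addition on y^2 = x^3 + 7 over GF(p)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and y1 != y2:
        return None  # P + (-P)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, p - 2, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, p - 2, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def point_mul(pt: Point, k: int) -> Point:
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    for i in range(256):
        if (k >> i) & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
    return acc


def lift_x(x: int) -> Point:
    """Return the point with x-coordinate x and even y, or None."""
    if x >= p:
        return None
    y_sq = (pow(x, 3, p) + 7) % p
    y = pow(y_sq, (p + 1) // 4, p)
    if y * y % p != y_sq:
        return None
    return (x, y if y % 2 == 0 else p - y)


def xonly(pt: Tuple[int, int]) -> bytes:
    return pt[0].to_bytes(32, "big")


def pubkey(sk: bytes) -> bytes:
    d = int.from_bytes(sk, "big")
    if not 0 < d < n:
        raise ValueError("invalid secret key")
    return xonly(point_mul(G, d))


def schnorr_verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    if len(pk) != 32 or len(sig) != 64:
        return False
    P = lift_x(int.from_bytes(pk, "big"))
    r = int.from_bytes(sig[:32], "big")
    s = int.from_bytes(sig[32:], "big")
    if P is None or r >= p or s >= n:
        return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pk + msg), "big") % n
    R = point_add(point_mul(G, s), point_mul(P, n - e))  # s*G - e*P
    return R is not None and R[1] % 2 == 0 and R[0] == r


def schnorr_sign(sk: bytes, msg: bytes, aux_rand: Optional[bytes] = None,
                 flip_challenge_bit: bool = False,
                 verify_output: bool = True) -> Optional[bytes]:
    d0 = int.from_bytes(sk, "big")
    if not 0 < d0 < n:
        raise ValueError("invalid secret key")
    P = point_mul(G, d0)
    d = d0 if P[1] % 2 == 0 else n - d0
    # Synthetic nonce: fresh RNG output is XORed into the key before nonce
    # derivation, so two signing runs on the same (sk, msg) never share k.
    if aux_rand is None:
        aux_rand = secrets.token_bytes(32)
    t = bytes(a ^ b for a, b in zip(d.to_bytes(32, "big"), tagged_hash("BIP0340/aux", aux_rand)))
    k0 = int.from_bytes(tagged_hash("BIP0340/nonce", t + xonly(P) + msg), "big") % n
    if k0 == 0:
        raise ValueError("nonce is zero")
    R = point_mul(G, k0)
    k = k0 if R[1] % 2 == 0 else n - k0
    e = int.from_bytes(tagged_hash("BIP0340/challenge", xonly(R) + xonly(P) + msg), "big") % n
    if flip_challenge_bit:
        e ^= 1  # constructed: simulate a glitch that flips one challenge bit
    sig = xonly(R) + ((k + e * d) % n).to_bytes(32, "big")
    # Verify-after-sign: a glitched challenge yields a signature that does not
    # verify, so it is suppressed instead of being handed to the attacker.
    if verify_output and not schnorr_verify(xonly(P), msg, sig):
        return None
    return sig


if __name__ == "__main__":
    sk, msg, aux = (3).to_bytes(32, "big"), b"\x00" * 32, b"\x00" * 32  # constructed
    good = schnorr_sign(sk, msg, aux)
    print("valid signature emitted:", schnorr_verify(pubkey(sk), msg, good))
    print("glitched run suppressed:", schnorr_sign(sk, msg, aux, flip_challenge_bit=True) is None)
```

With a fixed `aux_rand` the signer is deterministic, so the unchecked output of a glitched run carries the same `r` as the good signature while its `s` is computed under a different challenge, which is exactly the nonce-reuse condition the PR describes; with `aux_rand=None` every run draws fresh randomness and the two signatures have different `r`, and the output check stops the faulty signature from leaving the device in either mode.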