BIP 340: Recommend synthetic nonces and verifying signing output #886

pull jonasnick wants to merge 2 commits into bitcoin:master from jonasnick:synth-nonce changing 1 files +3 −1
  1. jonasnick commented at 10:07 PM on January 28, 2020: contributor

    In some practical scenarios it may be easy to glitch-attack the signature challenge hash to change an output bit, which would result in nonce reuse (and an invalid signature) if no additional randomness is provided in the nonce derivation function (as mentioned by @gmaxwell in #secp256k1).

    Therefore, I suggest to recommend using synthetic nonces when these attacks are a concern. In particular, because signers usually have access to some RNG, this is almost for free.

    Similarly, this attack could be prevented by verifying the output of the signing algorithm. This PR adds a recommendation to do this if the additional computation costs are not an issue.

    CC @sipa @real-or-random @gmaxwell

  2. BIP 340: Recommend synthetic nonces 2874f1ffe7
  3. BIP 340: Recommend verifying the signing output b4255dc83b
  4. in bip-0340.mediawiki:171 in b4255dc83b 
     165 | @@ -166,7 +166,9 @@ The algorithm ''Sign(sk, m)'' is defined as:
 166 |  
 167 |  It should be noted that various alternative signing algorithms can be used to produce equally valid signatures. The algorithm in the previous section is deterministic, i.e., it will always produce the same signature for a given message and secret key. This method does not need a random number generator (RNG) at signing time and is thus trivially robust against failures of RNGs. Alternatively the 32-byte ''rand'' value may be generated in other ways, producing a different but still valid signature (in other words, this is not a ''unique'' signature scheme). '''No matter which method is used to generate the ''rand'' value, the value must be a fresh uniformly random 32-byte string which is not even partially predictable for the attacker.'''
 168 |  
 169 | -'''Synthetic nonces''' For instance when a RNG is available, 32 bytes of RNG output can be appended to the input to ''hash<sub>BIPSchnorrDerive</sub>''. This will change the corresponding line in the signing algorithm to ''rand = hash<sub>BIPSchnorrDerive</sub>(bytes(d) || m || get_32_bytes_from_rng())'', where ''get_32_bytes_from_rng()'' is the call to the RNG. Adding RNG output may improve protection against [https://moderncrypto.org/mail-archive/curves/2017/000925.html fault injection attacks and side-channel attacks], and it is safe to add the output of a low-entropy RNG.
 170 | +'''Synthetic nonces''' For instance when a RNG is available, 32 bytes of RNG output can be appended to the input to ''hash<sub>BIPSchnorrDerive</sub>''. This will change the corresponding line in the signing algorithm to ''rand = hash<sub>BIPSchnorrDerive</sub>(bytes(d) || m || get_32_bytes_from_rng())'', where ''get_32_bytes_from_rng()'' is the call to the RNG. It is safe to add the output of a low-entropy RNG. Adding high-entropy RNG output may improve protection against [https://moderncrypto.org/mail-archive/curves/2017/000925.html fault injection attacks and side-channel attacks]. Therefore, '''synthetic nonces are recommended in settings where these attacks are a concern''' - in particular on offline signing devices.
 171 | +
 172 | +'''Verifying the signing output''' To prevent random or attacker provoked computation errors, the signature can be verified with the verification algorithm defined below before leaving the signer. This prevents pubslishing invalid signatures which may leak information about the secret key. '''If the additional computational cost is not a concern, it is recommended to verify newly created signatures and reject them in case of failure.'''
    real-or-random commented at 11:01 PM on January 28, 2020:

    Maybe we can make clearer what we mean by "reject". I think any reasonable implementation should just error out/die when this happens (aka error_callback, assert).

  5. real-or-random commented at 11:06 PM on January 28, 2020: contributor

    I'm very much in favor of synthetic nonces. If we want to recommend them, we should actually make the default signing algorithm use them, and mention the deterministic variant instead as an alternative (or can simply make the entropy all zeros, also useful for test vectors).

    Or do we want to recommend them only for cases where fault-injection attacks etc are a big concern?

  6. gmaxwell commented at 1:25 AM on January 29, 2020: contributor

    One way to recommend them is to make the default signing algorithm use mutable aux data and keep a counter. Just running with time+counter does a lot to undermine for these attacks.

    As far as verify after, we could do it internally, unless disabled via a flag... esp since we have the pubkey.

    FWIW, I support this too: The idea that implementations would be validated by comparing outputs has not materialized in practice for the most part, and that doesn't defend against kleptography in any case (since it can leak only rarely or only one the Nth usage).

  7. jonasnick cross-referenced this on Jan 30, 2020 from issue Stress that secret key should be fresh and if not then RFC6979 shouldn't be used by jonasnick
  8. jonasnick cross-referenced this on Feb 2, 2020 from issue Update reference code and test vectors by jonasnick
  9. sipa cross-referenced this on Feb 19, 2020 from issue Nonce generation updates by sipa
  10. luke-jr merged this on Feb 19, 2020
  11. luke-jr closed this on Feb 19, 2020
Contributors
jonasnickreal-or-randomgmaxwell
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-19 11:10 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me