I have posted this question on decred support, re-posting it here for additional visibility since btcd uses decred's implementation.

I have a question about the nonce generation (k-value) during the secp256k1 ECDSA signing process. The dcrd implementation implements RFC 6979 for deterministic nonce generation. The spec mentions that implementations shall take defensive measures to deter side-channel attacks that leak the private key (section 4, last paragraph):
https://datatracker.ietf.org/doc/html/rfc6979#page-15:~:text=Side%2Dchannel%20attacks%20are%20an%20important%20consideration

The dcrd nonce implementation appears to account for that by using the `extra` and `version` fields (https://github.com/decred/dcrd/blob/master/dcrec/secp256k1/nonce.go#L117). However, the signing operation passes `nil` for both values (https://github.com/decred/dcrd/blob/master/dcrec/secp256k1/ecdsa/signature.go#L713). Bitcoin's libsecp256k1 uses the `secp256k1_context_randomize` function to deter side-channel attacks: https://github.com/bitcoin-core/secp256k1/blob/master/include/secp256k1.h#L849
My questions are:
`extra` and `version` fields in the `secp256k1.NonceRFC6979` function call? `secp256k1.NonceRFC6979` call? If not, why?
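To make the role of the additional-data input concrete, here is an added example (not dcrd's or btcd's code) that implements the RFC 6979 section 3.2 nonce derivation for secp256k1 with SHA-256 in Python, including the section 3.6 additional-data hook that dcrd's `NonceRFC6979` exposes through its `extra` and `version` parameters. Collapsing those two parameters into one `extra` byte string is a simplification of mine, and the sample inputs are constructed.

```python
import hashlib
import hmac

# Order of the secp256k1 group (the q of RFC 6979), a public curve constant.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
QLEN = 256   # bit length of q
HLEN = 32    # SHA-256 output length in bytes


def _bits2int(b: bytes) -> int:
    """RFC 6979 2.3.2: big-endian integer from b, truncated to qlen bits."""
    v = int.from_bytes(b, "big")
    excess = len(b) * 8 - QLEN
    return v >> excess if excess > 0 else v


def _int2octets(x: int) -> bytes:
    """RFC 6979 2.3.3: fixed-length (rlen = 256 bit) big-endian encoding."""
    return x.to_bytes(QLEN // 8, "big")


def _bits2octets(b: bytes) -> bytes:
    """RFC 6979 2.3.4: bits2int, reduce modulo q, then int2octets."""
    return _int2octets(_bits2int(b) % SECP256K1_N)


def nonce_rfc6979(priv: int, msg_hash: bytes, extra: bytes = b"") -> int:
    """Derive the ECDSA nonce k per RFC 6979 section 3.2 (HMAC-DRBG, SHA-256).

    `extra` is the optional additional data k' of section 3.6 (simplified here
    to one byte string; dcrd splits it into extra and version). It is appended
    to the HMAC inputs of steps (d) and (f): empty extra gives the plain
    deterministic nonce, non-empty extra gives a different but still
    deterministic nonce for the same key and message hash.
    """
    if not 0 < priv < SECP256K1_N:
        raise ValueError("private key out of range")
    x = _int2octets(priv)
    h1 = _bits2octets(msg_hash)
    v = b"\x01" * HLEN                                                        # (b)
    k = b"\x00" * HLEN                                                        # (c)
    k = hmac.new(k, v + b"\x00" + x + h1 + extra, hashlib.sha256).digest()  # (d)
    v = hmac.new(k, v, hashlib.sha256).digest()                             # (e)
    k = hmac.new(k, v + b"\x01" + x + h1 + extra, hashlib.sha256).digest()  # (f)
    v = hmac.new(k, v, hashlib.sha256).digest()                             # (g)
    while True:                                                               # (h)
        t = b""
        while len(t) * 8 < QLEN:
            v = hmac.new(k, v, hashlib.sha256).digest()
            t += v
        candidate = _bits2int(t)
        if 1 <= candidate < SECP256K1_N:
            return candidate
        # Candidate out of [1, q-1]: re-key and generate again, as the RFC prescribes.
        k = hmac.new(k, v + b"\x00", hashlib.sha256).digest()
        v = hmac.new(k, v, hashlib.sha256).digest()
```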