Improve security of signature generation #4885
Comments
paulmillr
added
investigate
|
Viem is on board and implemented the changes today. |
|
This is something I would prefer being opt-in, as many applications already in use depend on deterministic signatures. Is there a way to specify the random source? I would prefer to supply the random source, as some platforms do not have a global source (or the existing source) is not cryptographically secure. |
|
(I otherwise fully endorse adding additional entropy to the signing k) |
|
|
|
|
I know CLR uses it when computing their semi-ephemeral voting keys. I also use it for many of my CLI scripts and simple web interfaces. For example, when computing a salt for registering ENS names. The salt only needs to remain “secret” for about 4 blocks, at which time it is revealed. In general, for blinding operations it is a useful technique since the salt can be recovered (by signing a specific message), without the need for a database or any other complex system on the event of a website refresh or a CLI which has no storage in the first place. I have also seen it used before with generating short-lived shared secrets. I am absolutely game for making it opt-out after a major version change, but would also prefer to follow suit with whatever Geth/Clef is doing. Have you tried convincing them yet? |
ricmoo
added
on-deck
|
The cases seem useful! However, you’re advanced user. Most users aren’t. Advanced users can disable it. If we’ll manage to improve security for all non advanced users that would be a huge jump. I will ask their thoughts on it soon. |
|
Oh, I am in no way disagreeing that it is a good idea to add additional entropy. I just want to make sure we behave like the existing ecosystem (as best as possible) and don’t want to introduce breaking changes in a non-major version. |
agree 100% |
Problem
Transaction signatures use "nonce" / "k" during their construction. The nonce should never be equal between two different messages. Reusing them would allow attacker to recover private key.
Many years ago,
noncewas generated using system randomness. On some systems with bad quality of randomness, that lead to breakages.Today, the nonce is generated from private key and message hash using RFC 6979. Basically
hash(private_key, message). However, if some issue would be found in serialization / parsing of those, and during generation of nonce, it would still be possible to recover private keys. The technique is described here: https://github.com/pcaversaccio/ecdsa-nonce-reuse-attack.Impact
Private key leakage, hackers stealing money from users.
This is not some theoretical issue. This happened in the past. Soon there would be announcement of a new hack related to this.
Solution
Use RFC6979 3.6: additional k'
extraEntropyto mix-in 32 byte of random data on every signature. It is standard way of doing this. It has been extensively used by Bitcoin for non-taproot transactions, to decrease signature size.ethers.js/src.ts/crypto/signing-key.ts
Lines 64 to 66 in 9e7e7f3
secp256k1.sign(msgHash, privateKey)becomessecp256k1.sign(msgHash, privateKey, { extraEntropy: true })Disadvantages
randomextraData in tests.There is no risk for security. If passed-through random is bad, the signature security would be just like today, not worse
The text was updated successfully, but these errors were encountered: