Skip to content

Stricter ecdsa RFC 6979 adherence #226

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jun 25, 2014
Merged

Stricter ecdsa RFC 6979 adherence #226

merged 6 commits into from
Jun 25, 2014

Conversation

@dcousens
Copy link
Contributor

@dcousens dcousens commented Jun 25, 2014

This pull request changes deterministicGenerateK to strictly adhere to the RFC rather than just step around the edge cases.

Namely it avoids the following flaw in the current implementation (we were not looping):

Please note that when k is generated from T, the result of bits2int is compared to q, not reduced modulo q. If the value is not between 1 and q-1, the process loops.
Performing a simple modular reduction would induce biases that would be detrimental to signature security.

This is not a critical security update, no security advisory is necessary.
Probability of bias is close to 1 in 2^128 and was known previously.

@dcousens
Copy link
Contributor Author

dcousens commented Jun 25, 2014

Waiting on @jprichardson to release ecurve 0.10.0.

@dcousens dcousens changed the title ecdsa RFC 6979 amendments Stricter ecdsa RFC 6979 adherence Jun 25, 2014
@dcousens
ecdsa: adhere strictly to RFC6979
776656d 
The previous impl. was in breach of the following section:

> Please note that when k is generated from T, the result of bits2int is
> compared to q, not reduced modulo q. If the value is not between 1 and
> q-1, the process loops.
> Performing a simple modular reduction would induce biases that would be
> detrimental to signature security.
@jprichardson
Copy link
Member

jprichardson commented Jun 25, 2014

Should be good now :p

@dcousens
Copy link
Contributor Author

dcousens commented Jun 25, 2014

Cheers

@jprichardson
Copy link
Member

jprichardson commented Jun 25, 2014

I reviewed the RFC 6979 changes. Looks good to me.

@dcousens
Copy link
Contributor Author

dcousens commented Jun 25, 2014

Thanks @jprichardson for the comments in IRC, included in above commits.

@coveralls
Copy link

coveralls commented Jun 25, 2014

Coverage Status

Coverage decreased (-0.0%) when pulling bdb0fe8 on dcousens:rfc6979fix into d93623e on bitcoinjs:master.

@kyledrake
Copy link
Contributor

kyledrake commented Jun 25, 2014

+1

kyledrake added a commit that referenced this pull request Jun 25, 2014
@kyledrake
Merge pull request #226 from dcousens/rfc6979fix
0198477 
Stricter ecdsa RFC 6979 adherence
@kyledrake kyledrake merged commit 0198477 into bitcoinjs:master Jun 25, 2014
@dcousens dcousens deleted the rfc6979fix branch June 27, 2014 03:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@dcousens @jprichardson @coveralls @kyledrake