gnunet-developers

Re: ECDSA attack


From: Martin Schanzenbach
Subject: Re: ECDSA attack
Date: Wed, 08 Mar 2023 14:13:00 +0100

No, it is not, because as they note in the paper:

"Deterministic variants (e.g. deterministic ECDSA
and EdDSA [25]) make use of cryptographic hash functions to generate the
nonces and are thus inherently resistant to the attacks described here."

We use deterministic ECDSA exclusively (afaik). So unless the hash algo is
broken, we are fine.
For some reason (my guess is ignorance), Bitcoin uses the
non-deterministic ECDSA variant.
Why is that a bad idea? Well, because of this (and the simpler attack
where you re-use the nonce).

BR
Martin

Bernd Fix <brf@hoi-polloi.org> writes:

> Hi,
>
> reading a recent paper (https://eprint.iacr.org/2023/305) I wonder if 
> this has any impact on GNUnet - especially GNS, which uses ECDSA 
> signatures for PKEY-signed payloads. Do we need to phase out PKEYs and 
> replace them with EDKEYs in the future?
>
> Cheers, Bernd.


