Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding deterministic signatures (RFC6979)? #2190

Closed
coder5876 opened this issue Feb 9, 2016 · 6 comments
Closed

Adding deterministic signatures (RFC6979)? #2190

coder5876 opened this issue Feb 9, 2016 · 6 comments
Assignees
@fjl

Comments

@coder5876
Copy link

It seems that currently we are using a random k-value in the ECDSA algorithm:

https://github.com/ethereum/go-ethereum/blob/develop/crypto/secp256k1/secp256.go#L138

Is there interest in moving to a deterministic k-value using RFC6979?

Quick googling found this go library:

https://github.com/codahale/rfc6979
@obscuren
Copy link
Contributor

obscuren commented Feb 9, 2016

Not at the moment. Is there a reason why you're asking? Are you working with a device which does not contain proper random number generators?

@obscuren
Copy link
Contributor

obscuren commented Feb 9, 2016

Reference http://tools.ietf.org/html/rfc6979

@coder5876
Copy link
Author

Deterministic signatures are nice in that you can confine your reliance of random numbers to only the generation of your private key(s). If you use dice to generate your private keys and have a deterministic signature algorithm then you can be sure that you are not exposed to potentially bad RNGs.

It's common to boot from a live CD or virtual machine when doing cold storage and those environments can suffer from low entropy in some cases.

Lastly it's nice to be able to do regression testing of your signature code (i.e. same signature every time), and/or comparing your signatures with signatures from other implementations.

@fjl
Copy link
Contributor

fjl commented Feb 9, 2016

Gotta agree with the last point about testing. Some of the network tests could be simpler if signatures where deterministic.

A potential downside is that tx resubmission would be harder. Right now you can force rebroadcasting of a transaction by signing it multiple times. Since the signature is random, you'll get a different tx hash every time.

@obscuren
Copy link
Contributor

obscuren commented Feb 9, 2016

I can see deterministic k to be nice for 1 (and therefor 2), worth investigating further.

@mperklin
Copy link

I agree for 2 reasons:

  1. RFC6979-compliant k values for digital signatures are more provably-unguessable than values retrieved from a CSPRNG. Problems with the CSPRNG call (like a library issue) could cause it to return 0 or 1 all the time, or return sequences of values across multiple calls that can be guessed (if it's always seeded with the same value). Calculating the value deterministically based on hashes of the data itself can be proven to be unguessable by ensuring the returned value conforms to the expected hash of the contents
  2. It will allow all systems built on go-ethereum to reach the L3 requirement for 1.04 Key Usage in the CryptoCurrency Security Standard

@fjl fjl mentioned this issue Jan 13, 2017
Merged
@fjl fjl self-assigned this Jan 13, 2017
@fjl fjl closed this as completed in #3561 Jan 22, 2017
@fjl fjl removed the in progress label Jan 22, 2017
whilei added a commit to ethereumproject/go-ethereum that referenced this issue Apr 14, 2018
@whilei
problem: nondeterministic K-value in ECDSA algo
876296f 
solution: move to a deterministic k-value using RFC6979

rel ethereum/go-ethereum#2190
rel ethereum/go-ethereum#3561
rel #245
@whilei whilei mentioned this issue Apr 14, 2018
Merged
@pedro-nonfree pedro-nonfree mentioned this issue Apr 20, 2023
Closed
MatusKysel pushed a commit to MatusKysel/go-ethereum that referenced this issue Feb 5, 2024
@weiihann
fix(legacypool): deprecate already known error (ethereum#2190)
3761bf0
@holiman holiman mentioned this issue Nov 28, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fjl fjl

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@fjl @obscuren @coder5876 @mperklin