Add anti nonce-sidechannel protocol to schnorrsigs #572
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jonasnick
force-pushed
the
schnorrsig-s2c
branch
from
d8837e5 to
03300d5
Compare
|
rebased on #558 |
instagibbs
reviewed
Dec 11, 2018
…ning, verification and batch verification. [0] https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki
…eaks of public keys. The functionality is not exposed.
…chnorr do sign-to-contract commitments if an s2c context is provided as nonce data
jonasnick
force-pushed
the
schnorrsig-s2c
branch
from
a757656 to
bcfc256
Compare
jonasnick
changed the title
|
The sign-to-contract functionality is not split off into new PR #588. |
|
Closing in favor of #590 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Based on #588.
Adding anti nonce-sidechannel functionality was a request in the schnorrsig module PR. The use case is to prevent a signing device from exfiltrating the secret signing keys through biased signature nonces, for example after a bad firmware update. It uses sign-to-contract commitments to host supplied randomness which forces the signer to randomize the nonce.
In order to add more sign-to-contract commitments the host can create a merkle tree of data to be committed and randomness and send that to the signing device as "host randomness".
See https://github.com/bitcoin-core/secp256k1/pull/572/files#diff-b19c5ee427283d4d82bc5beb4e2f4777R59 for the workflow.