Re: ECDSA attack
From: Martin Schanzenbach
Subject: Re: ECDSA attack
Date: Wed, 08 Mar 2023 12:52:41 +0000
No, it is not, because as they note in the paper:
" Deterministic variants (e.g. deterministic ECDSA
and EdDSA [25]) make use of cryptographic hash functions to generate the
nonces and are thus inherently resistant to the attacks described here."
We use deterministic ECDSA exclusively (afaik). So unless the hash algo is
broken, we are fine.
For some reason (my guess is ignorance), Bitcoin uses the
non-deterministic ECDSA variant.
Why is that a bad idea? Well, because of this (and the simpler attack
where you re-use the nonce).
BR
Martin
Bernd Fix <brf@hoi-polloi.org> writes:
> Hi,
>
> reading a recent paper (https://eprint.iacr.org/2023/305) I wonder if
> this has any impact on GNUnet - especially GNS, which uses ECDSA
> signatures for PKEY-signed payloads. Do we need to phase out PKEYs and
> replace them with EDKEYs in the future?
>
> Cheers, Bernd.