-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ECDSA does not conform to RFC6979 for messages > curve_order #1063
Comments
Yes and no.
So the behavior here is to reject nonces >= order, rather than to reduce them. This isn't an observable difference though, given how close the order is to 2^256. |
@sipa Ah, this isn't about nonces > curve_order, this is about |
In that case there is no problem, I think. |
The library reduces Line 473 in a1102b1
But! it forgets to pass it 2 lines below: Line 476 in a1102b1
RFC6979 3.2.d says it should be reduced before being passed to |
Oh, now I finally understand why you were linking to the nonce generation line. I agree, it technically deviates from the spec, but not in an observable way. |
Here's a test case where it'll produce a signature which is different from some other implementations:
Which seems like a consensus bug between libraries? Is there any disadvantage in making it conform to spec? |
It only matters on the signing side, so it's not a consensus issue. I also believe it is harmless (both because msg should be a hash for ecdsa_verify to be secure, and even if it isn't, it just strictly increases the information fed to the nonce functions, which never hurts). I see no reason why it couldn't be fixed to make it follow the spec to the letter, though. |
More background here: paulmillr/noble-secp256k1#42 |
Fixes #1063 45f37b6 Modulo-reduce msg32 inside RFC6979 nonce fn to match spec. Fixes #1063. (Paul Miller) Pull request description: ACKs for top commit: siv2r: ACK 45f37b6. The diff looks good. It reduces `msg32` to modulo curve order for rfc6979 nonce generation. All tests passed on my machine with `make check`. sipa: utACK 45f37b6 real-or-random: ACK 45f37b6 Tree-SHA512: 4c36784b2d6f2983bc0c3f380ff59cd9f2bd1822b98116d70964cd15183742fcc1f2ccde225a76dd30d946b3678b2cf29caff018efc07f40a200ee85843b39dd
RFC6979 3.2.d says:
where bits2octets is, as per RFC6979 2.3.4 curve order modulo-reduced message:
The implementation's
sign
takesmsg32
— not modulo-reducedmsg
, and passes it forward.secp256k1/src/secp256k1.c
Line 476 in 0559fc6
Seems like a bug, which does not exist in go-btcec etc.
The text was updated successfully, but these errors were encountered: