BIP 32.5

Summary:

The author proposes a BIP32 addendum making specific, deterministic recommendations for DSA derandomization procedures, that is, deriving the signature nonce K from the private key and the message rather than from a random number generator. Fully deterministic signatures allow complete test vectors for signing and give confidence that a signing implementation has no random-number-related weakness. The author warns that a maliciously modified hardware wallet could leak key material through its signatures even without producing insecure K values; making the signatures deterministic would make this kind of misbehavior practically discoverable, since any signature that differs from the expected one is evidence of tampering. The primary arguments against derandomizing DSA are FIPS conformance and reasonable concerns about the risks of using a less reviewed cryptographic construct. However, industry is moving towards derandomized DSA, as it has become clear that DSA is a hazard otherwise.

The author also recommends implementing a procedure for using only even S values in signatures, eliminating this source of mutability in transactions: for any valid signature (R, S), the pair (R, N - S) is also valid, and because the group order N is odd, exactly one of the two S values is even. This can be accomplished by post-processing existing signatures, but it is usually preferable to implement it as part of signing.


Updated on: 2023-05-19T17:26:04.130911+00:00