Published on: 2013-08-20T08:35:29+00:00
In August 2013, Gregory Maxwell proposed the creation of a BIP32 addendum to provide recommendations for signing in blockchain technology. He highlighted an ongoing issue with duplicated keys in blockchain.info's mywallet and discussed it with Pieter, who supported the idea. The aim was to create a BIP document outlining these recommendations.The author argues for the removal of the "CS-PRNG" component from signing, as it does not add value and hampers deterministic signing. However, the CS-PRNG is still necessary for generating the root master key of an HD wallet, which poses a potential vulnerability if the single invocation of the CS-PRNG is weak. To mitigate this risk, the author suggests collecting entropy over time through multiple invocations or sources. Additionally, compromised DSA signatures were isolated incidents, whereas a weak key in the BIP32 root could be more damaging. To enhance protection, the author proposes using smartphone sensors to provide additional entropy. Overall, the author advocates for minimizing the use of CS-PRNGs whenever possible and implementing best practices to reduce reliance on them.In an email conversation from August 2013, Bitcoin developer Mike Hearn raised concerns about analyzing hardware wallets and questioned their necessity if one already trusts their computer. Another participant expressed mistrust in both hardware wallets and computers. The discussion also touched on the absence of multisig support in the initial version of TREZOR and the challenges of implementing P2SH support for sending payments through Android wallets.A proposal has been made to create a Bitcoin Improvement Proposal (BIP) that standardizes the selection of K, recommends a specific deterministic DSA derandomization procedure, and promotes the use of even S values in signatures. By adopting these changes, complete test vectors in signing can be achieved, ensuring confidence in the absence of random number-related weaknesses in signing implementations. While concerns exist about using a less-reviewed cryptographic construct, the author suggests that the industry's movement towards derandomized DSA diminishes this issue. If positively reviewed, a new BIP incorporating these recommendations would be implemented.The author suggests a BIP32 addendum to provide specific deterministic recommendations for DSA derandomization procedures. Employing fully deterministic signatures would enable comprehensive test vectors in signing and uncover potential misbehavior in maliciously modified hardware wallets, even without insecure K values. The primary arguments against derandomizing DSA involve FIPS conformance and concerns about using less-reviewed cryptographic constructs. Nonetheless, the industry is gravitating towards derandomized DSA due to its identified hazards. The author recommends implementing a procedure for using only even S values in signatures to eliminate mutability in transactions. While existing signatures can undergo post-processing for this purpose, it is generally preferable to incorporate it during the signing process.
Updated on: 2023-08-01T05:39:01.173960+00:00