Published on: 2020-03-22T05:51:59+00:00
The bitcoin-dev mailing list has been discussing the need to protect against differential power analysis, which is a method used to extract sensitive information from cryptographic systems by analyzing their power consumption. The traditional method of mixing randomness was found to be vulnerable, so a different approach is now being recommended. This involves completely masking the private key with randomness before continuing. The writer suggests that including this method in the specification would be beneficial. They also raise concerns about the vulnerability of hardware wallets to these attacks during key derivation, as getting side channel information from hashes in nonce derivation means getting it from hashes in HD key derivation as well.In the discussion on BIP 340-342, two changes have been proposed. The first change involves modifying the Y coordinate of 32-byte public keys from implicitly square to implicitly even. This change will make signing slightly faster and verification negligibly slower. Importantly, it simplifies integration with existing key generation infrastructure like BIP32 and PSBT. The second change focuses on more secure nonce generation. It is recommended to include actual signing-time randomness into the nonce generation process to protect against fault injection attacks and differential power analysis. These changes aim to improve the security of the specification while still allowing optimization for use cases. One participant suggests that specifying the most minimal way to produce a signature securely is the most useful thing for the document, while another participant emphasizes the importance of a standard for nonce exfiltration protection and MuSig for compatibility across wallets. To ensure consistent failure of code written for earlier BIP texts, new tagged hash tags have been introduced.Pieter Wuille, a Bitcoin Core developer and co-founder of Blockstream, has made several small changes to BIP 340-342, despite initially stating that no further semantical changes were expected. In the first change, the Y coordinate of 32-byte public keys is changed from implicitly square to implicitly even. This modification improves signing speed, simplifies integration with existing key generation infrastructure, and has minimal impact on verification speed. The second change focuses on more secure nonce generation by including the public key in the process, incorporating actual signing-time randomness, and using a different method of mixing in this randomness to protect against differential power analysis. Additionally, new tagged hash tags have been added to ensure consistent failure of code written for earlier BIP texts.Pieter Wuille's updates to BIP 340-342 proposals aim to improve the security of the specifications. These changes include modifying the Y-coordinate of 32-byte public keys, enhancing nonce generation security, and adjusting tagged hash tags. Most changes are related to more secure nonce generation, with only one change affecting validation rules. The Y coordinate of the internal R point in the signature remains implicitly square. Implementers are encouraged to use precomputed values for public key data and include it in the nonce generation to mitigate the risk of private key leakage. A different method of mixing randomness is used to protect against differential power analysis. The modified tagged hash tags ensure consistent failure of code written for earlier BIP texts.
Updated on: 2023-08-02T01:51:58.348605+00:00