Author: Gregory Maxwell 2014-07-19 06:56:08
Published on: 2014-07-19T06:56:08+00:00
In a discussion about the security of DSA nonces, it was suggested that an attacker is not obligated to follow a protocol unless prevented from doing so. It was explained that specifying derandomized DSA (deterministic nonce derivation from the private key and message) does not mean it will actually be used, because there is no reasonable way for a signer to prove that a particular nonce generation scheme was followed without revealing the private key. The verifier cannot be allowed to learn the nonce: anyone who knows the nonce for a given signature can recover the private key from it. This makes it difficult for the verifier to constrain how a DSA nonce was generated in a way that would rule out equivalent but not identical signatures, that is, different valid signatures on the same message under the same key. The only ways to control this would be a very fancy zero-knowledge proof of the derivation, or precommitting to a nonce per public key. It was noted that some signature systems are naturally randomness-free, such as most hash-based signatures and pairing-based short signatures, but not DSA, Schnorr, or any of their derivatives.
Updated on: 2023-05-19T19:06:33.335259+00:00