Author: Lloyd Fournier 2020-03-24 13:00:45
Published on: 2020-03-24T13:00:45+00:00
The post discusses the security of a new PR to change BIP-340, which includes adding random auxiliary data into the nonce derivation function to make it more secure against "differential power analysis" (DPA) attacks. The post questions the claim that this new approach is more secure than the simpler and more efficient method currently being used. The author argues that there is no advantage of the new approach over the current one against DPA attacks. The post provides an explanation of DPA attacks and how they work, as well as two papers that may have been the origin of the idea for the new approach. The post goes on to explain that the original nonce derivation in BIP-340 was vulnerable to DPA attacks because the SHA256 compression function run on (sec_key || message) may leak information about sec_key. The new approach adds secret randomness before each sensitive operation and then strips off the secret randomness afterwards to fix this problem. However, the author argues that this new approach does not provide any extra protection over the current method. The post concludes that the current method is preferable because it is simpler and more efficient, and no less secure against DPA attacks. The author suggests that if there is a justification for the new approach over the current one that they do not understand, someone needs to write it down. The post provides links to relevant papers and sources for further reading.
Updated on: 2023-06-14T00:12:13.756265+00:00