Published on: 2020-03-25T15:07:48+00:00
On March 24, 2020, Lloyd Fournier posted a message to the bitcoin-dev mailing list regarding proposed changes to BIP-340. These changes included adding random auxiliary data into the nonce derivation function to enhance security against "differential power analysis" (DPA) attacks. However, Pieter Wuille responded to the email, expressing agreement with Lloyd but also providing a summary of the discussion that led to the decision to use a non-standard scheme.Pieter pointed out an issue that Lloyd may have overlooked in a BIP32/Taproot scenario. The private key used in the signing algorithm functions as both a secret and something known to the attacker. This means that interactions between bits inside the hash operation, which all come from the private key, can potentially leak bit-level information. To address this, Pieter suggested XORing the private key with another value before passing it to the hash function. This would prevent the leakage of bit-level information.However, Pieter acknowledged that DPA issues are challenging to reason about, as finding a realistic attack model that only leaks some information without immediately exposing the entire key is difficult. The discussion also touched upon concerns such as efficiency, the risk of midstate leakage in the hash function, and the presence of public keys from an attacker in the signing algorithm.The proposed solution discussed in the thread, H(priv XOR H(aux) || pub || msg), seemed to satisfy most of the requirements. Pieter emphasized that different prioritizations might lead to different conclusions. He welcomed further input and suggestions on the matter.In summary, the post on the mailing list delves into the security of a proposed change to BIP-340 involving the addition of random auxiliary data to prevent DPA attacks. The author questions whether this new approach offers any significant advantages over the current simpler and more efficient method. They argue that the current method is already secure against DPA attacks and provide explanations of how DPA attacks work, along with relevant papers and sources for further reading. The author suggests that if there are justifications for the new approach that they do not understand, these should be documented.
Updated on: 2023-08-02T01:56:36.603022+00:00