Zooko wrote:

> Oh! I know, this is your defense for the "vm rollback RNG repeat"
> problem, isn't it? The problem is, what if we are running inside a VM
> and we read a random number from the RNG, use it in ECDSA, and send
> our resulting digital signature out over the network, then our state
> gets rolled back by the VM guest gets rolled back, and then we do
> it again and get the same random number but use it to sign a different
> message. How bad is that? I can't figure out if ECDSA breaks
> horribly if you re-use your random integer "k".
It's really bad. If you re-use your random integer "k" just once, an attacker can get your entire private key.

> We could defend against "the vm rollback RNG repeat" more safely (for
> ECDSA specifically) than the current defense (for RNG in general) by
> using the message itself (or the hash thereof) as one input of
> deterministic generation of the random number k.

Yes, I'm doing that also. See line 1036 in pubkey.h. So the time() call in RandomPool is for defense in depth, and also other protocols where it's not convenient to hash the message into the random number.

You received this message because you are subscribed to the "Crypto++ Users" Google Group. To unsubscribe, send an email to [email protected]. More information about Crypto++ and this group is available at http://www.cryptopp.com.
