
Here you write: "Two (or more) ECDSA signatures were generated with the same secret nonce."

On the blog you write: "In DSA, the k value is not a nonce."

Is it any wonder people get confused?



Please quote in context. The complete quote:

  "In DSA, the k value is not a nonce. In addition to being
  unique, the value must be unpredictable and secret. This
  makes it more like a random session key than a nonce. When
  an implementer gets this wrong, they expose the private
  key, often with only one or two signatures."

There is no standard term for "nonce that must remain secret", hence I believe that "secret nonce" is the best I can do. The term "nonce" is general enough that it can be public; it only must be unique.

I take great pains to create a reasonable term where none exists because I agree terminology and consistency are important in crypto. If you have a better term, I'm happy to hear it.


I believe calling it simply a "secret" or "random secret" would lead to less confusion. But my point wasn't so much to prove you wrong, but to point out that the issue was more subtle than "Sony didn't read the crypto manual".

I liked your comment in general, but I think the jab at Sony for not reading your blog and the parenthetical (surprise) insinuate a level of boneheadedness that's unwarranted. Maybe that's just my reading of it.


"Random secret" doesn't capture the fact that it must not be reused across messages. A session key ("random secret") can be reused to encrypt multiple messages; a DSA secret nonce can't.

You need three concepts: unique (used only once, ever), unpredictable (pseudo-random), and secret (never revealed to anyone, before or after use).

You should read the DSA spec, FIPS 186-3, section 4.5. They call this parameter the "Per-Message Secret Number", which doesn't capture the fact it needs to be unpredictable. (Later in that section, they mention it is "random", but the name of the parameter doesn't have that notion.)

My surprise is not that Sony didn't read our blog, but that they didn't read FIPS 186 when implementing their concrete-vault root signing tool. "Per-message" is spelled out right there in the title of section 4.5.
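Added example, not part of any comment in this thread: a toy DSA over a tiny constructed group (the parameters Q, P, G and the stand-in hash are mine and are insecure by design), showing why the "per-message secret number" of FIPS 186 section 4.5 must be unique, and the audit check a verifier can run for the repeated r value that reuse leaves behind.

```python
"""Toy DSA with tiny, constructed parameters (insecure; illustration only).
Reusing the per-message secret number k across two messages yields two
signatures with the same r; anyone holding both can solve for k and then for
the private key x. A repeated r under one key is therefore the signal an
auditor looks for."""

# Constructed toy group: q and p = 2q + 1 are prime, g = 4 has order q mod p.
Q = 1019
P = 2 * Q + 1  # 2039
G = 4


def h(msg: bytes) -> int:
    """Stand-in for the message hash (toy: message bytes read as an integer mod q)."""
    return int.from_bytes(msg, "big") % Q


def sign(x: int, msg: bytes, k: int) -> tuple[int, int]:
    """DSA signature with an explicit per-message secret number k."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate k, pick another")
    return r, s


def verify(y: int, msg: bytes, sig: tuple[int, int]) -> bool:
    """Standard DSA verification against public key y = g^x mod p."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = (pow(G, h(msg) * w % Q, P) * pow(y, r * w % Q, P) % P) % Q
    return v == r


def recover_key(msg1: bytes, sig1: tuple[int, int],
                msg2: bytes, sig2: tuple[int, int]) -> int:
    """Two signatures made with the same k share r; k and then x follow by algebra."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        raise ValueError("signatures do not share a per-message secret")
    k = (h(msg1) - h(msg2)) * pow(s1 - s2, -1, Q) % Q
    return (s1 * k - h(msg1)) * pow(r1, -1, Q) % Q


def repeated_r(sigs: list[tuple[int, int]]) -> set[int]:
    """Audit check: an r value seen twice under one key means k was reused."""
    seen, dup = set(), set()
    for r, _ in sigs:
        (dup if r in seen else seen).add(r)
    return dup
```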


"Nonce" means "a token that is used once." It's sort of meaningless to say "used the nonce twice", but the only way around it is rigorously formal, yet even more circuitous and confusing, speech:

"Two (or more) ECDSA signatures were generated with a constant value provided where a secret nonce value should go, making it not effectively a nonce."



