It may have passed people by, but I think gmax found something very dangerous here:

https://moderncrypto.org/mail-archive/curves/2020/001012.html

Let me condense it so it's more concrete:

(1) your hardware or software has a simple Schnorr style signing algo: take privkey x, message m, output a signature (R, s)

(2) Your nonce k in s = k + ex is generated deterministically (RFC6979, EdDSA). Think of it as k = f(x, m).

(3) Your e-value is a hash with pubkey prefix: e = H(P|R|m), where P is the pubkey, P = xG.

(1/n)

#crypto


Now remember this operation happens on a device or piece of software that knows x, but is constrained to, say, just generating signatures. So it outputs s_1, knowing x internally. As an attacker you want to steal knowledge of x.

So all you do is repeat the process with another fake P, P_2:

s_2 = k(x,m) + H(P_2|R|m)x

Notice that k didn't change (and so neither did R = kG) - it's a function of privkey x and message m only.

Now we have:

s_1 = k + e_1 x

s_2 = k + e_2 x

.. subtract one from the other and you can derive x: s_1 - s_2 = (e_1 - e_2)x, so x = (s_1 - s_2)/(e_1 - e_2).

(3/n).

waxwing @waxwing@x0f.org

So what went wrong? Basically we must never allow "nonce reuse" on a single private key. Many bitcoins were lost in the early days because of that mistake. And that attack is fundamental to the Schnorr protocol and all variants, including ECDSA, that use a "commit, challenge, response" (or 'sigma protocol') design.

Here, the deterministic nonce generation failed in its purpose, which is twofold:

the k value should be unguessably random

the k value must never repeat for different signatures

(4/n)

Further into the autopsy: why did the k value repeat, when usually it doesn't? Because making k a function of x and m assumes that the inputs to the signing algo are just x and m (the private key and the message), but we have changed the signing algo to also take the public key as an input (as a speed optimization). So it must be added to what gets hashed.

By changing to k = f(x, m, P) the problem is solved.

More discussion: https://github.com/sipa/bips/issues/190

(5/5 maybe)
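Here is the attack and the fix worked through in code, as an added example (not from the thread or the linked discussion). It assumes secp256k1 with a plain 64-byte x||y point encoding and SHA-256 standing in for H; the signer takes the pubkey from its caller, as in the thread, and its nonce function either omits P (the flawed k = f(x, m)) or includes it (the fix).

```python
import hashlib
# secp256k1 (the curve the linked BIP discussion targets); affine points, None = infinity.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    if A is None or B is None:
        return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P_MOD == 0:
        return None
    num, den = (3 * A[0] * A[0], 2 * A[1]) if A == B else (B[1] - A[1], B[0] - A[0])
    lam = num * pow(den, -1, P_MOD) % P_MOD
    x = (lam * lam - A[0] - B[0]) % P_MOD
    return x, (lam * (A[0] - x) - A[1]) % P_MOD

def mul(k, Pt=G):
    R = None
    while k:
        if k & 1:
            R = add(R, Pt)
        Pt, k = add(Pt, Pt), k >> 1
    return R

def enc(Pt):  # constructed 64-byte x||y encoding used inside the hashes
    return Pt[0].to_bytes(32, "big") + Pt[1].to_bytes(32, "big")

def H(*parts):  # SHA-256 of the concatenation, reduced mod n
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N_ORD

def sign(x, m, pub, pub_in_nonce):  # signer knows x; `pub` is supplied by the caller
    # Deterministic nonce: flawed k = f(x, m), or fixed k = f(x, m, P) when pub_in_nonce.
    k = H(b"nonce", x.to_bytes(32, "big"), m, enc(pub) if pub_in_nonce else b"") or 1
    R = mul(k)
    e = H(enc(pub), enc(R), m)  # challenge with pubkey prefix, e = H(P|R|m)
    return R, (k + e * x) % N_ORD

def verify(pub, m, sig):  # sG == R + eP
    R, s = sig
    return mul(s) == add(R, mul(H(enc(pub), enc(R), m), pub))

def recover_key(m, pub1, pub2, sig1, sig2):  # same R, different pubkey prefix -> x
    (R1, s1), (R2, s2) = sig1, sig2
    if R1 != R2:
        return None  # k (hence R) did not repeat: nothing to subtract
    e1, e2 = H(enc(pub1), enc(R1), m), H(enc(pub2), enc(R2), m)
    return (s1 - s2) * pow(e1 - e2, -1, N_ORD) % N_ORD
```

Calling sign twice on the same message with the real P and any other point P_2 gives two signatures sharing R, and recover_key returns x; with pub_in_nonce=True the R values differ and it returns None.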