0

If I sign two messages with the same private key and nonce, it compromises security, making it possible to calculate the private key.

I'm implementing a system (outside of bitcoin) where a message, with a unique property, must be signed only once.

In order to enforce this, I'm making it mandatory to use a hash of the unique property as the nonce.

This means that signing a two messages, having the same unique property, will give away the signer's private key. (Which is not something they want to do, in this system.)

How do I use the secp256k1 functions to obtain a private key from two signed messages which use the same nonce? (This is alluded to in this question.)

fadedbee
  • 143
  • 4
  • Presumably, if the unique property for two messages is the same, the content of those messages is also the same (wouldn't be much of a unique property, otherwise) - if your systems is designed correctly, you would end up with the same signature in both instances then, which would not leak the private key. For leakage to occur, two different messages must be signed with a shared R value. – Raghav Sood Jun 28 '20 at 06:16
  • @RaghavSood No, the messages might be {"election":2018,"vote":"green"} and {"election":2018,"vote":"blue"} with the unique property being just the election and NOT the vote. – fadedbee Jun 28 '20 at 06:23
  • 1
    This does not work. The reason the private key leaks is because attackers now know a relation between those two signatures. If they know the nonce up front (as required by nonce=H(msg)), attackers will learn the private key from one signature directly. – Pieter Wuille Jun 28 '20 at 15:04
  • @PieterWuille I'm confused, I thought nonces were not secret information (at least in encryption). Can you verify a signature without knowing the nonce for secp256k1? – fadedbee Jun 29 '20 at 05:23
  • 1
    The term nonce as used in signatures is confusing. It security requirement is not the same as those in encryption. It is not enough that they are just used once. They have to be completely unpredictable to an attacker, which implies they are secret (but even knowing one bit of information about each nonce in many signatures may be enough to recover the private key). – Pieter Wuille Jun 29 '20 at 05:25

0 Answers0