Short Nonces in ECDSA signature generation

Asked Nov 29 '21 at 17:32

Active Apr 21 '22 at 21:09

Viewed 504 times

Recently I noticed that my device generates short-sized Nonces.

Approximately $2 ^ {243} - 2^{244}$.

Could it turn out that there will be a small leak of information about the first 3 bits of Nonces?

Accordingly, if Nonces is short, then it must contain null at the beginning. That is, the first 3 bits of Nonces contain null at the beginning.

Hence, for the sake of safety:

When creating an ECDSA signature, the value of signatures $[R, S, H (e)]$ that in this Nonces signature is short in size can be disclosed to an attacker?

edited Apr 21 '22 at 21:09

TMM

asked Nov 29 '21 at 17:32

Derick Swodnick

How does the "biased-k attack" on (EC)DSA work? – kelalaka Nov 29 '21 at 17:37
@kelalaka Please show me an example of how with signatures [R, S, H (e)] can tell that Nonces is short-sized? – Derick Swodnick Nov 29 '21 at 17:47
https://eprint.iacr.org/2019/023.pdf – kelalaka Nov 29 '21 at 17:48
@kelalaka On which page is this information written? – Derick Swodnick Nov 29 '21 at 17:51
Look at the second page. – kelalaka Nov 29 '21 at 17:54

Short Nonces in ECDSA signature generation

0 Answers0