Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Deterministic signatures are not your friends

Paul Miller, posted 8 months ago
  • The original implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) worked the same as DSA except that it used elliptic-curve math. It has a well-known flaw: if you reuse the nonce, it is trivial to recover the private key from only two different messages. This has been the root cause of many hacks, such as the PlayStation 3 key leak from Geohot.
  • To prevent the same nonce from being used on different data, deterministic signatures were created. The nonce, k, is derived deterministically from the private key and the message. For instance, hash(key||message) is always the same for a given message and differs between messages. Since the attack described above requires two separate messages signed with the same nonce, this removes the attack vector entirely. Or so we thought. Since a bug in elliptic.js was announced, this is being rethought.
  • If two different messages can produce the same nonce value, then we have the same issue as before. The JavaScript implementation of RFC 6979 converted a Uint8Array to a bigint, and that conversion had a bug: it did not properly add leading zeros to each byte's hex value. So the arrays [1, 1, 30] and [17, 30] led to the same nonce being used. If an attacker could trick the system into signing these two pieces of data, they could recover the key as a result.
  • So, if both are bad, how about we combine them? This is the concept behind hedged signatures. If there are BOTH a deterministic portion and a random portion, then BOTH would need to be done incorrectly for this to fail. There are some downsides, mentioned in the post, but it's interesting nonetheless.
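As an added example (not code from the post or from elliptic.js), here is the unpadded byte-to-hex conversion pattern the third bullet describes beside its corrected form, with the two arrays from the post and a brute-force count of colliding inputs; the function names and the one-byte-per-hex-digit model of the bug are my own construction.

```javascript
// Added example, not code from the original post or from elliptic.js.
// Models the nonce-input conversion bug the post describes: bytes are
// hex-encoded without zero-padding, so distinct byte arrays can map to the
// same integer and therefore to the same RFC 6979-style nonce.

// Buggy conversion: each byte yields one or two hex digits, so 0x01 becomes
// "1" and the byte boundaries are lost.
function bytesToBigIntBuggy(bytes) {
  let hex = "";
  for (const b of bytes) hex += b.toString(16);
  return BigInt("0x" + (hex || "0"));
}

// Fixed conversion: every byte contributes exactly two hex digits, so arrays
// of a given length map to integers one-to-one.
function bytesToBigIntFixed(bytes) {
  let hex = "";
  for (const b of bytes) hex += b.toString(16).padStart(2, "0");
  return BigInt("0x" + (hex || "0"));
}

// True if the two inputs would reach the nonce derivation as the same value.
function nonceSeedCollides(convert, a, b) {
  return convert(a) === convert(b);
}

// Brute-force check over every byte array of a given length (len 2 means
// 65536 arrays): how many inputs land on an integer another input produced.
function countCollisions(convert, len) {
  const seen = new Set();
  let collisions = 0;
  for (let i = 0; i < 256 ** len; i++) {
    const bytes = [];
    for (let v = i, j = 0; j < len; j++) { bytes.unshift(v & 0xff); v >>>= 8; }
    const key = convert(bytes).toString();
    if (seen.has(key)) collisions++; else seen.add(key);
  }
  return collisions;
}

// Constructed sample inputs: the two arrays quoted in the post.
const msgA = [1, 1, 30];
const msgB = [17, 30];

console.log("buggy collides:", nonceSeedCollides(bytesToBigIntBuggy, msgA, msgB)); // true
console.log("fixed collides:", nonceSeedCollides(bytesToBigIntFixed, msgA, msgB)); // false
console.log("buggy 2-byte collisions:", countCollisions(bytesToBigIntBuggy, 2));
console.log("fixed 2-byte collisions:", countCollisions(bytesToBigIntFixed, 2)); // 0
```

The fixed version is the property a reviewer should check in any bytes-to-integer helper on the signing path: a fixed-length input must map to integers injectively, which the padded encoding guarantees and the unpadded one does not.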