pull down to refresh

⚠️ NEVER reuse Nonce
2890 sats \ 6 comments \ @bitcoin_devs 22h bitcoin

Nonce Reuse Attack

- If you prefer reading on the website, check πŸ‘‰ https://bitcoindevs.xyz/decoding/nonce-reuse-attack
Nonce is a random, unique value used in the signing process.
In Schnorr signatures, each signature requires a fresh nonce. Reusing the same nonce is a dangerous mistake that allows an attacker to calculate your private key.
Let's start by breaking down the Schnorr signature equation to see how this happens.
If the nonce k remains the same across different transactions, an attacker can isolate the private key d by comparing two signatures.
Imagine you want to sign two separate transactions but mistakenly use the same nonce for both. Here's how it plays out:

Here’s where things go wrong when the nonce is reused!
Since the only variable difference between S1 and S2 is the hash of the transactions, an attacker can calculate k and subsequently derive your private key d. This exposes your Bitcoin funds to theft.

How to Prevent Nonce Reuse Attacks ?

The solution is straightforward:
Never reuse a nonce!
Never reuse a nonce!
Never reuse a nonce!
Never reuse a nonce!
Never reuse a nonce!
Never reuse a nonce!
Never reuse a nonce!
Never reuse a nonce!
Always ensure that your cryptographic library generates a unique, random nonce for each signature.

6. Calculating the Private Key from Reused Nonces

Check πŸ‘‰ https://bitcoindevs.xyz/decoding/nonce-reuse-attack for the explanation
write
preview
related posts
0 sats \ 0 replies \ @025738dda8 16h
When using libsodium-based cryptography, it does the magic under the hood:
https://github.com/jedisct1/libsodium/blob/1d9fec9566455e27e831d05fecf45d7585b60af1/src/libsodium/crypto_sign/ed25519/ref10/sign.c#L50
The nonce is derived from the sha512 of hashed private key and the message being signed. Optionally, if enabled during compilation, the nonce can be randomized via func _crypto_sign_ed25519_synthetic_r_hv().
reply
0 sats \ 2 replies \ @ZezzebbulTheMysterious 21h
In ECDSA, we use RFC6979 to use a deterministic nonce based on the private key and message, this prevents accidental reuse of the nonce value.
https://datatracker.ietf.org/doc/html/rfc6979
It seems these conventions have not been specified in Schnorr. We probably need an RFC or BIP on ensuring deterministic nonces in Schnorr too to ensure that wallet or library implementers do not get this wrong.
Biased nonces can lead to complete private key compromise! https://ecc2017.cs.ru.nl/slides/ecc2017-tibouchi.pdf
reply
0 sats \ 1 reply \ @nym 20h
deleted by author
reply
0 sats \ 0 replies \ @ZezzebbulTheMysterious 20h
AI slop?
Schnorr has already been implemented. Your comment is nonsense and isn't saying anything new.
reply
0 sats \ 0 replies \ @zuspotirko 21h
Semi related to your post but back in the day there was an attack on Bluetooth (in LE Legacy JW Mode) that had big problems with reusing nonces. It wasn't in signatures like here but I think in key derivation they did something like AES(ox00|π‘Ž|𝑏) with 0x00 being a constant nonce. Quite a hilarious saga.
reply
0 sats \ 0 replies \ @zuspotirko 21h
Sidenote: Nonce literally means number only used once. A lot of people don't know that, even highly respected icons of computer security.
reply