Oddbean

Great idea! Best used in conjunction with timestamps to prove notes were written well prior to the coins being taken. Amethyst supports OpenTimestamps. Although every time I timestamp a note amethyst seems to get stuck in a crash at startup state... nostr:nevent1qqstad8stq2phk0fn35ek9wjpjs8tdel8q455gs5py8g2kwcxvkdj5gpzpmhxue69uhkummnw3ezumt0d5hsygzxpsj7dqha57pjk5k37gkn6g4nzakewtmqmnwryyhd3jfwlpgxtspsgqqqqqqsugwkh0

I sadly somewhat agree. I had a discussion ~ 1.5 yrs ago on here with someone where we both had the same thought: what saves bitcoin users from slightly weak nonces being dangerous to their funds is non-address reuse. (I recommend the paper "biased nonce-sense" by Tanja Lange et al on this). If you use nostr keys as bitcoin keys then even 1 or 2 bits of bias in your nonce generation could be enough to lose the funds.

Read the thread for context. I think it's interesting to compare other situations where signatures get used a lot on keys. A good one might be lightning: in that case, they use a noise-based transport protocol to encrypt the actual tx messages etc, as well as onion routing. however, channel counterparties by definition will see a lot of messages on the same key; just not, 1000s, usually it'll be more like 10s (but that can be enough for lattice attacks to work). Another example is TLS, it's been years since I studied it but iirc it starts with a diffie hellman exchange, not a signature; signatures are used for the PKI part (that is, the certificates presented by the server (not usually client) to the client are signed by an authority in a tree structure; i guess technically this can result in a lot of signatures on single authority keys, so there could be conceivably attacks there). I'm certainly not sure but I think the continued use of RFC6979 is a tremendous bastion of defence against all these attacks (and the algo is changed in BIP340 signing but it's just a simpler version, it should give the same result - no nonce bias). The area of concern might be more likely the cooperative protocols where deterministic nonces can't be used (see the MuSig bip for some discussion). nostr:nevent1qqs92txscwu60xju27h065cjmwnvzu8xq8jz0rwhqh3pfjq378cuzvcpr4mhxue69uhkummnw3ezucnfw33k76twv4ezuum0vd5kzmp0qgsxwkuyle67y94tj378gw8w2xw2wa6nwmwlqhddlwnz0z7sztsaw2qrqsqqqqqpm4l5x3

I am following, to the slightest degree, what you're talking about but want to pick up a good book on the basics of cryptography so i dont feel so lost when i read stuff like this. Any recommendations?

Serious Cryptography by J P Aumasson is a pretty good 'high level introduction to the main areas of applied modern cryptography' i feel like. You could use it as a starting point for the stuff you want to delve into. There are tons of learning materials online of course.

If I understand correctly, you want to make sure that whenever you generate a nonce for your ECDSA signatures, they should be as random as possible and should never be reused because it's simple to derive the secret key from the signature and the nonce. I imagine that in both nostr and bitcoin, this is known and applications are designed with this in mind? Is ensuring random, non-reused nonces that hard to do?

It is and it isn't. The reason we're talking about lattice attacks is they make it possible to extract private keys from anything from a few signatures to 100s+ - if there are just slight biases (nonrandomness) in the nonces generated by your nonce algo.

Interesting. So I suppose we definitely want to use proper sources of randomness and hope there aren't any bugs that can cause a pattern to emerge. Any thoughts on EdDSA and how it deterministically generates the nonce? Can this sort of thing be implemented in Bitcoin/nostr libraries (assuming it's good and solves the issue)?