If I understand correctly, you want to make sure that whenever you generate a nonce for your ECDSA signatures, it should be as random as possible and should never be reused, because it's simple to derive the secret key from the signature and the nonce.

I imagine that in both nostr and bitcoin, this is known and applications are designed with this in mind? Is ensuring random, non-reused nonces that hard to do?
It is and it isn't.
The reason we're talking about lattice attacks is that they make it possible to extract private keys from anywhere between a few signatures and hundreds or more, if there are just slight biases (non-randomness) in the nonces generated by your nonce algo.

Interesting. So I suppose we definitely want to use proper sources of randomness and hope there aren't any bugs that can cause a pattern to emerge. Any thoughts on EdDSA and how it deterministically generates the nonce? Can this sort of thing be implemented in Bitcoin/nostr libraries (assuming it's good and solves the issue)?
RFC6979 does the same as EdDSA in terms of deterministic randomness.
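Added example of what RFC 6979 actually does, not code from the thread or from any library: the nonce k is derived from the private key and the message hash with an HMAC-based DRBG, so the same (key, message) pair always gives the same k and a broken RNG cannot cause a reuse. The block is checked against the RFC's own Appendix A.2.5 test vector (NIST P-256, SHA-256, message "sample"); only the group order changes for secp256k1.

```python
"""Added example: RFC 6979 deterministic ECDSA nonce derivation (section 3.2)."""
import hashlib
import hmac

# NIST P-256 values from RFC 6979 Appendix A.2.5 (used here as the test vector).
Q_P256 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
X_P256 = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
K_SAMPLE = 0xA6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60


def bits2int(b: bytes, qlen: int) -> int:
    """Leftmost qlen bits of b as an integer (RFC 6979 section 2.3.2)."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - qlen) if blen > qlen else v


def int2octets(v: int, rolen: int) -> bytes:
    return v.to_bytes(rolen, "big")


def bits2octets(b: bytes, q: int, qlen: int, rolen: int) -> bytes:
    return int2octets(bits2int(b, qlen) % q, rolen)


def rfc6979_k(x: int, msg: bytes, q: int, hashfunc=hashlib.sha256) -> int:
    """Derive the ECDSA nonce k for private key x and message msg over group order q."""
    qlen = q.bit_length()
    rolen = (qlen + 7) // 8
    h1 = hashfunc(msg).digest()
    hlen = len(h1)
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    seed = int2octets(x, rolen) + bits2octets(h1, q, qlen, rolen)
    # HMAC-DRBG instantiation: the key and message hash are the entropy input.
    K = hmac.new(K, V + b"\x00" + seed, hashfunc).digest()
    V = hmac.new(K, V, hashfunc).digest()
    K = hmac.new(K, V + b"\x01" + seed, hashfunc).digest()
    V = hmac.new(K, V, hashfunc).digest()
    while True:
        T = b""
        while len(T) < rolen:
            V = hmac.new(K, V, hashfunc).digest()
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Out-of-range candidate (rare): update the DRBG state and generate again.
        K = hmac.new(K, V + b"\x00", hashfunc).digest()
        V = hmac.new(K, V, hashfunc).digest()


def demo():
    k1 = rfc6979_k(X_P256, b"sample", Q_P256)
    k2 = rfc6979_k(X_P256, b"sample", Q_P256)   # same inputs -> same k, by construction
    k3 = rfc6979_k(X_P256, b"test", Q_P256)     # different message -> different k
    return k1 == K_SAMPLE, k1 == k2, k1 != k3


if __name__ == "__main__":
    print(demo())
```

Because k is a function of the message, two different messages signed with the same key cannot collide on k, and a broken system RNG cannot cause a repeat either. libsecp256k1's default nonce function is this construction over SHA-256 with an optional extra 32 bytes of entropy mixed in, which changes the derived k from what this block produces. Determinism removes the RNG as a failure point but not fault injection: a glitched computation with a deterministic k is the classic way to recover keys from EdDSA and RFC 6979 signers.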