Return-Path: Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id BFBDAC0177 for ; Wed, 26 Feb 2020 04:21:26 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id A9B0086239 for ; Wed, 26 Feb 2020 04:21:26 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nSTabF3z2oGI for ; Wed, 26 Feb 2020 04:21:25 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-il1-f169.google.com (mail-il1-f169.google.com [209.85.166.169]) by fraxinus.osuosl.org (Postfix) with ESMTPS id 4C1D186237 for ; Wed, 26 Feb 2020 04:21:25 +0000 (UTC) Received: by mail-il1-f169.google.com with SMTP id l4so1229042ilj.1 for ; Tue, 25 Feb 2020 20:21:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=vMDezTw8qww8kMIugdSd0Pgarp3iSz2JS5dAx8hiqd8=; b=BAPEhwuZcNhoVzk1kI107nkxI7Z5vtu6sPUaqmfIj22xEfiHZuXJNDFSXWTnXBzLDL YvjW961aEDRdFq9hCyxIR8oc3e+D027DVICyHSXZowcka5juGLnEMf6m9fsMvFPxWk31 pfFPmVknTBG6CaBCJMyHCfvT8B1JnlsqtFph1+CqLyRjGXmVx1MqbB3vlnnYIEJ+H1cO Wpyn/tU4W0ZZwo6BRnyEABJSzjXkXGMF5zT1PtjRodUk1Iu3XzN3ahcKUkwDIf4TGhif l9RDtE+27PtPSq6leOEkHe6tK9+PxpE+TiZVDMSXZJU+qSvRq4ft8iyL2Cyn0p80CG1E lpog== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=vMDezTw8qww8kMIugdSd0Pgarp3iSz2JS5dAx8hiqd8=; b=l7rpSMvl5c4N8NaZjkQmQdthDMZSc0qYrNx27KlA8H9NALfpcFodZUaCVjCOyS7rPa 9FMjNjKneyF6TndpA9gioliaLTpKsrhyvbE4O5/IIhv+WsJ7Zi/cyWvAX2Adl+AKA0op gdJYfxYKyTZkOUTtWgbFxJJlLa1y9EZ/S8xPn5fNk2M5wkp1U2Ik2BPUAVBLu8zMnsnM dF/i2USd6LVcdCwg8oiqYSAsuadxBCegkuH2upE7nmNkcDKoIgxcM4le9xrNUkNa0VJ2 8GWjell1uC33iMpZZv8DOrDL2ZiVGopyHQ6JWPSJV1CqOuco6gNlIcOQQoxfHFagincf TDog== X-Gm-Message-State: APjAAAW8jRLxJYfpheeZGxD0ZnL3L1pAChRrX6O1mix+te2SJ+NmEzvM 1UY9XBXqxVWhgeb3D+eAi/aYNqhMTtW/QmhABbE= X-Google-Smtp-Source: APXvYqwBfp+AJYizzwjhw+ih1LeFnAUpfi6XBKQ99usrpgrMtP3pRxNgs85Mv8v42PZGFMGJh+fVuteaDr0WAU7sDQE= X-Received: by 2002:a92:af44:: with SMTP id n65mr2121708ili.158.1582690884386; Tue, 25 Feb 2020 20:21:24 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Lloyd Fournier Date: Wed, 26 Feb 2020 15:20:58 +1100 Message-ID: To: Pieter Wuille , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000f4055c059f72ef6d" X-Mailman-Approved-At: Wed, 26 Feb 2020 04:59:27 +0000 Subject: Re: [bitcoin-dev] BIP 340 updates: even pubkeys, more secure nonce generation X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Feb 2020 04:21:26 -0000 --000000000000f4055c059f72ef6d Content-Type: text/plain; charset="UTF-8" Hi Pieter, Let me put change (1) into my own words. We are already computing affine coordinates since we store public keys as the affine x-coordinate. It is faster to compute is_even(y) than is_quadratic_residue(y) so we get a speed up here during keypair generation. In the verification algorithm, we do the following for the public key x_only => affine + negate if not is_even(y) => jacobian. The minor slowdown in verification comes from the extra evenness check and possible negation which we didn't have to be done in the previous version. This seems like a reasonable change if it makes things easier for existing code bases and infrastructure. With change (2), I feel like including this auxiliary random data is overkill for the spec. For me, the main point of the spec is the verification algorithm which actually affects consensus. Providing a note that non-deterministic signatures are preferable in many cases and here's exactly how you should do that (hash then xor with private key) is valuable. In the end, people will want several variations of the signing algorithm anyway (e.g. pass in public key with secret key) so I think specifying the most minimal way to produce a signature securely is the most useful thing for this document. I feel similarly about hashing the public key to get the nonce. A note in the alternative signing section that "if you pass the public key into `sign` along with the secret key then you should do hash(bytes(d) || bytes(P) || m)" would suffice for me. Despite only being included in the alternative signing section, I it would be nice to have a few of test vectors for these alternative methods anyway. Perhaps they even deserve their own BIP? Cheers, LL On Mon, Feb 24, 2020 at 3:26 PM Pieter Wuille via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Hello list, > > Despite saying earlier that I expected no further semantical changes > to BIP 340-342, I've just opened > https://github.com/bitcoin/bips/pull/893 to make a number of small > changes that I believe are still worth making. > > 1. Even public keys > > Only one change affects the validation rules: the Y coordinate of > 32-byte public keys is changed from implicitly square to implicitly > even. This makes signing slightly faster (in the microsecond range), > though also verification negligibly slower (in the nanosecond range). > It also simplifies integration with existing key generation > infrastructure. For example BIP32 produces public keys with known > even/oddness, but squaredness would need to be computed separately. > Similar arguments hold for PSBT and probably many other things. > > Note that the Y coordinate of the internal R point in the signature > remains implicitly square: for R the squaredness gives an actual > performance gain at validation time, but this is not true for public > keys. Conversely, for public keys integration with existing > infrastructure matters, but R points are purely internal. > > This affects BIP 340 and 341. > > 2. Nonce generation > > All other semantical changes are around more secure nonce generation > in BIP 340, dealing with various failure cases: > > * Since the public key signed for is included in the signature > challenge hash, implementers will likely be eager to use precomputed > values for these (otherwise an additional EC multiplication is > necessary at signing time). If that public key data happens to be > gathered from untrusted sources, it can lead to trivial leakage of the > private key - something that Greg Maxwell started a discussion about > on the moderncrypto curves list: > https://moderncrypto.org/mail-archive/curves/2020/001012.html. We > believe it should therefore be best practice to include the public key > also in the nonce generation, which largely mitigates this problem. > > * To protect against fault injection attacks it is recommended to > include actual signing-time randomness into the nonce generation > process. This was mentioned already, but the update elaborates much > more about this, and integrates this randomness into the standard > signing process. > > * To protect against differential power analysis, a different way of > mixing in this randomness is used (masking the private key completely > with randomness before continuing, rather than hashing them together, > which is known in the literature to be vulnerable to DPA in some > scenarios). > > 3. New tagged hash tags > > To make sure that any code written for the earlier BIP text fails > consistently, the tags used in the tagged hashes in BIP 340 are > changed as well. > > What do people think? > > -- > Pieter > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --000000000000f4055c059f72ef6d Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Pieter,

Let me put = change (1) into my own words. We are already computing affine coordinates s= ince we store public keys as the affine x-coordinate. It is faster to compu= te is_even(y) than is_quadratic_residue(y) so we get a speed up here during= keypair generation. In the verification algorithm, we do the following for= the public key=C2=A0 x_only =3D> affine=C2=A0+ negate if not is_even(y)= =3D> jacobian. The minor slowdown in verification comes from the extra = evenness check and possible negation which we didn't have to be done in= the previous version. This seems like a reasonable change if it makes thin= gs easier for existing code bases and infrastructure.

<= div>With change (2), I feel like including this auxiliary=C2=A0random data = is overkill for the spec.=C2=A0For me, the main point of the spec is the ve= rification algorithm which actually affects consensus. Providing a note tha= t non-deterministic signatures are preferable=C2=A0in many cases and here&#= 39;s exactly how you should do that (hash then xor with private key) is val= uable. In the end, people will want several variations of the signing algor= ithm anyway (e.g. pass in public key with secret key) so I think specifying= the most minimal way to produce a signature securely is the most useful th= ing for this document.

I feel similarly about hash= ing the public key to get the nonce. A note in the alternative signing sect= ion that "if you pass the public key into `sign` along with the secret= key then you should do=C2=A0hash(bytes(d) || bytes(P) || m)" would su= ffice for me.

Despite only being included in the a= lternative signing section, I it would be nice to have a few of test vector= s for these alternative methods anyway. Perhaps they even deserve their own= BIP?

Cheers,

LL


On Mon, Feb 24, 2020 at 3:26 PM Pieter Wuille via bitcoin-dev <bitcoin-dev@lists.linuxfo= undation.org> wrote:
Hello list,

Despite saying earlier that I expected no further semantical changes
to BIP 340-342, I've just opened
https://github.com/bitcoin/bips/pull/893 to make a numbe= r of small
changes that I believe are still worth making.

1. Even public keys

Only one change affects the validation rules: the Y coordinate of
32-byte public keys is changed from implicitly square to implicitly
even. This makes signing slightly faster (in the microsecond range),
though also verification negligibly slower (in the nanosecond range).
It also simplifies integration with existing key generation
infrastructure. For example BIP32 produces public keys with known
even/oddness, but squaredness would need to be computed separately.
Similar arguments hold for PSBT and probably many other things.

Note that the Y coordinate of the internal R point in the signature
remains implicitly square: for R the squaredness gives an actual
performance gain at validation time, but this is not true for public
keys. Conversely, for public keys integration with existing
infrastructure matters, but R points are purely internal.

This affects BIP 340 and 341.

2. Nonce generation

All other semantical changes are around more secure nonce generation
in BIP 340, dealing with various failure cases:

* Since the public key signed for is included in the signature
challenge hash, implementers will likely be eager to use precomputed
values for these (otherwise an additional EC multiplication is
necessary at signing time). If that public key data happens to be
gathered from untrusted sources, it can lead to trivial leakage of the
private key - something that Greg Maxwell started a discussion about
on the moderncrypto curves list:
https://moderncrypto.org/mail-archive/c= urves/2020/001012.html. We
believe it should therefore be best practice to include the public key
also in the nonce generation, which largely mitigates this problem.

* To protect against fault injection attacks it is recommended to
include actual signing-time randomness into the nonce generation
process. This was mentioned already, but the update elaborates much
more about this, and integrates this randomness into the standard
signing process.

* To protect against differential power analysis, a different way of
mixing in this randomness is used (masking the private key completely
with randomness before continuing, rather than hashing them together,
which is known in the literature to be vulnerable to DPA in some
scenarios).

3. New tagged hash tags

To make sure that any code written for the earlier BIP text fails
consistently, the tags used in the tagged hashes in BIP 340 are
changed as well.

What do people think?

--
Pieter
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--000000000000f4055c059f72ef6d--