On 17 Dec 2024, at 04:21, James Bottomley <[email protected]> wrote:
>
> The EC signature nonce must be both unique and unknown (if you know it
> you can also recover the private key). This means that if you use the
> message hash as part of a deterministic nonce scheme, you have to mix
> it with something unknown (like the private key or another random
> number). The point being that this mixing is an attack point that can
> be faulted to make nonce re-use much more likely.
In EdDSA, this mixing is done by calculating a digest over (private key, message). Is this really a practical attack vector? How do you introduce a fault that causes a digest algorithm to produce a *known* result? In any case, nobody is claiming that the signature salt is a magic bullet. A
Gnupg-devel mailing list, https://lists.gnupg.org/mailman/listinfo/gnupg-devel
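To make the point under discussion concrete (an EdDSA-style nonce is a digest over a secret prefix and the message, and a fault in that mixing step can collapse the nonce to a repeated value), here is an added illustration in Python. It is not code from this thread or from GnuPG. It follows the Ed25519 derivation from RFC 8032 (SHA-512 over the secret prefix concatenated with the message, reduced modulo the group order), models the faulted mixing step as a constructed hypothetical in which the message contribution is dropped, and adds a simple defender-side check that flags nonce reuse across distinct messages. The seed and messages are constructed sample values.

```python
import hashlib
import secrets

# Ed25519 group order from RFC 8032; nonces are reduced modulo this value.
L = 2**252 + 27742317777372353535851937790883648493


def expand_seed(seed: bytes) -> tuple:
    """Ed25519 key expansion: SHA-512(seed) splits into the scalar half and
    the 32-byte secret nonce prefix that gets mixed into every signature."""
    h = hashlib.sha512(seed).digest()
    return h[:32], h[32:]


def derive_nonce(prefix: bytes, message: bytes) -> int:
    """Deterministic EdDSA nonce: r = SHA-512(prefix || M) mod L.
    Unique per message (different M) and unknown to anyone without prefix."""
    return int.from_bytes(hashlib.sha512(prefix + message).digest(), "little") % L


def faulted_nonce(prefix: bytes, message: bytes) -> int:
    """Constructed failure model (hypothetical, not a real implementation bug):
    a glitch in the mixing step drops the message contribution, so every
    signature uses r = SHA-512(prefix) mod L and the nonce repeats."""
    return derive_nonce(prefix, b"")


def nonce_collisions(nonces: dict) -> list:
    """Defender-side check: return pairs of distinct messages that were signed
    with the same nonce. Any non-empty result means the signer is unsafe."""
    seen = {}
    pairs = []
    for msg, r in nonces.items():
        if r in seen:
            pairs.append((seen[r], msg))
        else:
            seen[r] = msg
    return pairs


def run_demo(seed: bytes = None) -> dict:
    """Derive nonces for three constructed messages with the correct and the
    faulted scheme and report what the reuse check finds for each."""
    if seed is None:
        seed = secrets.token_bytes(32)  # constructed sample private seed
    _, prefix = expand_seed(seed)
    messages = [b"transfer 10", b"transfer 20", b"transfer 30"]  # constructed
    good = {m: derive_nonce(prefix, m) for m in messages}
    bad = {m: faulted_nonce(prefix, m) for m in messages}
    return {
        "good_collisions": nonce_collisions(good),
        "faulted_collisions": nonce_collisions(bad),
        "deterministic": derive_nonce(prefix, messages[0]) == good[messages[0]],
        # Someone who knows the message but not the prefix cannot reproduce r.
        "guessable_without_prefix": derive_nonce(b"", messages[0]) == good[messages[0]],
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "->", v)
```

With the correct derivation the check reports no collisions and the nonce cannot be reproduced from the message alone; with the faulted mixing all three messages share one nonce and the check flags two colliding pairs, which is the condition the quoted message warns about.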
