[tahoe-dev] Windows installation problems

Wei Dai weidai at weidai.com
Mon Jun 15 22:14:51 UTC 2009


Zooko wrote:
> Oh!  I know, this is your defense for the "vm rollback RNG repeat"
> problem, isn't it?  The problem is, what if we are running inside a VM
> and we read a random number from the RNG, use it in ECDSA, and send
> our resulting digital signature out over the network, then our state
> gets rolled back when the VM guest gets rolled back, and then we do
> it again and get the same random number but use it to sign a different
> message.  How bad is that?  I can't figure out if ECDSA breaks
> horribly if you re-use your random integer "k".

It's really bad. If you re-use your random integer "k" just once, an 
attacker can get your entire private key.

> We could defend against "the vm rollback RNG repeat" more safely (for
> ECDSA specifically) than the current defense (for RNG in general) by
> using the message itself (or the hash thereof) as one input of
> deterministic generation of the random number k.

Yes, I'm doing that also. See line 1036 in pubkey.h. So the time() call in 
RandomPool is for defense in depth, and also other protocols where it's not 
convenient to hash the message into the random number.
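Both points in the exchange, as an added example that is not code from this thread or from Crypto++'s pubkey.h: with textbook ECDSA on secp256k1, two signatures on different messages under the same k give up the private key with two modular divisions, and deriving k from the key and the message hash (a simplified stand-in for RFC 6979, assumed here, not Wei Dai's construction) means a rolled-back VM that re-signs a different message gets a different k. The secp256k1 constants, the toy private key and the nonce are the only inputs; everything runs offline.

```python
import hashlib
import hmac

# secp256k1 parameters (field prime, group order, base point).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    # Affine addition on y^2 = x^3 + 7 mod P; None is the point at infinity.
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if A == B: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:      lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, Q):
    # Double-and-add scalar multiplication.
    R = None
    while k:
        if k & 1: R = add(R, Q)
        Q, k = add(Q, Q), k >> 1
    return R

def h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, msg, k):
    # Textbook ECDSA: r = x(kG) mod N, s = k^-1 (H(m) + r d) mod N.
    r = mul(k, G)[0] % N
    return r, (h(msg) + r * d) * pow(k, -1, N) % N

def recover_key(msg1, sig1, msg2, sig2):
    # Same k (visible as the same r) on two different messages:
    # s1 - s2 = k^-1 (h1 - h2), so k and then d fall out in two divisions.
    (r, s1), (_, s2) = sig1, sig2
    k = (h(msg1) - h(msg2)) * pow(s1 - s2, -1, N) % N
    return (s1 * k - h(msg1)) * pow(r, -1, N) % N

def deterministic_k(d, msg):
    # Simplified stand-in for RFC 6979 (assumption: not Crypto++'s construction):
    # k depends on the key and the message hash, so re-signing a different
    # message after a rollback yields a different k, not a repeated one.
    mac = hmac.new(d.to_bytes(32, "big"), hashlib.sha256(msg).digest(), "sha256")
    return int.from_bytes(mac.digest(), "big") % N or 1
```

Re-signing the same message with a deterministic k repeats the identical signature, which reveals nothing new; only a repeated k across different messages is fatal.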