RustCrypto / elliptic-curves

Collection of pure Rust elliptic curve implementations: NIST P-224, P-256, P-384, P-521, secp256k1, SM2

sm2 sign method seems to get the same result when using the same secret_key #883

Closed nyrf closed 1 year ago

nyrf commented 1 year ago
```rust
// Imports the snippet needs; assumes the `sm2` (with the `dsa` feature),
// `hex` and `signature` crates are dependencies.
use sm2::dsa::{Signature, SigningKey};
use sm2::SecretKey;
use signature::Signer; // brings the `sign` method into scope

fn main() {
    let sk = "228b2fa8bd433c6c068c8d803dff79792a519a55171b1b650c23661d15897263";

    let distid = "example@rustcrypto.org"; // distinguishing identifier

    let sk = hex::decode(sk).unwrap();
    let secret_key = SecretKey::from_slice(&sk).unwrap();

    let signing_key = SigningKey::new(distid, &secret_key).unwrap();
    let message = b"test message";
    let signature: Signature = signing_key.sign(message);
    println!("signature is {:?}", signature.to_bytes())
}
```
signature is [88, 130, 187, 135, 240, 100, 177, 164, 9, 68, 42, 124, 180, 193, 231, 22, 225, 9, 233, 161, 218, 68, 51, 10, 19, 96, 143, 29, 164, 15, 31, 11, 222, 122, 102, 150, 10, 62, 28, 207, 188, 64, 97, 83, 237, 218, 85, 246, 116, 48, 238, 107, 149, 11, 37, 165, 236, 63, 88, 177, 52, 135, 123, 199]

When I used other crates, it got a different result every time.

tarcieri commented 1 year ago

This crate implements a deterministic version of SM2DSA based on RFC6979, similar to the deterministic implementation of ECDSA in the ecdsa crate.

The security of both ECDSA and SM2DSA relies on the generation of the k scalar used to compute a signature being unique per message and uniformly random with no bias. If there is a bias, lattice attacks can be used to recover the private key.

ECDSA has failed many times in practice in high profile applications because of bad selection of k, which is what RFC6979 aims to prevent by using HMAC-DRBG as an unbiased pseudorandom number generator. SM2DSA will fail the same way if k is not chosen in a uniformly random manner.

There are still some reasons to incorporate additional randomness though, like fault attacks. RFC6979 supports supplying additional randomness as an input to its pseudorandom number generator, and the ecdsa crate provides a RandomizedSigner implementation which uses this randomness. This crate could as well.
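
The RFC 6979 derivation described above, as an added example that is not part of this thread or the sm2 crate: it seeds HMAC-DRBG with the private key and the reduced message hash (plus the optional section 3.6 additional data that a RandomizedSigner would supply) and draws candidates until one lands in [1, n-1]. Assumptions: SHA-256 stands in for SM3, and the curve order is the sm2p256v1 value.

```python
import hashlib
import hmac

# Order n of the SM2 curve (sm2p256v1): a valid k must lie in [1, n-1].
SM2_N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123


def rfc6979_k(priv: int, msg: bytes, q: int = SM2_N, extra: bytes = b"") -> int:
    """RFC 6979 section 3.2 k derivation; `extra` is the optional section 3.6
    additional data. Assumption: SHA-256 is used here in place of SM3."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8

    def bits2int(b: bytes) -> int:
        v = int.from_bytes(b, "big")
        blen = len(b) * 8
        return v >> (blen - qlen) if blen > qlen else v

    def int2octets(x: int) -> bytes:
        return x.to_bytes(rlen, "big")

    def mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    h1 = hashlib.sha256(msg).digest()
    # Material mixed into the HMAC-DRBG seed: private key, h1 reduced mod q, extra data.
    seed = int2octets(priv) + int2octets(bits2int(h1) % q) + extra
    v = b"\x01" * len(h1)
    k = b"\x00" * len(h1)
    k = mac(k, v + b"\x00" + seed)
    v = mac(k, v)
    k = mac(k, v + b"\x01" + seed)
    v = mac(k, v)
    while True:  # draw candidates until one falls in [1, q-1]
        t = b""
        while len(t) * 8 < qlen:
            v = mac(k, v)
            t += v
        cand = bits2int(t)
        if 1 <= cand < q:
            return cand
        k = mac(k, v + b"\x00")  # rejected candidate: reseed and try again
        v = mac(k, v)
```

Calling it twice with the same key and message returns the same k, which is exactly why the signature in the issue is identical on every run; changing the message or supplying additional data yields a different k.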

nyrf commented 1 year ago

> This crate implements a deterministic version of SM2DSA based on RFC6979, similar to the deterministic implementation of ECDSA in the ecdsa crate.
>
> The security of both ECDSA and SM2DSA relies on the generation of the k scalar used to compute a signature being unique per message and uniformly random with no bias. If there is a bias, lattice attacks can be used to recover the private key.
>
> ECDSA has failed many times in practice in high profile applications because of bad selection of k, which is what RFC6979 aims to prevent by using HMAC-DRBG as an unbiased pseudorandom number generator. SM2DSA will fail the same way if k is not chosen in a uniformly random manner.
>
> There are still some reasons to incorporate additional randomness though, like fault attacks. RFC6979 supports supplying additional randomness as an input to its pseudorandom number generator, and the ecdsa crate provides a RandomizedSigner implementation which uses this randomness. This crate could as well.

Thank you. I see. Then, thanks for your great work.