paulmillr / noble-curves

Audited & minimal JS implementation of elliptic curve cryptography.
https://paulmillr.com/noble
MIT License

Implement anti-klepto protocol to protect against covert nonces #47

Open paulmillr opened 1 year ago

paulmillr commented 1 year ago

Not sure if the low-level library is the best place for such API, but at least some primitives need to be implemented for the anti-klepto protocol.

hot->cold: sha(k_hot)
cold->hot: kP_cold = hash(tx, privkey, sha(k_hot)) * G
hot->cold: k_hot
cold->hot: signed_tx
hot:       verify tx.R == kP_cold + k_hot*G

https://shiftcrypto.ch/blog/anti-klepto-explained-protection-against-leaking-private-keys/, https://github.com/bitcoin-core/secp256k1/pull/637

paulmillr commented 1 year ago

Disadvantage: user may erroneously sign 2 txs, producing different non-deterministic nonces, and push those txs, which will leak their private key.