spesmilo / electrum

Electrum Bitcoin Wallet
https://electrum.org
MIT License

Is electrum vulnerable to reusing the nonce with different public keys (ECDSA pivot attack) #1876

Closed RealBTC closed 8 years ago

RealBTC commented 8 years ago

We know that reusing the nonce (k variable) can lead to private key leaking. However, this was fixed in Electrum 1.9 with the RFC 6979 implementation.

What I'm asking is: is Electrum vulnerable to reusing the nonce with different public keys? Does RFC 6979 cover this vulnerability?

You can watch here what I'm talking about; they call it the ECDSA pivot attack: http://livestream.com/internetsociety/hopeconf/videos/130745035

Go to 31:52 and see the guy explain this attack; it's basically due to poor random number generators yielding the same nonce (k) for different addresses.

Also, they talk about sharing nonces across different private keys. Does Electrum share that too in the deterministic wallet architecture?

So is Electrum protected against this attack?

dabura667 commented 8 years ago

Yes. RFC6979 covers this vulnerability with a high probability.

The way RFC 6979 works is that it basically hashes the private key and the message hash together with various permutations.

Since the formula to obtain s is k^-1(z + rp) mod n, besides k the only variables are r (which is derived from k), z (the message) and p (the private key).

So by hashing z and p together to make k (it's more complicated than that, but basically that's what's happening), there are a few properties we can deduce if we assume SHA256 is a good hashing algorithm.

  1. Using the same private key, any different message will always yield a unique k.
  2. Using the same message, any different private key will always yield a unique k.
  3. Using the same private key and message, the k will always be the same.
  4. Using a different private key and different message the k will always be different.

So your concern is covered by 2 and 4.

RealBTC commented 8 years ago

@dabura667 I see.

What about the nonce (k) sharing between addresses, since all private keys are derived from the seed?

Is there any link there, or information leakage, that could leak private key 1 from private key 2 or vice versa within the same wallet? (If, for example, the attacker knows that Address 1 and Address 2 are from the same wallet.)

Or something similar to that, exploiting the deterministic wallet address structure, for example.

They also talk about the related nonce attack, at the 38:00 mark, which uses incremental nonces for each address in a wallet, for example: if k is used for Address 1, k+1 is used for Address 2, and so on. The private key also leaks that way.

What about that?

dabura667 commented 8 years ago

Please re-read what I wrote. Your extra questions indicate that you did not understand very well.

Yes. RFC6979 protects against all of that.
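As an added example (not Electrum's own code), this is the RFC 6979 derivation dabura667 describes, over the secp256k1 order n with HMAC-SHA256, plus a check of the four listed properties and of the "k for Address 1, k+1 for Address 2" concern raised above, using two adjacent private keys as stand-ins for sibling wallet keys. It assumes z is a 32-byte SHA-256 message hash; the key and hash values in the checks are constructed.

```python
import hashlib
import hmac

# Order n of the secp256k1 group: the modulus in s = k^-1 (z + r*p) mod n.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def rfc6979_k(priv: int, z: bytes) -> int:
    """Derive k from private key p and 32-byte hash z per RFC 6979 section 3.2.
    Both inputs seed the HMAC-DRBG, so k changes whenever either one changes."""
    assert 1 <= priv < N and len(z) == 32
    x = priv.to_bytes(32, "big")                              # int2octets(p)
    h1 = (int.from_bytes(z, "big") % N).to_bytes(32, "big")   # bits2octets(z)
    V, K = b"\x01" * 32, b"\x00" * 32                         # steps b, c
    K = _hmac(K, V + b"\x00" + x + h1)                        # step d
    V = _hmac(K, V)                                           # step e
    K = _hmac(K, V + b"\x01" + x + h1)                        # step f
    V = _hmac(K, V)                                           # step g
    while True:                                               # step h
        V = _hmac(K, V)          # one 32-byte block covers the 256-bit order
        k = int.from_bytes(V, "big")
        if 1 <= k < N:
            return k
        K = _hmac(K, V + b"\x00")  # candidate out of range: re-key and retry
        V = _hmac(K, V)


def nonce_for_message(priv: int, message: bytes) -> int:
    """Convenience wrapper: z is the single SHA-256 of the message."""
    return rfc6979_k(priv, hashlib.sha256(message).digest())


def nonce_properties(priv_a: int, priv_b: int, z_a: bytes, z_b: bytes) -> dict:
    """Check the thread's four properties plus the incremental-nonce concern
    for two distinct keys and two distinct hashes; every value should be True."""
    assert priv_a != priv_b and z_a != z_b
    k_aa, k_ab = rfc6979_k(priv_a, z_a), rfc6979_k(priv_a, z_b)
    k_ba, k_bb = rfc6979_k(priv_b, z_a), rfc6979_k(priv_b, z_b)
    return {
        "same_key_diff_msg_differs": k_aa != k_ab,                    # property 1
        "same_msg_diff_key_differs": k_aa != k_ba,                    # property 2
        "same_key_same_msg_repeats": k_aa == rfc6979_k(priv_a, z_a),  # property 3
        "diff_key_diff_msg_differs": k_aa != k_bb,                    # property 4
        "sibling_keys_no_k_plus_1": abs(k_ba - k_aa) != 1,            # no k, k+1 pattern
    }
```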