starkware-libs / starkware-crypto-utils

Signatures, keys and Pedersen hash on STARK friendly elliptic curve
Apache License 2.0

Signatures should not be used to derive keys #14

Closed: benma closed this 1 year ago

benma commented 1 year ago

Hi

A BitBox02 user cannot regain access to their rhino.fi account after successfully registering using an EIP-712 signed message.

It seems like the signature is used as some sort of account identifier or encryption key.

The user mentioned that rhino.fi uses this repo. I am not sure if this is true, but maybe this function is being used?

https://github.com/starkware-libs/starkware-crypto-utils/blob/bf4066c81e4389daea0c388370ac509d89f1a3e1/src/js/key_derivation.js#L49-L60

This function is problematic, as signatures should not be assumed to be deterministic or be used as an encryption key or account identifier. There are many different valid signatures for one private key and message, and one cannot assume that a signer will always return the same one.

The problem in practice is that the BitBox02 hardware wallet returns a different valid signature every time a message is signed, even for the same private key and message, as a result of deploying the anti-klepto-protocol. This seems to have locked the user out of his account.

benma commented 1 year ago

Any response here? It seems multiple projects like loopring and DYDX are using this, potentially risking the funds of users which use signers that do not produce the same signatures every time.

AlonStark commented 1 year ago

Hey @benma . It is our understanding that you approached RhinoFi with this issue and were refunded appropriately, which we are happy to hear. Regarding this issue, note that there is an explicit warning in our documentation regarding the use of non-deterministic signing in the Stark key pair derivation process. Please see this link for more information. Please note the code in this repo provides tools for exchanges integrating with StarkEx to implement their own key derivation and signature schemes. We discussed this issue with RhinoFi and other StarkEx powered systems to make sure measures are in place to prevent such an issue from occurring in the future. Thank you very much for pointing this out.

benma commented 1 year ago

@AlonStark why do you even use signatures for key derivations?

There seem to be more and more apps using this function.

So far I am aware of rhino.fi, loopring and dydx. Using the signature for this sort of thing is not a good idea and is not compatible with ECDSA in general. It's bad to require deterministic signatures as it is not compatible with security protocols like the anti-klepto protocol.