Nostr Web Client

Remember kids, in the Schnorr family of signatures nonces are *fragile* not robust. Bias them by a few bits and you're in serious danger to lattice attacks. Generating them with an algo where half the bits are public knowledge could be considered ... inadvisable 😆

https://eprint.iacr.org/2023/841.pdf

test_1 2y ago

Considering 4bit bias is feasible to compute in reasonable timeframe and cost and <1bit is the real statistic LLL threat, we should add to schnorr and ECDSA even with det a disclaimer -sign never not more than ... times with the same key - i wonder how many crypto K... (ETH, nostr et al.) can guess ... correct.

Reply to this note

Please Login to reply.

Discussion

waxwing 2y ago

I had the same thought, especially about nostr. It might push these schemes a bit beyond their acceptable limit.

Sorry for late reply, only now getting the feed properly stable.