From 0a5ca2422f14f9c17a017207feb9f83f94ce0e89 Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Mon, 27 Sep 2021 14:40:06 -0400 Subject: [PATCH] crypto/ecdsa: draw a fixed amount of entropy while signing The current code, introduced in CL 2422, mixes K bits of entropy with the private key and message digest to generate the signature nonce, where K is half the bit size of the curve. While the ECDLP complexity (and hence security level) of a curve is half its bit size, the birthday bound on K bits is only K/2. For P-224, this means we should expect a collision after 2^56 signatures over the same message with the same key. A collision, which is unlikely, would still not be a major practical concern, because the scheme would fall back to a secure deterministic signature scheme, and simply leak the fact that the two signed messages are the same (which is presumably already public). Still, we can simplify the code and remove the eventuality by always drawing 256 bits of entropy. Change-Id: I58097bd3cfc9283503e38751c924c53d271af92b Reviewed-on: https://go-review.googlesource.com/c/go/+/352530 Trust: Filippo Valsorda Run-TryBot: Filippo Valsorda TryBot-Result: Go Bot Reviewed-by: Roland Shoemaker --- src/crypto/ecdsa/ecdsa.go | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/src/crypto/ecdsa/ecdsa.go b/src/crypto/ecdsa/ecdsa.go index 219436935f..282596d2d2 100644 --- a/src/crypto/ecdsa/ecdsa.go +++ b/src/crypto/ecdsa/ecdsa.go @@ -200,12 +200,8 @@ var errZeroParam = errors.New("zero parameter") func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) { randutil.MaybeReadByte(rand) - // Get min(log2(q) / 2, 256) bits of entropy from rand. - entropylen := (priv.Curve.Params().BitSize + 7) / 16 - if entropylen > 32 { - entropylen = 32 - } - entropy := make([]byte, entropylen) + // Get 256 bits of entropy from rand. + entropy := make([]byte, 32) _, err = io.ReadFull(rand, entropy) if err != nil { return -- 2.50.0