ECDSA random numbers
In the ECDSA signing process, a random number (or a deterministically derived, non-repeating value) is required to sign each message.
If you use the same random number for different messages, your private key will be exposed.
The most famous incident is .
Several simplified steps in ECDSA:
private key d_A, an integer generated from RNG
public key Q_A:
Calculate hash h = hash(M) of the message M
Generate a random number k
Calculate the random point R = kG
Denote R's x coordinate R.x as r, then calculate s
Now we have the signature (r,s).
Calculate hash h = hash(M) of the message M
Calculate the modular inverse
Recover the random point used during the signing
Check if R'.x == r
Evidently, if we use the same k (which also means the same r) for different messages M, the private key can be solved by the following steps:
Never use the same random number twice when signing with ECDSA
Or, use deterministic ECDSA
Developers should be familiar enough with the underlying cryptography to avoid similar attacks.
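To show what the deterministic option means in practice, the following added example (not code from the original page) derives k from the private key and the message hash with HMAC-SHA256, following the RFC 6979 section 3.2 construction. The choice of RFC 6979, the P-256 group order, SHA-256 and the constructed test key are assumptions of this example.

```python
import hashlib
import hmac

# Group order q of NIST P-256 (the curve is an assumption of this example).
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
QLEN = Q.bit_length()      # 256 bits
RLEN = (QLEN + 7) // 8     # 32 octets


def bits2int(b: bytes) -> int:
    """Take the leftmost QLEN bits of b as a big-endian integer."""
    excess = len(b) * 8 - QLEN
    v = int.from_bytes(b, "big")
    return v >> excess if excess > 0 else v


def int2octets(x: int) -> bytes:
    return x.to_bytes(RLEN, "big")


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def deterministic_k(d: int, message: bytes) -> int:
    """Derive the per-signature k from private key d and hash(M)."""
    h1 = hashlib.sha256(message).digest()
    seed = int2octets(d) + int2octets(bits2int(h1) % Q)
    v, key = b"\x01" * 32, b"\x00" * 32
    for sep in (b"\x00", b"\x01"):          # absorb the key and the hash twice
        key = _mac(key, v + sep + seed)
        v = _mac(key, v)
    while True:                              # draw candidates until one is in [1, q-1]
        t = b""
        while len(t) * 8 < QLEN:
            v = _mac(key, v)
            t += v
        k = bits2int(t)
        if 1 <= k < Q:
            return k
        key = _mac(key, v + b"\x00")        # out of range: re-key and retry
        v = _mac(key, v)


if __name__ == "__main__":
    # Constructed test key, not a real secret.
    d = 0x1F2E3D4C5B6A79881F2E3D4C5B6A79881F2E3D4C5B6A79881F2E3D4C5B6A7988
    for m in (b"message one", b"message two", b"message one"):
        print(m, hex(deterministic_k(d, m)))
```

Because k depends on both the key and the message hash, two different messages get different k values without relying on the RNG at signing time, while signing the same message twice yields the same k and therefore the same signature.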