by djao
797 days ago
Schnorr wouldn't have helped in this specific case, since Schnorr is equally vulnerable to biased nonces (https://ecc2017.cs.ru.nl/slides/ecc2017-tibouchi.pdf). EdDSA, which is essentially deterministic Schnorr, does solve the problem. Also, the use of P-521 didn't specifically cause the vulnerability, but the bad interaction between SHA512 and P-521 did play a role. It is unfortunate that nature conspired against us to make 2^511 - 1 a composite number. The fact that you have to go up to 521 bits to get a Mersenne prime whereas the natural target length for a hash output is 512 bits is the fatal interaction here.
(And indeed, nature could have been kinder to us and given us a Mersenne between 127 and 521...)
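An added illustration of the SHA-512/P-521 interaction described in the comment above (example code written for this page, not the commenter's own). It assumes the nonce is obtained by reducing a hash output modulo the P-521 group order n, and uses constructed seeds; it measures how many top bits of the nonce can never be set, which is the bias that the linked slides discuss, and shows the wide-reduction remedy.

```python
import hashlib

# Group order n of NIST P-521 as published in FIPS 186-4 / SEC 2 (public constant):
# 0x01FF FFFFFFFF ... FFFFFFFA 51868783 ... 91386409, a 521-bit value just below 2^521.
N_P521 = int(
    "01" + "F" * 65 + "A"
    + "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)


def nonce_from_sha512(seed: bytes) -> int:
    # Naive derivation: one 512-bit hash output reduced mod n. Because n > 2^512,
    # the reduction changes nothing and bits 512..520 of the nonce are always 0.
    return int.from_bytes(hashlib.sha512(seed).digest(), "big") % N_P521


def nonce_from_wide_hash(seed: bytes) -> int:
    # Remedy: derive far more bits than n has (here 1024 bits from two SHA-512
    # calls with distinct domain-separation prefixes) before reducing mod n,
    # so the distance from the uniform distribution is on the order of 2^-500.
    wide = (hashlib.sha512(b"\x00" + seed).digest()
            + hashlib.sha512(b"\x01" + seed).digest())
    return int.from_bytes(wide, "big") % N_P521


def unused_top_bits(nonces, width=None) -> int:
    # Number of leading bit positions (of a `width`-bit value) that are zero in
    # every nonce. Any positive result is a structural nonce bias.
    width = width or N_P521.bit_length()
    combined = 0
    for k in nonces:
        combined |= k
    return width - combined.bit_length()


def demo(samples: int = 256):
    seeds = [i.to_bytes(4, "big") for i in range(samples)]  # constructed seeds
    naive = unused_top_bits(nonce_from_sha512(s) for s in seeds)
    wide = unused_top_bits(nonce_from_wide_hash(s) for s in seeds)
    return naive, wide


if __name__ == "__main__":
    naive, wide = demo()
    print(f"top bits never set: SHA-512 mod n -> {naive}, 1024-bit hash mod n -> {wide}")
```

With 256 samples the naive derivation leaves 9 top bits permanently zero, while the wide derivation leaves none.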