Bitcoin Forum

Bitcoin => Armory => Topic started by: donttrustverify1 on March 24, 2021, 08:22:52 AM



Title: Safe to sign multiple messages with Armory not using RFC6979
Post by: donttrustverify1 on March 24, 2021, 08:22:52 AM
Hello,
Is it safe to sign multiple messages using the same bitcoin address with Armory? Each signature produced is different (I am assuming that RFC6979 is not enabled). Can we trust Armory's random k generation? If someone knew the signed messages, would it be possible to derive the private key? ty


Title: Re: Safe to sign multiple messages with Armory not using RFC6979
Post by: goatpig on March 24, 2021, 11:02:33 AM
Quote
I am assuming that RFC6979 is not enabled

It's on by default in 0.96.5. You can turn it on with a command line argument in the versions that support it:

https://github.com/goatpig/BitcoinArmory/blob/master/armoryengine/ArmoryUtils.py#L125

Quote
Each signature produced is different

For the same transaction? An RFC6979 signer will only yield the same (R, S) when signing the same message. When generating a "legacy" ECC signature, you have to make sure you never reuse the same R (regardless of the message).

Quote
Can we trust Armory's random k generation?

You already trust it to generate your wallets.

Quote
If someone would know the signed messages, would it be possible to derive the private key? ty

If you present someone with 2 validly signed messages, both of which have the same R but a different S, he can reveal your private key. That aside, I remember some talk ages ago where the claim was made that you can leak bits of the private key when analyzing several signatures, but we're talking hundreds or thousands of sigs to leak a single bit. You'd have to dig that one up on your own, can't remember much more.

To generally answer your question: no.


Title: Re: Safe to sign multiple messages with Armory not using RFC6979
Post by: donttrustverify1 on March 24, 2021, 01:25:28 PM
Thank you for your reply.

About RFC6979 being on by default on Windows: using the latest Armory version (0.96.5), each signature is different, both with a newly generated wallet and with an old wallet.

With the argument "--enable-detsign" added to the shortcut, this does not change the behavior of Armory and continues to generate new signatures each time.

Is there another way to do it? ty


Title: Re: Safe to sign multiple messages with Armory not using RFC6979
Post by: goatpig on March 24, 2021, 06:39:47 PM
Quote
each signature is different

You need to elaborate on this.


Title: Re: Safe to sign multiple messages with Armory not using RFC6979
Post by: donttrustverify1 on March 25, 2021, 06:54:35 AM
Quote
each signature is different

You need to elaborate on this.

When signing with the same address and the same message, different signatures appear, as below:

HMVYgVEWUrQBS3smivNZsNpvVvISDpd+R2diIDMH2oqJfKToo9IrkAkrdnAP3xEc2GRfkEjyWwkG6A+SB8JuLrY=

G7Yu0tzrcroQWcXYjCUZMPFH+5G5EvxhfNQHouSk2KjNYWbmU2yROb5x/trFxrhSNzSvlCCVJAUFLU1K/M8Ql0A=

HIRGOvcVxG1ebcl7hSXMh0U7A2+A9ywt2SM9mfgu9GXDDYNDVABjahnZIOiGFXpcF+7IRnyeXpgmlqMXHSjkLP0=

All of the signatures are shown as valid in the "verify bare signature" tab.


Title: Re: Safe to sign multiple messages with Armory not using RFC6979
Post by: goatpig on March 25, 2021, 05:18:49 PM
Quote
When signing with the same address and the same message,

Wait so you're not signing a transaction but a message? That algo is different and doesn't use the same code as tx signing.

It's all in jasvet.py (https://github.com/goatpig/BitcoinArmory/blob/master/jasvet.py)

This is some old code that neither etotheipi nor I had anything to do with, it was taken from another dev, we only replaced the RNG with CryptoPP's instead of Python's shitty one. It signs using some python routines and we didn't modify it to support deterministic k generation when that was done for tx sigs.

https://github.com/goatpig/BitcoinArmory/blob/master/jasvet.py#L45
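As an added illustration (not code from Armory or jasvet.py) of the two points made in this thread: goatpig's warning that two valid signatures sharing the same R but different S expose the key, and the RFC6979 deterministic k that Armory uses for tx signing but not for message signing. The block implements RFC 6979 nonce derivation for secp256k1 and a check that flags shared R values across the compact message signatures donttrustverify1 posted; the "Bitcoin Signed Message" envelope hash helper and the sample message are assumptions, not taken from the page.

```python
import base64, hashlib, hmac

# secp256k1 group order (the curve Bitcoin uses)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def bitcoin_message_hash(msg: bytes) -> bytes:
    """Double-SHA256 of the standard signed-message envelope (assumed helper; msg < 253 bytes)."""
    assert len(msg) < 0xFD, "longer messages need a multi-byte varint length"
    data = b"\x18Bitcoin Signed Message:\n" + bytes([len(msg)]) + msg
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def rfc6979_k(priv: int, h1: bytes) -> int:
    """Deterministic nonce k per RFC 6979 (HMAC-SHA256) for a 32-byte message hash."""
    x = priv.to_bytes(32, "big")
    hm = (int.from_bytes(h1, "big") % N).to_bytes(32, "big")  # bits2octets(h1)
    v, k = b"\x01" * 32, b"\x00" * 32
    k = hmac.new(k, v + b"\x00" + x + hm, hashlib.sha256).digest()
    v = hmac.new(k, v, hashlib.sha256).digest()
    k = hmac.new(k, v + b"\x01" + x + hm, hashlib.sha256).digest()
    v = hmac.new(k, v, hashlib.sha256).digest()
    while True:  # draw candidates until one lands in [1, N-1]
        v = hmac.new(k, v, hashlib.sha256).digest()
        cand = int.from_bytes(v, "big")
        if 1 <= cand < N:
            return cand
        k = hmac.new(k, v + b"\x00", hashlib.sha256).digest()
        v = hmac.new(k, v, hashlib.sha256).digest()

def parse_compact_sig(sig_b64: str):
    """Split a base64 signed-message signature (65 bytes) into (header, r, s)."""
    raw = base64.b64decode(sig_b64)
    if len(raw) != 65:
        raise ValueError("compact signature must be 65 bytes")
    return raw[0], int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:], "big")

def find_reused_r(sigs):
    """Return (i, j) index pairs of signatures that share the same R; empty means no reuse."""
    seen, reused = {}, []
    for i, sig in enumerate(sigs):
        r = parse_compact_sig(sig)[1]
        if r in seen:
            reused.append((seen[r], i))
        else:
            seen[r] = i
    return reused

# The three signatures posted above: same key, same message, random k each time.
SAMPLE_SIGS = [
    "HMVYgVEWUrQBS3smivNZsNpvVvISDpd+R2diIDMH2oqJfKToo9IrkAkrdnAP3xEc2GRfkEjyWwkG6A+SB8JuLrY=",
    "G7Yu0tzrcroQWcXYjCUZMPFH+5G5EvxhfNQHouSk2KjNYWbmU2yROb5x/trFxrhSNzSvlCCVJAUFLU1K/M8Ql0A=",
    "HIRGOvcVxG1ebcl7hSXMh0U7A2+A9ywt2SM9mfgu9GXDDYNDVABjahnZIOiGFXpcF+7IRnyeXpgmlqMXHSjkLP0=",
]
```

Running `find_reused_r(SAMPLE_SIGS)` on the posted signatures returns an empty list, which is the expected outcome for a working RNG; with RFC 6979 the same key and message would instead yield one identical signature every time.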