Some RNG improvments#3
Conversation
- Seed jsbn rng with the CSPRNG when available - Use H(message||privkey||random) for picking K for signatures
|
I actually think that it would be better to just implement RFC6979, as I On 11/26/2013 11:21 PM, Nadav Ivgi wrote:
|
|
I'll look into implementing that. Perhaps you can merge the other change (seeding jsbn with the browser/node's csprng) in the meanwhile? It'll highly improve the randomness over the current state, where its based solely on Math.random() and Date.now(). |
H(message||privkey||random)for picking K for signaturesUsing
H(message||privkey||random)ensures that K is always unique (since its based on the transaction hash) and that it contains data that is hard for an attacker to guess (since it contains the private key). This is the recommend way to generate K values, and is how bitcoin-qt does that. The random data is not really necessary, but can't really hurt either.I actually think that its better to get rid of jsbn's rng and always use window.crypto's getRandomValues() or nodejs's randomValues(), and refuse to work at all if neither of those are available - but that's quite an extreme change and will break compatibility with some browsers. If you're okay with doing that, I'll send a new pull request.