Topic: For Crypto Experts: Removing random numbers from the mix? (Read 649 times)

full member
Activity: 137
Merit: 100
It isn't released yet, but Electrum 1.9 will support RFC 6979 deterministic signatures and BIP32 deterministic wallets. The only thing it'll rely on random numbers for is the initial seeding of a new wallet.

Hopefully most other Bitcoin wallets (especially the ones for mobile devices) will take the same approach, it's safer than relying on random number generators that might not be strong enough for cryptographic use.
legendary
Activity: 980
Merit: 1004
Firstbits: Compromised. Thanks, Android!
Ars Technica had an interesting article, a basic primer on ECC.

http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

In the comments, someone made a statement that I found surprising, considering it seems like a no-brainer.


Quote from: makomk
Quote
The ECDSA digital signature has a drawback compared to RSA in that it requires a good source of entropy. Without proper randomness, the private key could be revealed.

Interestingly enough, this doesn't have to be the case. While traditional ECDSA does rely on a good source of randomness, it's possible to modify it so that signing is entirely deterministic, yet it's still secure and the resulting signatures are still accepted by all existing ECDSA implementations. Loosely speaking, the trick is to hash the private key and the message hash being signed together with something like SHA-256 and use the result as k instead of a random value (I'm omitting some important details).

This is generally believed secure because it's unlikely two distinct signatures will have the same k, and it shouldn't be possible for an attacker to use the way k is generated to guess it unless they already know the target's private key anyway.

Is this possible to implement in Bitcoin? Would it work? Can we actually leave behind reliance on random numbers and, by relying more on fewer algorithms (SHA-256 in particular here), reduce potential problem spots? Or is there some problem with this method that the poster wasn't aware of?
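As an added example (not code from this thread, from makomk, or from Electrum), here is the nonce derivation makomk sketches, written out the way RFC 6979 specifies it for secp256k1 with HMAC-SHA256. It assumes the message is hashed with SHA-256 before the nonce is derived, which is how the widely published secp256k1 test vector (private key 1, message "Satoshi Nakamoto") is defined.

```python
import hashlib
import hmac

# Order of the secp256k1 curve used by Bitcoin; a valid nonce k lies in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
RLEN = 32  # N is 256 bits wide, so integers are encoded as 32 big-endian bytes


def _hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def rfc6979_k(privkey: int, h1: bytes) -> int:
    """Derive the ECDSA nonce k from the private key and the 32-byte message hash h1
    with the HMAC-SHA256 construction of RFC 6979 section 3.2. Because the hash
    length equals the bit length of N, bits2int is a plain big-endian decode."""
    x = privkey.to_bytes(RLEN, "big")                          # int2octets(privkey)
    z = (int.from_bytes(h1, "big") % N).to_bytes(RLEN, "big")  # bits2octets(h1)
    v = b"\x01" * 32
    k = b"\x00" * 32
    k = _hmac_sha256(k, v + b"\x00" + x + z)
    v = _hmac_sha256(k, v)
    k = _hmac_sha256(k, v + b"\x01" + x + z)
    v = _hmac_sha256(k, v)
    while True:
        # One 32-byte block of HMAC output already covers a 256-bit order.
        v = _hmac_sha256(k, v)
        candidate = int.from_bytes(v, "big")
        if 1 <= candidate < N:
            return candidate
        # Out of range (vanishingly rare): refresh K and V and try again.
        k = _hmac_sha256(k, v + b"\x00")
        v = _hmac_sha256(k, v)


def signing_nonce(privkey: int, message: bytes) -> int:
    """Nonce for signing `message`: SHA-256 the message, then derive k from key and hash."""
    return rfc6979_k(privkey, hashlib.sha256(message).digest())


if __name__ == "__main__":
    k1 = signing_nonce(1, b"Satoshi Nakamoto")
    k2 = signing_nonce(1, b"Satoshi Nakamoto")
    k3 = signing_nonce(1, b"Satoshi Nakamotp")  # one byte changed in the message
    print(hex(k1))
    print("same key and message give the same k:", k1 == k2)
    print("a different message gives a different k:", k1 != k3)
```

The same key and message always yield the same k, so no RNG is consulted at signing time, while any change to the message or key changes k unpredictably to anyone who does not hold the private key.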