You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I'm a student of Nadia's and changed the ECDSA-HNP code to work for arbitrary (not necessarily 0) leaked MSBs or LSBs. The main changes are the lattice construction, predicate checks, and input formatting. The CLI still works the same.
The zero-MSB sampling code lives on in the ecdsa.sample_msb_zero() function, which is still the default for benchmarking, estimation, etc. It is really only the solve functionality that I changed, although the sampling could be changed elsewhere if it's useful.
Let me know if anything in particular deserves more explanation or documented tests. We thought it'd be useful enough to merge so people don't have to work out the lattice changes themselves.
Regarding klen and nonce, my intention was to distinguish between the full nonce (nonce and nlen) and the unknown part of the nonce (k and klen). The distinction did not matter when the known bits were all MSB zeroes.
I agree it is a bit confusing. k usually refers to the nonce in ECDSA but it also refers to the HNP secret in the paper, which are now two separate things. The way I set it up was such that for MSBs, nonce = MSBs + k and for LSBs, nonce = 2^t * k + LSBs. This seemed to be a decent way to change as little as possible and ensure that the past experiments over k still refer to the same thing.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I'm a student of Nadia's and changed the ECDSA-HNP code to work for arbitrary (not necessarily 0) leaked MSBs or LSBs. The main changes are the lattice construction, predicate checks, and input formatting. The CLI still works the same.
The zero-MSB sampling code lives on in the
ecdsa.sample_msb_zero()function, which is still the default for benchmarking, estimation, etc. It is really only thesolvefunctionality that I changed, although the sampling could be changed elsewhere if it's useful.Let me know if anything in particular deserves more explanation or documented tests. We thought it'd be useful enough to merge so people don't have to work out the lattice changes themselves.