> You shouldn’t rely on these claims, because even 1 bit of bias on a 256 bit nonce value can be enough to attack certain cryptographic schemes!

This seems like a very high bar for a random generator to clear. It also raises a question: would using a larger nonce size actually increase risk, if the additional bits were biased?



It seems like the general case answer is "no, using a larger nonce does not increase risk".

Otherwise an attacker could just imagine that instead of a 256-bit nonce, the nonce was actually 257 bits long but the first bit is always 0.


With some schemes, like ECDSA, you can't use a larger nonce since the nonce is a field element.

In general, you shouldn't need to worry about it unless you're using a broken CSPRNG or a bad cryptography library. And some libraries will try and work around bad RNGs: https://cs.opensource.google/go/go/+/refs/tags/go1.19.1:src/...
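As an added illustration of the kind of RNG workaround the comment above refers to (this is example code, not any commenter's and not the Go library's own implementation; the HMAC-based "hedged" derivation, the constructed 1-bit-biased RNG, and the use of the secp256k1 group order as the modulus are assumptions chosen for the demonstration), the block below compares a nonce taken straight from a biased RNG with a nonce that mixes the private key and message hash into the RNG output before rejection-sampling it into the field:

```python
import hashlib
import hmac
import os

# Order of the secp256k1 group (a public curve constant); an ECDSA nonce must lie in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def biased_rng(nbytes: int) -> bytes:
    """Constructed stand-in for a broken RNG: it always clears the top bit of the
    first byte, i.e. exactly 1 bit of bias on a 256-bit output."""
    buf = bytearray(os.urandom(nbytes))
    buf[0] &= 0x7F
    return bytes(buf)


def naive_nonce(rng=os.urandom, order: int = N) -> int:
    """Nonce taken straight from the RNG and reduced mod the group order.
    Any bias in the RNG is passed through unchanged into k."""
    return int.from_bytes(rng(32), "big") % order


def hedged_nonce(priv_key: bytes, msg_hash: bytes, rng=os.urandom, order: int = N) -> int:
    """Hedged nonce (assumed construction): mix the private key, the message hash and
    RNG output through HMAC-SHA256 (a PRF keyed by the secret), then rejection-sample
    into [1, order-1]. If the RNG is biased or even constant, k stays unpredictable to
    anyone who does not hold priv_key; if the RNG is good, k also varies per signature."""
    entropy = rng(32)
    counter = 0
    while True:
        data = msg_hash + entropy + counter.to_bytes(4, "big")
        k = int.from_bytes(hmac.new(priv_key, data, hashlib.sha256).digest(), "big")
        if 1 <= k < order:
            return k
        counter += 1  # reject out-of-range candidates instead of reducing mod order


def top_bit_fraction(nonce_fn, samples: int = 2000) -> float:
    """Fraction of generated nonces whose bit 255 is set: close to 0.5 for a nonce
    that is uniform in [1, N-1], exactly 0.0 for one that inherits the 1-bit bias."""
    return sum((nonce_fn() >> 255) & 1 for _ in range(samples)) / samples


if __name__ == "__main__":
    key = os.urandom(32)  # constructed private-key stand-in
    h = hashlib.sha256(b"constructed message").digest()
    print("naive  top-bit fraction:", top_bit_fraction(lambda: naive_nonce(biased_rng)))
    print("hedged top-bit fraction:", top_bit_fraction(lambda: hedged_nonce(key, h, biased_rng)))
```

The point of the measurement is visible in the two numbers: the naive nonce never has its top bit set, so the RNG's single biased bit lands directly in k, while the hedged nonce looks uniform because the bias is absorbed by the keyed hash. Rejection sampling rather than a plain `% order` is used so the derivation itself adds no modulo bias; with a 256-bit order this rejects almost never, but it keeps the range of k honest for smaller orders too.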