From 969a5d94f2516245a77245cf815f3351cd991b02 Mon Sep 17 00:00:00 2001
From: Luke Parker
Date: Fri, 24 Feb 2023 06:16:22 -0500
Subject: [PATCH] 3.6.1 Document rejection of zero nonces

---
 crypto/frost/src/curve/mod.rs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/crypto/frost/src/curve/mod.rs b/crypto/frost/src/curve/mod.rs
index c1d95bb0..14ceb91d 100644
--- a/crypto/frost/src/curve/mod.rs
+++ b/crypto/frost/src/curve/mod.rs
@@ -77,6 +77,12 @@ pub trait Curve: Ciphersuite {
     let mut repr = secret.to_repr();
 
+    // Perform rejection sampling until we reach a non-zero nonce
+    // While the IETF spec doesn't explicitly require this, generating a zero nonce will produce
+    // commitments which will be rejected for being zero (and if they were used, leak the secret
+    // share)
+    // Rejection sampling here will prevent an honest participant from ever generating 'malicious'
+    // values and ensure safety
     let mut res;
     while {
       seed.extend(repr.as_ref());