Re: Alleged recovery of PS3 ECDSA private key from signatures



Francois Grieu wrote:
> there is a serious bug in the signature-production code
> that was used to produce ECDSA signatures for the PS3:
> the same secret random was reused in several signatures,

There's some interesting discussion about that failure here:
http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/
« Each key (for each different type of loader) seems to have an associated random number ‘m’ — the numbers follow no pattern, but they are consistent between different signatures on different versions of the same loader — almost as if they treated ‘m’ as one of the parameters of the key. Any idea what error in understanding might have caused that? »

If I understand correctly this means Sony decided they were smart enough to reimplement their own version of ECDSA from scratch.
Famous last words.

This being said, the weakness of DSA/ECDSA with regard to weak random generators is a real drawback of that algorithm that is usually very little talked about. The above article contains some really interesting discussion about that and how Sony are *not* the first ones to be bitten hard by this. Not only is a fully predictable K broken, but so are the cases where a few bits of K are predictable (once enough signatures have been generated).

The DSA Wikipedia entry compares this to the problems when you use RSA badly, but AFAIK none of the errors you can make with RSA will reveal your private key, so IMO that problem is really at a different scale.