Statement on the “Biased Nonce Sense” Paper

In the cryptography industry, it is well known that using repeated or insufficiently random "nonces" (also called "k" values) in ECDSA digital signatures carries security risks. A new research paper authored by Joachim Breitner and Nadia Heninger discloses a more serious attack than was previously known on signatures with imperfect nonces.

The vulnerability comes from defects in software that signs transactions that are subsequently submitted to systems that use secp256k1 signatures -- including Bitcoin, Ethereum, XRP Ledger and dozens of other distributed ledger technologies. This vulnerability is not present in the core software that operates these blockchains / distributed ledgers.

For several years, the widely agreed-upon industry recommendation has been to use deterministic nonces as described in RFC 6979 when generating signatures for any of these systems. Those who use exclusively deterministic nonces (or use Ed25519 keys) are not vulnerable to this attack. The signing software in the rippled and ripple-lib packages published by Ripple from August 2015 onward always uses deterministic nonces.
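As an added illustration (not code from rippled, ripple-lib or the paper), the sketch below derives the nonce the way RFC 6979 section 3.2 specifies, using HMAC-SHA256 and the secp256k1 group order. The function name `rfc6979_nonce` and the sample key are constructed for this example.

```python
import hashlib
import hmac

# Group order of secp256k1 (public curve parameter).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def rfc6979_nonce(priv: int, msg: bytes, q: int = SECP256K1_N) -> int:
    """Derive the ECDSA nonce k per RFC 6979 section 3.2 with HMAC-SHA256."""
    qlen = q.bit_length()
    rolen = (qlen + 7) // 8

    def bits2int(b: bytes) -> int:
        v = int.from_bytes(b, "big")
        excess = len(b) * 8 - qlen
        return v >> excess if excess > 0 else v

    def mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    h1 = hashlib.sha256(msg).digest()
    # int2octets(private key) || bits2octets(message hash)
    seed = priv.to_bytes(rolen, "big") + (bits2int(h1) % q).to_bytes(rolen, "big")

    v = b"\x01" * 32
    key = b"\x00" * 32
    key = mac(key, v + b"\x00" + seed)
    v = mac(key, v)
    key = mac(key, v + b"\x01" + seed)
    v = mac(key, v)

    while True:
        t = b""
        while len(t) * 8 < qlen:
            v = mac(key, v)
            t += v
        k = bits2int(t)
        if 1 <= k < q:  # reject out-of-range candidates instead of reducing mod q
            return k
        key = mac(key, v + b"\x00")
        v = mac(key, v)


if __name__ == "__main__":
    sample_key = 0x1234  # constructed sample key, never use for real funds
    for m in (b"payment 1", b"payment 2", b"payment 1"):
        print(m, hex(rfc6979_nonce(sample_key, m)))
```

The nonce depends only on the private key and the message, so signing never consumes output from a random number generator, and out-of-range candidates are rejected and regenerated rather than reduced modulo the group order, which would skew the distribution.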

FAQ