Nonce in Cryptography: Nonce Covert Channel Attack

Blog_nonce.png

While some believe "nonce" stands for "number used once," its origin is more likely in Middle English, where "nonse" refers to a single occasion or instance. 

The nonce plays a crucial role in guaranteeing the uniqueness of each block's hash, which serves as a cryptographic fingerprint and identifier for the block. This hash is fundamental to the growth of the blockchain. Miners can manipulate hash values and potentially solve mathematical problems for creating new blocks by adjusting the nonce.

The value of nonces in crypto mining

Blockchain mining based on the proof-of-work consensus algorithm involves network nodes solving mathematical problems to add new blocks to the chain.

If we "look inside" a block to see its contents, we'll find a block header and a list of transactions. The block header contains:

  • the hash of the previous block;
  • the Merkle root hash (hashed transactions);
  • a timestamp;
  • the mining difficulty (a target number that is regularly adjusted so that the hash value of the block header is equal to or below it);
  • the nonce.

To add a block to the chain, miners don't just need to calculate its hash. They need to do so in such a way that the result meets the difficulty criterion determined by the network. Without this, blocks would be added too quickly (hash calculation is a fairly simple operation), and the network wouldn't be able to reach consensus in time.

The nonce is used to avoid this "excess speed." When receiving a block, the miner adds it to the hash and calculates the hash of the resulting "set." If the result doesn't match the value set by the difficulty target, the miner changes the nonce value and recalculates the hash.

This approach requires the network nodes to have quite a lot of computing power, as miners need to sort through literally billions of nonces to find the correct one.

When the correct nonce value is found, the required hash sum is obtained, and the block is created. It is then shared with the network so that it can be checked by other miners and, if there are no errors, added to the blockchain. The miner who created the new block receives a reward.

Nonces primarily aim to prevent the generation of identical hashes when encrypting the same plaintext multiple times with the same private key. This mitigates the risk of an eavesdropper gaining insights through frequency analysis. But what happens if this nonce is not random? Let's look at how the nonce is calculated.

Nonce covert channel attack

The main technology supporting the top two cryptocurrencies, Bitcoin and Ethereum, is the elliptic curve digital signature algorithm (ECDSA). 

ECDSA is a method for creating digital signatures to prove ownership of your crypto assets. Each signature serves as proof of two things:

  1. You own a private key. Each private key is linked to a public key. Your crypto "address" is essentially a short version of this public key. 
  2. You used your private key to sign a specific message (transaction).

ECDSA operates on the principle that it's easy to generate a public key from a private key, but it's almost impossible to derive a private key from a public key. However, there are certain limited conditions under which you can use a transaction's signature to decrypt the private key. It might get a bit technical, but we'll explain it.

To generate signatures, ECDSA uses a private key (d), a random number (k), and the hash of a message (h). It combines these with Q, the public key linked to the private key (d), and two standardized numbers in the ECDSA algorithm, G and n. These elements work together in a specific algorithm to compute a digital signature.

r = k * G mod n

s = {h + d * r}/{k} mod n

The Nonce value

The random number k in ECDSA signatures is crucial, and it must remain confidential, being used only once. This is why it's also referred to as a nonce. Suppose an attacker discovers the nonce used for a specific signature. In that case, they can uncover the private key used for signing that message. Through some algebra, the following formula can be derived.

d = (s*k-h)*r^(-1)  mod n

Likewise, if a nonce is reused for two distinct signatures, the private key used for signing those signatures becomes vulnerable. Once more, through some algebra, we can deduce the nonce used from the following equation.

k = (h1-h2)*(s1-s2)^(-1) mod n

How can you detect nonce reuse?

Remember the formula for generating r in the ECDSA algorithm: r = k * G mod n. Since G and n are constants, the only variable changing between signatures is k, the random number. Therefore, if k is reused for two messages, their signatures will share the same r. This is why k should never be reused.

Knowing this, we can identify reused ECDSA nonces in Ethereum transactions by looking for two transactions from the same account with the same r but different s values.

How Tangem Wallet protects you from the Nonce covert channel attack

The nonce for ECDSA is generated in a certified (CC EAL5+) library from Samsung using a certified hardware true random number generator; we can't influence the nonce in any way — we can't even recognize it.

If a wallet is created without a seed phrase, the same TRNG module and the same certified libraries are used to generate private keys. This applies to all types of Tangem Wallet when there is no seed phrase (the recommended option). In this scenario, everything happens inside the card (the TRNG module is part of the chip), and no external data is used. ECDSA nonce never leaves the Tangem card and is kept secret.

Nonce in blockchain explorer

The nonce in a transaction is just a coincidence in naming. It's the transaction's sequence number (visible in any blockchain explorer), used to protect against replay attacks (the possibility of repeating the same transaction) in the blockchain. It is part of the data that is signed in the transaction. Therefore, it simply depends on the number of previous transactions and is derived from the current state of the blockchain, unrelated to the TRNG and the Tangem card.

Single addresses in Tangem Wallet

While not reusing addresses can make nonce reuse not a problem for Bitcoin and other UTXO-based blockchains, it doesn't solve the issue generally. Account-based blockchains like Ethereum are designed for use with a single key pair, and they still have the same nonce in ECDSA signatures while having completely different nonce used to protect from transaction replay. So these types of blockchains require proper nonce generation anyway.


With Tangem Wallet's proper TRNG, you shouldn't worry about it accidentally generating the same nonce twice. The probability is similar to someone accidentally generating the same private key as yours — it's effectively impossible.