(a) Ruhr strikes again.

(b) This is one of the all-time great cryptography footguns: not filling the ECDSA modulus.

Couldn't be any more thrilled.

https://www.openwall.com/lists/oss-security/2024/04/15/6

oss-security - CVE-2024-31497: Secret Key Recovery of NIST P-521 Private Keys Through Biased ECDSA Nonces in PuTTY Client

Sean's writeup of the mechanics of this attack in his Cryptopals set 8 is *so good*.

https://cryptopals.com/sets/8/challenges/62.txt

The big thing here is a programmer-brain impedance mismatch.

You need a cryptographically random 521-bit modulus to work P-521. Your libraries easily generate 512-bit moduli. 512 bits seems essentially as cryptographically unguessable as 521 bits. If these were, like, AES keys, the distinction would not matter.

But it matters a fuckload in asymmetric cryptography, because 521-512 leaves 9 bits biased to 0, which over a collection of signatures lets you set up a linear algebra problem to recover the secret key.
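Here is the attack from the post worked through end to end, as an added example (my code, not PuTTY's, and not from the advisory or the Cryptopals challenge). The value at issue is the per-signature ECDSA nonce k: PuTTY produced it with 512 bits against P-521's 521-bit group order, so its top 9 bits were always zero. Each signature (r, s) on a hash h satisfies k = s^-1·h + s^-1·r·d (mod n), and a nonce known to be small turns that relation into a hidden number problem that lattice reduction solves. Everything below is shrunk so it runs in plain Python in a few seconds: a constructed toy curve y^2 = x^3 + x over F_p with p = 4q - 1 (its order-q subgroup, about 20 bits, stands in for P-521's n), nonces with the top 8 bits zero instead of 9, and 8 signatures instead of the several dozen the real attack needs. The lattice construction and the LLL step are the same at full scale, only larger, and there you would use a real LLL implementation rather than the textbook one here.

```python
# Added example (mine, not PuTTY's or the advisory's code): the biased-nonce attack
# on ECDSA, shrunk so plain Python runs it.  Curve: y^2 = x^3 + x over F_p, p = 4q - 1.
from fractions import Fraction
import hashlib, random
BIAS = 8                           # nonce bits that are always zero (PuTTY: 521 - 512 = 9)
is_prime = lambda n: n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))
q = 1 << 20                        # toy group order (P-521's n has 521 bits)
while not (is_prime(q) and is_prime(4 * q - 1)):
    q += 1
p = 4 * q - 1                      # the curve then has 4q points; p = 3 mod 4
K = 1 << (q.bit_length() - BIAS)   # every flawed nonce satisfies 1 <= k < K

def ec_add(P, Q):                  # affine addition; None is the point at infinity
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1 + 1, 2 * y1) if x1 == x2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(k, P):
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

for x in range(1, p):              # take a curve point and clear the cofactor 4
    rhs = (x ** 3 + x) % p
    if pow(rhs, (p - 1) // 2, p) == 1:          # rhs is a square; p = 3 mod 4 gives the root
        G = ec_mul(4, (x, pow(rhs, (p + 1) // 4, p)))
        if G is not None:
            break

def sign_biased(d, msg, rng):      # ECDSA with the flawed short nonce
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % q
    while True:
        k = rng.randrange(1, K)    # only bit_length(q) - BIAS bits of entropy
        r = ec_mul(k, G)[0] % q
        s = pow(k, -1, q) * (h + r * d) % q
        if r and s:
            return h, r, s

def lll(basis, delta=Fraction(99, 100)):  # textbook LLL over exact rationals
    b, n, k = [row[:] for row in basis], len(basis), 1
    mu, norms, bstar = [[Fraction(0)] * n for _ in range(n)], [], []
    for i in range(n):             # Gram-Schmidt once; patched incrementally below
        v = b[i][:]
        for j in range(i):
            mu[i][j] = sum(a * c for a, c in zip(b[i], bstar[j])) / norms[j]
            v = [a - mu[i][j] * c for a, c in zip(v, bstar[j])]
        bstar.append(v)
        norms.append(sum(a * a for a in v))
    while k < n:
        for j in range(k - 1, -1, -1):        # size-reduce b_k against b_j
            r = round(mu[k][j])
            b[k] = [a - r * c for a, c in zip(b[k], b[j])]
            for i in range(j):
                mu[k][i] -= r * mu[j][i]
            mu[k][j] -= r
        if norms[k] >= (delta - mu[k][k - 1] ** 2) * norms[k - 1]:  # Lovasz condition
            k += 1
            continue
        b[k - 1], b[k] = b[k], b[k - 1]       # swap; update mu/norms (Cohen, Alg. 2.6.3)
        m_, B_ = mu[k][k - 1], norms[k] + mu[k][k - 1] ** 2 * norms[k - 1]
        mu[k][k - 1] = m_ * norms[k - 1] / B_
        norms[k], norms[k - 1] = norms[k - 1] * norms[k] / B_, B_
        for j in range(k - 1):
            mu[k][j], mu[k - 1][j] = mu[k - 1][j], mu[k][j]
        for i in range(k + 1, n):
            t = mu[i][k]
            mu[i][k] = mu[i][k - 1] - m_ * t
            mu[i][k - 1] = t + mu[k][k - 1] * mu[i][k]
        k = max(k - 1, 1)
    return b

def recover_key(sigs, pubkey):
    # k_i = u_i + t_i*d (mod q) with k_i < K: the vector (k_1..k_m, d*K/q, K) is an
    # abnormally short point of the lattice below (the hidden number problem).
    m = len(sigs)
    t = [r * pow(s, -1, q) % q for _, r, s in sigs]
    u = [h * pow(s, -1, q) % q for h, _, s in sigs]
    basis = [[Fraction(q if i == j else 0) for j in range(m + 2)] for i in range(m)]
    basis.append([Fraction(a) for a in t] + [Fraction(K, q), Fraction(0)])
    basis.append([Fraction(a) for a in u] + [Fraction(0), Fraction(K)])
    for v in lll(basis):
        if abs(v[m + 1]) == K:     # a row ending in +-K carries +-d*K/q (mod q)
            cand = int(v[m] * q / K * (1 if v[m + 1] > 0 else -1)) % q
            if ec_mul(cand, G) == pubkey:
                return cand

def demo(seed=2024, num_sigs=8):   # rule of thumb: more than bit_length(q) / BIAS signatures
    rng = random.Random(seed)
    d = rng.randrange(1, q)
    sigs = [sign_biased(d, b"constructed msg %d" % i, rng) for i in range(num_sigs)]
    return d, recover_key(sigs, ec_mul(d, G))
```

`demo()` returns the true private key and the one recovered from nothing but public signatures. Two practical points carry over to the full-size attack: the number of signatures has to exceed (bits of n) divided by (biased bits), with some margin, which is why 9 bits out of 521 still needs only a few dozen signatures; and the candidate is checked against the public key rather than trusted, because the reduced basis can hold the target vector negated or shifted by a multiple of n (the lattice always contains the short vector (0, ..., 0, K, 0), which corresponds to d + n).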

@tqbf "programmer-brain impedance mismatch" is an incredibly pretentious way to say something incredibly simple. Don't pretend like mathematics is some sort of fucking lost art only interpretable by the chosen divine messengers; that does not at all help anyone to understand how to process this in the future and only contributes to self-esteem issues.
@tqbf Reading posts like this is much more annoying than someone just telling me not to write my own crypto, because they're not telling me I'm "programmer-brained" for something it's implied I would never have thought of myself.