Implement hedged deterministic nonces in Frost signing
cronokirby opened this issue
Right now, we simply generate d_i, e_i randomly when doing Frost signing. This is the only time we use randomness when signing.
One theoretically better way of doing this is to use a deterministic process, taking some optional randomness, to generate the hash using your secret, the context, and the message.
This would protect against bad randomness on one hand, and fault attacks on the other.
There's no current flaw with generating things randomly, but since Frost only needs randomness in this one place, it would be a bit more elegant to switch to hedged determinism.
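As an added illustration of the hedged scheme the issue describes (this is example code written for this page, not code from the original issue or from cronokirby's repository), here is one way to derive d_i, e_i in Go from the secret share, a context string, the message, and optional extra randomness. The HMAC-SHA-512 extract/expand construction, the domain tag, the length-prefixed encoding and the Ed25519-sized group order are all assumptions made for the example; the issue does not pin down any of them.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"fmt"
	"io"
	"math/big"
)

// Assumed prime group order (the Ed25519 / ristretto255 subgroup order).
// The issue does not name a curve, so this is a placeholder choice.
var groupOrder, _ = new(big.Int).SetString(
	"7237005577332262213973186563042994240857116359379907606001950938285454250989", 10)

// Nonces are the per-signer FROST commitment nonces d_i and e_i.
type Nonces struct {
	D, E *big.Int
}

// domainTag is an assumed domain-separation label, not one from any spec.
const domainTag = "example-frost-hedged-nonce-v0"

// writeField prepends a 4-byte big-endian length to each field so that
// adjacent variable-length inputs cannot be re-split into a colliding pair.
func writeField(w io.Writer, field []byte) {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(field)))
	w.Write(n[:])
	w.Write(field)
}

// reduceWide maps 64 uniformly random bytes to a scalar in [0, groupOrder).
func reduceWide(out []byte) *big.Int {
	return new(big.Int).Mod(new(big.Int).SetBytes(out), groupOrder)
}

// HedgedNonces derives (d_i, e_i) from the signer's secret share, the signing
// context (e.g. session id and participant list), the message, and optional
// hedge randomness. With hedge == nil the result is a pure function of the
// other inputs (no dependence on the quality of the RNG); with fresh hedge
// bytes two signings of the same (context, message) still use distinct nonces.
func HedgedNonces(secretShare, context, message, hedge []byte) Nonces {
	// Extract: the secret share is the MAC key, so the public inputs alone
	// never let an observer reproduce the nonces.
	extract := hmac.New(sha512.New, secretShare)
	writeField(extract, []byte(domainTag))
	writeField(extract, context)
	writeField(extract, message)
	writeField(extract, hedge)
	prk := extract.Sum(nil)

	// Expand: one labelled HMAC call per nonce; the counter retries in the
	// astronomically unlikely case that a reduction yields zero.
	derive := func(label byte) *big.Int {
		for ctr := byte(0); ; ctr++ {
			expand := hmac.New(sha512.New, prk)
			expand.Write([]byte{label, ctr})
			if s := reduceWide(expand.Sum(nil)); s.Sign() != 0 {
				return s
			}
		}
	}
	return Nonces{D: derive('d'), E: derive('e')}
}

// NewHedge returns 32 bytes from the OS CSPRNG to use as the hedge input.
func NewHedge() ([]byte, error) {
	h := make([]byte, 32)
	if _, err := rand.Read(h); err != nil {
		return nil, err
	}
	return h, nil
}

// Equal reports whether two nonce pairs are identical.
func (n Nonces) Equal(m Nonces) bool {
	return n.D.Cmp(m.D) == 0 && n.E.Cmp(m.E) == 0
}

func main() {
	// Constructed sample inputs; a real secret share comes from key generation.
	secret := []byte("constructed-secret-share-not-real")
	ctx := []byte("session-42|signers:1,2,3")
	msg := []byte("hello frost")

	a := HedgedNonces(secret, ctx, msg, nil)
	b := HedgedNonces(secret, ctx, msg, nil)
	fmt.Println("deterministic (no hedge) repeats:", a.Equal(b))

	h, _ := NewHedge()
	c := HedgedNonces(secret, ctx, msg, h)
	fmt.Println("hedged run differs from deterministic run:", !a.Equal(c))
}
```

The two properties worth checking in a real implementation are visible here: with no hedge the derivation is repeatable, so a broken RNG cannot weaken the nonces, and because the secret share keys the MAC, an attacker who controls context and message still cannot predict d_i or e_i. The length prefixes matter because context and message are attacker-influenced and variable length; without them, moving bytes between the two fields would produce the same hash input.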