On Tue, 2024-12-17 at 10:15 +0000, Andrew Gallagher via Gnupg-devel wrote:
> On 17 Dec 2024, at 04:21, James Bottomley <[email protected]> wrote:
> >
> > The EC signature nonce must be both unique and unknown (if you know
> > it you can also recover the private key). This means that if you
> > use the message hash as part of a deterministic nonce scheme, you
> > have to mix it with something unknown (like the private key or
> > another random number). The point being that this mixing is an
> > attack point that can be faulted to make nonce re-use much more
> > likely.
>
> In EdDSA, this mixing is done by calculating a digest over (private
> key, message). Is this really a practical attack vector?
All rowhammer type attacks are probabilistic. The probability of
success depends on the length of the target in memory and the time
window to flip the bits.

> How do you introduce a fault that causes a digest algorithm to
> produce a *known* result?

You don't need to. You just need to keep faulting it in a way that
vastly increases the likelihood of collision over time (it's a classic
rowhammer: set as many bits to 1 or 0 as possible in the nonce space).
There's no detectable consequence to the attack and no alteration in
victim behaviour you need to introduce. The probability of success is
linear in the number of signatures produced (giving a vast time window,
which is what makes success likely).

I admit, since you would most need to execute this over the lifetime of
a key and store as many signatures as you can, that it's a nation state
type of attack rather than a quick hacker infiltration one. But these
are also the types of attack we need to guard against.

Regards,

James

> In any case, nobody is claiming that the signature salt is a magic
> bullet.
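The two nonce derivations the thread contrasts, as an added example that is not part of the original messages and not GnuPG code: the pure RFC 8032 style nonce (a digest over the private-key prefix and the message, so the same message always yields the same nonce) beside a hedged variant that mixes in a fresh random value, which is the "another random number" mentioned above. A third function derives the nonce twice and refuses to sign on a mismatch, the cheap countermeasure against a transient glitch in the derivation. The hedged input layout `prefix || Z || M`, the sample key and the fault model are assumptions for illustration only.

```python
import hashlib
import secrets
from typing import Optional

# Ed25519 group order from RFC 8032; the nonce scalar is reduced modulo L.
L = 2**252 + 27742317777372353535851937790883648493

# Constructed sample secret key for the demonstration; not a real key.
SAMPLE_SK = bytes(range(32))


def nonce_prefix(secret_key: bytes) -> bytes:
    """RFC 8032 5.1.5: the upper 32 bytes of SHA-512(sk) are the nonce prefix."""
    return hashlib.sha512(secret_key).digest()[32:]


def deterministic_nonce(secret_key: bytes, message: bytes) -> int:
    """Pure EdDSA: r = SHA-512(prefix || M) mod L. Same inputs, same nonce."""
    h = hashlib.sha512(nonce_prefix(secret_key) + message).digest()
    return int.from_bytes(h, "little") % L


def hedged_nonce(secret_key: bytes, message: bytes, salt: Optional[bytes] = None):
    """Hedged derivation (assumed layout, not a standard): mix a fresh 32-byte
    random Z in as r = SHA-512(prefix || Z || M) mod L. Z is returned so the
    caller can see that re-signing the same message changes r."""
    if salt is None:
        salt = secrets.token_bytes(32)
    h = hashlib.sha512(nonce_prefix(secret_key) + salt + message).digest()
    return int.from_bytes(h, "little") % L, salt


def checked_nonce(secret_key: bytes, message: bytes, derive=deterministic_nonce) -> int:
    """Derive the nonce twice and refuse to sign if the two runs disagree.
    This catches a transient glitch during one derivation; it does not catch
    persistent corruption of the stored prefix, which both runs would share."""
    r1 = derive(secret_key, message)
    r2 = derive(secret_key, message)
    if r1 != r2:
        raise RuntimeError("nonce derivation mismatch; possible fault, not signing")
    return r1


def simulate_transient_fault() -> bool:
    """Constructed fault model: a derivation whose second run returns a
    different value. Returns True if checked_nonce refused to sign."""
    calls = []

    def glitchy(secret_key: bytes, message: bytes) -> int:
        calls.append(1)
        # first call returns the true nonce, second call a flipped copy
        return deterministic_nonce(secret_key, message) ^ (len(calls) - 1)

    try:
        checked_nonce(SAMPLE_SK, b"payment order #42", derive=glitchy)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    m = b"payment order #42"
    same = deterministic_nonce(SAMPLE_SK, m) == deterministic_nonce(SAMPLE_SK, m)
    print("deterministic nonce repeats for same message:", same)
    r_a, _ = hedged_nonce(SAMPLE_SK, m)
    r_b, _ = hedged_nonce(SAMPLE_SK, m)
    print("hedged nonce differs between signings:", r_a != r_b)
    print("double-derivation check caught the glitch:", simulate_transient_fault())
```

The design point is the one made in the thread: with the pure derivation, anything that biases the digest input (the stored prefix, the message buffer) biases every future nonce the same way, so collisions accumulate over the key's lifetime with nothing visible in the signer's behaviour. With a fresh Z per signature, two signings of the same message no longer share a nonce even if the other inputs are identical or corrupted alike. The double-derivation check is only a guard against transient faults; it is blind to a persistent bit flip that both runs read, which is why the hedge, not the check, is the mitigation that addresses the scenario described above.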
_______________________________________________
Gnupg-devel mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-devel
