Adding a nounce before hashing as covert channel
James Bottomley
James.Bottomley at HansenPartnership.com
Fri Dec 13 18:07:21 CET 2024
On Fri, 2024-12-13 at 12:59 +0000, andrewg via Gnupg-devel wrote:
> On 2024-12-12 11:58, Wiktor Kwapisiewicz wrote:
> >
> > On 12.12.2024 11:43, Andrew Gallagher via Gnupg-devel wrote:
> > > It should be noted that the salt in v6 signatures also helps to
> > > protect against fault-based attacks.
> > > See https://eprint.iacr.org/2017/1014
> >
> > I'm not entirely sure that the v6 salt helps in this case - it
> > influences the final digest but the fault attack then operates on
> > that new digest. I've read section 9. Countermeasures and couldn't
> > find any mention of salt being effective.
>
> Fault attacks require the generation of multiple signatures over the
> same message digest. With an unsalted signature, it is sufficient to
> induce a victim to sign the same message twice with the same
> timestamp. With a salted signature, it is vanishingly improbable that
> the same digest will ever be produced.
Hey, that's a bit misleading. For Elliptic Curves a distinct nonce is
a required part of the signature scheme and the weakness is that if two
different messages are ever signed by the same key using the *same*
nonce then the private key can be mathematically recovered. Producing
the same signature for the same message twice is fine: that's why
deterministic signature schemes work. In a fault attack on a
deterministic signature scheme, you try to get the same message signed
twice (so same nonce), but attempt to fault the message or digest
before the second signing so the result is effectively two different
messages signed with the same nonce. On the other hand, for random
nonces, the worry is that weak random number generators or faulting the
rng can also lead to the same nonce being reused, especially if the
signer produces lots of signatures.
The 'Attacking Deterministic Signature Schemes using Fault Attacks'
paper discounts the latter problem in its analysis and concentrates on
the former. However, while the faulted-message attack sounds more
plausible, the same-signature, faulted-second-message attack is only
achievable in a limited timeframe; the timespan for pulling off a
faulted-rng attack is the key lifetime, giving a determined attacker
much more leeway to produce an identical nonce.
The real problem, though, is the Elliptic Curve signature scheme
itself: however the nonce is generated (whether deterministic or random
or a mixture) the scheme is always vulnerable to faulting the nonce to
produce one that was previously used in a signature.
Regards,
James