Adding a nonce before hashing as covert channel

James Bottomley James.Bottomley at HansenPartnership.com
Fri Dec 13 19:59:48 CET 2024


On Fri, 2024-12-13 at 17:28 +0000, andrewg via Gnupg-devel wrote:
[...]
> > However, while the faulted message attack sounds more
> > plausible the same signature faulted second message is only
> > achievable in a limited timeframe, the timespan for pulling off a
> > faulted rng attack is the key lifetime, giving a determined
> > attacker much more leeway to produce an identical nonce.
> 
> In OpenPGP all signatures contain a timestamp, so even if a
> determined attacker was able to generate a large number of signatures
> using a faulty RNG, the timestamp field would keep incrementing. The
> attacker would need to either force a duplicate salt within ~1s, or
> find a hash collision.

I think there may be confusion here: the 'Nonce Reuse in deterministic
ECDSA' section of the paper only presents a special case of the general
problem: The EC signature algorithm requires an input nonce which must
be unique for every signature otherwise the private key can be
recovered mathematically from the two signatures that reused the nonce
provided they were signatures over different messages.  It's not about
whether or not to salt the message and faulting the salt.  I'm making
the point that it's this signature nonce you try to fault to break the
uniqueness guarantee; what you add to the message is irrelevant because
exploiting a duplicate nonce to extract the private key requires the
signed messages to be different anyway.

Regards,

James
