Adding a nounce before hashing as covert channel

[James Bottomley]

On Sat, 2024-12-14 at 10:21 +0000, Andrew Gallagher via Gnupg-devel
wrote:
> On 13 Dec 2024, at 18:59, James Bottomley
> <James.Bottomley at HansenPartnership.com> wrote:
> > 
> > I think there may be confusion here: the 'Nonce Reuse in
> > deterministic
> > ECDSA' section of the paper only presents a special case of the
> > general
> > problem: The EC signature algorithm requires an input nonce which
> > must
> > be unique for every signature otherwise the private key can be
> > recovered mathematically from the two signatures that reused the
> > nonce
> > provided they were signatures over different messages.  It's not
> > about
> > whether or not to salt the message and faulting the salt.
> 
> Correct, that’s not what it’s about. I think perhaps the confusion
> arises because discussion of ECC signatures in the paper uses the
> terminology “Message”, but this “ECC Message” is not the same thing
> as the "OpenPGP Message”. Because OpenPGP applies a pre-hashing stage
> to all signatures, the “Message” passed to the ECC layer is always a
> digest. Salting *this* digest ensures that the ECC nonce is never
> reused, because in deterministic ECC, the nonce is calculated from
> the “ECC Message”, i.e. the OpenPGP digest, which if salted can never
> be the same twice.
> 
> It is therefore not possible to perform the fault attack against a
> salted OpenPGP signature, because faulting a deterministic ECC
> signature requires an attacker to pass the same “ECC message" to the
> signature algorithm twice, and then cause a fault between the
> calculation of the nonce and the calculation of the signature, so
> that the nonce is the same twice but the messages that effectively
> get signed are different. In OpenPGP v6 the nonce can never be the
> same because the input ECC message can never be the same.

The EC signature nonce must be both unique and unknown (if you know it
you can also recover the private key).  This means that if you use the
message hash as part of a deterministic nonce scheme, you have to mix
it with something unknown (like the private key or another random
number).  The point being that this mixing is an attack point that can
be faulted to make nonce re-use much more likely. 

This means it's possible to do fault attacks against *any* EC
signature, regardless of the way the message is salted.

> Bluntly, salting the OpenPGP digest works by forcing nonce uniqueness
> at a high level, regardless of where in the stack below a fault may
> arise.

But not high enough to avoid EC signature nonce faulting because of the
mixing requirement after the digest is obtained.

Regards,

James

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20241216/055e02f4/attachment-0001.sig>