Adding a nounce before hashing as covert channel

Andrew Gallagher andrewg at andrewg.com
Tue Dec 17 11:15:56 CET 2024


On 17 Dec 2024, at 04:21, James Bottomley <James.Bottomley at HansenPartnership.com> wrote:
> 
> The EC signature nonce must be both unique and unknown (if you know it
> you can also recover the private key).  This means that if you use the
> message hash as part of a deterministic nonce scheme, you have to mix
> it with something unknown (like the private key or another random
> number).  The point being that this mixing is an attack point that can
> be faulted to make nonce re-use much more likely.


In EdDSA, this mixing is done by calculating a digest over (private key, message). Is this really a practical attack vector? How do you introduce a fault that causes a digest algorithm to produce a *known* result?

In any case, nobody is claiming that the signature salt is a magic bullet.

A
