Adding a nonce before hashing as covert channel

James Bottomley James.Bottomley at HansenPartnership.com
Tue Dec 17 14:40:28 CET 2024


On Tue, 2024-12-17 at 10:15 +0000, Andrew Gallagher via Gnupg-devel
wrote:
> On 17 Dec 2024, at 04:21, James Bottomley
> <James.Bottomley at HansenPartnership.com> wrote:
> > 
> > The EC signature nonce must be both unique and unknown (if you know
> > it you can also recover the private key).  This means that if you
> > use the message hash as part of a deterministic nonce scheme, you
> > have to mix it with something unknown (like the private key or
> > another random number).  The point being that this mixing is an
> > attack point that can be faulted to make nonce re-use much more
> > likely.
> 
> 
> In EdDSA, this mixing is done by calculating a digest over (private
> key, message). Is this really a practical attack vector?

All rowhammer type attacks are probabilistic.  The probability of
success depends on the length of the target in memory and the time
window to flip the bits.

>  How do you introduce a fault that causes a digest algorithm to
> produce a *known* result?

You don't need to.  You just need to keep faulting it in a way that
vastly increases the likelihood of collision over time (it's a classic
rowhammer: set as many bits to 1 or 0 as possible in the nonce space).
There's no detectable consequence to the attack and no alteration in
victim behaviour you need to introduce.  The probability of success is
linear in the number of signatures produced (giving a vast time window,
which is what makes success likely).  I admit, since you would most
need to execute this over the lifetime of a key and store as many
signatures as you can, that it's a nation state type of attack rather
than a quick hacker infiltration one.  But these are also the types of
attack we need to guard against.

Regards,

James

> In any case, nobody is claiming that the signature salt is a magic
> bullet.
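
The mechanism under discussion, as an added example that is not part of the thread or of GnuPG's code: an EdDSA-style deterministic nonce r = SHA-512(prefix || M) mod L following the RFC 8032 structure, a constructed fault model that pins all but a few bits of the in-memory nonce to zero (no fault is injected; the model only shrinks the effective nonce space so the collision rate can be measured), and a defender-side check that flags the one artefact a nonce collision does leave behind, the same R appearing under two different messages for one key. The point multiplication R = [r]B is replaced by a hash stand-in (an assumption made for this example, justified in the comment) so the script needs only the standard library.

```python
import hashlib
from collections import defaultdict

# Ed25519 group order (RFC 8032); nonces are scalars modulo this value.
L = 2**252 + 27742317777372353535851937790883648493


def expand_seed(seed: bytes) -> tuple:
    """RFC 8032 key expansion: SHA-512(seed) -> (scalar half, nonce prefix)."""
    h = hashlib.sha512(seed).digest()
    return h[:32], h[32:]


def derive_nonce(prefix: bytes, message: bytes) -> int:
    """Deterministic EdDSA-style nonce: r = SHA-512(prefix || M) mod L.
    The secret prefix is the 'unknown' part: without it, anyone who knows
    the message could recompute r."""
    return int.from_bytes(hashlib.sha512(prefix + message).digest(), "little") % L


def faulted_nonce(nonce: int, free_bits: int) -> int:
    """Constructed fault model for this example: every bit of the nonce
    except the low `free_bits` bits is pinned to zero before use. Nothing is
    faulted here; the function only models the shrunken nonce space."""
    return nonce & ((1 << free_bits) - 1)


def commitment(nonce: int) -> bytes:
    """Stand-in for R = [r]B (assumption: a hash instead of the point
    multiplication). Both maps are injective in r, so R collides exactly
    when r does, which is all the reuse check below relies on."""
    return hashlib.sha256(nonce.to_bytes(32, "little")).digest()


def sign_commitments(prefix: bytes, messages, free_bits=None):
    """Return (message, R) pairs for one key; free_bits applies the model."""
    out = []
    for m in messages:
        r = derive_nonce(prefix, m)
        if free_bits is not None:
            r = faulted_nonce(r, free_bits)
        out.append((m, commitment(r)))
    return out


def find_nonce_reuse(records):
    """Defender-side check over signatures observed for one key: the same R
    under two different messages means the nonce was reused. Returns the
    offending (R, [messages]) groups; an empty list means nothing reused."""
    by_r = defaultdict(set)
    for m, R in records:
        by_r[R].add(m)
    return [(R, sorted(ms)) for R, ms in by_r.items() if len(ms) > 1]


def reuse_count(free_bits, n_messages=300, seed=b"\x01" * 32):
    """Number of reused-nonce groups over n_messages distinct messages,
    with the fault model applied when free_bits is not None.
    seed and messages are constructed sample data."""
    _, prefix = expand_seed(seed)
    msgs = [f"message {i}".encode() for i in range(n_messages)]
    return len(find_nonce_reuse(sign_commitments(prefix, msgs, free_bits)))


if __name__ == "__main__":
    # Healthy nonces: 300 messages in a ~2^252 space never collide.
    print("healthy:", reuse_count(None))
    # Nonce pinned to 8 free bits: 300 messages into 256 values must collide.
    print("faulted to 8 free bits:", reuse_count(8))
```

The check in find_nonce_reuse is what a signature archive or CT-style monitor can actually run: it sees only public R values, needs no knowledge of the key, and turns the "no detectable consequence" of the attack into a detectable one once two signatures share an R. The number of collisions grows with the number of signatures collected, which is the same scaling the message describes from the attacker's side.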
