On Fri, 2024-12-13 at 12:59 +0000, andrewg via Gnupg-devel wrote:
> On 2024-12-12 11:58, Wiktor Kwapisiewicz wrote:
> >
> > On 12.12.2024 11:43, Andrew Gallagher via Gnupg-devel wrote:
> > > It should be noted that the salt in v6 signatures also helps to
> > > protect against fault-based attacks.
> > > See https://eprint.iacr.org/2017/1014
> >
> > I'm not entirely sure that the v6 salt helps in this case - it
> > influences the final digest but the fault attack then operates on
> > that new digest. I've read section 9. Countermeasures and couldn't
> > find any mention of salt being effective.
>
> Fault attacks require the generation of multiple signatures over the
> same message digest. With an unsalted signature, it is sufficient to
> induce a victim to sign the same message twice with the same
> timestamp. With a salted signature, it is vanishingly improbable that
> the same digest will ever be produced.
Hey, that's a bit misleading. For Elliptic Curves a distinct nonce is a
required part of the signature scheme, and the weakness is that if two
different messages are ever signed by the same key using the *same* nonce
then the private key can be mathematically recovered. Producing the same
signature for the same message twice is fine: that's why deterministic
signature schemes work.

In a fault attack on a deterministic signature scheme, you try to get the
same message signed twice (so same nonce), but attempt to fault the
message or digest before the second signing so the result is effectively
two different messages signed with the same nonce.

On the other hand, for random nonces, the worry is that weak random
number generators or faulting the rng can also lead to the same nonce
being reused, especially if the signer produces lots of signatures. The
'Attacking Deterministic Signature Schemes using Fault Attacks' paper
discounts the latter problem in its analysis and concentrates on the
former. However, while the faulted message attack sounds more plausible,
the same-signature-faulted-second-message attack is only achievable in a
limited timeframe; the timespan for pulling off a faulted rng attack is
the key lifetime, giving a determined attacker much more leeway to
produce an identical nonce.

The real problem, though, is the Elliptic Curve signature scheme itself:
however the nonce is generated (whether deterministic or random or a
mixture) the scheme is always vulnerable to faulting the nonce to produce
one that was previously used in a signature.

Regards,
James

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-devel
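The three positions in this exchange (a salt makes the digests differ; the fault lands after the nonce is derived; a fault on the nonce itself defeats any derivation) can be made concrete with a small model. The following is an added example and is not code from the thread or from GnuPG: the digest constructions are simplified stand-ins for unsalted v4-style and salted v6-style hashing, the nonce derivation is an RFC 6979-style HMAC (simplified), and the fault injections, key and message are constructed for the demonstration. The defender-side piece is `find_nonce_reuse`, which flags the only dangerous condition the message describes: one nonce commitment (for ECDSA, the r value) observed with two different digests.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Group order used only to reduce the nonce modulo n. This is the secp256k1
# order; any large prime would serve the demonstration equally well.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def digest_unsalted(message: bytes, timestamp: int) -> bytes:
    """Simplified stand-in for an unsalted (v4-style) signature digest:
    only the message and the creation time are hashed (assumption)."""
    return hashlib.sha256(message + timestamp.to_bytes(4, "big")).digest()


def digest_salted(message: bytes, timestamp: int, salt: bytes) -> bytes:
    """Simplified stand-in for a salted (v6-style) digest: a per-signature
    random salt is hashed in, so two signings of one message differ."""
    return hashlib.sha256(salt + message + timestamp.to_bytes(4, "big")).digest()


def deterministic_nonce(secret: bytes, digest: bytes) -> int:
    """Deterministic nonce in the spirit of RFC 6979 (simplified model):
    a function of the private key and the digest and nothing else."""
    k = int.from_bytes(hmac.new(secret, digest, "sha256").digest(), "big")
    return 1 + k % (N - 1)          # force the nonce into [1, N-1]


def find_nonce_reuse(signatures):
    """Defender's check over observed signatures.

    `signatures` is an iterable of (nonce_commitment, digest) pairs. For
    ECDSA the commitment is r (the x-coordinate of k*G), identical whenever
    the nonce k is identical. The dangerous condition is one commitment
    seen with two or more *different* digests; the same digest signed twice
    with the same nonce is harmless and is not reported.
    """
    by_r = defaultdict(set)
    for r, digest in signatures:
        by_r[r].add(digest)
    return {r: sorted(ds) for r, ds in by_r.items() if len(ds) > 1}


def scenario(salted, fault_digest=False, fault_nonce=False):
    """Sign the same message twice under one fault model and run the check.

    fault_digest models the paper's attack: on the second signing the digest
    is corrupted after the nonce was derived from the clean digest.
    fault_nonce models the point raised in the reply: the second nonce is
    forced back to the first one, however it was generated.
    """
    secret = b"constructed-demo-private-key"   # constructed value
    message = b"constructed message body"      # constructed value
    timestamp = 1734091140                     # constructed value
    observed = []
    for i in range(2):
        if salted:
            digest = digest_salted(message, timestamp, os.urandom(32))
        else:
            digest = digest_unsalted(message, timestamp)
        nonce = deterministic_nonce(secret, digest)
        if i == 1 and fault_nonce:
            nonce = observed[0][0]             # nonce collapsed to the first one
        if i == 1 and fault_digest:
            digest = bytes(b ^ 0x01 for b in digest)   # single-bit corruption
        observed.append((nonce, digest))
    return find_nonce_reuse(observed)


if __name__ == "__main__":
    print("unsalted, no fault      :", scenario(False))
    print("unsalted, digest fault  :", bool(scenario(False, fault_digest=True)))
    print("salted, digest fault    :", scenario(True, fault_digest=True))
    print("salted, nonce fault     :", bool(scenario(True, fault_nonce=True)))
```

Run stand-alone, the four lines read `{}`, `True`, `{}`, `True`: the unsalted double signing is harmless until the digest is faulted, the salt removes that case because the two digests (and therefore the two derived nonces) never coincide, and a fault that lands on the nonce itself is flagged whether or not a salt is present. `find_nonce_reuse` is independent of the model and can be fed real (r, digest) pairs collected from a signature store to check for the same condition in the field.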