On Fri, 2024-12-13 at 17:28 +0000, andrewg via Gnupg-devel wrote:
[...]
> > However, while the faulted message attack sounds more
> > plausible, the same signature faulted second message is only
> > achievable in a limited timeframe, the timespan for pulling off a
> > faulted RNG attack is the key lifetime, giving a determined
> > attacker much more leeway to produce an identical nonce.
>
> In OpenPGP all signatures contain a timestamp, so even if a
> determined attacker was able to generate a large number of signatures
> using a faulty RNG, the timestamp field would keep incrementing. The
> attacker would need to either force a duplicate salt within ~1s, or
> find a hash collision.
I think there may be confusion here: the 'Nonce Reuse in deterministic ECDSA' section of the paper only presents a special case of the general problem. The EC signature algorithm requires an input nonce which must be unique for every signature; otherwise the private key can be recovered mathematically from the two signatures that reused the nonce, provided they were signatures over different messages. It's not about whether or not to salt the message and faulting the salt.

I'm making the point that it's this signature nonce you try to fault to break the uniqueness guarantee; what you add to the message is irrelevant, because exploiting a duplicate nonce to extract the private key requires the signed messages to be different anyway.

Regards,
James

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-devel
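Added example, not from this thread or from GnuPG: a small Python audit over constructed ECDSA signature records that illustrates the distinction James draws. A repeated r under one signing key means the same nonce k was used; if the signed hashes differ, that pair exposes the private key, whereas a repeated (r, s) over the same hash (what a deterministic signer produces when re-signing an identical message) leaks nothing. All key ids, r/s values and hashes below are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sig:
    """One observed signature: signer key id, ECDSA (r, s), and the hash that was signed."""
    key_id: str
    r: int
    s: int
    msg_hash: int


def audit_nonce_reuse(sigs):
    """Group signatures by (signer, r). Within one key, equal r means equal nonce k.

    - Equal r, different message hashes: the two equations share k and the
      private key, so the key is recoverable ("KEY_EXPOSED").
    - Equal r, same hash (and therefore same s): the same signature seen twice.
      Deterministic nonces (RFC 6979 style) produce this legitimately, so it is
      reported separately and is not a key leak ("DUPLICATE_ONLY").
    """
    by_r = defaultdict(list)
    for sig in sigs:
        by_r[(sig.key_id, sig.r)].append(sig)

    findings = {}
    for (key_id, r), group in by_r.items():
        if len(group) < 2:
            continue  # a single use of this nonce under this key: nothing to report
        hashes = {g.msg_hash for g in group}
        findings[(key_id, r)] = "KEY_EXPOSED" if len(hashes) > 1 else "DUPLICATE_ONLY"
    return findings


# Constructed sample records (not real signatures).
SAMPLE = [
    Sig("KEY_A", r=0x1A2B, s=0x3C4D, msg_hash=0x1111),  # ordinary, fresh nonce
    Sig("KEY_A", r=0x5E6F, s=0x7081, msg_hash=0x2222),  # ordinary, fresh nonce
    Sig("KEY_B", r=0x9ABC, s=0xDEF0, msg_hash=0x3333),  # deterministic signer re-signing
    Sig("KEY_B", r=0x9ABC, s=0xDEF0, msg_hash=0x3333),  # the same message: identical (r, s)
    Sig("KEY_C", r=0x1357, s=0x2468, msg_hash=0x4444),  # faulted nonce: same r under one key
    Sig("KEY_C", r=0x1357, s=0x9999, msg_hash=0x5555),  # but a different message: key exposed
]

if __name__ == "__main__":
    for (key_id, r), verdict in audit_nonce_reuse(SAMPLE).items():
        print(f"{key_id} r={r:#x}: {verdict}")
```

Whether the differing message content came from a timestamp, a salt or the payload itself does not change the verdict; only "same r, different hash" matters.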