On 13 Dec 2024, at 18:59, James Bottomley 
<james.bottom...@hansenpartnership.com> wrote:
> 
> I think there may be confusion here: the 'Nonce Reuse in deterministic
> ECDSA' section of the paper only presents a special case of the general
> problem: The EC signature algorithm requires an input nonce which must
> be unique for every signature otherwise the private key can be
> recovered mathematically from the two signatures that reused the nonce
> provided they were signatures over different messages.  It's not about
> whether or not to salt the message and faulting the salt.

Correct, that’s not what it’s about. I think perhaps the confusion arises 
because discussion of ECC signatures in the paper uses the terminology 
“Message”, but this “ECC Message” is not the same thing as the “OpenPGP 
Message”. Because OpenPGP applies a pre-hashing stage to all signatures, the 
“Message” passed to the ECC layer is always a digest. Salting *this* digest 
ensures that the ECC nonce is never reused, because in deterministic ECC, the 
nonce is calculated from the “ECC Message”, i.e. the OpenPGP digest, which if 
salted can never be the same twice.

It is therefore not possible to perform the fault attack against a salted 
OpenPGP signature, because faulting a deterministic ECC signature requires an 
attacker to pass the same “ECC message” to the signature algorithm twice, and 
then cause a fault between the calculation of the nonce and the calculation of 
the signature, so that the nonce is the same twice but the messages that 
effectively get signed are different. In OpenPGP v6 the nonce can never be the 
same because the input ECC message can never be the same.

Bluntly, salting the OpenPGP digest works by forcing nonce uniqueness at a high 
level, regardless of where in the stack below a fault may arise.

A
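The argument above, as an added example that is not from this thread or from GnuPG: a minimal deterministic ECDSA over secp256k1 signs the same message twice with a modelled fault between nonce derivation and signing; without a salt the two signatures share r (the visible sign of a reused nonce), while with a fresh salt in the OpenPGP pre-hash they do not. The HMAC nonce derivation (a stand-in for RFC 6979, not its exact construction), the helper names and the test key are assumptions.

```python
import hashlib, hmac, os
# secp256k1 domain parameters (real curve constants, pure-Python affine arithmetic)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
PRIV = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed test key
MSG = b"constructed OpenPGP message body"

def ec_add(a, b):
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None  # point at infinity
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def nonce(priv, digest):
    # Deterministic nonce from (key, "ECC message"); simplified stand-in for RFC 6979 (assumption)
    return int.from_bytes(hmac.new(priv.to_bytes(32, "big"), digest, hashlib.sha256).digest(), "big") % N or 1

def sign(priv, digest, k, fault=False):
    r = ec_mul(k, G)[0] % N
    e = int.from_bytes(digest, "big")
    if fault: e ^= 1  # modelled glitch: the value being signed changes after k was already fixed
    return r, pow(k, -1, N) * (e + r * priv) % N

def openpgp_digest(message, salt=b""):
    # v6-style salted pre-hash; salt=b"" models the unsalted case
    return hashlib.sha256(salt + message).digest()

def sign_twice(priv, message, salted):
    # Sign the same message twice, the second time under the modelled fault
    out = []
    for fault in (False, True):
        d = openpgp_digest(message, os.urandom(32) if salted else b"")
        out.append(sign(priv, d, nonce(priv, d), fault))
    return out

def nonce_reused(sig1, sig2):
    # Equal r with different s means the same k signed two different values
    return sig1[0] == sig2[0] and sig1[1] != sig2[1]
```

Comparing r across signatures from one key is also a cheap check a verifier or key-audit tool can run on existing signature sets.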


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-devel
