Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for randomized signatures? #54

Open
ksperling opened this issue Apr 2, 2018 · 0 comments
Open

Add support for randomized signatures? #54

ksperling opened this issue Apr 2, 2018 · 0 comments

Comments

@ksperling
Copy link

This recent paper demonstrates using a differential power analysis attack on the SHA-512 part of the Ed25519 signature generation to recover the nonce key (aka auxiliary key), and also proposes a mitigation: https://eprint.iacr.org/2017/985.pdf

We need to create a scenario such that an attacker is not able
make a hypothesis on the constant key value. This can be achieved by padding
the key with fresh random bits such that the first 1024-bit block is composed
only by key and random value, without any bits known to the attacker. The
input message will be processed in blocks after that. Fig. 9 visualizes how the
input should look. The R0 block would be a random number of 768 bits. We
argue that is also possible to have an R0 block composed by 128 bits of randomness
and pad the rest of the block with 640 bits with a constant value (e.g. all
zero).
[...]
Obviously, this countermeasure kills the deterministic signature properties,
but we do not see this as a dramatic problem. The main motivation for the proposal
of deterministic signature was to avoid a poor management of randomness
that can introduce security problems [12, 14]. The proposed countermeasure is
also not re-introducing the strong security requirement of randomness needed
by ECDSA. Basically, even if the same randomness is used to sign two different
messages, the attacker will not be able to recover the key as would it be possible
with ECDSA. Additionally we want to highlight that the signature verification
procedure remains as is.

As I'm using Ed25519 in an IoT-type device where this type of attack is (at least theoretically) possible, I'm considering adding (optional) support for this mitigation. Would there be interest in this if I provide a PR?

It should be straightforward to add this logic to EdDSAEngine.digestInitSign, conditional on a (new) randomize flag added to EdDSAParameterSpec, which could then be exposed as an EdDSANamedCurveSpec with a different identifier, e.g. Ed25519rnd.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant