Can you ask again without 6 layers of abstraction? What’s a specific example?
Is this the normal way it's done? I thought it was normal to try to implement x25519 and then implement Ed25519 as a hack on top of it. If the hacky way isn't normal then it's probably less of a concern.
-
-
How would one do that? AFAIK for signing you can't use x-only Montgomery arithmetic because encoded Ed25519 points specify a single point, not a pair of points; and for verification, you can't use a differential addition formula with Shamir's trick.
-
+1 to what @bmastenbrook said. @BRIAN_____, people usually convert public keys from X25519 to Ed25519, to use a single key pair for both encryption and signature (I am never comfortable with this idea) -
OK, let's jump ahead to the thing I want to verify: For these kinds of fault attacks, what is the value of checking that the result is on the curve? If the bit flipping is actually modifying the private key scalar itself then it doesn't help AFAICT, but how about otherwise?
-
EdDSA signing requires two scalar mults, one to compute the public key (which can be cached) and another to compute R. If an adversary can cause any faults in these computations, and also learn the correct value of the public key or R, they can compute the private key.
-
Point-on-curve check can detect certain faults, but it doesn't help if the adversary can actually flip a single bit of any scalar.
-
Something to think about: suppose there's a deterministic carry mispropagation bug that can be triggered with 1% of the scalar values. Is it possible to extract the private key?
-
Point-on-curve check can detect mispropagation bugs, but I'm not sure whether these bugs leak the Ed25519 private key. Since the bugs are deterministic, the adversary cannot obtain two different R values for the same nonce and message.
@jurajsomorovsky thoughts? -
I think this is probably something beyond what's reasonable to solve on Twitter. What I'm really wondering is what are the near-zero-cost countermeasures that can reduce the likelihood of a Rowhammer-like attack the most, ideally without randomizing the scalar mult.