Point-on-curve check can detect certain faults, but it doesn't help if the adversary can actually flip a single bit of any scalar
If you can flip bits with Rowhammer then depending on PRNG implementation you might be able to reset PRNG state to replay the same output twice in a row, e.g. many ChaCha20-based PRNGs are used. This would create problems both for randomized EdDSA and for apps w/ nonces in msgs.
-
-
Further, if you can flip a bit with Rowhammer then you could flip the "TLS handshake is complete" flag and cause the app to accept unauthenticated/unencrypted input and/or write unencrypted output. https://bugzilla.mozilla.org/show_bug.cgi?id=919877 shows such a magic bit exists/existed in real life.
-
In general, I am skeptical that we need crypto-specific mitigations for Rowhammer and similar bugs, because it seems likely there are always other magic bits that could be flipped to cause the same or worse damage.
-
This is true, you could e.g. flip a specific bit to get admin rights. The small motivation for our Rowhammer EdDSA attacks was that in certain scenarios you could flip ANY bit in a large message to be signed and obtain the key.
-
Indeed, what?
-
The problem with Rowhammer is that depending on the scenario sometimes it is hard to flip specific bits, so that you could get admin rights or modify access flags (I am not an expert on Rowhammer, please do not ask more :))