A point-on-curve check can detect mispropagation bugs, but I'm not sure whether these bugs leak the Ed25519 private key. Since the bugs are deterministic, the adversary cannot obtain two different R values for the same nonce and message. @jurajsomorovsky thoughts?
-
-
This is true, you could e.g. flip a specific bit to get admin rights. The small motivation for our Rowhammer EdDSA attacks was that in certain scenarios you could flip ANY bit in a large message to be signed and obtain the key.
-
Indeed, what?
-
The problem with Rowhammer is that depending on the scenario it is sometimes hard to flip specific bits, so that you could get admin rights or modify access flags (I am not an expert on Rowhammer, please do not ask more :))