Add EdDSA signature verification step to detect and avoid outputting faulty signatures #11
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…gnatures EdDSA is known to be vulnerable to fault attacks which can lead to secret key extraction if two signatures over the same data can be collected. Randomly occurring bitflips in specific parts of the computation might in principle result in vulnerable faulty signatures being generated, hence we add the option to verify the signatures before outputting them.
larabr
force-pushed
the
protonmail/v5-eddsa-faulty-verify-stats
branch
from
19bd6f1 to
624debe
Compare
To be able to control the deployment of the eddsa check. Support is limited to the global config object as the affected functions currently don't take a config input, and we don't need to selectively enable the option anyway, so we limit the scope of the changes.
twiss
approved these changes
Nov 27, 2023
larabr
added a commit
that referenced
this pull request
Nov 29, 2023
…g faulty signatures (#11) EdDSA is known to be vulnerable to fault attacks which can lead to secret key extraction if two signatures over the same data can be collected. Randomly occurring bitflips in specific parts of the computation might in principle result in vulnerable faulty signatures being generated, hence we add the option to verify the signatures before outputting them. This commit also adds the `checkEdDSAFaultySignatures` flag to the global config to be able to control the deployment of the eddsa check. Support is limited to the global config object as the affected functions currently don't take a config input, and we don't need to selectively enable the option anyway, so we limit the scope of the changes.
larabr
added a commit
that referenced
this pull request
Mar 1, 2024
…g faulty signatures (#11) EdDSA is known to be vulnerable to fault attacks which can lead to secret key extraction if two signatures over the same data can be collected. Randomly occurring bitflips in specific parts of the computation might in principle result in vulnerable faulty signatures being generated, hence we add the option to verify the signatures before outputting them. This commit also adds the `checkEdDSAFaultySignatures` flag to the global config to be able to control the deployment of the eddsa check. Support is limited to the global config object as the affected functions currently don't take a config input, and we don't need to selectively enable the option anyway, so we limit the scope of the changes.
larabr
added a commit
that referenced
this pull request
Mar 1, 2024
…g faulty signatures (#11) EdDSA is known to be vulnerable to fault attacks which can lead to secret key extraction if two signatures over the same data can be collected. Randomly occurring bitflips in specific parts of the computation might in principle result in vulnerable faulty signatures being generated, hence we add the option to verify the signatures before outputting them. This commit also adds the `checkEdDSAFaultySignatures` flag to the global config to be able to control the deployment of the eddsa check. Support is limited to the global config object as the affected functions currently don't take a config input, and we don't need to selectively enable the option anyway, so we limit the scope of the changes.
larabr
added a commit
that referenced
this pull request
Apr 10, 2024
…faulty signatures (#11) EdDSA is known to be vulnerable to fault attacks which can lead to secret key extraction if two signatures over the same data can be collected. Randomly occurring bitflips in specific parts of the computation might in principle result in vulnerable faulty signatures being generated, hence we add the option to verify the signatures before outputting them. This commit also adds the `checkEdDSAFaultySignatures` flag to the global config to be able to control the deployment of the eddsa check. Support is limited to the global config object as the affected functions currently don't take a config input, and we don't need to selectively enable the option anyway, so we limit the scope of the changes.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Randomly occurring bitflips in specific parts of the EdDSA signature computation might in principle result in vulnerable faulty signatures being generated, hence we add the option to verify the signatures before outputting them.
This change is made primarily to gather stats about whether such faulty signatures are generated by our web apps.
The flag
checkEdDSAFaultySignatureshas also been added to the globalopenpgp.configobject to control its activation.