

Update draft-irtf-cfrg-det-sigs-with-noise.md
Fixed a hypothetical attack where an attacker is able to induce a nonce collision between Hedged Ed25519 and Hedged Ed25519ctx by completely controlling Z and setting the context value to empty

The new construction aligns more with the first part of #3 since dom2 and dom4 of RFC 8032 are potentially variable length.

Added domain separation with dom2 and dom4 of RFC 8032 through leading 0x00 byte.
ethorm authored Mar 16, 2024
1 parent 2af6996 commit 195f4e2
6 changes: 4 additions & 2 deletions draft-irtf-cfrg-det-sigs-with-noise.md
@@ -459,7 +459,7 @@ Update to RFC 8032:
For Ed25519ph, Ed25519ctx, and Ed25519: In deployments where side-channel and fault injection attacks are a concern, the following step is RECOMMENDED instead of step (2) in Section 5.1.6 of {{RFC8032}}:

~~~~~~~~~~~~~~~~~~~~~~~
2. Compute SHA-512(dom2(F, C) || Z || 000... || prefix || 000... ||
2. Compute SHA-512(0x00 || Z || dom2(F, C) || 000... || prefix || 000... ||
PH(M)), where M is the message to be signed, Z is 32 octets of
random data, the number of zeroes 000... is chosen so that the
lengths of (dom2(F, C) || Z || 000...) and (prefix || 000...) are
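Review bot: the explanatory text after the changed step still describes the old layout: the context line reads `lengths of (dom2(F, C) || Z || 000...) and (prefix || 000...)`, while the new step hashes `0x00 || Z || dom2(F, C) || 000...`. Restate the padding rule in terms of (0x00 || Z || dom2(F, C) || 000...), since the leading 0x00 adds one octet to the first segment; with the text as it stands, an implementer computing the number of zeroes from the stated rule ends up one octet off from the construction actually hashed.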
@@ -470,7 +470,7 @@ For Ed25519ph, Ed25519ctx, and Ed25519: In deployments where side-channel and fa
For Ed448ph and Ed448: In deployments where side-channel and fault injection attacks are a concern, the following step is RECOMMENDED instead of step (2) in Section 5.2.6 of {{RFC8032}}:

~~~~~~~~~~~~~~~~~~~~~~~
2. Compute SHAKE256(dom4(F, C) || Z || 000... || prefix || 000... ||
2. Compute SHAKE256(0x00 || Z || dom4(F, C) || 000... || prefix || 000... ||
PH(M), 114), where M is the message to be signed, and Z is 57
octets of random data, the number of zeroes 000... is chosen so
that the length of (dom4(F, C) || Z || 000...) and (prefix ||
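Review bot: the same stale description as in the Ed25519 step: `that the length of (dom4(F, C) || Z || 000...) and (prefix ||` should become (0x00 || Z || dom4(F, C) || 000...) to match the new SHAKE256 input, because the leading 0x00 adds one octet to the first segment and the zero count has to absorb it. While touching the line, "the length of ... and ..." should read "the lengths of", as the Ed25519 text does.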
@@ -535,6 +535,8 @@ With the construction in this document, the repetition of the same per-message s

Implementations need to follow best practices on how to protect against all side-channel attacks, not just attacks that exploit determinism, see for example {{BSI}}.

The leading 0x00 octet in Hedged EdDSA provides domain separation with RFC 8032 since the first octets of dom2 and dom4 are distinct from 0x00.

# Test Vectors {#test}

TODO
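Review bot: the justification in the added sentence does not cover plain Ed25519, for which RFC 8032 defines dom2(F, C) as the empty string; in that case no dom2 octet follows 0x00 || Z at all, and the octet after Z is the first padding zero. The argument holds for Ed25519ctx, Ed25519ph, Ed448 and Ed448ph, whose dom2/dom4 begin with the ASCII 'S' of the "SigEd25519 no Ed25519 collisions" and "SigEd448" strings. Suggest restating it in two parts: the leading 0x00 cannot be the first octet of a non-empty dom2 or dom4, which separates Hedged EdDSA inputs from RFC 8032 inputs for the ctx and ph variants; and placing dom2 after Z rather than before it separates Hedged Ed25519 (empty dom2, so a padding zero follows Z) from Hedged Ed25519ctx with an empty context (the 'S' octet follows Z), which is the attacker-controlled-Z collision the commit message describes. Since the Test Vectors section is still TODO, a vector pair for exactly that empty-context case would be the natural regression check for this change.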
