Update draft-irtf-cfrg-det-sigs-with-noise.md
emanjon authored Feb 28, 2024
1 parent a4c8941 commit 48abb3d
Showing 1 changed file with 1 addition and 3 deletions.
4 changes: 1 addition & 3 deletions draft-irtf-cfrg-det-sigs-with-noise.md
@@ -438,9 +438,7 @@ Side-channel attacks are potential attack vectors for implementations of cryptog

Fault attacks may also be possible without physical access to the device. RowHammer {{RowHammer14}} showed how an attacker to induce DRAM bit-flips in memory areas the attacker should not have access to. Plundervolt {{Plundervolt19}} showed how an attacker with root access can use frequency and voltage scaling interfaces to induce faults that bypass even secure execution technologies. RowHammer can e.g., be used in operating systems with several processes or cloud scenarios with virtualized servers. Protocols like TLS, SSH, and IKEv2 that add a random number to the message to be signed mitigate some types of attacks {{PSSLR17}}.

Government agencies are clearly concerned about these attacks. In {{Notice-186-5}} and {{FIPS-186-5}}, NIST warns about side-channel and fault injection attacks, but states that deterministic ECDSA may be desirable for devices that lack good randomness. The quantum-resistant ML-DSA {{Draft-204}} under standardization by NIST uses hedged signing by default.

BSI has published {{BSI}} and researchers from BSI have co-authored two research papers {{ABFJLM17}} {{PSSLR17}} on attacks on deterministic signatures. For many industries it is important to be compliant with both RFCs and government publications, alignment between IETF, NIST, and BSI recommendations would be preferable.
Government agencies are clearly concerned about these attacks. In {{Notice-186-5}} and {{FIPS-186-5}}, NIST warns about side-channel and fault injection attacks, but states that deterministic ECDSA may be desirable for devices that lack good randomness. The quantum-resistant ML-DSA {{Draft-204}} under standardization by NIST uses hedged signing by default. BSI has published {{BSI}} and researchers from BSI have co-authored two research papers {{ABFJLM17}} {{PSSLR17}} on attacks on deterministic signatures. For many industries it is important to be compliant with both RFCs and government publications, alignment between IETF, NIST, and BSI recommendations would be preferable.

Note that deriving per-message secret number deterministically, is also insecure in a multi-party signature setting {{I-D.irtf-cfrg-frost}}.
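
Review bot: the added merged paragraph keeps a comma splice from the original text: "it is important to be compliant with both RFCs and government publications, alignment between IETF, NIST, and BSI recommendations would be preferable" should read "... government publications, so alignment between IETF, NIST, and BSI recommendations would be preferable" or be split into two sentences. Since this hunk only joins the NIST and BSI paragraphs into one without changing their content, a commit message stating that intent would help readers of the history more than the generic "Update ...". Two grammar slips in the unchanged context lines could be fixed in the same pass: "showed how an attacker to induce DRAM bit-flips" is missing "can" ("how an attacker can induce"), and "deriving per-message secret number deterministically, is also insecure" has a stray comma and should read "deriving the per-message secret number deterministically is also insecure".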

