crypto/ecdsa: Verify signature after signing to prevent faults from leaking private key #54681
Labels: NeedsDecision (Feedback is required from experts, contributors, and/or the community before a change can be made.)
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes.
What did you do?
It has been well known for quite some time that a single signature fault (e.g. due to a bit-flip or truncation) can lead to leaking the private key producing that signature. The crypto/rsa package has contained a defense against just such circumstances since 2015.
However, it is also possible for signature faults to leak ECDSA private keys. In particular, it has been shown that ECDSA private keys can be leaked if the same message is signed twice and one of those two signatures suffers a fault. This attack was recently demonstrated (PDF link) to be practical.
What did you expect to see?
I expected that ECDSA signatures would be validated immediately after being produced, in order to prevent faulty signatures from being exposed to an outside attacker.
What did you see instead?
I do not see any signature verification happening in the ecdsa call stack.
Additional information
I believe that the golang stdlib ecdsa implementation is not actually vulnerable to the signature fault attack as described above. In particular, that attack relies on the fact that many ecdsa implementations skirted the issue of bad random nonce generators by adopting deterministic nonces. It appears that the ecdsa implementation here uses true randomness, and is therefore not vulnerable. However, I do believe that the implementation today could silently produce faulty signatures, which we may want to avoid as both a correctness and a defense-in-depth measure.
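Added example (not code from this issue or from the Go project): a wrapper around crypto/ecdsa that verifies each signature immediately after producing it, as the issue proposes, and rejects it if the check fails. The names SignChecked, CheckSignature and ErrFaultySignature are assumed, and the fault is simulated by corrupting one byte of a constructed signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrFaultySignature: a freshly produced signature did not verify under the signer's own key.
var ErrFaultySignature = errors.New("ecdsa: signature failed post-signing verification")

// CheckSignature is the post-signing check, factored out so that a corrupted
// signature (simulating a hardware or software fault) can be shown to be rejected.
func CheckSignature(pub *ecdsa.PublicKey, digest, sig []byte) error {
	if !ecdsa.VerifyASN1(pub, digest, sig) {
		return ErrFaultySignature
	}
	return nil
}

// SignChecked signs digest with priv and then verifies the result with the
// corresponding public key before returning it (defense in depth; hypothetical wrapper).
func SignChecked(priv *ecdsa.PrivateKey, digest []byte) ([]byte, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest)
	if err != nil {
		return nil, err
	}
	if err := CheckSignature(&priv.PublicKey, digest, sig); err != nil {
		return nil, err // never hand a faulty signature to the caller
	}
	return sig, nil
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256([]byte("constructed sample message"))
	sig, err := SignChecked(priv, digest[:])
	fmt.Println("signed:", len(sig) > 0, err)
	// Simulate a single-byte fault in the signature and confirm the check catches it.
	faulty := append([]byte(nil), sig...)
	faulty[len(faulty)-1] ^= 0x01
	fmt.Println("faulty signature:", CheckSignature(&priv.PublicKey, digest[:], faulty))
}
```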