Breaking Ed25519 in WolfSSL

Abstract: This publication is distributed under the terms of Article 25fa of the Dutch Copyright Act (Auteurswet) with explicit consent by the author. Dutch law entitles the maker of a short scientific work funded either wholly or partially by Dutch public funds to make that work publicly available for no consideration following a reasonable period of time after the work was first published, provided that clear reference is made to the source of the first publication of the work. This publication is distributed under Th… Show more

“…We now exercise our fault-resilient unforgeability notion to establish that derandomized schemes are vulnerable to the weakest fault injection attack of random one-bit flips. This in particular confirms the corresponding observations by Poddebniak et al and others [48,54,1,56] in our formalism. To recap, derandomization here refers to the approach to deterministically extract a permessage random value from the secret signing key and message input, replacing an otherwise needed true random sampling of a per-message nonce.…”

“…In several works concurrent and closely related to that by Poddebniak et al [48], Romailler and Pelissier [54], Ambrose et al [1], as well as Samwel et al [56,55] studied differential fault and side-channel attacks on deterministic signatures in general and the ECDSA and EdDSA schemes specifically, also revisiting a previous result by Barenghi and Pelosi [5]. Notably, all works agree that adding randomness back into the signing process is necessary in order to prevent the described fault attacks.…”

“…However, as observed before [48,54,1,56], a fault introduced within the message memory variable m between reading m for deriving the nonce r and reading m again for computing the signature (with nonce r), recovers the nonce reuse scenario and, with it, a signing key extraction attack. In the following theorem, we formalize this observation in our generalized fault resilience setting.…”

“…We begin by augmenting the classical security notions for existential and strong unforgeability under chosen-message attacks for signatures with our extension to capture fault resilience, as described in Section 2. We then study the effects of faults specifically on a de-randomized (deterministic) signature schemes and analyze to which extent the proposed countermeasure to include additional randomness [48,54,1,56] provably provides fault resilience.…”

“…A key point in the augmented model is to attribute the signature to a message, because the adversary may alter the message content during the signing process. The extension enables us to formally restate the concept of above fault attacks on deterministic signatures [48,54,1,56] in terms of our security model, as a sanity check for our modeling so to speak.…”

Modeling Memory Faults in Signature and Authenticated Encryption Schemes

“…We now exercise our fault-resilient unforgeability notion to establish that derandomized schemes are vulnerable to the weakest fault injection attack of random one-bit flips. This in particular confirms the corresponding observations by Poddebniak et al and others [48,54,1,56] in our formalism. To recap, derandomization here refers to the approach to deterministically extract a permessage random value from the secret signing key and message input, replacing an otherwise needed true random sampling of a per-message nonce.…”

“…In several works concurrent and closely related to that by Poddebniak et al [48], Romailler and Pelissier [54], Ambrose et al [1], as well as Samwel et al [56,55] studied differential fault and side-channel attacks on deterministic signatures in general and the ECDSA and EdDSA schemes specifically, also revisiting a previous result by Barenghi and Pelosi [5]. Notably, all works agree that adding randomness back into the signing process is necessary in order to prevent the described fault attacks.…”

“…However, as observed before [48,54,1,56], a fault introduced within the message memory variable m between reading m for deriving the nonce r and reading m again for computing the signature (with nonce r), recovers the nonce reuse scenario and, with it, a signing key extraction attack. In the following theorem, we formalize this observation in our generalized fault resilience setting.…”

“…We begin by augmenting the classical security notions for existential and strong unforgeability under chosen-message attacks for signatures with our extension to capture fault resilience, as described in Section 2. We then study the effects of faults specifically on a de-randomized (deterministic) signature schemes and analyze to which extent the proposed countermeasure to include additional randomness [48,54,1,56] provably provides fault resilience.…”

“…A key point in the augmented model is to attribute the signature to a message, because the adversary may alter the message content during the signing process. The extension enables us to formally restate the concept of above fault attacks on deterministic signatures [48,54,1,56] in terms of our security model, as a sanity check for our modeling so to speak.…”

Modeling Memory Faults in Signature and Authenticated Encryption Schemes

One Trace Is All It Takes: Machine Learning-Based Side-Channel Attack on EdDSA

Taming the Many EdDSAs