Paper 2024/427

A Cautionary Note: Side-Channel Leakage Implications of Deterministic Signature Schemes

Hermann Seuschek
Johann Heyszl
Fabrizio De Santis
Abstract

Two recent proposals by Bernstein and Pornin emphasize the use of deterministic signatures in DSA and its elliptic curve-based variants. Deterministic signatures derive the required ephemeral key value in a deterministic manner from the message to be signed and the secret key instead of using random number generators. The goal is to prevent severe security issues, such as the straight-forward secret key recovery from low quality random numbers. Recent developments have raised skepticism whether e.g. embedded or pervasive devices are able to generate randomness of sufficient quality. The main concerns stem from individual implementations lacking sufficient entropy source and standardized methods for random number generation with suspected back doors. While we support the goal of deterministic signatures, we are concerned about the fact that this has a significant influence on side-channel security of implementations. Specifically, attackers will be able to mount differential side-channel attacks on the additional use of the secret key in a cryptographic hash function to derive the deterministic ephemeral key. Previously, only a simple integer arithmetic function to generate the second signature parameter had to be protected, which is rather straight-forward. Hash functions are significantly more difficult to protect. In this contribution, we systematically explain how deterministic signatures introduce this new side-channel vulnerability.

Note: This is the accepted version and author copy of a publication at CS2 ’16, January 20 2016, Prague, Czech Republic. Final publication can be found under under DOI: http://dx.doi.org/10.1145/2858930.2858932

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Minor revision. CS 2016, ACM
DOI
10.1145/2858930.2858932
Keywords
Deterministic ECDSASide-Channel Attack
Contact author(s)
hermann seuschek @ tum de
johann heyszl @ aisec fraunhofer de
desantis @ tum de
History
2024-03-15: approved
2024-03-12: received
See all versions
Short URL
https://ia.cr/2024/427
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/427,
      author = {Hermann Seuschek and Johann Heyszl and Fabrizio De Santis},
      title = {A Cautionary Note: Side-Channel Leakage Implications of Deterministic Signature Schemes},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/427},
      year = {2024},
      doi = {10.1145/2858930.2858932},
      url = {https://eprint.iacr.org/2024/427}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.