Description
Recent Elliptic.js CVE highlightened a danger of fault attacks.
Check out blog post: Deterministic signatures are not your friends and ethresear.ch post. Deterministic RFC6979 signatures are good, however, if an error happens during sig generation, then the error is propagated to the very end. In worst cases it will mean k reuse and private key leak.
Solution
Use hedged signatures. RFC6979 3.6: already specifies additional k' extraEntropy to mix-in 32 byte of random data on every signature. It is standard way of doing this.
Switch is from k = hash_6979(private_key, message) to k = hash_6979(private_key, message, extraEntropy)
Pros
Increased security against private key leakage. Even when passed-through randomness is bad, the security would be just like today, not worse.
- Fault attacks / attacks against deterministic signatures have been discussed in SH16, BP16, RP17, ABFJLM17, SBBDS17, PSSLR17, SB18, WPB19, AOTZ19, FG19.
- Hedging was described in specs BIP340 in 2018-2020 ("Using unpredictable randomness additionally increases protection against other side-channel attacks, and is recommended whenever available."), CFRG draft in 2022 and of course RFC6979 section 3.6.
- Bitcoin has been using extra entropy for low-r grinding since 2018 and hedged schnorr BIP340 since 2021
- Apple iOS, Safari browser and Signal all specifically use hedged ed25519 even though RFC8032 ed25519 is not hedged
Cons
- Signatures (r, s) would become non-deterministic and "new" after every signature.
- Some protocols use deterministic sigs as keys.
- These protocols can ask for deterministic sigs, for example, by specifying static extraEntropy
- Slightly increased chance of fingerprinting
- Injecting
caf3as first 2 bytes will take 65K+ generations on average - totally infeasible for hardware wallets (ledger uses 48MHz STM32F042) - To be reliable, fingerprinting needs to inject 10+ bytes, which means billions of signatures
- Injecting