
Schnorr signature in two steps, known vulnerabilities


We are looking to perform all the calculations for a Schnorr signature, more precisely EC-FSDSA (BIP340-Schnorr), inside a secure element, with the exception of the hash operation, which is not supported and must be performed outside of the secure element.

Assuming the signature is the following: $d$ = private key, $R = k \cdot G = Q$ ($k$ a unique random key, TRNG sourced inside the secure element, can only be used once), and

$S = k + d \cdot H(Q \,|\, P \,|\, M)$

The steps would be the following:

  1. generate $Q$ and get $Q$ and $P$ as output from the secure element
  2. calculate and reinject $H(Q \,|\, P \,|\, M)$ into the secure element
  3. finalize and output $S = k + d \cdot H(Q \,|\, P \,|\, M)$

Assuming the secure element functions as an oracle, and an attacker can inject $H(Q \,|\, P \,|\, M) = 1$ and thus extract $k + d$ (it cannot inject $H(Q \,|\, P \,|\, M) = 0$ with the same $k$, which changes all the time), without limitation, would $d$ be vulnerable? Has anyone read some discussions on that subject?

For the sake of clarity, note that our goal is to evaluate the possibility of guessing the private key ($d$), which is hidden in a secure element, with unlimited possibility to calculate $S = k + d \cdot (\text{any integer you choose})$. The secure element can only perform scalar multiplications and generate pseudo-random ($k$), but unfortunately not some specific hash functions. The hash must thus be calculated outside and re-injected, thus potentially opening up vulnerabilities.

For this exercise, we assume the secure element that hides ($d$) can perform unlimited $S$ calculations whatever ($H$) is, and is in the hands of the attacker with full access to cryptographic calculations on $S = k + dH$. The attacker cannot control $k$, which is generated inside the secure element, used only once, and is always hidden. On the other hand, the attacker can ignore $(Q \,|\, P \,|\, M)$ and can choose any ($H$) to send to the secure element to calculate $S = k + d \cdot H$, thus choosing $H = 0, 1, 2, 3, \ldots$ for example, and getting $S_1 = k_1 + d \cdot 1$, $S_2 = k_2 + d \cdot 2$, etc. in return, with no limitation on tries. Even if always obfuscated by the different random $k$, can that help you guess ($d$)?

(You could ask then: if the attacker has access to calculations on ($d$), then it's like having ($d$). Well, not exactly, as an attacker could secretly extract ($d$) and wait for a use case later in time.)
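As an added illustration (not part of the question or of any answer), a toy model of the finalisation step the question describes, $S = k + d \cdot H \bmod n$, with a fresh one-time $k$ per query; the group order $n = 97$ and every value are constructed so the response distribution can be enumerated exhaustively, and are not real curve parameters.

```python
# Toy model of the "hash-injected" finalisation step S = k + d*H (mod n).
# n = 97 is a constructed toy group order so every case can be enumerated;
# a real curve order (e.g. secp256k1's n) is ~2^256 and k is TRNG-sourced.
import secrets

N = 97  # constructed toy prime group order, not a real curve parameter


def oracle_response(d, h, k):
    """Secure-element finalisation: S = k + d*H mod n, H supplied by the caller."""
    return (k + d * h) % N


def response_distribution(d, h):
    """Sorted multiset of every S for fixed d and H as the one-time k ranges over Z_n."""
    return sorted(oracle_response(d, h, k) for k in range(N))


def responses_hide_d(h):
    """True if, for the attacker-chosen H, every private key d produces the same
    (uniform) distribution of S: k -> k + d*H is a bijection on Z_n, so a single
    response with a fresh k is statistically independent of d."""
    reference = response_distribution(0, h)
    return all(response_distribution(d, h) == reference for d in range(N))


def recover_d_from_reused_k(s1, h1, s2, h2):
    """Caveat: the protection rests entirely on k being one-time.  If the SAME k
    ever served two injected hashes, S1 - S2 = d*(H1 - H2) and d follows
    directly; with a fresh k per query this equation never exists."""
    return ((s1 - s2) * pow(h1 - h2, -1, N)) % N


def simulate_queries(d, h, trials=5):
    """The oracle as described: a fresh random k for each query."""
    return [oracle_response(d, h, secrets.randbelow(N)) for _ in range(trials)]
```

`responses_hide_d(h)` is the check a practitioner would want for the chosen-H setting; `recover_d_from_reused_k` shows why "used only once" is the load-bearing assumption.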

Maarten Bodewes:
Hi sarmluk and welcome. Note that this site supports MathJax, so it should be possible [to create nicely formatted formulas](https://crypto.meta.stackexchange.com/a/1070/1172).
Manish Adhikari:
I know of no attack scenario where an attacker injects $H(Q|P|M)$; can you describe clearly how he does that? $Q$ is picked by the signer and the hash is also initially calculated by her. In a chosen message attack, the attacker has to find $M$ s.t. $H(Q|P|M) = 1$, and that without knowing $Q$. Even if $Q$ was predictable for some magical reason, the attacker would have to perform a pre-image attack on $H$ to find such an $M$.