9

I heard that Ed25519 is a new digital signature. It has smaller public key size and generates a public key more quickly. I read an article about Ed25519 titled Practical fault attack against the Ed25519 and EdDSA signature scheme. The article mentions that the private key can be recovered in a so-called "fault attack". Knowing this, is the Ed25519 scheme still secure?

user
  • 7,670
  • 2
  • 30
  • 54
Aymn Alaney
  • 205
  • 1
  • 7

1 Answers1

12

Yes, Ed25519 is still secure. The paper describes an attack against hardware processing Ed25519 signatures. It is not a cryptographic attack against the algorithm itself. As explained here, a fault attack (also called a glitching attack) involves trying to confuse a processor while it is processing cryptographic material to cause it to glitch in a way that leaks internal information sufficient to reconstruct the private key. Unless someone is hooking up electrical probes to your CPU, the attack does not affect you at all.

The attack involves hooking up a device to the CPU and "glitching" it, for example by feeding it too much or too little voltage at specific times. If the glitch occurs while cryptographic material is being processed, it is possible to discover information about the key by observing the results of the glitching. It is a very invasive procedure, as you can see in this photo of the attack being performed:

fault attack

From the text describing this picture:

We demonstrated it on an Arduino Nano, using the Arduino Libs’ Crypto Ed25519 implementation and simple voltage glitches. We were able to cause single byte random errors at the end of the computation of H(R,A,M), allowing us to efficiently brute-force the error location and value, thus recovering half of the secret key.

So why is this attack newsworthy? The answer is simply that not every use of Ed25519 occurs on a machine that you have full control over. For example, secure embedded devices, such as smart cards, might fall into adversarial hands. These devices are designed to be secure and not reveal their private key even if you have physical access to them, so it would be bad if you could steal the private key just by monitoring the device while you feed it an incorrect voltage! This attack does not mean that every use of Ed25519 is doomed to be vulnerable to a fault attack, just that each implementation must apply mitigations to avoid this issue in situations where it is relevant.

forest
  • 64,616
  • 20
  • 206
  • 257