Field of the Disclosure
Various features relate to digital signature generation, particularly nonce-based digital signature generation.
Description of Related Art
Digital signature schemes such as the Digital Signature Algorithm (DSA) and Elliptic Curve DSA (ECDSA) fail if nonces (i.e. the per-message secret numbers used by such procedures) are reused for different messages. That is, an attacker who obtains two signatures produced with the same nonce can solve for the nonce and then for the long-term private key used with the digital signature, thereby allowing the attacker to create forged signatures that otherwise appear valid. To address this issue, deterministic generation of nonces has been proposed, wherein a nonce k is generated roughly in accordance with k=HMAC(d, h(m)), where d is the long-term private key, h is a hash function, m is the message to be signed and HMAC is a Hash-based Message Authentication Code function. Each message thereby leads deterministically to a single k value for a given key d, so a given message is never signed with two different nonces and two different messages share a nonce only with negligible probability. A deterministic approach is described, for example, in “Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)” by T. Pornin, August 2013. One issue with a deterministic approach is that it potentially exposes the private key to certain side-channel attacks, e.g. differential power analysis (DPA), because signing the same message repeatedly performs the same nonce-dependent computation each time, so the attacker can repeat measurements to average out noise that would otherwise hinder the attack.
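The two behaviours described above, nonce reuse leading to private-key recovery and the deterministic nonce k=HMAC(d, h(m)) tying each message to a single nonce, can be shown concretely with a small ECDSA implementation. The following is an added example written for this page; it is not code from the disclosure or from RFC 6979. It uses the public secp256k1 domain parameters and only the Python standard library; the private key, nonce and messages are constructed for the demonstration, and deterministic_nonce implements the simplified HMAC construction sketched in the text rather than the full HMAC_DRBG procedure of RFC 6979.

```python
"""Toy ECDSA on secp256k1: nonce-reuse key recovery and a deterministic nonce.
Added illustration, not from the disclosure. Standard library only."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P); G has prime order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P  # curve coefficient a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_msg(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def sign(d: int, m: bytes, k: int):
    """ECDSA signing with a caller-supplied nonce so that reuse can be shown."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (hash_msg(m) + d * r) % N
    assert r != 0 and s != 0
    return (r, s)


def verify(Q, m: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    R = point_add(scalar_mult(hash_msg(m) * w % N, G), scalar_mult(r * w % N, Q))
    return R is not None and R[0] % N == r


def recover_key_from_reused_nonce(m1, sig1, m2, sig2) -> int:
    """Two signatures with the same k share r: solve for k, then for d."""
    r, s1 = sig1
    r2, s2 = sig2
    assert r == r2, "nonce reuse shows up as an identical r"
    h1, h2 = hash_msg(m1), hash_msg(m2)
    k = (h1 - h2) * pow(s1 - s2, -1, N) % N      # s1 - s2 = k^-1 (h1 - h2)
    return (s1 * k - h1) * pow(r, -1, N) % N      # s1 k = h1 + d r


def deterministic_nonce(d: int, m: bytes) -> int:
    """Simplified k = HMAC(d, h(m)) mod N as sketched in the text; this is an
    assumption for illustration, not the full HMAC_DRBG of RFC 6979."""
    mac = hmac.new(d.to_bytes(32, "big"), hashlib.sha256(m).digest(),
                   hashlib.sha256).digest()
    k = int.from_bytes(mac, "big") % N
    return k if k != 0 else 1


def demo():
    d = secrets.randbelow(N - 1) + 1                # constructed private key
    Q = scalar_mult(d, G)
    m1, m2 = b"transfer 10", b"transfer 9000"       # constructed messages
    k = secrets.randbelow(N - 1) + 1
    sig1, sig2 = sign(d, m1, k), sign(d, m2, k)     # the mistake: one k, two messages
    assert verify(Q, m1, sig1) and verify(Q, m2, sig2)
    recovered = recover_key_from_reused_nonce(m1, sig1, m2, sig2)
    k_det = deterministic_nonce(d, m1)              # same (d, m) always gives same k
    return (recovered == d,
            k_det == deterministic_nonce(d, m1),
            verify(Q, m1, sign(d, m1, k_det)))


if __name__ == "__main__":
    print(demo())
```

Running demo() returns (True, True, True): the private key is recovered from the two reused-nonce signatures, the deterministic nonce is stable for a fixed key and message, and signatures made with it verify normally. The attacker in recover_key_from_reused_nonce needs nothing but the two public signatures and messages, which is exactly why nonce reuse is fatal.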
According to the Request for Comments (RFC) publishing the aforementioned paper (i.e. RFC 6979, ISSN 2070-1721), side-channel attacks are a consideration whenever an attacker can accurately measure aspects of an implementation, such as the length of time it takes to perform a signing operation or the power consumed at each point of the signing operation. The determinism of such algorithms may thus be useful to an attacker in some forms of side-channel attacks, and so implementations should use defensive measures to avoid leaking the private key through a side channel. Note that the exponentiation or point-multiplication portion of signature generation in DSA (or similar techniques) is rarely a target for DPA-style side-channel attacks exploiting channels such as power, electromagnetic radiation or timing, because the nonce is different for each call to the signature oracle and DPA relies on many measurements of the same secret-dependent computation. Instead, attackers must rely on simple power analysis (SPA) techniques, which are much more restrictive with respect to attacker capabilities, e.g. measurements cannot be repeated to reduce noise in the side channel. Deterministic generation of nonces can eliminate or weaken this natural side-channel resistance, since an attacker who can request signatures over the same message repeatedly observes the same nonce-dependent computation each time. In other words, although the deterministic generation of nonces can reduce certain vulnerabilities in digital signature techniques, other vulnerabilities can arise.
Therefore, it would be helpful to provide improved nonce-based procedures for use, for example, in generating digital signatures.