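% Internet-Draft, revision 04 of draft-irtf-cfrg-det-sigs-with-noise, marked "Work in Progress".
% Internet-Drafts can be revised or replaced: check the datatracker URL for the
% current revision before treating the hedged-signature recommendations as settled.
% Authors use "Last, First" form so the compound surname "Preuß Mattsson" is not split;
% only the acronyms in the title are brace-protected so the style can still apply its casing.
@techreport{irtf-cfrg-det-sigs-with-noise-04,
  author      = {Preuß Mattsson, John and Thormarker, Erik and Ruohomaa, Sini},
  title       = {Hedged {ECDSA} and {EdDSA} Signatures},
  type        = {Internet-Draft},
  number      = {draft-irtf-cfrg-det-sigs-with-noise-04},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  year        = 2024,
  month       = nov,
  day         = 6,
  pagetotal   = 17,
  note        = {Work in Progress},
  url         = {https://datatracker.ietf.org/doc/draft-irtf-cfrg-det-sigs-with-noise/04/},
  abstract    = {Deterministic elliptic-curve signatures such as deterministic
                 ECDSA and EdDSA have gained popularity over randomized ECDSA as
                 their security does not depend on a source of high-quality
                 randomness. Recent research, however, has found that
                 implementations of these signature algorithms may be vulnerable
                 to certain side-channel and fault injection attacks due to their
                 deterministic nature. One countermeasure to such attacks is
                 hedged signatures where the calculation of the per-message
                 secret number includes both fresh randomness and the message.
                 This document updates RFC 6979 and RFC 8032 to recommend hedged
                 constructions in deployments where side-channel attacks and
                 fault injection attacks are a concern. The updates are invisible
                 to the validator of the signature and compatible with existing
                 ECDSA and EdDSA validators.},
}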