It's recommended for crypto libraries to integrate countermeasures against unexpected events, such as memory faults, arithmetic errors, and broken CPUs. In the event a computation is incorrect, detecting a failure of this nature rather than releasing the outcome(s) of a faulty computation is preferable.
One can refer back to several publicly documented cases whereby a single faulty operation within the RSA PKCS signature scheme has leaked the private key. Deterministic ECDSA and EdDSA signature schemes have similar properties.
Could RustCrypto crates contain sufficient self checks to detect faulty computations?
The only countermeasure for fault attacks we currently provide is the ability to supply supplemental randomness via the RandomizedSigner trait. This avoids, e.g., potential reuse of k for ECDSA when an attacker is able to perform a fault attack.
This approach of strategically preventing such fault attacks is much more robust than fault detection, which can often be trivially bypassed with a double fault attack (or n+1 fault attacks for n fault detectors).
As far as simply broken CPUs go, outside the immediate threat of an attacker, we could potentially implement self-tests, and in many cases we already have the test vectors to do so embedded in the crates themselves (not just their test suites). We can't easily run these tests automatically due to Rust's lack of "life before main" without creating some rather onerous APIs which force such usage via ZSTs or what have you, but it could be possible for a crate user to call the self-tests directly as part of some initialization process in their code.
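The key leak the issue describes for deterministic ECDSA, and the two responses in the reply above (supplemental nonce randomness, and a sign-then-verify self-check), worked through end to end as an added example. This is not RustCrypto code and uses none of its crates: it runs on the textbook toy curve y^2 = x^3 + 2x + 2 over F_17 (generator G = (5, 1) of prime order n = 19), the "hash" h is just an integer mod n, the nonce derivation is a toy stand-in for RFC 6979, and the fault is modelled as one extra addition step inside the k*G scalar multiplication while s is still computed with the original k (all of these are assumptions made for the example). With a deterministic nonce, one correct and one faulted signature on the same message recover d = h (s' - s) / (s r' - s' r) mod n; a signature that is verified before release is rejected instead, and a nonce that mixes in per-signature randomness no longer shares k between the two signatures, so the same recovery yields a wrong key.

```rust
// Added example (not RustCrypto code): single-fault key recovery against
// deterministic ECDSA on a toy curve, plus the two mitigations discussed.
//
// Curve (assumption, textbook example): y^2 = x^3 + 2x + 2 over F_17,
// generator G = (5, 1) with prime order n = 19.
const P: i64 = 17;
const A: i64 = 2;
const N: i64 = 19;
const G: Point = Some((5, 1));

/// Affine point; `None` is the point at infinity.
type Point = Option<(i64, i64)>;

fn modp(x: i64, m: i64) -> i64 { ((x % m) + m) % m }

/// Modular inverse by Fermat's little theorem (m must be prime).
fn inv(x: i64, m: i64) -> i64 {
    let (mut base, mut exp, mut acc) = (modp(x, m), m - 2, 1);
    while exp > 0 {
        if exp & 1 == 1 { acc = acc * base % m; }
        base = base * base % m;
        exp >>= 1;
    }
    acc
}

/// Affine point addition (handles doubling and the identity).
fn add(p: Point, q: Point) -> Point {
    let ((x1, y1), (x2, y2)) = match (p, q) {
        (None, _) => return q,
        (_, None) => return p,
        (Some(a), Some(b)) => (a, b),
    };
    if x1 == x2 && modp(y1 + y2, P) == 0 { return None; }
    let lambda = if (x1, y1) == (x2, y2) {
        modp((3 * x1 * x1 + A) * inv(2 * y1, P), P)
    } else {
        modp((y2 - y1) * inv(x2 - x1, P), P)
    };
    let x3 = modp(lambda * lambda - x1 - x2, P);
    let y3 = modp(lambda * (x1 - x3) - y1, P);
    Some((x3, y3))
}

/// Double-and-add scalar multiplication, scalar taken mod n.
fn mul(k: i64, mut p: Point) -> Point {
    let mut acc = None;
    let mut k = modp(k, N);
    while k > 0 {
        if k & 1 == 1 { acc = add(acc, p); }
        p = add(p, p);
        k >>= 1;
    }
    acc
}

/// Toy deterministic nonce in [1, n-1] (assumption, stands in for RFC 6979).
/// `extra` models the supplemental randomness of a hedged/randomized signer;
/// with extra = 0 the nonce is a pure function of (d, h).
fn nonce(d: i64, h: i64, extra: i64) -> i64 { modp(d * h + extra, N - 1) + 1 }

/// ECDSA sign. `fault` models a glitch during k*G: the point used for r is
/// off by one addition step, but s is still computed with the original k.
fn sign(d: i64, h: i64, extra: i64, fault: bool) -> Option<(i64, i64)> {
    let k = nonce(d, h, extra);
    let mut r_point = mul(k, G);
    if fault { r_point = add(r_point, G); }
    let r = modp(r_point?.0, N);
    let s = modp(inv(k, N) * modp(h + r * d, N), N);
    if r == 0 || s == 0 { None } else { Some((r, s)) }
}

/// Standard ECDSA verification; a signer can run this on its own output
/// before releasing it, which rejects the single-faulted signature.
fn verify(q: Point, h: i64, (r, s): (i64, i64)) -> bool {
    if r <= 0 || r >= N || s <= 0 || s >= N { return false; }
    let w = inv(s, N);
    match add(mul(h * w, G), mul(r * w, q)) {
        Some((x, _)) => modp(x, N) == r,
        None => false,
    }
}

/// Key recovery from a correct signature (r, s) and a faulted one (r', s')
/// on the same h that share the nonce k: d = h (s' - s) / (s r' - s' r) mod n.
fn recover(h: i64, (r, s): (i64, i64), (r2, s2): (i64, i64)) -> Option<i64> {
    let denom = modp(s * r2 - s2 * r, N);
    if denom == 0 { return None; }
    Some(modp(h * modp(s2 - s, N) * inv(denom, N), N))
}

fn main() {
    let (d, h) = (7, 3);                    // private key and message "hash"
    let q = mul(d, G);                      // public key
    let good = sign(d, h, 0, false).unwrap();
    let bad = sign(d, h, 0, true).unwrap(); // same deterministic k, faulted r
    println!("good {:?} verifies: {}", good, verify(q, h, good));
    println!("bad  {:?} verifies: {}", bad, verify(q, h, bad));
    println!("recovered d = {:?} (real d = {})", recover(h, good, bad), d);
    let hedged = sign(d, h, 5, true).unwrap(); // supplemental randomness changes k
    println!("with hedged nonce, recovery gives {:?}", recover(h, good, hedged));
}
```

On this curve with d = 7 and h = 3 the correct signature is (3, 6) and the faulted one is (9, 7); `recover` returns 7 from the pair, `verify` rejects the faulted signature, and once the nonce mixes in the extra value the faulted signature (7, 10) no longer shares k with the correct one and the recovery formula returns 1 rather than 7. The reply's caveat still applies: the verify step only stops a single fault, while the randomized nonce removes the shared-k relation the recovery depends on.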