[Cryptech Tech] RSA-CRT fault based key leakage
Bernd Paysan
bernd at net2o.de
Fri Sep 4 19:55:56 UTC 2015
On Friday, 4 September 2015, 15:16:15, Rob Austein wrote:
> I've seen this general recommendation (always verify the signature
> you just generated) in a couple of places, for both RSA and ECDSA.
> For RSA this is a relatively cheap operation; for ECDSA it probably
> costs at least as much as generating the signature.
For ECDSA (or Ed25519-style DSA), I don't think there is a similar fault-based
attack, but only the one on the defective random number generator. k absolutely
must be different for different hashes (if it is deterministically computed by
hashing the message hash and the secret key, as in Ed25519, identical hashes
produce identical k, so the signature is repeatedly the same, which is
perfectly fine).
RSA signatures are easier to verify than to make; with ECDSA, it's the other
way round. That means verifying all signatures is more costly, so hardening
ECDSA against RSA-CRT bugs is more expensive. But then, it does not have this
problem, so why bother?
There have been successful timing attacks on ECDSA, too, so all operations
using the secret need to be constant-time.
--
Bernd Paysan
"If you want it done right, you have to do it yourself"
net2o ID: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*
http://bernd-paysan.de/
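As an added worked example (not code from this thread or from the Cryptech project), the RSA-CRT self-check under discussion: a toy Garner-recombination signer whose mod-p half can be deliberately corrupted to simulate a glitch, a verify-before-release wrapper that refuses to emit the bad signature, and the gcd computation showing why an unchecked faulty signature is a key leak. The primes, exponent and message are constructed toy values, far too small for real use.

```python
from math import gcd

# Constructed toy key: small primes only, for illustration.
P, Q = 104729, 1299709          # both prime; never use such sizes in practice
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)             # private exponent (Python 3.8+ modular inverse)
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)            # q^-1 mod p, for Garner recombination

MSG = 123456789                 # constructed "message hash", already reduced mod N


def crt_sign(m: int, fault_in_p: bool = False) -> int:
    """RSA-CRT signing: two half-size exponentiations, then Garner recombination.
    fault_in_p simulates a glitch that corrupts only the mod-p half."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp = (sp + 1) % P       # simulated fault: mod-p result off by one
    h = (QINV * (sp - sq)) % P
    return sq + h * Q           # s == sp (mod p) and s == sq (mod q)


def verify(m: int, s: int) -> bool:
    """Cheap public-key check: one exponentiation with the small public exponent."""
    return pow(s, E, N) == m


def hardened_sign(m: int, fault_in_p: bool = False) -> int:
    """The mitigation from the thread: verify the signature you just generated
    and never release one that does not check out."""
    s = crt_sign(m, fault_in_p)
    if not verify(m, s):
        raise RuntimeError("signature failed self-check; not released")
    return s


def factor_from_faulty(m: int, s_bad: int) -> int:
    """Why the check matters: with only the mod-p half wrong, s_bad^e == m (mod q)
    still holds but s_bad^e != m (mod p), so gcd(s_bad^e - m, N) is q and the
    modulus is factored from a single faulty signature."""
    return gcd((pow(s_bad, E, N) - m) % N, N)
```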