[Cryptech Tech] RSA-CRT fault based key leakage

Bernd Paysan bernd at net2o.de
Fri Sep 4 19:55:56 UTC 2015


On Friday, 4 September 2015, 15:16:15, Rob Austein wrote:
> I've seen this general recommendation (always verify the signature
> you just generated) in a couple of places, for both RSA and ECDSA.
> For RSA this is a relatively cheap operation; for ECDSA it probably
> costs at least as much as generating the signature.

For ECDSA (or Ed25519-style DSA), I don't think there is a similar fault-based 
attack, but only the one on the defective random number generator.  k absolutely 
must be different for different hashes (if it is deterministically computed by 
hashing the message hash and the secret key, as in Ed25519, identical hashes 
produce identical k, so the signature is repeatedly the same, which is 
perfectly fine).

RSA signatures are easier to verify than to make; with ECDSA, it's the other 
way round.  That means verifying all signatures is more costly, so hardening 
ECDSA against RSA-CRT bugs is more expensive.  But then, it does not have this 
problem, so why bother?

There have been successful timing attacks on ECDSA, too, so all operations 
using the secret need to be constant-time.

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
net2o ID: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*
http://bernd-paysan.de/
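The countermeasure discussed above (verify the RSA signature you just produced before releasing it, which is cheap because the public exponent is small) as a worked example. This is added illustration code, not code from the Cryptech project or from either poster; the 20-bit primes, the unpadded SHA-256 message representative and the `fault` flag that flips one bit in the mod-p half are constructed for the demonstration only, so that the check can be exercised offline.

```python
import hashlib

# Constructed toy RSA key: small primes chosen so the example runs instantly.
# Real keys use 2048-bit or larger moduli and a padding scheme such as PSS.
P = 1000003
Q = 1000033
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
# CRT private exponents and the coefficient used in Garner's recombination
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)


def message_rep(msg: bytes) -> int:
    """Textbook message representative: SHA-256 digest reduced mod N."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def rsa_crt_sign(m: int, fault: bool = False) -> int:
    """RSA-CRT signing with Garner's recombination.

    `fault` simulates a transient computational error in the mod-p half,
    the situation in which releasing an unverified CRT signature leaks the
    private key.  One flipped bit in one half is enough to corrupt the result.
    """
    s_p = pow(m, DP, P)
    s_q = pow(m, DQ, Q)
    if fault:
        s_p ^= 1  # simulated fault (constructed for the example)
    h = (QINV * (s_p - s_q)) % P
    return (s_q + h * Q) % N


def rsa_verify(m: int, s: int) -> bool:
    """Public operation: one 17-bit exponentiation, far cheaper than signing."""
    return pow(s, E, N) == m


def sign_with_check(msg: bytes, fault: bool = False):
    """Sign, then verify the fresh signature before handing it out.

    Returns None instead of a signature that fails verification, so a
    faulted CRT computation never leaves the signer.
    """
    m = message_rep(msg)
    s = rsa_crt_sign(m, fault)
    if not rsa_verify(m, s):
        return None
    return s


if __name__ == "__main__":
    good = sign_with_check(b"cryptech test message")
    bad = sign_with_check(b"cryptech test message", fault=True)
    print("good signature released:", good is not None)
    print("faulty signature withheld:", bad is None)
```

The check costs one modular exponentiation with the public exponent, so for RSA it adds a small fraction of the signing time; a signer that skips it and emits the faulty value has no other way to notice that one CRT half went wrong.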