[Cryptech Tech] Storage of curve parameters for ECDSA

Simon Josefsson simon at josefsson.org
Thu Jan 14 20:54:59 UTC 2016


What threat model wrt side-channels are you assuming?  There are many
side-channel failure modes of ECDSA that have been successfully
attacked, and implementing it correctly is Hard.  At the least, I
suggest making sure that your implementation is constant-time or at
least that different timing cannot be correlated with the private key.
Hiding private-key influence in power fluctuations is more challenging,
although I recall some presentations about some methods presented by
INRIA folks at ECC 2015.  People have also attacked ECDSA by finding
flaws in the bignum library that leaks private-key bits for certain rare
inputs, so you want to be certain that the bignum library you use
produces correct results for all inputs (no general purpose bignum
library comes with such proofs/guarantees as far as I know).

/Simon
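The constant-time point Simon raises above, shown in code as an added example (not from this post, nor from the Cryptech project's own code): a secret-dependent branch on a scalar bit, as a scalar-multiplication ladder would take in its naive form, next to the branch-free conditional swap that replaces it, plus a no-early-exit equality check and a self-check that the two swaps compute the same result. The 8 x 32-bit limb layout and all function names are assumptions made for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define LIMBS 8  /* assumed: a 256-bit scalar/coordinate as 8 x 32-bit limbs */

/* Variable-time swap: the `if (bit)` is control flow that depends on a
 * private-key bit, so the time (and power) profile of each ladder step tells
 * an observer which bit was processed. Kept only as the "before" picture. */
static void vt_cswap(uint32_t *a, uint32_t *b, unsigned bit)
{
    if (bit) {                                  /* secret-dependent branch */
        for (size_t i = 0; i < LIMBS; i++) {
            uint32_t t = a[i]; a[i] = b[i]; b[i] = t;
        }
    }
}

/* Constant-time conditional swap: the same instruction sequence executes for
 * bit = 0 and bit = 1; only the data differs. mask is 0xFFFFFFFF when bit = 1
 * and 0 when bit = 0, so `diff` is either the XOR difference or zero. */
static void ct_cswap(uint32_t *a, uint32_t *b, unsigned bit)
{
    uint32_t mask = (uint32_t)0 - (uint32_t)(bit & 1);
    for (size_t i = 0; i < LIMBS; i++) {
        uint32_t diff = (a[i] ^ b[i]) & mask;
        a[i] ^= diff;
        b[i] ^= diff;
    }
}

/* Constant-time equality over n bytes: no early exit on the first mismatch,
 * so the running time does not depend on where (or whether) the inputs
 * differ. Returns 1 if equal, 0 otherwise, without branching on the data. */
static int ct_eq(const uint8_t *x, const uint8_t *y, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(x[i] ^ y[i]);
    /* acc == 0  -> (acc - 1) wraps to 0xFFFFFFFF, bit 8 set -> 1
     * acc != 0  -> (acc - 1) in 0..254, bit 8 clear         -> 0 */
    return (int)(1 & ((uint32_t)(acc - 1) >> 8));
}

/* Read bit i of a little-endian limb array. The index i is the public loop
 * counter of a ladder; only the returned value is secret. */
static unsigned scalar_bit(const uint32_t *k, unsigned i)
{
    return (k[i / 32] >> (i % 32)) & 1u;
}

/* Self-check that the constant-time swap is functionally identical to the
 * obvious one for both bit values. Returns 1 on success, 0 on any mismatch. */
static int cswap_selfcheck(void)
{
    for (unsigned bit = 0; bit < 2; bit++) {
        uint32_t a1[LIMBS], b1[LIMBS], a2[LIMBS], b2[LIMBS];
        for (size_t i = 0; i < LIMBS; i++) {    /* constructed sample limbs */
            a1[i] = a2[i] = 0x11111111u * (uint32_t)(i + 1);
            b1[i] = b2[i] = 0xA5A5A5A5u ^ (uint32_t)i;
        }
        vt_cswap(a1, b1, bit);
        ct_cswap(a2, b2, bit);
        if (memcmp(a1, a2, sizeof a1) != 0 || memcmp(b1, b2, sizeof b1) != 0)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* constructed scalar: only limb 0 is non-zero, bits 0 and 3 set */
    uint32_t k[LIMBS] = { 0x9u, 0, 0, 0, 0, 0, 0, 0 };
    printf("cswap self-check: %s\n", cswap_selfcheck() ? "ok" : "MISMATCH");
    printf("bit 0 = %u, bit 1 = %u, bit 3 = %u\n",
           scalar_bit(k, 0), scalar_bit(k, 1), scalar_bit(k, 3));
    printf("ct_eq(abc, abc) = %d, ct_eq(abc, abd) = %d\n",
           ct_eq((const uint8_t *)"abc", (const uint8_t *)"abc", 3),
           ct_eq((const uint8_t *)"abc", (const uint8_t *)"abd", 3));
    return 0;
}
```

The mask trick only helps if the compiler keeps it as arithmetic; an optimizer is free to turn `& mask` back into a branch, so the emitted assembly for `ct_cswap` and `ct_eq` should be inspected (or measured with a timing harness) on the actual target rather than trusted from the C source. It also addresses only the timing/control-flow part of Simon's list: power-analysis resistance and bignum correctness for every input are separate problems that this code does nothing about.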