[Cryptech Tech] Storage of curve parameters for ECDSA

Pavel Shatov meisterpaul1 at yandex.ru
Thu Jan 14 21:38:08 UTC 2016


On 14.01.2016 23:54, Simon Josefsson wrote:
> What threat model wrt side-channels are you assuming?  There are many
> side-channel failure modes of ECDSA that have been successfully
> attacked, and implementing it correctly is Hard.  At the least, I
> suggest to make sure that your implementation is constant-time or at
> least that different timing cannot be correlated with the private key.
> Hiding private-key influence in power fluctuations is more challenging,
> although I recall some presentations about some methods presented by
> INRIA folks at ECC 2015.  People have also attacked ECDSA by finding
> flaws in the bignum library that leaks private-key bits for certain rare
> inputs, so you want to be certain that the bignum library you use
> produces correct results for all inputs (no general purpose bignum
> library comes with such proofs/guarantees as far as I know).
>

Thank you for your feedback, Simon!

Right now we have a software implementation of ECDSA, and our next goal is 
to move elliptic curve point multiplication into an FPGA. Speaking of 
constant-time operation, it will be easier to achieve than in a 
processor, because there will be no branching, no cache, no interrupts, etc.

Speaking of power fluctuations, as far as I know, the rule of thumb is 
to not use any clock enable signals to save power, i.e. if there's a 
multiplier somewhere, it should be crunching all the time, regardless of 
whether its output is needed right now or not.

Speaking of bignum libraries, the software implementation uses libtfm, 
and for the hardware FPGA implementation I've written modules that do 
multi-word modular arithmetic, and now I'm in the process of writing 
point addition and doubling procedures. In that sense, your mention of 
bignum flaws is very interesting. Do you have any links to papers or 
presentations, maybe?


-- 
With best regards,
Pavel Shatov
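The constant-time scalar multiplication discussed above (no key-dependent branching, the same operation schedule for every scalar) can be seen in miniature below. This is an added example, not Cryptech code: the curve, field and base point are constructed toy values, and the operation traces show why a branchy double-and-add leaks the scalar's bit pattern while a Montgomery ladder issues an identical add/double sequence regardless of the key.

```python
# Toy short-Weierstrass curve y^2 = x^3 + 7 over F_17 (18 points, cyclic).
# Field, curve and base point are constructed for illustration only.
P, A = 17, 0
G = (15, 13)   # base point of order 18
INF = None     # point at infinity

def inv(x):
    return pow(x % P, P - 2, P)   # Fermat inverse; P is prime

def add(p1, p2):
    """Affine point addition; doubles when p1 == p2."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # Q + (-Q)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul_double_and_add(k, pt):
    """Textbook double-and-add -> (k*pt, op trace). The addition runs only
    for 1 bits, so the trace (hence timing/power) depends on the scalar."""
    r, ops = INF, ""
    for bit in bin(k)[2:]:
        r, ops = add(r, r), ops + "D"
        if bit == "1":
            r, ops = add(r, pt), ops + "A"
    return r, ops

def mul_ladder(k, pt, nbits=5):
    """Montgomery ladder -> (k*pt, op trace): fixed length, one add and one
    double per bit, swap by index rather than a key-dependent branch. Python
    is not constant-time; the uniform schedule is what lets an FPGA datapath
    run with data-independent timing."""
    r0, r1, ops = INF, pt, ""                # invariant: r1 - r0 == pt
    for i in reversed(range(nbits)):
        b = (k >> i) & 1
        r0, r1 = ((r0, r1), (r1, r0))[b]     # conditional swap
        r1, r0 = add(r0, r1), add(r0, r0)
        ops += "AD"
        r0, r1 = ((r0, r1), (r1, r0))[b]
    return r0, ops
```

Comparing the two traces over all scalars shows the ladder's schedule never changes, while the double-and-add trace varies with the Hamming weight and length of k.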