[Cryptech Tech] Storage of curve parameters for ECDSA

Joachim Strömbergson joachim at secworks.se
Fri Jan 15 12:00:29 UTC 2016


Aloha!

Simon Josefsson wrote:
> What threat model wrt side-channels are you assuming?  There are
> many side-channel failure modes of ECDSA that have been successfully 
> attacked, and implementing it correctly is Hard.  At the least, I 
> suggest to make sure that your implementation is constant-time or at 
> least that different timing cannot be correlated with the private
> key. Hiding private-key influence in power fluctuations is more
> challenging, although I recall some presentations about some methods
> presented by INRIA folks at ECC 2015.  People have also attacked
> ECDSA by finding flaws in the bignum library that leaks private-key
> bits for certain rare inputs, so you want to be certain that the
> bignum library you use produces correct results for all inputs (no
> general purpose bignum library comes with such proofs/guarantees as
> far as I know).

There is a new, good paper by Lange and DJB that among other things
describes side channel problems related to NIST's EC curves (and that
similar issues can be avoided using 25519):

https://cr.yp.to/newelliptic/nistecc-20160106.pdf

Main focus is on typical SW-issues. Well worth a read through for HW
implementation too, imho.

-- 
Med vänlig hälsning, Yours

Joachim Strömbergson - Alltid i harmonisk svängning.
========================================================================
 Joachim Strömbergson          Secworks AB          joachim at secworks.se
========================================================================