[Cryptech Tech] Storage of curve parameters for ECDSA

Pavel Shatov meisterpaul1 at yandex.ru
Fri Jan 22 15:42:14 UTC 2016


On 15.01.2016 15:00, Joachim Strömbergson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Aloha!
>
> Simon Josefsson wrote:
>> What threat model wrt side-channels are you assuming?  There are
>> many side-channel failure modes of ECDSA that have been successfully
>> attacked, and implementing it correctly is Hard.  At the least, I
>> suggest to make sure that your implementation is constant-time or at
>> least that different timing cannot be correlated with the private
>> key. Hiding private-key influence in power fluctuations is more
>> challenging, although I recall some presentations about some methods
>> presented by INRIA folks at ECC 2015.  People have also attacked
>> ECDSA by finding flaws in the bignum library that leaks private-key
>> bits for certain rare inputs, so you want to be certain that the
>> bignum library you use produces correct results for all inputs (no
>> general purpose bignum library comes with such proofs/guarantees as
>> far as I know).
>
> There is a new, good paper by Lange and DJB that among other things
> describes side-channel problems related to NIST's EC curves (and that
> similar issues can be avoided using 25519):
>
> https://cr.yp.to/newelliptic/nistecc-20160106.pdf

That's an interesting paper, thanks!

As a person trying to implement elliptic curve point multiplication in 
an FPGA, I mostly agree with their criticism of ECDSA.

>
> Main focus is on typical SW-issues. Well worth a read through for HW
> implementation too, imho.
>

I see that reference [32] from the paper
(http://rijndael.ece.vt.edu/schaum/papers/2010hostf.pdf) should be 
interesting too, but I haven't had time to read it yet.


-- 
With best regards,
Pavel Shatov
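Simon's point that timing must not correlate with the private key, illustrated as an added example that is not part of this thread and not Cryptech's code: a scalar multiplication whose control flow branches on each key bit (double-and-add) next to a Montgomery ladder driven by a mask-based conditional swap. The curve parameters (y^2 = x^3 + 2x + 3 over F_97, base point (3, 6) of order 5), the fixed 8-bit scalar width and the operation counter are constructed for the demonstration. The affine point-addition helper still branches on the identity and on the doubling case; a hardened design would use complete projective formulas so that the field layer is branch-free as well, and the ladder here only shows the scalar-level property: the same number of point operations for every key.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy short-Weierstrass curve y^2 = x^3 + 2x + 3 over F_97 (constructed
 * demo parameters, not a real curve). Base point (3, 6) has order 5. */
#define P_MOD       97u
#define CURVE_A     2u
#define SCALAR_BITS 8          /* scalars are processed as fixed 8-bit values */

typedef struct { uint64_t x, y; uint64_t inf; } pt;   /* inf=1 marks the identity */

static unsigned long g_point_ops;   /* counts point add/double calls */

static uint64_t fadd(uint64_t a, uint64_t b) { return (a + b) % P_MOD; }
static uint64_t fsub(uint64_t a, uint64_t b) { return (a + P_MOD - b) % P_MOD; }
static uint64_t fmul(uint64_t a, uint64_t b) { return (a * b) % P_MOD; }
static uint64_t finv(uint64_t a) {                   /* Fermat: a^(p-2) mod p */
    uint64_t r = 1, e = P_MOD - 2;
    for (; e; e >>= 1, a = fmul(a, a)) if (e & 1) r = fmul(r, a);
    return r;
}

/* Affine point addition (doubling when a == b). This helper still branches
 * on the identity and on the doubling case; a hardened design would use
 * complete projective formulas so the field layer is branch-free too. */
static pt pt_add(pt a, pt b) {
    pt o = {0, 0, 1}, r = {0, 0, 0};
    uint64_t lam;
    g_point_ops++;
    if (a.inf) return b;
    if (b.inf) return a;
    if (a.x == b.x) {
        if (a.y != b.y || a.y == 0) return o;          /* a == -b */
        lam = fmul(fadd(fmul(3, fmul(a.x, a.x)), CURVE_A), finv(fmul(2, a.y)));
    } else {
        lam = fmul(fsub(b.y, a.y), finv(fsub(b.x, a.x)));
    }
    r.x = fsub(fsub(fmul(lam, lam), a.x), b.x);
    r.y = fsub(fmul(lam, fsub(a.x, r.x)), a.y);
    return r;
}

/* Branch-free conditional swap: a mask of all ones or all zeros is derived
 * from the key bit, so the executed instruction sequence never depends on it. */
static void cswap(uint64_t bit, pt *a, pt *b) {
    uint64_t mask = 0 - (bit & 1), t;
    t = mask & (a->x   ^ b->x);   a->x   ^= t; b->x   ^= t;
    t = mask & (a->y   ^ b->y);   a->y   ^= t; b->y   ^= t;
    t = mask & (a->inf ^ b->inf); a->inf ^= t; b->inf ^= t;
}

/* Leaky variant: an extra point addition happens only for set key bits, so
 * the operation count equals SCALAR_BITS + HammingWeight(k). */
unsigned long ops_double_and_add(uint64_t k, pt p, pt *out) {
    pt r = {0, 0, 1};
    int i;
    g_point_ops = 0;
    for (i = SCALAR_BITS - 1; i >= 0; i--) {
        r = pt_add(r, r);
        if ((k >> i) & 1) r = pt_add(r, p);            /* key-dependent branch */
    }
    *out = r;
    return g_point_ops;
}

/* Montgomery ladder: every bit performs exactly one add and one double,
 * selected by cswap, so the operation count is 2 * SCALAR_BITS for any k. */
unsigned long ops_ladder(uint64_t k, pt p, pt *out) {
    pt r0 = {0, 0, 1}, r1 = p;
    int i;
    g_point_ops = 0;
    for (i = SCALAR_BITS - 1; i >= 0; i--) {
        uint64_t bit = (k >> i) & 1;
        cswap(bit, &r0, &r1);
        r1 = pt_add(r0, r1);                            /* R1 = R0 + R1 */
        r0 = pt_add(r0, r0);                            /* R0 = 2 * R0  */
        cswap(bit, &r0, &r1);
    }
    *out = r0;
    return g_point_ops;
}

int main(void) {
    pt base = {3, 6, 0}, a, b;
    uint64_t k;
    for (k = 1; k <= 6; k++) {
        unsigned long n1 = ops_double_and_add(k, base, &a);
        unsigned long n2 = ops_ladder(k, base, &b);
        printf("k=%llu  dbl-add ops=%lu  ladder ops=%lu  same result=%d\n",
               (unsigned long long)k, n1, n2,
               (int)(a.inf == b.inf && a.x == b.x && a.y == b.y));
    }
    return 0;
}
```

Running it shows both routines agreeing on k*P while the double-and-add count tracks the Hamming weight of k and the ladder count stays fixed; on a real target the same property has to be carried down through the field arithmetic and, as Simon notes, into the bignum routines' correctness for every input.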


