(EC)DSA signature generation constant-time (not depend value of K)

NIIBE Yutaka gniibe at fsij.org
Mon Feb 17 06:38:32 CET 2025


Hello,

For (EC)DSA signature generation, I created a ticket:

	https://dev.gnupg.org/T7519

And added some patches (including some *_lli routines).

Here are more patches to be applied on top of the master commit:

	58e72af4eac4711993191919b6890b5ebb554acc

The major improvement for least leak might be the change of
_gcry_dsa_modify_k.

_gcry_dsa_modify_k was introduced for the original Minerva attack so that
the length of limbs for K is always the same size, but the use of mpi_add in
the routine becomes the source of the signal for K.
-- 
Attachments (non-text attachments scrubbed by the list archive):

Name: 0001-cipher-EC-DSA-Fix-_gcry_dsa_modify_k-to-least-leak.patch
Type: text/x-diff
Size: 1585 bytes
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20250217/7a148917/attachment.patch>

Name: 0002-cipher-EC-DSA-Avoid-MPI-normalize-by-mpi_rshift.patch
Type: text/x-diff
Size: 1270 bytes
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20250217/7a148917/attachment-0001.patch>

Name: 0003-cipher-EC-DSA-Fix-_gcry_dsa_gen_-k-not-to-normalize-.patch
Type: text/x-diff
Size: 1636 bytes
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20250217/7a148917/attachment-0002.patch>
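To illustrate the padding step the message refers to, here is an added example (written for this page, not libgcrypt's _gcry_dsa_modify_k): it assumes the usual Minerva-style padding k' = k + q, or k + 2q when that does not reach bit qbits, and performs it with loops over a fixed limb count and a mask select, so the work done never depends on how many limbs of K are non-zero or on which candidate is chosen. The limb width, NLIMBS and the 64-bit demo wrapper are choices of this example only.

```c
#include <stdint.h>
#include <stddef.h>
#define NLIMBS 3          /* fixed width: q plus one spare limb for the overflow bit */
typedef uint32_t limb_t;  /* 32-bit limbs keep the carry arithmetic portable */

/* r = a + b over exactly NLIMBS little-endian limbs: no early exit, no normalization. */
static void add_fixed(limb_t r[NLIMBS], const limb_t a[NLIMBS], const limb_t b[NLIMBS])
{
    uint64_t carry = 0;
    for (size_t i = 0; i < NLIMBS; i++) {
        uint64_t s = (uint64_t)a[i] + b[i] + carry;
        r[i] = (limb_t)s;
        carry = s >> 32;
    }
}

/* Bit `pos` of a, as 0 or 1. */
static limb_t test_bit(const limb_t a[NLIMBS], unsigned pos)
{
    return (a[pos / 32] >> (pos % 32)) & 1u;
}

/* r = cond ? b : a for cond in {0,1}, using a mask rather than a branch. */
static void select_fixed(limb_t r[NLIMBS], const limb_t a[NLIMBS],
                         const limb_t b[NLIMBS], limb_t cond)
{
    limb_t mask = (limb_t)0 - cond;
    for (size_t i = 0; i < NLIMBS; i++)
        r[i] = (a[i] & ~mask) | (b[i] & mask);
}

/* Pad the nonce: k' = k + q, or k + 2q when bit `qbits` of k + q is still clear.
 * Either way bit `qbits` ends up set, so every padded nonce has the same length. */
void modify_k(limb_t k[NLIMBS], const limb_t q[NLIMBS], unsigned qbits)
{
    limb_t kq[NLIMBS], k2q[NLIMBS];
    add_fixed(kq, k, q);
    add_fixed(k2q, kq, q);
    select_fixed(k, kq, k2q, 1u ^ test_bit(kq, qbits));
}

/* Demo wrapper (assumption of this example): 64-bit k and q in, padded nonce out. */
unsigned __int128 modify_k_u64(uint64_t k, uint64_t q, unsigned qbits)
{
    limb_t kl[NLIMBS] = { (limb_t)k, (limb_t)(k >> 32), 0 };
    limb_t ql[NLIMBS] = { (limb_t)q, (limb_t)(q >> 32), 0 };
    modify_k(kl, ql, qbits);
    return ((unsigned __int128)kl[2] << 64) | ((uint64_t)kl[1] << 32) | kl[0];
}
```

The wrapper uses the GCC/Clang `unsigned __int128` extension only to make the 65-bit result easy to inspect; the padding routine itself is plain C99.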