Less Leaky ECDSA signature generation (in master)
Jacob Bachmeyer
jcb62281 at gmail.com
Thu Mar 27 03:05:28 CET 2025
On 3/26/25 19:06, NIIBE Yutaka via Gcrypt-devel wrote:
> [...] For the first improvement,
> I realized that runtime checks in ec_mod and its friends could be leaky,
> because it depends on how small/big the value is.
Could these checks instead be improved to run in constant time?
> Since it is (or can be) a precondition for those routines in the code of
> libgcrypt, it can be removed. Since it could be leaky, it's good to be
> removed.
Hypothetically, if those preconditions are violated, what could go
wrong? How badly does the math fall apart? Could an invalid result
potentially (partially) expose the signing key?
Removing runtime checks in this type of code makes me nervous. Maybe it
is just paranoia.
-- Jacob
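Jacob's question above, whether such a precondition check could be made constant-time, illustrated with an added example that is not part of this thread or of libgcrypt: a fixed-width `a < p` range check in its early-exit (variable-time) form beside a branch-free form that propagates the borrow through every limb. `lt_vartime`, `ct_lt_limb`, `lt_consttime` and the 4-limb representation are assumptions of the example, not libgcrypt's `ec_mod` code.

```c
#include <stdint.h>
#include <stddef.h>

/* Fixed-width big integer: LIMBS 64-bit limbs, least significant first
 * (a simplified stand-in for an MPI, constructed for this example). */
#define LIMBS 4
typedef uint64_t limb_t;

/* Variable-time precondition check "a < p".  It returns at the first
 * differing limb, so its running time depends on where a and p first
 * differ, i.e. on how big a is relative to p. */
int lt_vartime(const limb_t a[LIMBS], const limb_t p[LIMBS])
{
    for (int i = LIMBS - 1; i >= 0; i--) {
        if (a[i] < p[i]) return 1;
        if (a[i] > p[i]) return 0;
    }
    return 0;
}

/* Constant-time x < y for one limb: the top bit of the expression is the
 * borrow of x - y, computed with bit operations only (no branch). */
static limb_t ct_lt_limb(limb_t x, limb_t y)
{
    return (x ^ ((x ^ y) | ((x - y) ^ y))) >> 63;
}

/* Constant-time "a < p": propagates the borrow of a - p through every limb
 * whatever the values are, so the work done does not depend on a. */
int lt_consttime(const limb_t a[LIMBS], const limb_t p[LIMBS])
{
    limb_t borrow = 0;
    for (size_t i = 0; i < LIMBS; i++) {
        limb_t d = a[i] - p[i];
        /* Borrow out of a[i] - p[i] - borrow; the two cases are exclusive. */
        borrow = ct_lt_limb(a[i], p[i]) | ct_lt_limb(d, borrow);
    }
    return (int)borrow;
}

/* NIST P-256 prime, least significant limb first, used as the sample modulus. */
const limb_t P256[LIMBS] = { 0xffffffffffffffffULL, 0x00000000ffffffffULL,
                             0x0000000000000000ULL, 0xffffffff00000001ULL };
```

The branch-free form only removes data-dependent control flow at the source level; whether the compiled code is actually constant-time still has to be checked on the generated object code.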