Less Leaky ECDSA signature generation (in master)
NIIBE Yutaka
gniibe at fsij.org
Mon Mar 31 03:07:07 CEST 2025
Jacob Bachmeyer wrote:
> That raises another question: is the modular reduction (or more
> importantly its bypass if unneeded) constant-time? In other words, is
> the choice of "use intermediate result (0<X<P) as-is" or "reduce
> intermediate result (P<X<2*P)" constant-time? (It should already be;
> this would be a fairly severe timing leak if it is not.)
In the context of ECDSA (Weierstrass curve), for NIST curves and
secp256k1, it's constant-time. For other curves, it's good to have
constant-time implementation, but this goal has not been achieved in
libgcrypt yet.
--
More information about the Gcrypt-devel mailing list
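As an added illustration (not libgcrypt code, and not from either poster), this is the branch-free shape of the "reduce or use as-is" step the question asks about: both x and x - p are always computed and a mask derived from the final borrow selects one, so the choice leaves no timing signal. The NIST P-256 prime is used as the sample modulus; the limb layout and test vectors are constructed for this example.

```c
#include <stdint.h>
#define LIMBS 4   /* 256-bit values as four little-endian 64-bit limbs */
/* NIST P-256 prime 2^256 - 2^224 + 2^192 + 2^96 - 1, little-endian limbs. */
static const uint64_t P256[LIMBS] = { 0xFFFFFFFFFFFFFFFFull, 0x00000000FFFFFFFFull,
                                      0x0000000000000000ull, 0xFFFFFFFF00000001ull };

/* Borrow out of a - b (d == a - b) from bit operations only, no comparison. */
static uint64_t borrow_of(uint64_t a, uint64_t b, uint64_t d)
{
    return ((~a & b) | ((~a | b) & d)) >> 63;
}

/* r = x - p if x >= p, else r = x (x is any 256-bit value; 2^256 < 2p).
   Both candidates are computed; a mask selects one, so no branch on x. */
void ct_reduce_once(uint64_t r[LIMBS], const uint64_t x[LIMBS],
                    const uint64_t p[LIMBS])
{
    uint64_t t[LIMBS], borrow = 0;
    for (int i = 0; i < LIMBS; i++) {
        uint64_t d1 = x[i] - p[i];
        uint64_t b1 = borrow_of(x[i], p[i], d1);
        uint64_t d2 = d1 - borrow;              /* propagate incoming borrow */
        uint64_t b2 = borrow_of(d1, borrow, d2);
        t[i] = d2;
        borrow = b1 | b2;
    }
    uint64_t keep_t = (uint64_t)0 - (borrow ^ 1);  /* all ones iff x >= p */
    for (int i = 0; i < LIMBS; i++)
        r[i] = (t[i] & keep_t) | (x[i] & ~keep_t);
}

/* Constructed vectors on both sides of p: p + 5, p - 1, and 2^256 - 1.
   Returns 1 when every case reduces to the expected value. */
int selftest_p256(void)
{
    static const uint64_t vec[3][2][LIMBS] = {
        {{4, 0x0000000100000000ull, 0, 0xFFFFFFFF00000001ull}, {5, 0, 0, 0}},
        {{0xFFFFFFFFFFFFFFFEull, 0xFFFFFFFFull, 0, 0xFFFFFFFF00000001ull},
         {0xFFFFFFFFFFFFFFFEull, 0xFFFFFFFFull, 0, 0xFFFFFFFF00000001ull}},
        {{~0ull, ~0ull, ~0ull, ~0ull},
         {0, 0xFFFFFFFF00000000ull, ~0ull, 0x00000000FFFFFFFEull}},
    };
    uint64_t r[LIMBS];
    for (int v = 0; v < 3; v++) {
        ct_reduce_once(r, vec[v][0], P256);
        for (int i = 0; i < LIMBS; i++)
            if (r[i] != vec[v][1][i]) return 0;
    }
    return 1;
}
```

The branchy alternative, `if (x >= p) x -= p;`, executes a different instruction path depending on the secret intermediate, which is exactly the leak the question is about.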