On 14.01.2016 23:54, Simon Josefsson wrote:
What threat model wrt side-channels are you assuming? There are many
side-channel failure modes of ECDSA that have been successfully
attacked, and implementing it correctly is Hard. At the least, I
suggest to make sure that your implementation is constant-time or at
least that different timing cannot be correlated with the private key.
Hiding private-key influence in power fluctuations is more challenging,
although I recall some presentations about some methods presented by
INRIA folks at ECC 2015. People have also attacked ECDSA by finding
flaws in the bignum library that leaks private-key bits for certain rare
inputs, so you want to be certain that the bignum library you use
produce correct results for all inputs (no general purpose bignum
library comes with such proofs/guarantees as far as I know).
Thank you for your feedback, Simon!
Right now we have software implementation of ECDSA, and our next goal is
to move elliptic curve point multiplication into an FPGA. Speaking of
constant-time operation, it will be easier to achieve, than in a
processor, because there will be no branching, no cache, no interrupts, etc.
Speaking of power fluctuations, as far as I know, the rule of thumb is
to not use any clock enable signals to save power, i.e. if there's a
multiplier somewhere, it should be crunching all the time, regardless of
whether its output is needed right now or not.
Speaking of bignum libraries, the software implementation uses libtfm,
and for the hardware FPGA implementation I've written modules, that do
multi-word modular arithmetic and now I'm in the process of writing
point addition and doubling procedures. In that sense your mentioning of
bignum flaws is very interesting. Do you have any links to papers or
presentations maybe?
--
With best regards,
Pavel Shatov
_______________________________________________
Tech mailing list
Tech@cryptech.is
https://lists.cryptech.is/listinfo/tech
