On 15.01.2016 15:00, Joachim Strömbergson wrote:
Aloha!
Simon Josefsson wrote:
What threat model wrt side-channels are you assuming? There are
many side-channel failure modes of ECDSA that have been successfully
attacked, and implementing it correctly is Hard. At the least, I
suggest to make sure that your implementation is constant-time or at
least that different timing cannot be correlated with the private
key. Hiding private-key influence in power fluctuations is more
challenging, although I recall some presentations about some methods
presented by INRIA folks at ECC 2015. People have also attacked
ECDSA by finding flaws in the bignum library that leaks private-key
bits for certain rare inputs, so you want to be certain that the
bignum library you use produces correct results for all inputs (no
general purpose bignum library comes with such proofs/guarantees as
far as I know).
There is a new, good paper by Lange and DJB that among other things
describes side channel problems related to NIST's EC curves (and that
similar issues can be avoided using 25519):
https://cr.yp.to/newelliptic/nistecc-20160106.pdf
That's an interesting paper, thanks!
As a person trying to implement elliptic curve point multiplication in
an FPGA, I mostly agree with their criticism of ECDSA.
Main focus is on typical SW issues. Well worth a read through for HW
implementation too, imho.
I see that reference [32] from the paper
(http://rijndael.ece.vt.edu/schaum/papers/2010hostf.pdf) should be
interesting too, but I haven't had time to read it yet.
--
With best regards,
Pavel Shatov
_______________________________________________
Tech mailing list
Tech@cryptech.is
https://lists.cryptech.is/listinfo/tech
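The thread's point that "different timing cannot be correlated with the private key" can be shown at the scalar-multiplication level. The following is an added example, not code from the cryptech project or from anyone in the thread: it contrasts a naive left-to-right double-and-add, whose sequence of point operations depends on the bits of the secret scalar, with a Montgomery ladder that performs exactly one addition and one doubling per bit in a fixed order and selects registers with a branch-free conditional swap. The curve (y^2 = x^3 + 2x + 2 over GF(17), generator (5, 1) of order 19), the point encoding and the scalars are constructed test data chosen so the arithmetic can be checked by hand; the names `double_and_add`, `montgomery_ladder`, `cswap` and `schedule_is_scalar_independent` are this example's own.

```python
"""Why the scalar-multiplication schedule matters for timing side channels.

Added example, not code from the cryptech project or the list thread.
Constructed test curve: y^2 = x^3 + 2x + 2 over GF(17), generator (5, 1)
of order 19. Far too small for real use; it only makes the schedules visible.
"""

P_MOD = 17                   # field prime
A = 2                        # curve coefficient a (b = 2 is not needed for the formulas)
G = (5, 1, 0)                # point as (x, y, is_infinity); generator of order 19
INF = (0, 0, 1)              # point at infinity, encoded with a flag so it can be masked
ORDER = 19
NBITS = ORDER.bit_length()   # fixed scalar width processed by both routines (5)


def finv(x):
    """Modular inverse via Fermat; acceptable for a toy, not for production."""
    return pow(x % P_MOD, P_MOD - 2, P_MOD)


def ec_add(p, q):
    """Affine addition/doubling. The exceptional-case branches below are
    themselves data dependent; real implementations use complete formulas
    or projective coordinates to avoid them. Kept simple here on purpose."""
    x1, y1, i1 = p
    x2, y2, i2 = q
    if i1:
        return q
    if i2:
        return p
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                               # P + (-P)
    if x1 == x2 and y1 == y2:
        lam = (3 * x1 * x1 + A) * finv(2 * y1) % P_MOD   # doubling
    else:
        lam = (y2 - y1) * finv(x2 - x1) % P_MOD           # addition
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3, 0)


def cswap(swap, r0, r1):
    """Branch-free conditional swap, swap in {0, 1}: the mask idiom used by
    constant-time ladders so the secret bit never drives a branch."""
    mask = -swap  # 0 -> 0, 1 -> all ones
    new_r0 = tuple((a & ~mask) | (b & mask) for a, b in zip(r0, r1))
    new_r1 = tuple((b & ~mask) | (a & mask) for a, b in zip(r0, r1))
    return new_r0, new_r1


def double_and_add(k, p):
    """Left-to-right double-and-add. Returns (k*p, ops); the number of
    additions equals the Hamming weight of k, so timing leaks the scalar."""
    r = INF
    ops = []
    for i in reversed(range(NBITS)):
        r = ec_add(r, r)
        ops.append("D")
        if (k >> i) & 1:            # secret-dependent branch
            r = ec_add(r, p)
            ops.append("A")
    return r, ops


def montgomery_ladder(k, p):
    """Montgomery ladder. Returns (k*p, ops); every scalar of NBITS bits
    produces the same "A D A D ..." sequence, the bit only steers cswap."""
    r0, r1 = INF, p                 # invariant: r1 == r0 + p
    ops = []
    for i in reversed(range(NBITS)):
        bit = (k >> i) & 1
        r0, r1 = cswap(bit, r0, r1)
        r1 = ec_add(r0, r1)
        ops.append("A")
        r0 = ec_add(r0, r0)
        ops.append("D")
        r0, r1 = cswap(bit, r0, r1)
    return r0, ops


def schedule_is_scalar_independent(mult):
    """True if mult performs the identical operation sequence for every
    nonzero scalar below the group order."""
    sequences = {tuple(mult(k, G)[1]) for k in range(1, ORDER)}
    return len(sequences) == 1


if __name__ == "__main__":
    for k in (1, 15, 16, 19):
        print(k, "double-and-add:", "".join(double_and_add(k, G)[1]),
              "ladder:", "".join(montgomery_ladder(k, G)[1]))
    print("double-and-add schedule independent of k:",
          schedule_is_scalar_independent(double_and_add))
    print("ladder schedule independent of k:",
          schedule_is_scalar_independent(montgomery_ladder))
```

The check `schedule_is_scalar_independent` only looks at the point-operation schedule. As Simon's note and the Bernstein/Lange paper both stress, that is one layer: the field multiplications, inversions and the exceptional cases inside `ec_add` must also take the same time for all inputs, and in an FPGA the same applies to every cycle of the datapath and to power draw, which a fixed schedule alone does not address.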