Description: crypto/(ec)dsa: use Fermat's inversion.
Now that we have a constant-time P-256 implementation, it's worth
paying more attention elsewhere.
The inversion of k in (EC)DSA was using Euclid's algorithm which isn't
constant-time. This change switches to Fermat's algorithm, which is
much better. However, it's important to note that math/big itself isn't
constant time and is using a 4-bit window for exponentiation with
variable memory access patterns.
(Since math/big depends quite deeply on its values being in minimal (as
opposed to fixed-length) representation, perhaps crypto/elliptic should
grow a constant-time implementation of exponentiation in the scalar
field.)
R=bradfitz
Fixes issue 7652.
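The two inversion methods the CL contrasts, as an added illustration that is not code from the CL or from the Go tree: Fermat's method computes k^-1 as k^(n-2) mod n (valid because the (EC)DSA scalar field order n is prime), while the previous approach used the extended Euclidean algorithm (here via math/big's ModInverse). The example assumes the P-256 order from crypto/elliptic as a realistic modulus and includes a small toy prime; as the CL itself notes, math/big's Exp is not constant-time, so this shows the algorithm rather than a hardened implementation.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// fermatInverse returns k^-1 mod n computed as k^(n-2) mod n.
// Correct only when n is prime (true for the (EC)DSA group order);
// every input takes the same number of modular multiplications in the
// exponent, which is why it is preferred over Euclid. Note that
// math/big.Exp still uses a windowed, data-dependent loop internally.
func fermatInverse(k, n *big.Int) *big.Int {
	nMinus2 := new(big.Int).Sub(n, big.NewInt(2))
	return new(big.Int).Exp(k, nMinus2, n)
}

// euclidInverse is the variable-time inversion the CL replaces:
// math/big.ModInverse runs the extended Euclidean algorithm, whose
// iteration count depends on the value of k. Returns nil if no inverse.
func euclidInverse(k, n *big.Int) *big.Int {
	return new(big.Int).ModInverse(k, n)
}

// inverseConsistent checks that both methods agree and that the result
// really is an inverse, i.e. k * k^-1 == 1 (mod n). k == 0 mod n has no
// inverse (Fermat would silently return 0), so it is rejected up front.
func inverseConsistent(k, n *big.Int) bool {
	if new(big.Int).Mod(k, n).Sign() == 0 {
		return false
	}
	f := fermatInverse(k, n)
	e := euclidInverse(k, n)
	if e == nil || f.Cmp(e) != 0 {
		return false
	}
	prod := new(big.Int).Mul(k, f)
	prod.Mod(prod, n)
	return prod.Cmp(big.NewInt(1)) == 0
}

func main() {
	// Realistic modulus: the P-256 scalar field order (assumed from crypto/elliptic).
	n := elliptic.P256().Params().N
	// Constructed nonce value; in real (EC)DSA k is a secret random scalar.
	k, _ := new(big.Int).SetString("0x1234567890abcdef1234567890abcdef", 0)
	fmt.Println("P-256:", inverseConsistent(k, n))

	// Toy prime for hand-checking: 3^(7-2) mod 7 == 5, and 3*5 == 15 == 1 (mod 7).
	fmt.Println("mod 7:", fermatInverse(big.NewInt(3), big.NewInt(7)))
	// Non-invertible input (k == 0 mod n) is rejected rather than returning 0.
	fmt.Println("zero:", inverseConsistent(big.NewInt(7), big.NewInt(7)))
}
```

Run with `go run`; the P-256 check prints true, the toy case prints 5, and the zero case prints false.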
Patch Set 1
Patch Set 2: diff -r 4715c1017053 https://code.google.com/p/go/
Patch Set 3: diff -r 4715c1017053 https://code.google.com/p/go/
Patch Set 4: diff -r d376b77a0d7d https://code.google.com/p/go