
crypto/ecdsa: leaks information about k #7652

Closed
gopherbot opened this issue Mar 27, 2014 · 4 comments
@gopherbot

by watsonbladd:

ECDSA.go uses Math.BigInt to invert k. However, the inversion is not constant time as it
uses the Euclidean algorithm without blinding. This leaks information about k, which is
fairly bad for ECDSA security. In particular the runtime gives me the length of the
continued fraction expansion of k/q. Whether or not this is enough information to
compromise the private key remains to be seen.

Two possible solutions are to blind the inversion, or to use modular exponentiation to
compute the inverse instead.

Credit belongs to Martin Rex of SAP for informing me that this sort of leakage had been
used to compromise smart cards in the past.

Sincerely,
Watson Ladd
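The two remedies named above, blinding the Euclidean inversion and replacing it with a Fermat exponentiation, as an added Go example (not code from the issue, from the Go tree, or from the linked CL). It works modulo the P-256 group order from crypto/elliptic and uses math/big's ModInverse and Exp; the function names and the sample nonce are my own.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Order of the P-256 group; an ECDSA nonce k must be inverted modulo this value.
var order = elliptic.P256().Params().N

// randomUnit returns a uniformly random r with 1 <= r <= q-1.
func randomUnit(q *big.Int) (*big.Int, error) {
	qMinus1 := new(big.Int).Sub(q, big.NewInt(1))
	r, err := rand.Int(rand.Reader, qMinus1) // 0 <= r < q-1
	if err != nil {
		return nil, err
	}
	return r.Add(r, big.NewInt(1)), nil // 1 <= r <= q-1
}

// blindedInverse computes k^-1 mod q with the variable-time Euclidean ModInverse,
// but runs it on r*k mod q for a fresh random r rather than on k itself:
//   inv(k) = r * inv(r*k) mod q
// The value fed to the variable-time routine is uniformly distributed and
// independent of k, so its running time carries no information about k.
func blindedInverse(k, q *big.Int) (*big.Int, error) {
	r, err := randomUnit(q)
	if err != nil {
		return nil, err
	}
	rk := new(big.Int).Mul(r, k)
	rk.Mod(rk, q)
	inv := new(big.Int).ModInverse(rk, q) // nil when gcd(rk, q) != 1, e.g. k == 0
	if inv == nil {
		return nil, errors.New("k is not invertible modulo q")
	}
	inv.Mul(inv, r)
	return inv.Mod(inv, q), nil
}

// fermatInverse computes k^-1 = k^(q-2) mod q, valid because q is prime.
// The exponent q-2 is public and fixed, so the square-and-multiply schedule
// does not depend on k; whether the individual big-integer multiplications
// leak anything is a separate property of the arithmetic itself.
func fermatInverse(k, q *big.Int) *big.Int {
	e := new(big.Int).Sub(q, big.NewInt(2))
	return new(big.Int).Exp(k, e, q)
}

// isInverse reports whether k*inv == 1 mod q.
func isInverse(k, inv, q *big.Int) bool {
	p := new(big.Int).Mul(k, inv)
	p.Mod(p, q)
	return p.Cmp(big.NewInt(1)) == 0
}

func main() {
	// Constructed stand-in for an ECDSA nonce; a real signer draws k per signature.
	k, err := randomUnit(order)
	if err != nil {
		panic(err)
	}
	blinded, err := blindedInverse(k, order)
	if err != nil {
		panic(err)
	}
	fermat := fermatInverse(k, order)
	fmt.Println("blinded inverse valid:", isInverse(k, blinded, order))
	fmt.Println("fermat inverse valid:", isInverse(k, fermat, order))
	fmt.Println("both agree:", blinded.Cmp(fermat) == 0)
}
```

Both routes return the same residue as a plain ModInverse(k, q), which is what the assertions check; the difference is only in what the timing of the computation is correlated with.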
@bradfitz

Comment 1:

Labels changed: added release-go1.3maybe, repo-main.

Owner changed to @agl.

Status changed to Accepted.

@agl

agl commented Mar 27, 2014

Comment 2:

OpenSSL is switching this at the moment so it seems like an opportune time to do so in Go
also. (Although note that only P-224 and P-256 even come close to constant-time.)

@agl

agl commented Mar 31, 2014

Comment 3:

https://golang.org/cl/82740043 (note caveats in the CL description.)

@agl

agl commented Apr 8, 2014

Comment 4:

This issue was closed by revision f23d3ea.

Status changed to Fixed.

@rsc rsc added this to the Go1.3 milestone Apr 14, 2015
@golang golang locked and limited conversation to collaborators Jun 25, 2016