ECDSA.go uses Math.BigInt to invert k. However, the inversion is not constant time as it
uses the Euclidean algorithm without blinding. This leaks information about k, which is
fairly bad for ECDSA security. In particular the runtime gives me the length of the
continued fraction expansion of k/q. Whether or not this is enough information to
compromise the private key remains to be seen.
Two possible solutions are to blind the inversion, or to use modular exponentiation to
compute the inverse instead.
Credit belongs to Martin Rex of SAP for informing me that this sort of leakage had been
used to compromise smart cards in the past.
Sincerely,
Watson Ladd
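The two fixes the report proposes, blinding the inversion and inverting by modular exponentiation, side by side with the Euclidean `ModInverse` the report objects to. This is an added example written for this page, not code from the issue or from Go's crypto/ecdsa; it assumes the NIST P-256 group order as the modulus (the report's q) and a constructed nonce k. Note that `big.Int.Exp` is itself not strictly constant-time, so the Fermat route only removes the k-dependent Euclidean step rather than making the whole computation constant-time.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// P256Order is the group order n of NIST P-256, used here as the report's q.
// Both inversion methods below require q to be prime, which it is.
var P256Order, _ = new(big.Int).SetString(
	"FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)

// euclidInverse is the inversion the report is about: math/big's ModInverse
// runs the extended Euclidean algorithm on k itself, so its running time is a
// function of k (roughly, of the continued-fraction expansion of k/q).
func euclidInverse(k, q *big.Int) *big.Int {
	return new(big.Int).ModInverse(k, q)
}

// blindedInverse is the first proposed fix. It multiplies k by a fresh random
// mask r before inverting, so the variable-time Euclidean step runs on k*r mod q,
// which is uniformly distributed and independent of k. The mask is then removed:
//   (k*r)^-1 * r = k^-1 (mod q)
func blindedInverse(k, q *big.Int) (*big.Int, error) {
	if k.Sign() <= 0 || k.Cmp(q) >= 0 {
		return nil, errors.New("k must be in [1, q-1]")
	}
	qMinus1 := new(big.Int).Sub(q, big.NewInt(1))
	r, err := rand.Int(rand.Reader, qMinus1) // r in [0, q-2]
	if err != nil {
		return nil, err
	}
	r.Add(r, big.NewInt(1)) // shift to [1, q-1] so the mask is never zero
	masked := new(big.Int).Mul(k, r)
	masked.Mod(masked, q)                    // k*r mod q, nonzero since q is prime
	inv := new(big.Int).ModInverse(masked, q) // (k*r)^-1, Euclid sees only the masked value
	inv.Mul(inv, r)                           // unmask: (k*r)^-1 * r
	return inv.Mod(inv, q), nil
}

// fermatInverse is the second proposed fix: by Fermat's little theorem,
// k^(q-2) = k^-1 (mod q) for prime q, so the inverse is a modular
// exponentiation whose control flow does not depend on k.
func fermatInverse(k, q *big.Int) *big.Int {
	exp := new(big.Int).Sub(q, big.NewInt(2))
	return new(big.Int).Exp(k, exp, q)
}

// checkInverse returns true if inv really is k^-1 mod q.
func checkInverse(k, inv, q *big.Int) bool {
	prod := new(big.Int).Mul(k, inv)
	prod.Mod(prod, q)
	return prod.Cmp(big.NewInt(1)) == 0
}

func main() {
	// Constructed sample nonce; in ECDSA this would be the per-signature secret k.
	k, _ := new(big.Int).SetString(
		"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", 16)
	q := P256Order

	e := euclidInverse(k, q)
	b, err := blindedInverse(k, q)
	if err != nil {
		panic(err)
	}
	f := fermatInverse(k, q)
	fmt.Printf("euclid  ok=%v\n", checkInverse(k, e, q))
	fmt.Printf("blinded ok=%v same=%v\n", checkInverse(k, b, q), b.Cmp(e) == 0)
	fmt.Printf("fermat  ok=%v same=%v\n", checkInverse(k, f, q), f.Cmp(e) == 0)
}
```

All three return the same value; the difference is only in what the variable-time code path gets to see. The blinding approach keeps `ModInverse` but feeds it a value unrelated to k, while the Fermat approach avoids Euclid entirely at the cost of a full-width exponentiation per signature.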
OpenSSL is switching this at the moment, so it seems like an opportune time to do so in Go
also. (Although note that only P-224 and P-256 even come close to constant-time.)
by watsonbladd: