Page MenuHome GnuPG
Create Task
Maniphest T7519

libgcrypt: (EC)DSA signature generation should be constant-time
Open, WishlistPublic
Actions

Description

Current implementation of (EC)DSA signature generation is leaky for K.
Reportedly, for NIST384p curve, timing difference ~800 ns could be observed (by billion of invocations).

Details

Version
1.11

Related Objects

Event Timeline

gniibe claimed this task.Fri, Feb 7, 6:37 AM
gniibe triaged this task as Wishlist priority.
gniibe created this task.
gniibe added a comment.Fri, Feb 7, 6:42 AM

This is needed for RFC6979 flag support.

0001-cipher-ec-dsa-Avoid-MPI-normalize-by-mpi_rshift.patch1 KBDownload

And then, calls of mpi_cmp should be fixed (by using _gcry_mpih_cmp_lli), so that no timing difference by the value of K.

gniibe added a comment.Mon, Feb 10, 3:24 AM

Commit rC35a6a6feb9dc: Fix _gcry_dsa_modify_k. is related, but it doesn't matter for usual compilers (it's an issue for MSVC).

gniibe added a comment.Mon, Feb 10, 3:34 AM

This is needed before we remove leaks by mpi_add in _gcry_dsa_modify_k :

0001-Add-_gcry_mpih_add_lli.patch1 KBDownload

gniibe added a comment.Mon, Feb 10, 5:35 AM

And this is for less leak for _gcry_dsa_modify_k:

0001-cipher-EC-DSA-Fix-_gcry_dsa_modify_k-to-least-leak.patch1 KBDownload

gniibe added a comment.Mon, Feb 10, 5:37 AM

And then, we need to use less leaky version of mpi_cmp (because mpi_cmp calls mpi_normalize, it's not good).