On Wed, Jan 23, 2013 at 12:45 PM, Niels Möller nisse@lysator.liu.se wrote:
This is a fixed association again.
> Now I'm getting confused. In ECDSA signing, the point multiplication is k * G where k is a nonce (used only once), and G is the (public) group generator. If you are saying that leaking a little information about k via the timing of this multiplication is no problem, then the conclusion seems to be that, for ECDSA, there's no need whatsoever to make the point multiplication timing resistant? Right?
My comments were not for ECDSA specifically. ECDSA is pretty fragile. k, although used once per signature, if known can be used to obtain the (long term) private key. Because it is the private key you want to protect, any value that may leak info on that should be protected as well.
> What is the main argument here, that the attacker has no control over k, or that k is used only once?
It is used only once and for this reason the attacker can only get a single timing for it. However, because the security of the ECDSA private key depends on that value, I would reasonably protect it.
> I think there *is* a problem with leaking just a little bit of information about each k, since z = (k s - h) / r, and hence every piece of information about k implies a piece of information about z, and the information about z accumulates the more signatures you get.
Could be. Unfortunately, unlike RSA, there is not much on timing attacks on (EC)DSA or preventions (or at least known to me).
regards, Nikos
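The two points made in the exchange above, that a single known k gives the long-term key via z = (k s - h) / r, and that a naive double-and-add scalar multiplication performs a nonce-dependent number of operations while a Montgomery ladder does not, can be checked on a toy curve. The following is an added example written for this page; it is not code from the thread or from Nettle. The curve y^2 = x^3 + 2x + 2 over GF(17) with generator (5, 1) of prime order 19 is a constructed textbook example, and all function names (`scalar_mult_naive`, `scalar_mult_ladder`, `ecdsa_sign`, `recover_private_key`, `ecdsa_verify`) are hypothetical. Operation counts are used as a stand-in for timing; nothing in Python is actually constant-time, and a real ladder also needs constant-time field arithmetic and a branch-free conditional swap instead of the `if bit` shown here.

```python
# Toy ECDSA over a tiny curve, to illustrate (1) why a leaked nonce k
# reveals the private key d = (k*s - h) / r mod n, and (2) why the
# scalar multiplication k*G must not leak k: double-and-add does a
# number of group operations that depends on the bits of k, the
# Montgomery ladder does a fixed number per bit.
# Curve and generator are constructed for this example (not a real curve).
P = 17                 # field prime
A, B = 2, 2            # y^2 = x^3 + A*x + B over GF(P)
G = (5, 1)             # generator
N = 19                 # order of G (prime)


def add(P1, P2):
    """Affine point addition; None is the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # P1 == -P2
    if P1 == P2:                          # doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _bits(k):
    """Bits of k, MSB first, padded to the bit length of the group order."""
    return [(k >> i) & 1 for i in range(N.bit_length() - 1, -1, -1)]


def scalar_mult_naive(k, Q):
    """Double-and-add. Returns (k*Q, number of group operations).
    One doubling per bit plus one addition per SET bit of k, so the
    operation count (and the timing it models) reveals the Hamming
    weight of the secret scalar."""
    R, ops = None, 0
    for bit in _bits(k):
        R = add(R, R)
        ops += 1
        if bit:
            R = add(R, Q)
            ops += 1
    return R, ops


def scalar_mult_ladder(k, Q):
    """Montgomery ladder. Returns (k*Q, number of group operations).
    Invariant R1 == R0 + Q; every bit costs exactly one addition and
    one doubling regardless of its value."""
    R0, R1, ops = None, Q, 0
    for bit in _bits(k):
        if bit == 0:
            R1 = add(R0, R1)
            R0 = add(R0, R0)
        else:
            R0 = add(R0, R1)
            R1 = add(R1, R1)
        ops += 2
    return R0, ops


def ecdsa_sign(d, h, k):
    """Sign hash h (already reduced mod N) with private key d and nonce k."""
    point, _ = scalar_mult_ladder(k, G)
    r = point[0] % N
    s = pow(k, -1, N) * (h + d * r) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another k")
    return (r, s)


def ecdsa_verify(Qpub, h, sig):
    """Standard ECDSA verification against public key Qpub = d*G."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    P1, _ = scalar_mult_ladder(h * w % N, G)
    P2, _ = scalar_mult_ladder(r * w % N, Qpub)
    X = add(P1, P2)
    return X is not None and X[0] % N == r


def recover_private_key(sig, h, k):
    """The thread's z = (k s - h) / r: one fully known nonce gives d."""
    r, s = sig
    return (k * s - h) * pow(r, -1, N) % N


if __name__ == "__main__":
    d, h, k = 7, 3, 10                      # constructed sample values
    sig = ecdsa_sign(d, h, k)
    print("signature:", sig, "verifies:", ecdsa_verify(scalar_mult_ladder(d, G)[0], h, sig))
    print("recovered d from leaked k:", recover_private_key(sig, h, k))
    for nonce in (16, 15):                  # same bit length, weight 1 vs 4
        print(f"k={nonce:05b} naive ops={scalar_mult_naive(nonce, G)[1]} "
              f"ladder ops={scalar_mult_ladder(nonce, G)[1]}")
```

Running it shows the naive multiplication costing 6 operations for k = 16 (one set bit) but 9 for k = 15 (four set bits), while the ladder costs 10 for both; and `recover_private_key` returns d = 7 from a single signature once k is known, which is the reason the k*G multiplication deserves the same protection as a private-key operation.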