Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com writes:
> On Fri, Jan 18, 2013 at 9:35 AM, Niels Möller nisse@lysator.liu.se wrote:
>> - If wmnaf_len depends on the exponent bit pattern, then so does the number of iterations through the loop.
> This is a fixed association again.
Now I'm getting confused. In ECDSA signing, the point multiplication is
k * G
where k is a nonce (used only once), and G is the (public) group generator. If you are saying that leaking a little information about k via the timing of this multiplication is no problem, then the conclusion seems to be that, for ECDSA, there's no need whatsoever to make the point multiplication timing resistant? Right?
What is the main argument here, that the attacker has no control over k, or that k is used only once?
For each signature (r, s) on hash h using secret key z, the attacker gets to observe the values
h, r, s, with s = (h + z r)/k
I think there *is* a problem with leaking just a little bit of information about each k, since z = (k s - h) / r, and hence every piece of information about k implies a piece of information about z, and the information about z accumulates the more signatures you get.
And this issue is the same for plain DSA. Daniel Bleichenbacher's attack on biased generation of k, from back in 2001, could be related, even though you would get a different type of partial information about k from timing attacks.
If it's not already done, this type of timing attack on DSA should be a great topic for a side-channel cryptanalysis paper (I'm not really following current cryptanalysis research, unfortunately).
Regards, /Niels
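The relation Niels describes, s = (h + z r)/k and hence z = (k s - h)/r, is the reason the nonce k must not leak, and it is what a constant-time point multiplication protects. The following is an added worked example, not code from Nettle or from anyone in this thread: a toy DSA over constructed parameters (p = 607, q = 101, g = 2^((p-1)/q) mod p = 64; all three chosen here only so the arithmetic is small) that signs a message hash, verifies the signature, and then checks that the signing equation hands the long-term key z to anyone who knows the per-signature k. It uses plain modular exponentiation in place of the EC point multiplication k * G, which is the DSA setting the message says has the same problem.

```python
# Toy DSA with constructed parameters (added example, not Nettle code).
# p is prime, q is a prime dividing p - 1, and g has order q mod p.
P = 607
Q = 101
G = pow(2, (P - 1) // Q, P)  # 2^6 mod 607 = 64


def sign(z, h, k):
    """Sign hash h with secret key z and nonce k: s = (h + z*r) / k mod q."""
    r = pow(G, k, P) % Q            # stands in for the x-coordinate of k*G
    s = (pow(k, -1, Q) * (h + z * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, choose another k")
    return r, s


def verify(y, h, r, s):
    """Standard DSA verification with public key y = g^z mod p."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (h * w) % Q
    u2 = (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P)) % P % Q
    return v == r


def recover_key(h, r, s, k):
    """The relation from the thread rearranged: z = (k*s - h) / r mod q.

    Every bit of information about k is therefore a bit of information
    about z, which is why the k*G multiplication must not leak k's bits
    through its timing, even though each k is used only once.
    """
    return ((k * s - h) * pow(r, -1, Q)) % Q


def signing_equation_holds(z, h, k, r, s):
    """Check s*k == h + z*r (mod q), the equation both views are based on."""
    return (s * k - (h + z * r)) % Q == 0


if __name__ == "__main__":
    z = 23                 # long-term secret key (constructed value)
    y = pow(G, z, P)       # public key
    h, k = 55, 7           # message hash and nonce (constructed values)
    r, s = sign(z, h, k)
    print("signature:", (r, s), "valid:", verify(y, h, r, s))
    print("key recovered from known k:", recover_key(h, r, s, k) == z)
```

With the constructed values the signature is (r, s) = (78, 91); it verifies under y = g^23, and recover_key returns 23. The same algebra applies to ECDSA with r taken from the x-coordinate of k * G, so the example shows what an attacker gains from a leaked k, not how such a leak is measured.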