author | Legrandin <helderijs@gmail.com> | 2013-12-27 23:44:38 +0100 |
---|---|---|
committer | Dwayne Litzenberger <dlitz@dlitz.net> | 2014-06-22 23:30:26 -0700 |
commit | 0782d68840d0ebf850516e606e398b8a5396eb64 (patch) | |
tree | 6359b6f7e320b50f2b2f07f6b148467ddaa80944 /src/galois.c | |
parent | f49fd0e1b57071e52200806d095679753fe36e17 (diff) | |
download | pycrypto-0782d68840d0ebf850516e606e398b8a5396eb64.tar.gz |
Add side-channel countermeasures to DSA.
This patch strengthens the DSA signing code against
side-channel attacks.
The DSA signing formulae:

    r = (g^{k} mod p) mod q
    s = k^{-1} * (H(m) + r*x) mod q

becomes:

    b = random in [1..q)
    r = (g^{k} mod p) mod q
    s = (b * k)^{-1} * (b*H(m) + r*(b*x)) mod q

In this way we avoid having the secret (x) multiplied
by a random factor (r) which is immediately disclosed
to an attacker (who we assume can both collect (r) and
also monitor the side-channel produced by the multiplication).
See also attack DSA_2 in:
"Minimum Requirements for Evaluating Side-Channel Attack Resistance
of RSA, DSA and Diffie-Hellman Key Exchange Implementations", BSI
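The blinded signing equation from the commit message, carried through in working Python as an added example (this is not pycrypto's code and does not reproduce the patch). The unblinded textbook formula is implemented next to the blinded one so the two can be checked against each other: for the same nonce k they must yield the same (r, s), and the result must verify against y = g^x mod p. The hash truncation (leftmost bits of SHA-256, as in FIPS 186-style DSA), the Miller-Rabin parameter generator, the 160/512-bit toy sizes and the sample message are all assumptions of this example, not anything the commit specifies. Requires Python 3.8+ for `pow(a, -1, q)`.

```python
# Added example (not pycrypto's code): DSA signing with the multiplicative
# blinding described in the commit message, beside the unblinded formula.
import hashlib
import random
import secrets


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; rng is a random.Random so parameter generation is repeatable."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(q_bits=160, p_bits=512, seed=1):
    """Toy DSA domain parameters (p, q, g) with q | p-1.  Sizes are far below
    what should be deployed; they are an assumption so the example runs quickly."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:
        k = rng.getrandbits(p_bits - q_bits) & ~1   # even k -> odd p
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p, rng):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
        if g > 1:
            break
    return p, q, g


def hash_to_int(message, q):
    """H(m) as the leftmost bitlen(q) bits of SHA-256 (assumed hash choice)."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return h >> max(0, 256 - q.bit_length())


def sign_plain(p, q, g, x, hm, k):
    """Textbook DSA: the secret x is multiplied by r, which the signature reveals."""
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (hm + r * x)) % q
    if r == 0 or s == 0:
        raise ValueError("retry with a fresh k")
    return r, s


def sign_blinded(p, q, g, x, hm, k, b):
    """Blinded DSA as in the commit message: x enters a multiplication only
    as b*x, with b fresh per signature and never disclosed."""
    r = pow(g, k, p) % q
    bx = (b * x) % q                 # the only operation that touches x
    bk = (b * k) % q                 # nonzero: q is prime, 0 < b, k < q
    s = (pow(bk, -1, q) * ((b * hm) % q + r * bx)) % q
    if r == 0 or s == 0:
        raise ValueError("retry with a fresh k")
    return r, s


def verify(p, q, g, y, hm, sig):
    """Standard DSA verification; unchanged by blinding, which is signer-side only."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (hm * w) % q
    u2 = (r * w) % q
    return ((pow(g, u1, p) * pow(y, u2, p)) % p) % q == r


def demo(seed=1):
    """Sign one constructed message both ways with the same k; return True iff
    the signatures coincide and verify."""
    p, q, g = generate_params(seed=seed)
    rng = random.Random(seed + 1)    # deterministic key and nonce for comparison
    x = rng.randrange(1, q)
    y = pow(g, x, p)
    hm = hash_to_int(b"constructed sample message", q)
    k = rng.randrange(1, q)
    b = secrets.randbelow(q - 1) + 1  # blinding factor in [1, q)
    sig_plain = sign_plain(p, q, g, x, hm, k)
    sig_blind = sign_blinded(p, q, g, x, hm, k, b)
    return sig_plain == sig_blind and verify(p, q, g, y, hm, sig_blind)


if __name__ == "__main__":
    print("blinded signature matches and verifies:", demo())
```

Note that blinding does not change verification at all, only which intermediate values the signer computes: an observer who sees r and a side channel on the multiplication now learns something about b*x, where b is unknown and differs per signature, instead of about r*x with r known.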
Diffstat (limited to 'src/galois.c')
0 files changed, 0 insertions, 0 deletions