author: Legrandin <helderijs@gmail.com> 2013-12-27 23:44:38 +0100
committer: Dwayne Litzenberger <dlitz@dlitz.net> 2014-06-22 23:30:26 -0700
commit: 0782d68840d0ebf850516e606e398b8a5396eb64 (patch)
tree: 6359b6f7e320b50f2b2f07f6b148467ddaa80944 /src/galois.c
parent: f49fd0e1b57071e52200806d095679753fe36e17 (diff)
Add side-channel countermeasures to DSA.
This patch strengthens the DSA signing code against side-channel attacks.

The DSA signing formulae:

    r = (g^{k} mod p) mod q
    s = k^{-1} * (H(m) + r*x) mod q

become:

    b = random in [1..q)
    r = (g^{k} mod p) mod q
    s = (b * k)^{-1} * (b*H(m) + r*(b*x)) mod q

In this way we avoid the secret (x) being multiplied by a random factor (r) which is immediately disclosed to an attacker (which we assume can both collect (r) and also monitor the side-channel produced by the multiplication).

See also attack DSA_2 in: "Minimum Requirements for Evaluating Side-Channel Attack Resistance of RSA, DSA and Diffie-Hellman Key Exchange Implementations", BSI
Diffstat (limited to 'src/galois.c')
0 files changed, 0 insertions, 0 deletions
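The two signing formulae from the commit message, written out in Python as an added example (not pycrypto's own code). The DSA parameters (p, q, g), the private key and the message are constructed toy values chosen only to show that the blinded form yields exactly the same signature as the textbook form; the function names are assumptions.

```python
import secrets
from hashlib import sha256

# Constructed toy DSA parameters: q divides p-1 and g = 2^((p-1)/q) mod p has order q.
# Real DSA uses a 2048/3072-bit p and a 224/256-bit q; these only exercise the algebra.
P, Q, G = 23, 11, 4


def hash_to_int(msg: bytes) -> int:
    # H(m) reduced mod q (real DSA truncates the digest to the bit length of q instead).
    return int.from_bytes(sha256(msg).digest(), "big") % Q


def sign_plain(x: int, msg: bytes, k: int):
    # Textbook DSA: r*x multiplies the long-term secret x by r, a value the verifier sees.
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (hash_to_int(msg) + r * x)) % Q
    return r, s


def sign_blinded(x: int, msg: bytes, k: int, b: int):
    # Blinded form from the commit message: x is only ever multiplied by the fresh
    # random b, and b cancels because (b*k)^{-1} * b == k^{-1} (mod q).
    r = pow(G, k, P) % Q
    bx = (b * x) % Q
    bh = (b * hash_to_int(msg)) % Q
    s = (pow((b * k) % Q, -1, Q) * (bh + r * bx)) % Q
    return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    # Standard DSA verification against the public key y = g^x mod p.
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (hash_to_int(msg) * w) % Q
    u2 = (r * w) % Q
    return ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q == r


def random_blinding() -> int:
    # b = random in [1..q), as in the commit message.
    return secrets.randbelow(Q - 1) + 1


def blinding_is_transparent(x: int, msg: bytes) -> bool:
    # For every nonce k and every blinding factor b the signatures must coincide,
    # and every signature with s != 0 must verify under the public key.
    y = pow(G, x, P)
    for k in range(1, Q):
        plain = sign_plain(x, msg, k)
        if any(sign_blinded(x, msg, k, b) != plain for b in range(1, Q)):
            return False
        if plain[1] != 0 and not verify(y, msg, plain):
            return False
    return True
```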