Commit 1347037a authored by Niels Möller's avatar Niels Möller

Started on Security considerations, with some notes on side channels

parent 0640c062
......@@ -382,7 +382,33 @@ def verify(public, msg, signature):
<section title="Security considerations">
<section title="Side-channel leaks">
<t> For implementations performing signatures, secrecy of the
key is fundamental. It is possible to protect against some
side-channel attacks by ensuring that the implementation
executes exactly the same sequence of instructions and
performs exactly the same memory accesses, for any value of
the secret key.
<t> To make an implementation side-channel silent in this way,
the modulo q arithmetic must not use any data-dependent
branches, e.g., related to carry propagation. <!--FIXME: Refer
to curve25519 paper.--> Side channel-silent point addition is
straight-forward, thanks to the unified formulas.
<t>Scalar multiplication, multiplying a point by an integer,
needs some additional effort to implement in a side-channel
silent manner. One simple approach is to implement a
side-channel silent conditional assignment, and use together
with binary algorithm to examine one bit of the integer at a
<t>Note that the example implementation in this document does
not attempt to be side-channel silent.</t>
<section anchor="ed25519-test-vectors"
title="Test Vectors for Ed25519">
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment