Skip to content
  • Matt Caswell's avatar
    Add blinding to a DSA signature · 7f9822a4
    Matt Caswell authored
    
    
    This extends the recently added ECDSA signature blinding to blind DSA too.
    
    This is based on side channel attacks demonstrated by Keegan Ryan (NCC
    Group) for ECDSA which are likely to be able to be applied to DSA.
    
    Normally, as in ECDSA, during signing the signer calculates:
    
    s:= k^-1 * (m + r * priv_key) mod order
    
    In ECDSA, the addition operation above provides a sufficient signal for a
    flush+reload attack to derive the private key given sufficient signature
    operations.
    
    As a mitigation (based on a suggestion from Keegan) we add blinding to
    the operation so that:
    
    s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
    
    Since this attack is a localhost side channel only no CVE is assigned.
    
    This commit also tweaks the previous ECDSA blinding so that blinding is
    only removed at the last possible step.
    
    Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6522)
    7f9822a4
To find the state of this project's repository at the time of any of these versions, check out the tags.