Commit c0caa945 authored by Pauli, committed by Matt Caswell

Address a timing side channel whereby it is possible to determine some
information about the length of a value used in DSA operations from
a large number of signatures.

This doesn't rate as a CVE because:

* For the non-constant time code, there are easier ways to extract
  more information.

* For the constant time code, it requires a significant number of signatures
  to leak a small amount of information.

Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.

Reviewed-by: Andy Polyakov <>
Reviewed-by: Matt Caswell <>
(Merged from
parent 8d3363f2