From gniibe at fsij.org Fri Sep 6 08:46:20 2024
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Fri, 06 Sep 2024 15:46:20 +0900
Subject: Documentation update and YSA-2024-03 Infineon ECDSA Private Key Recovery
Message-ID: <87ikv9gtz7.fsf@akagi.fsij.org>

Hello,

To reflect changes in Gnuk 2, I updated the Gnuk documentation:

    https://www.fsij.org/doc-gnuk/

Important points are in this page:

    https://www.fsij.org/doc-gnuk/gnuk-personalization.html

That is, I emphasize importing private keys first, then changing the passphrase.
Also, I describe that KDF-DO is now mandatory for Gnuk Token.

* * *

This week, I heard of YSA-2024-03.

In general, EdDSA is considered safe, because modular inversion is usually
done by computing number^(p-2) or using safegcd.

For Gnuk 2.2, I implemented safegcd256 for Ed25519 and Curve25519.

    https://www.gniibe.org/memo/development/gnuk/safegcd256.html

AFAIK, the implementation of mod_inv (which is used for ECDSA on secp256k1)
in Gnuk is OK if the MCU core is *not* good enough at dynamic branch
prediction. If that is not the case, we will be able to use safegcd256 for
secp256k1, since the code is there.
--
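The two inversion methods contrasted above, as an added Python reference example (not Gnuk's safegcd256 nor any vendor code): Fermat inversion x^(p-2) beside a Bernstein-Yang divstep ("safegcd") inversion that runs a fixed 741 iterations with masked selection instead of secret-dependent branches. The curve orders are the public secp256k1 and Ed25519 parameters; Python big-int arithmetic itself is not constant time, so only the control-flow shape is illustrated.

```python
"""Branch-free modular inversion via Bernstein-Yang divsteps ("safegcd"),
checked against Fermat inversion x^(p-2) mod p.

Added reference example, not Gnuk's safegcd256.  Python big ints are not
constant time; what is shown is the control flow: a fixed divstep count and
no secret-dependent branch, which is what defeats the timing leak on k^-1.
"""

# secp256k1 group order n: ECDSA needs k^-1 mod n for every signature.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# Ed25519 scalar order L = 2^252 + 27742317777372353535851937790883648493.
ED25519_L = 0x1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED
# 741 divsteps suffice for any 256-bit odd modulus (Bernstein-Yang bound).
DIVSTEPS_256 = 741


def _select(mask, a, b):
    """Return b when mask == -1, a when mask == 0, with no branch."""
    return (a & ~mask) | (b & mask)


def _div2(m, x):
    """x/2 mod m for odd m: add m when x is odd (mask, no branch), halve."""
    return (x + (m & -(x & 1))) >> 1


def fermat_inv(x, p):
    """Inverse via Fermat's little theorem; the exponent p-2 is public."""
    return pow(x, p - 2, p)


def safegcd_inv(x, m, iterations=DIVSTEPS_256):
    """Inverse of x mod odd m (gcd(x, m) == 1) in a fixed number of divsteps.

    Invariants: f == d*x (mod m) and g == e*x (mod m).  Once g reaches 0,
    f is +-1 and d*f is the inverse; extra iterations leave f and d alone.
    """
    assert m & 1, "modulus must be odd"
    delta, f, g, d, e = 1, m, x % m, 0, 1
    for _ in range(iterations):
        swap = -(g & 1) & -(delta > 0)          # mask: delta > 0 and g odd
        # Conditional (f, d, delta) <-> (g, e, -delta) swap with sign flips.
        f, g = _select(swap, f, g), _select(swap, g, -f)
        d, e = _select(swap, d, e), _select(swap, e, -d)
        delta = _select(swap, delta, -delta)
        # Unconditional step: delta += 1; g = (g + (g odd)*f)/2; e likewise.
        g_odd = -(g & 1)
        delta, g, e = delta + 1, (g + (f & g_odd)) >> 1, _div2(m, e + (d & g_odd))
    return (d * f) % m
```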