Documentation update and YSA-2024-03 Infineon ECDSA Private Key Recovery
NIIBE Yutaka
gniibe at fsij.org
Fri Sep 6 08:46:20 CEST 2024
Hello,
To reflect changes in Gnuk 2, I updated the Gnuk documentation:
https://www.fsij.org/doc-gnuk/
Important points are in this page:
https://www.fsij.org/doc-gnuk/gnuk-personalization.html
That is, I emphasize importing private keys first, then changing the
passphrase. Also, I describe that KDF-DO is now mandatory for Gnuk Token.
* * *
This week, I heard of YSA-2024-03.
In general, EdDSA is considered safe, because modular inversion is
usually done by computing number^(p-2) or using safegcd.
For Gnuk 2.2, I implemented safegcd256 for Ed25519 and Curve25519.
https://www.gniibe.org/memo/development/gnuk/safegcd256.html
AFAIK, the implementation of mod_inv (which is used for ECDSA on
secp256k1) in Gnuk is OK if the MCU core is *not* good enough at dynamic
branch prediction. If that's not the case, we will be able to use
safegcd256 for secp256k1, since the code is there.
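As an added illustration (not Gnuk's code and not part of the post above), here are the two constant-work inversions the post refers to, Fermat exponentiation and Bernstein-Yang divsteps, written for the secp256k1 group order used by ECDSA's k^-1, beside a variable-time extended Euclid whose loop count depends on its input. Function names are mine; N is the standard curve constant.

```python
# Added illustration (not Gnuk's code): ECDSA needs k^-1 mod n for the secret nonce k,
# so the inversion must not leak k through data-dependent control flow.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order


def inv_fermat(x, m=N):
    """x^(m-2) mod m: one squaring plus one select per bit of the public exponent."""
    e, r = m - 2, 1
    for i in range(m.bit_length() - 1, -1, -1):
        r = r * r % m
        t = r * x % m
        r = r + ((e >> i) & 1) * (t - r)    # arithmetic select, no branch on data
    return r


def inv_safegcd(x, m=N, steps=741):
    """Bernstein-Yang divsteps with a fixed step count (741 suffices for 256-bit m).
    Invariants: f == d*x and g == e*x (mod m). Every step does the same work; the
    conditional swap/negate is an arithmetic select (real code uses limb masks)."""
    half = (m + 1) // 2                      # 2^-1 mod m, m odd
    delta, f, g, d, e = 1, m, x, 0, 1
    for _ in range(steps):
        g_odd = g & 1
        swap = g_odd & int(delta > 0)
        # if swap: (delta, f, g, d, e) -> (-delta, g, -f, e, -d)
        delta, f, g, d, e = (delta - 2 * swap * delta, f + swap * (g - f),
                             g - swap * (g + f), d + swap * (e - d), e - swap * (e + d))
        delta += 1
        g = (g + g_odd * f) // 2             # exact: the sum is always even
        e = (e + g_odd * d) * half % m       # the same halving, modulo m
    assert g == 0 and f in (1, -1), "step bound too small or gcd(x, m) != 1"
    return f * d % m                         # f == d*x (mod m), f == +-1


def euclid_steps(x, m=N):
    """Variable-time extended Euclid for contrast: returns (inverse, loop count).
    The count and the branches inside depend on x, which is what a branch
    predictor can leak."""
    a, b, u, v, count = x, m, 1, 0, 0
    while b:
        q = a // b
        a, b, u, v = b, a - q * b, v, u - q * v
        count += 1
    return u % m, count
```

Python integers are not themselves constant-time; the point is the control-flow shape, which a C implementation on limbs preserves with masks.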