You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
publicfunc modular_pow<T:BinaryInteger>(_ base :T, _ exponent :T, _ mod :T)->T
) you implement modular exponentiation using square-and-multiply. However this leaks the bits of the exponent (which in RSA and DH are secrets) to a timing or side channel attack. Also the reductions are implemented using Knuth's Algorithm D, which probably leak information about the inputs.
publicfunc modular_inverse<T:BinaryInteger>(_ x :T, _ y :T, mod :T)->T
) which is known to leak information due to input dependent branches. The most common solution to this is to use Fermat's little theorem to compute the inverse (for any prime p and any x < p, x^{p-2} mod p == x^-1 mod p)
The text was updated successfully, but these errors were encountered:
Part one of issue #9
In (
SwiftTLS/SwiftTLS/Sources/TLS/math.swift
Line 15 in f5010aa
In ECDSA signature https://github.com/nsc/SwiftTLS/blob/master/SwiftTLS/Sources/Crypto/ECDSA.swift#L72 you must invert the k nonce modulo the group order during ECDSA signature. This is done using extended Euclidean algorithm (
SwiftTLS/SwiftTLS/Sources/TLS/math.swift
Line 73 in f5010aa
The text was updated successfully, but these errors were encountered: