Cryptography
public-key signature timing-attack
Updated Fri, 20 May 2022 21:04:45 GMT

Do asymmetric signatures require constant-time verification?


To avoid a timing attack, HMAC signatures are usually compared in constant-time (every byte is compared, and the results aggregated).

Is the same necessary for asymmetric signature algorithms such as ECDSA or RSA?




Solution

Towards the security of the signature scheme, no precaution against timing attacks is necessary when verifying an asymmetric signature. That's because there is no secret involved, and thus no information leak to fear.

However, it can happen that the message, or the signature itself, is intended to be secret; a leak by timing dependency (during computation of the hash of the message, during verification of message padding...) could compromise this (not the security of the signature mechanism). Except for an intentionally leaky implementation of signature verification, the leak would most likely be only of a few bits, and thus not to fear for the signature. However, sometimes any small message leak is important; and repeated leaks on related messages could in the end leak a lot of information about what's common in the messages.
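The contrast the answer draws can be seen in code. The following is an added example, not part of the original answer: it uses only the Python standard library, a textbook RSA signature over a SHA-256 digest with constructed toy primes (no padding, far too small for real use), and a `leaky_equal` helper whose "bytes examined" count stands in for elapsed time. For HMAC, the leaky comparison gives away the secret-derived tag, which is the forgery; for RSA, verification consumes only the public key, the signature and the digest, so the most a leaky comparison can reveal is the expected digest, which only matters if the message itself is secret. The helper and function names are this example's own.

```python
import hashlib
import hmac
import secrets

# ---------------------------------------------------------------------------
# Symmetric case: verifying an HMAC tag. The verifier recomputes the tag from
# the secret key and compares it with the tag the caller supplied, so a
# comparison whose running time depends on how many leading bytes match leaks
# the correct tag, i.e. a forgery, one byte at a time.
# ---------------------------------------------------------------------------

def leaky_equal(a: bytes, b: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined); the second
    value stands in for elapsed time, which is what a real attacker measures."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)

def hmac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def hmac_verify_leaky(key: bytes, msg: bytes, tag: bytes):
    return leaky_equal(tag, hmac_tag(key, msg))

def hmac_verify_ct(key: bytes, msg: bytes, tag: bytes) -> bool:
    # hmac.compare_digest examines every byte regardless of where they differ.
    return hmac.compare_digest(tag, hmac_tag(key, msg))

def forge_tag_via_timing(oracle, length: int) -> bytes:
    """Attacker side: recover the expected tag using nothing but the timing
    proxy returned by the leaky oracle. Byte i is right when the oracle either
    accepts the tag or examines more than i + 1 bytes before rejecting."""
    guess = bytearray(length)
    for i in range(length):
        for candidate in range(256):
            guess[i] = candidate
            ok, examined = oracle(bytes(guess))
            if ok or examined > i + 1:
                break
    return bytes(guess)

# ---------------------------------------------------------------------------
# Asymmetric case: textbook RSA signatures over a SHA-256 digest (toy key with
# constructed, far-too-small primes; no padding). Verification consumes only
# the public key, the signature and the digest: nothing the attacker does not
# already hold, so a timing leak cannot hand them the private exponent.
# ---------------------------------------------------------------------------

P, Q = 104729, 1299709          # constructed toy primes, not a real key size
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse; needs Python 3.8+

def digest_mod_n(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def rsa_sign(msg: bytes) -> int:
    return pow(digest_mod_n(msg), D, N)         # private exponent used here

def rsa_verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest_mod_n(msg)  # public exponent only

def rsa_verify_leaky(msg: bytes, sig: int):
    """Same check with a leaky byte comparison. Its timing depends only on
    (sig, E, N) and the expected digest, so the only thing it can reveal is
    the digest, which is a concern solely when msg is meant to stay secret."""
    width = (N.bit_length() + 7) // 8
    recovered = pow(sig, E, N).to_bytes(width, "big")
    expected = digest_mod_n(msg).to_bytes(width, "big")
    return leaky_equal(recovered, expected)

def demo():
    """Returns (forged HMAC tag accepted, RSA sig verifies, leaky RSA verify ok)."""
    key = secrets.token_bytes(32)
    msg = b"constructed sample message"
    forged = forge_tag_via_timing(lambda t: hmac_verify_leaky(key, msg, t), 32)
    hmac_forged_accepted = hmac_verify_ct(key, msg, forged)
    sig = rsa_sign(msg)
    return hmac_forged_accepted, rsa_verify(msg, sig), rsa_verify_leaky(msg, sig)[0]

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the attacker forging a valid HMAC tag without ever seeing the key, using at most 256 queries per tag byte against the leaky verifier; swapping in `hmac_verify_ct` removes the oracle. The RSA verifier has no comparable secret to give up: anyone can run `rsa_verify` themselves on the same public inputs, which is why only message secrecy, not signature security, is at stake there.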





Comments (3)

  • +1 – Thank you, that makes sense. So if I have a function that takes an arbitrary signature, and verifies it against an unknown (to the attacker) (message, public key) pair, could a non-constant time verification leak information about either the message or the public key? — Mar 19, 2015 at 22:11  
  • +0 – @SylarMorgan: you are very right to mention the secrecy of the message! The first version of my answer had forgotten about that, shame on me, time to go to bed! — Mar 19, 2015 at 22:26  
  • +0 – @fgrieu I don't think non-constant-time DSS verification of secret message is any more dangerous than just any non-constant-time processing of secret information. There are many non-cryptographic data processing applications out there that don't give time side channel any consideration. — Aug 07, 2021 at 02:27