Security of OpenSSL ECDSA signatures

Aris Adamantiadis aris at
Tue May 24 18:15:10 EST 2011

On 24/05/11 10:08, Damien Miller wrote:
> I guess if you wanted to dither (pun!) then you could do something like:
> +       duration = (duration + (arc4random() & 1) ? 999 : 0) / 1000;
> to make it random whether you round up or down, but I suspect that would
> increase the information leaked rather than decrease it.
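Review bot: the quoted one-liner has a C operator-precedence problem that makes it a no-op rather than a dither. `+` binds tighter than `?:`, so `(duration + (arc4random() & 1) ? 999 : 0)` parses as `((duration + (arc4random() & 1)) ? 999 : 0)`: the whole sum becomes the condition, the expression evaluates to 999 (or 0 when the sum is zero), and the following `/ 1000` collapses that to 0 for every non-zero duration. The intended randomised rounding needs parentheses around the ternary, i.e. `duration = (duration + ((arc4random() & 1) ? 999 : 0)) / 1000;`. Separately from the parse error, with a fixed 999 offset the set of values an observer sees over repeated samples is {floor, ceil} of `duration / 1000`, so the bucket is still recoverable by taking the minimum, which supports the suspicion that the dither does not reduce what is leaked.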

I think that shooting in the dark in order to block unknown timing
attacks is likely to worsen the problem rather than to mitigate it. Wouldn't
it be better to "simply" analyze the upstream algorithm and try to make it
O(1), whatever the situation?
As said in the thread, putting timer loops will not stop side infoleaks
like cpu load, cache misses etc.
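As an added illustration, not code from the thread or from OpenSSH, the following Python model shows what the dithered-rounding idea quoted above actually hides from someone who can sample the same duration repeatedly. All function names are hypothetical; `coin` stands in for `arc4random() & 1`. `dither_round` is the intended semantics (randomly add 999 before integer division by 1000), `quoted_round_as_parsed` applies C precedence to the quoted line literally, and `recover` is what a passive observer can reconstruct from a batch of dithered samples of one fixed duration.

```python
import random


def dither_round(duration_us, coin):
    """Intended semantics of the quoted one-liner: add 999 with probability
    1/2 before integer division, so each sample rounds either up or down."""
    return (duration_us + (999 if coin() & 1 else 0)) // 1000


def quoted_round_as_parsed(duration_us, coin):
    """The quoted line with C precedence applied literally: '+' binds tighter
    than '?:', so the condition is the whole sum and the value is 999 or 0,
    which the final integer division by 1000 collapses to 0."""
    cond = duration_us + (coin() & 1)
    return (999 if cond else 0) // 1000


def observe(duration_us, samples, seed=0):
    """Constructed sample set: the same true duration measured `samples`
    times through the dithered rounding, with a seeded RNG as the coin."""
    rng = random.Random(seed)
    return [dither_round(duration_us, lambda: rng.getrandbits(1)) for _ in range(samples)]


def recover(observations):
    """What repeated dithered samples of one duration reveal: the floor
    bucket (the minimum observed value) and whether the true duration was an
    exact multiple of 1000 (no sample ever rounded up, so min == max).
    Plain truncation would leak only the first of these."""
    lo, hi = min(observations), max(observations)
    return lo, lo == hi


if __name__ == "__main__":
    for true_us in (1500, 1999, 2000):
        print(true_us, "->", recover(observe(true_us, 200)))
```

The observer needs no averaging: the minimum of a handful of samples is the truncated bucket that an undithered `duration / 1000` would have exposed anyway, and the presence or absence of spread adds one more bit (multiple-of-1000 or not). This is the mechanical reason a randomised rounding step cannot substitute for making the underlying operation take the same time regardless of its inputs.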
