Scott Fluhrer edited untitled.tex
almost 9 years ago
Commit id: 119fd2c3febafa1df263c14eebe8df5b435dff62
diff --git a/untitled.tex b/untitled.tex
index 0e05e1c..e3b6741 100644
--- a/untitled.tex
+++ b/untitled.tex
...
\item Compute $s = u_4u(z + rd)$ (where $z$, $r$ and $d$ have the normal meanings for ECDSA; $z$ is the hash, $r$ is the x-coordinate computed previously, and $d$ is the ECDSA private key).
\end{itemize}
If you go through this procedure, it should be clear that this is effectively the ECDSA signature algorithm (with $k = a+b \bmod
n$), and n$). It should also be clear that the
value of $k$ chosen is unbiased, and that internal bits of all the intermediate values are uncorrelated to the bits of
$k$, $k$ (in fact, except for $t_5$, the value of all intermediates are distributed independently of $k$), hence we have achieved blinding against first order side channel attacks. In addition, the operations that we have added over the straight-forward ECDSA signature generation with Coron blinding (generating $2\log{n}$ additional random bits, three additional multiplications, one additional binary addition, one addition in base-48, and two base conversions) are relatively cheap (say, compared to computing the multiplicative inverse), and so we haven't increased the expense significantly.
\section{Summary}
...
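Review bot: the sentence beginning "It should also be clear that the value of $k$ chosen is unbiased" first asserts that the internal bits of all intermediate values are uncorrelated with the bits of $k$, and then the newly added parenthetical immediately excepts $t_5$, which leaves the reader unsure whether the blinding claim covers $t_5$ or not. Suggest moving the exception into the main clause and stating explicitly what is known about $t_5$ (for example, that it depends on $k$ but in a way that does not expose $k$ to a first-order analysis, if that is the intended claim), so that "hence we have achieved blinding against first order side channel attacks" follows from what is written. Two smaller points in the same hunk: "the value of all intermediates are distributed" should read "the values of all intermediates are distributed", and "straight-forward" is conventionally "straightforward".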