ECDSA: Explain limitations of constant blinding

commit: 75f2c20f9c59ce702edd5e73d777a3a01b06f542 [log] [tgz]
author: Janos Follath <janos.follath@arm.com> Tue Jan 15 11:44:31 2019 +0000
committer: Darryl Green <darryl.green@arm.com> Thu Sep 05 11:18:58 2019 +0100
tree: 2bb598dafeab9f7d318fbf417aac1aa7d0a0ebe8
parent: 896a2942117514bf0427c187f05d687d08e2b0c9 [diff]
diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h
index 775b58b..b009e73 100644
--- a/include/mbedtls/ecdsa.h
+++ b/include/mbedtls/ecdsa.h

@@ -196,6 +196,19 @@
  *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
  *                  4.1.3, step 5.
  *
+ * \warning         Since the output of the internal RNG is always the same for
+ *                  the same key and message, this limits the efficiency of
+ *                  blinding and leaks information through side channels. For
+ *                  secure behavior use mbedtls_ecdsa_sign_det_ext() instead.
+ *
+ *                  (Optimally the blinding is a random value that is different
+ *                  on every execution. In this case the blinding is still
+ *                  random from the attackers perspective, but is the same on
+ *                  each execution. This means that this blinding does not
+ *                  prevent attackers from recovering secrets by combining
+ *                  several measurement traces, but may prevent some attacks
+ *                  that exploit relationships between secret data.)
+ *
  * \see             ecp.h
  *
  * \param grp       The context for the elliptic curve to use.
commit	75f2c20f9c59ce702edd5e73d777a3a01b06f542	[log] [tgz]
author	Janos Follath <janos.follath@arm.com>	Tue Jan 15 11:44:31 2019 +0000
committer	Darryl Green <darryl.green@arm.com>	Thu Sep 05 11:18:58 2019 +0100
tree	2bb598dafeab9f7d318fbf417aac1aa7d0a0ebe8
parent	896a2942117514bf0427c187f05d687d08e2b0c9 [diff]