Side-channel leakage in the mpz_powm_sec interface

Torbjörn Granlund tg at
Fri Aug 25 13:19:40 CEST 2023

Niels Möller <nisse at> writes:

  I know you've done more work on that recently, while I have no idea how
  "mod argument blinding" works...

A random ring extension.  Yes, mod argument invariance will still be
there, unless one changes extension for each multiply/squaring inside
the modexp loop, but an attacker cannot cause unlimited invariance.

  ... if GMP can provide advice and/or tools to do it, that's nice of

Educating people is good, and here we in particular want to make sure
nobody thinks GMP's "sec" functions are the silver bullet.

Please encrypt, key id 0xC8601622

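An added illustration of the two variants contrasted above, not code from this thread or from GMP: the whole exponentiation carried out in one random ring extension, versus a square-and-multiply loop that picks a fresh extension for every squaring and multiplication. "Ring extension" is assumed here to mean replacing the modulus m by m*r for a random cofactor r; the per-step loop is a plain demonstration of the idea, not constant-time and not how mpz_powm_sec is implemented.

```python
import secrets


def fresh_cofactor(bits: int = 64) -> int:
    """Random cofactor r in [2**bits, 2**(bits+1)); Z/(m*r)Z is the extension ring."""
    return secrets.randbits(bits) | (1 << bits)


def powm_blinded_once(base: int, exp: int, mod: int, bits: int = 64) -> tuple[int, int]:
    """Whole exponentiation in a single random extension, reduced to Z/modZ at the end.

    Reducing modulo mod*r never changes the residue modulo mod, so the result equals
    pow(base, exp, mod). The modulus the loop actually sees is mod*r: it differs from
    call to call, but stays fixed inside one call (the invariance the thread mentions).
    Returns (result, blinded_modulus) so the caller can inspect the modulus used.
    """
    if mod <= 0 or exp < 0:
        raise ValueError("mod must be positive and exp non-negative")
    n = mod * fresh_cofactor(bits)
    return pow(base, exp, n) % mod, n


def powm_blinded_per_step(base: int, exp: int, mod: int, bits: int = 64) -> tuple[int, list[int]]:
    """Left-to-right square-and-multiply with a fresh extension at every step.

    Every squaring and multiplication reduces modulo a different mod*r_i, so no two
    steps share a modulus. Each reduction preserves the residue modulo mod, hence the
    accumulator is always congruent to the partial power and the final answer equals
    pow(base, exp, mod). Returns (result, list of the moduli used, one per exponent bit).
    The exponent-dependent branch makes this a teaching loop only, not a hardened one.
    """
    if mod <= 0 or exp < 0:
        raise ValueError("mod must be positive and exp non-negative")
    moduli: list[int] = []
    acc = 1
    for bit in bin(exp)[2:]:
        n = mod * fresh_cofactor(bits)
        acc = (acc * acc) % n
        if bit == "1":
            acc = (acc * base) % n
        moduli.append(n)
    return acc % mod, moduli
```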