Side-channel leakage in the mpz_powm_sec interface
Torbjörn Granlund
tg at gmplib.org
Fri Aug 25 13:19:40 CEST 2023
Niels Möller <nisse at lysator.liu.se> writes:
> I know you've done more work on that recently, while I have no idea how
> "mod argument blinding" works...
A random ring extension. Yes, mod argument invariance will still be
there, unless one changes extension for each multiply/squaring inside
the modexp loop, but an attacker cannot cause unlimited invariance.
> ... if GMP can provide advice and/or tools to do it, that's nice of
> course.
Educating people is good, and here we in particular want to make sure
nobody thinks GMP's "sec" functions are the silver bullet.
--
Torbjörn
Please encrypt, key id 0xC8601622
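Added example, not code from GMP or from anyone in this thread: a Python sketch of what "a random ring extension" means in arithmetic terms, under my reading of the remark above. Instead of reducing modulo m, the exponentiation is carried out modulo m*r for a random r and the result is reduced modulo m at the end; since m divides m*r this is exact. The first function keeps one extension for the whole exponentiation (so every squaring and multiplication inside the loop still sees the same modulus, which is the residual invariance the message mentions); the second switches to a fresh extension before every squaring and multiplication, which is the stronger variant the message describes. Function names, the 64-bit extension size, the `trace` parameter and the sample modulus are my choices; Python's built-in `pow` is of course not constant time, the point here is only which modulus the arithmetic is handed.

```python
import secrets
from typing import Optional

def _ring_extension(ext_bits: int, rand) -> int:
    """Random, nonzero extension factor r (forced odd so it is never 0)."""
    return rand(ext_bits) | 1

def blinded_powm(base: int, exp: int, mod: int, ext_bits: int = 64,
                 rand=secrets.randbits, trace: Optional[list] = None) -> int:
    """base^exp mod mod, evaluated in Z/(mod*r) for a fresh random r and
    reduced modulo mod at the end.  The extension is fixed for the whole
    exponentiation: the loop inside pow() sees one modulus mod*r, so the
    modulus is invariant within a call but differs between calls."""
    if mod <= 0 or exp < 0:
        raise ValueError("mod must be positive and exp non-negative")
    big = mod * _ring_extension(ext_bits, rand)
    if trace is not None:
        trace.append(big)        # record the modulus the arithmetic saw
    # mod divides big, so (x mod big) mod mod == x mod mod for every x
    return pow(base, exp, big) % mod

def blinded_powm_rerandomized(base: int, exp: int, mod: int, ext_bits: int = 64,
                              rand=secrets.randbits,
                              trace: Optional[list] = None) -> int:
    """Left-to-right square-and-multiply that moves to a fresh ring
    extension before every squaring and every multiplication.  A value a
    held modulo mod*r_old is moved into Z/(mod*r_new) by taking a mod mod
    and adding a random multiple k*mod with k < r_new: the sum stays below
    mod*r_new and its residue modulo mod is unchanged."""
    if mod <= 0 or exp < 0:
        raise ValueError("mod must be positive and exp non-negative")

    def reextend(a: int):
        r = _ring_extension(ext_bits, rand)
        k = rand(ext_bits) % r                 # 0 <= k < r
        big = mod * r
        if trace is not None:
            trace.append(big)
        return (a % mod) + k * mod, big        # same residue mod mod, < big

    acc, big = 1, mod
    b = base % mod
    for bit in bin(exp)[2:]:
        acc, big = reextend(acc)
        acc = (acc * acc) % big                # squaring under a new modulus
        if bit == "1":
            acc, big = reextend(acc)
            acc = (acc * b) % big              # multiplication under another
    return acc % mod

if __name__ == "__main__":
    # Constructed sample modulus with an RSA-like shape (product of two primes).
    n = (2**61 - 1) * (2**89 - 1)
    t1, t2 = [], []
    assert blinded_powm(7, 12345, n, trace=t1) == pow(7, 12345, n)
    assert blinded_powm_rerandomized(7, 12345, n, trace=t2) == pow(7, 12345, n)
    print("fixed extension: %d modulus used; per-step: %d distinct moduli"
          % (len(t1), len(set(t2))))
```

Both variants return the same residue as a plain `pow(base, exp, mod)`; what changes is the modulus handed to the multiplications, which is what an attacker relying on a repeated modulus argument would key on. The price is arithmetic on a larger modulus (here 64 extra bits per operand) and, for the per-step variant, a fresh random draw per squaring and multiplication.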