Side-channel leakage in the mpz_powm_sec interface

Torbjörn Granlund tg at gmplib.org
Fri Aug 25 13:19:40 CEST 2023


Niels Möller <nisse at lysator.liu.se> writes:

  I know you've done more work on that recently, while I have no idea how
  "mod argument blinding" works...

A random ring extension.  Yes, mod argument invariance will still be
there, unless one changes extension for each multiply/squaring inside
the modexp loop, but an attacker cannot cause unlimited invariance.

  ... if GMP can provide advice and/or tools to do it, that's nice of
  course.

Educating people is good, and here we in particular want to make sure
nobody thinks GMP's "sec" functions are the silver bullet.

-- 
Torbjörn
Please encrypt, key id 0xC8601622
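The "random ring extension" Torbjörn describes, as an added illustration that is not GMP code and not part of the original thread: the modexp is run over Z/(r*m) for a fresh random r and reduced to Z/m only at the end, so the modulus the low-level routine sees changes on every call. The second function (names `blinded_powm` and `blinded_powm_per_step` are my own) draws a new extension for every squaring and multiplication inside the loop, which is the stronger variant he mentions; it uses a plain square-and-multiply to show the arithmetic, not a constant-time implementation.

```python
import secrets

def _fresh_extension(mod, blind_bits):
    """Return r*mod for a random odd r with its top bit set (constructed blinding factor)."""
    r = secrets.randbits(blind_bits) | (1 << (blind_bits - 1)) | 1
    return r * mod

def blinded_powm(base, exp, mod, blind_bits=64):
    """Mod-argument blinding with one ring extension per call.

    All intermediate values stay congruent to base^exp modulo mod because the
    working modulus is a multiple of mod.  Across calls the modulus differs,
    so an attacker cannot force the same modulus through repeated requests;
    within one call the modulus is still invariant for the whole loop.
    """
    ext = _fresh_extension(mod, blind_bits)
    return pow(base % ext, exp, ext) % mod

def blinded_powm_per_step(base, exp, mod, blind_bits=64):
    """Variant that changes the ring extension for each squaring and multiply.

    Reducing modulo a different multiple of mod at each step is sound: the
    residue class modulo mod is preserved, only the representative changes.
    Illustrative left-to-right square-and-multiply; not side-channel hardened.
    """
    acc = 1
    for bit in bin(exp)[2:]:
        acc = (acc * acc) % _fresh_extension(mod, blind_bits)
        if bit == "1":
            acc = (acc * base) % _fresh_extension(mod, blind_bits)
    return acc % mod

if __name__ == "__main__":
    m = (1 << 127) - 1          # Mersenne prime, so 3^(m-1) == 1 (mod m)
    print(blinded_powm(3, m - 1, m), blinded_powm_per_step(3, m - 1, m))
```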