Side-channel leakage in the mpz_powm_sec interface

Torbjörn Granlund tg at
Fri Aug 25 19:15:54 CEST 2023

  > Therefore,
  > additional layers of side-channel obfuscation are needed, like standard
  > RSA message blinding, mod argument blinding, exponent blinding.

  Sure, but I think that should be performed by upper-level code, as how
  you do blinding depends on the algorithm and operation you're performing.

I don't think it would be mathematically possible to do any of these
blinding operations in mpn_sec_powm.  Not unless you successfully factor
the modulus operand locally, but that might be a tad bit expensive, in
particular if the factoring is to be side channel silent. :-)

Please encrypt, key id 0xC8601622
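The blinding the thread says belongs in the caller rather than in mpn_sec_powm, as an added example that is not part of the original thread or of GMP: RSA message blinding needs the public exponent e and exponent blinding needs phi(N), neither of which the (base, exp, mod) interface of mpz_powm_sec sees. Python's pow(b, e, n) stands in for mpz_powm_sec; the small key is constructed for illustration only.

```python
# Added example: RSA blinding performed by upper-level code around a
# constant-time modular exponentiation. Not from the gmp-bugs thread or GMP.
import math
import secrets

# Constructed toy RSA key (far too small for real use; two known primes).
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)          # known only to the key holder, not to powm
E = 65537                        # public exponent, likewise not passed to powm
D = pow(E, -1, PHI)


def powm_sec(base: int, exp: int, mod: int) -> int:
    """Stand-in for mpz_powm_sec: it sees only base, exp and mod, so it has
    no e and no phi(N) with which to blind anything itself."""
    return pow(base, exp, mod)


def random_unit(n: int) -> int:
    """Random r in [2, n-2] with gcd(r, n) == 1 (so r^-1 mod n exists)."""
    while True:
        r = secrets.randbelow(n - 3) + 2
        if math.gcd(r, n) == 1:
            return r


def rsa_private_blinded(m: int, e: int, d: int, n: int, phi: int) -> int:
    """Compute m^d mod n with message blinding (uses e) and exponent
    blinding (uses phi), so powm_sec never sees m or d directly."""
    r = random_unit(n)
    # Message blinding: (m * r^e)^d = m^d * r^(e*d) = m^d * r (mod n),
    # because e*d = 1 (mod phi). Requires e, which powm_sec does not have.
    m_blind = (m * powm_sec(r, e, n)) % n
    # Exponent blinding: d' = d + k*phi gives the same power since
    # a^(1 + phi) = a (mod n) for RSA moduli. Requires phi, i.e. the factors.
    k = secrets.randbelow(1 << 64) + 1
    d_blind = d + k * phi
    s_blind = powm_sec(m_blind, d_blind, n)
    # Unblind: multiply by r^-1 mod n.
    return (s_blind * pow(r, -1, n)) % n


def verify(m: int, s: int, e: int, n: int) -> bool:
    """Public-key check that the blinded result equals the plain m^d mod n."""
    return pow(s, e, n) == m % n
```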
