Side-channel leakage in the mpz_powm_sec interface

Torbjörn Granlund tg at gmplib.org
Fri Aug 25 19:15:54 CEST 2023


  > Therefore,
  > additional layers of side-channel obfuscation are needed, like standard
  > RSA message blinding, mod argument blinding, exponent blinding.

  sure, but I think that should be performed by upper level code, as how
  you do blinding depends on the algorithm and operation you're performing

I don't think it would be mathematically possible to do any of these
blinding operations in mpn_sec_powm.  Not unless you successfully factor
the modulus operand locally, but that might be a tad bit expensive, in
particular if the factoring is to be side channel silent. :-)

-- 
Torbjörn
Please encrypt, key id 0xC8601622
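The layering this thread talks about, done by the caller around the exponentiation rather than inside it, as an added example that is not part of the original message and not GMP's code. Python's pow() stands in for mpz_powm_sec, the toy primes P and Q and all helper names are constructed for illustration, and the comments mark which extra input each blinding layer needs (the public exponent, phi(n), or control of the modulus operand) that a bare powm(base, exp, mod) is never handed.

```python
import secrets
from math import gcd

# Constructed toy RSA key for the example only (far too small to be secure).
P, Q = 1000003, 1000033          # assumed prime for this demo
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)           # only computable from the factorisation of N
D = pow(E, -1, PHI)


def blinded_rsa_private(m, d, e, n, phi, rng=secrets.randbelow):
    """Compute m^d mod n with three caller-side blinding layers.

    Each layer needs something a bare powm(base, exp, mod) is never given:
      - message blinding needs the public exponent e,
      - exponent blinding needs phi(n), i.e. the factors of n,
      - modulus blinding changes the modulus operand itself.
    Returns the result plus the blinded operands so a test can inspect them.
    """
    # 1. message blinding: pick r coprime to n and exponentiate (m * r^e) instead of m
    while True:
        r = rng(n - 2) + 2
        if gcd(r, n) == 1:
            break
    r_inv = pow(r, -1, n)
    m_blind = (m * pow(r, e, n)) % n

    # 2. exponent blinding: d' = d + k*phi(n); x^d' == x^d (mod n) by Euler's theorem
    k = rng(1 << 64) + 1
    d_blind = d + k * phi

    # 3. modulus blinding: work modulo n*j first, then reduce back to n
    j = rng(1 << 64) + 1
    n_blind = n * j

    # pow() stands in for mpz_powm_sec, called only on blinded operands
    s_blind = pow(m_blind, d_blind, n_blind) % n

    # undo the message blinding: (m r^e)^d = m^d * r (mod n), so multiply by r^-1
    s = (s_blind * r_inv) % n
    return {"signature": s, "m_blind": m_blind, "d_blind": d_blind, "n_blind": n_blind}


def rsa_public(s, e, n):
    """Public operation, used to check that the blinded result round-trips."""
    return pow(s, e, n)


if __name__ == "__main__":
    msg = 123456789                      # constructed sample input, must be < N
    out = blinded_rsa_private(msg, D, E, N, PHI)
    assert out["signature"] == pow(msg, D, N)
    assert rsa_public(out["signature"], E, N) == msg
    print("blinded result matches plain m^d mod n")
```

The exponent-blinding step is the one that makes the point of the message concrete: d + k*phi(n) is only computable by whoever holds p and q, so a library routine that receives just (base, exp, mod) has no way to add it itself.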
