Fault attacks on RSA in libgcrypt

Jeff Burdges burdges at gnunet.org
Mon Aug 22 19:42:42 CEST 2016


Dear gcrypt-devel,

I implemented the protection against fault attacks recommended in
"Making RSA-PSS Provably Secure Against Non-Random Faults" by Gilles
Barthe, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire,
Mehdi Tibouchi and Jean-Christophe Zapalowicz.
  https://eprint.iacr.org/2014/252
It worries that a targeted fault attack could subvert the conditional
currently used to protect against fault attacks.

Apply the attached patch by switching to a new branch of master and
running:
  git am ../Fault-attacks-on-RSA.patch

At present, I'm using rho = ctx.nbits-1 because Remark 2 on page 8
recommends roughly rho = ctx.nbits/2+200 and blind signing applications
like Taler need an FDH instead of a randomized scheme like PSS.

In fact, if one worries about attacks on a conditional, then maybe one
should worry about attacks on ctx.nbits or even ctx.flags &
PUBKEY_FLAG_NO_BLINDING as well.  If so, Remark 2 argues that rho=512
should more than suffice, even if not covered by their proof, and
provide more security against fault attacks on ctx.  Thoughts?

In any case, I'd suggest disabling support for PUBKEY_FLAG_NO_BLINDING
by default too, with a compile time option to enable it.  Any occurrence
sounds like a bit flip attack target that enables timing attacks.

Best,
Jeff
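The conditional countermeasure the message refers to, shown here as an added illustration (this is not Jeff's patch and not libgcrypt code): an RSA-CRT signature is recomputed with the public exponent and withheld on mismatch. The toy primes, the message value and the `fault_q` argument that simulates a fault in one CRT half are constructed for the example.

```python
# Constructed toy parameters: two well-known small primes, far too small for real use.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)        # private exponent (Python 3.8+ modular inverse)
D_P = D % (P - 1)          # CRT exponents
D_Q = D % (Q - 1)
Q_INV = pow(Q, -1, P)      # q^-1 mod p for Garner recombination


def crt_sign(m, fault_q=None):
    """RSA-CRT signature on a message representative m < N.

    fault_q, when given, is added to the mod-q half to simulate a fault
    injected into that half of the computation (constructed for the example).
    """
    s_p = pow(m, D_P, P)
    s_q = pow(m, D_Q, Q)
    if fault_q is not None:
        s_q = (s_q + fault_q) % Q          # simulated fault, not part of signing
    h = (Q_INV * (s_p - s_q)) % P          # Garner: s = s_q + q * ((s_p - s_q) * q^-1 mod p)
    return (s_q + h * Q) % N


def sign_with_check(m, fault_q=None):
    """The conditional countermeasure: verify s with the public key before
    releasing it. Returns None instead of a signature when the check fails."""
    s = crt_sign(m, fault_q)
    # This single branch is the conditional the message worries about: if a
    # fault skips it, a faulty s would be released unverified.
    if pow(s, E, N) != m % N:
        return None
    return s


if __name__ == "__main__":
    msg = 123456789                        # constructed message representative
    print("clean:", sign_with_check(msg) is not None)            # True
    print("faulted:", sign_with_check(msg, fault_q=1) is None)   # True
```

With these parameters E is coprime to both p-1 and q-1, so any non-zero additive fault in the mod-q half changes the recovered message and the check rejects it deterministically.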


-------------- next part --------------
A non-text attachment was scrubbed...
Name: Fault-attacks-on-RSA.patch
Type: text/x-patch
Size: 2458 bytes
Desc: not available
URL: </pipermail/attachments/20160822/2dbcaebb/attachment-0001.bin>