Fault attacks on RSA in libgcrypt

Jeff Burdges burdges at gnunet.org
Mon Aug 22 22:48:33 CEST 2016


Also, there are discussion threads on this topic elsewhere:
https://github.com/briansmith/ring/issues/264
https://www.ietf.org/mail-archive/web/tls/current/msg20750.html

Best,
Jeff


On Mon, 2016-08-22 at 19:42 +0200, Jeff Burdges wrote:
> Dear gcrypt-devel,
> 
> I implemented the protection against fault attacks recommended in
> "Making RSA-PSS Provably Secure Against Non-Random Faults" by Gilles
> Barthe, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire,
> Mehdi Tibouchi and Jean-Christophe Zapalowicz.
>   https://eprint.iacr.org/2014/252
> It worries me that a targeted fault attack could subvert the conditional
> currently used to protect against fault attacks.
> 
> Apply the attached patch by switching to a new branch of master and
> running:
>   git am ../Fault-attacks-on-RSA.patch
> 
> At present, I'm using rho = ctx.nbits-1 because Remark 2 on page 8
> recommends roughly rho = ctx.nbits/2+200 and blind signing applications
> like Taler need an FDH instead of a randomized scheme like PSS. 
> 
> In fact, if one worries about attacks on a conditional, then maybe one
> should worry about attacks on ctx.nbits or even ctx.flags &
> PUBKEY_FLAG_NO_BLINDING as well.  If so, Remark 2 argues that rho=512
> should more than suffice, even if not covered by their proof, and
> provide more security against fault attacks on ctx.  Thoughts?
> 
> In any case, I'd suggest disabling support for PUBKEY_FLAG_NO_BLINDING
> by default too, with a compile time option to enable it.  Any occurrence
> sounds like a bit flip attack target that enables timing attacks.
> 
> Best,
> Jeff
> 
> 
> _______________________________________________
> Gcrypt-devel mailing list
> Gcrypt-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
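As an added illustration (example code written for this archive page, not the attached patch and not libgcrypt's rsa.c), the toy below shows the kind of conditional the quoted message is concerned about. It assumes that "the conditional currently used" is a verify-before-release check of the form S^e == m (mod N) applied after an RSA-CRT signature; the key values are the textbook 61/53/17 example and the message and fault are constructed. It shows the check catching a simulated glitch in the mod-q half, and what a faulty signature gives away when no such check (or an infective countermeasure that needs no branch) stands between the computation and the caller.

```python
"""Added example (not libgcrypt code): why RSA-CRT signing needs a fault
check, and why having that protection hinge on one branch is a concern.

Toy parameters only; real keys are 2048+ bits.  Assumption: the
"conditional" discussed in the thread is a verify-before-release check
S^e == m (mod N) run on the finished signature."""
from math import gcd

# Constructed toy key: p, q, e are the textbook RSA example values.
P, Q, E = 61, 53, 17
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)           # private exponent (needs Python >= 3.8)
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)          # Garner recombination constant


def crt_sign_unchecked(m, fault=None):
    """Textbook RSA-CRT signature S = m^d mod N assembled from the two
    half-size exponentiations.  `fault`, if given, is applied to the
    mod-q half to simulate a glitch in that computation."""
    s_p = pow(m, DP, P)
    s_q = pow(m, DQ, Q)
    if fault is not None:
        s_q = fault(s_q) % Q      # simulated fault, constructed for the demo
    h = (QINV * (s_p - s_q)) % P
    return s_q + h * Q


class FaultDetected(Exception):
    pass


def crt_sign_checked(m, fault=None):
    """Same computation followed by the conditional the thread discusses:
    verify with the public exponent before releasing S.  A fault that
    skips this single branch would release the bad signature anyway."""
    s = crt_sign_unchecked(m, fault)
    if pow(s, E, N) != m % N:
        raise FaultDetected("signature failed public-key check; not released")
    return s


def factor_leaked_by(faulty_sig, m):
    """What a released faulty signature gives away: S' is still correct
    mod p but wrong mod q, so gcd(S'^e - m, N) is p.  This is the risk
    the check, or a countermeasure without a branch, exists to close."""
    return gcd(pow(faulty_sig, E, N) - m, N)


def demo():
    """Returns (good signature, whether the fault was caught, leaked factor)."""
    m = 1234                               # constructed message, coprime to N
    good = crt_sign_checked(m)
    flip_low_bit = lambda x: x ^ 1         # constructed single-bit glitch
    try:
        crt_sign_checked(m, fault=flip_low_bit)
        caught = False
    except FaultDetected:
        caught = True
    bad = crt_sign_unchecked(m, fault=flip_low_bit)
    return good, caught, factor_leaked_by(bad, m)


if __name__ == "__main__":
    print(demo())
```

The design point is that `crt_sign_checked` protects the key only as long as the `if` is executed faithfully; the branch is exactly the single point of failure the quoted message wants to remove, which is why a countermeasure that makes a faulted output useless without any decision is preferred.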


