Fault attacks on RSA in libgcrypt
Jeff Burdges
burdges at gnunet.org
Mon Aug 22 22:48:33 CEST 2016
Also, there are discussion threads on this topic elsewhere:
https://github.com/briansmith/ring/issues/264
https://www.ietf.org/mail-archive/web/tls/current/msg20750.html
Best,
Jeff
On Mon, 2016-08-22 at 19:42 +0200, Jeff Burdges wrote:
> Dear gcrypt-devel,
>
> I implemented the protection against fault attacks recommended in
> "Making RSA-PSS Provably Secure Against Non-Random Faults" by Gilles
> Barthe, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire,
> Mehdi Tibouchi and Jean-Christophe Zapalowicz.
> https://eprint.iacr.org/2014/252
> It worries that a targeted fault attack could subvert the conditional
> currently used to protect against fault attacks.
>
> Apply the attached patch by switching to a new branch of master and
> running:
> git am ../Fault-attacks-on-RSA.patch
>
> At present, I'm using rho = ctx.nbits-1 because Remark 2 on page 8
> recommends roughly rho = ctx.nbits/2+200 and blind signing applications
> like Taler need an FDH instead of a randomized scheme like PSS.
>
> In fact, if one worries about attacks on a conditional, then maybe one
> should worry about attacks on ctx.nbits or even ctx.flags &
> PUBKEY_FLAG_NO_BLINDING as well. If so, Remark 2 argues that rho=512
> should more than suffice, even if not covered by their proof, and
> provide more security against fault attacks on ctx. Thoughts?
>
> In any case, I'd suggest disabling support for PUBKEY_FLAG_NO_BLINDING
> by default too, with a compile time option to enable it. Any occurrence
> sounds like a bit flip attack target that enables timing attacks.
>
> Best,
> Jeff
>
>
> _______________________________________________
> Gcrypt-devel mailing list
> Gcrypt-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
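The "conditional currently used to protect against fault attacks" that the quoted message refers to is the verify-after-sign check: compute the CRT signature, re-encrypt it with the public exponent, and release it only if the result matches the message representative. The toy below (an added illustration for this archive page, not the attached patch and not libgcrypt's code) shows that check in Python, simulates a single glitch in the mod-p half of an RSA-CRT signature, and shows why the check must never be skipped: a faulty CRT signature that is released reveals one of the prime factors. The key (two Mersenne primes), the message representative and the fault model are constructed for the example and are far too small for real use; it does not implement the randomized countermeasure from the Barthe et al. paper.

```python
from math import gcd

# Constructed toy key: two Mersenne primes. Real keys are 2048+ bits.
P = (1 << 61) - 1          # 2^61 - 1, prime
Q = (1 << 31) - 1          # 2^31 - 1, prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Constructed message representative (already padded; must be < N).
MSG = 0x1234567890ABCDEF1234


def crt_sign(m, fault_in_p=False):
    """RSA-CRT signature of m, with an optional simulated fault.

    fault_in_p=True flips one bit of the half computed mod P after the
    exponentiation, modelling a single glitch in that half (constructed
    fault model for the example)."""
    dp = D % (P - 1)
    dq = D % (Q - 1)
    sp = pow(m, dp, P)
    sq = pow(m, dq, Q)
    if fault_in_p:
        sp ^= 1
    # Garner recombination: s = sq + Q * ((sp - sq) * Q^-1 mod P)
    qinv = pow(Q, -1, P)
    h = (qinv * (sp - sq)) % P
    return sq + h * Q


def sign_checked(m, fault_in_p=False):
    """Verify-after-sign: release s only if s^e == m mod N, else None."""
    s = crt_sign(m, fault_in_p)
    if pow(s, E, N) != m:
        return None          # faulty signature: do not release it
    return s


def factor_from_faulty(m, s_bad):
    """Why the check matters: a signature that is correct mod Q but wrong
    mod P satisfies s_bad^e == m only mod Q, so gcd(s_bad^e - m, N) = Q.
    This is the textbook consequence of releasing a faulty CRT signature."""
    return gcd(pow(s_bad, E, N) - m, N)


if __name__ == "__main__":
    good = sign_checked(MSG)
    print("correct signature verifies:", pow(good, E, N) == MSG)
    print("faulty signature released:", sign_checked(MSG, fault_in_p=True))
    leaked = factor_from_faulty(MSG, crt_sign(MSG, fault_in_p=True))
    print("factor recovered from unchecked faulty signature:", leaked == Q)
```

The check is a single branch, which is exactly the concern raised in the message: a second fault that skips the comparison (or an attacker-influenced `ctx.nbits`) would let a corrupted signature through, which is why the paper's approach folds randomness into the computation itself rather than relying on one conditional.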