Fault attacks on RSA in libgcrypt
Jeff Burdges
burdges at gnunet.org
Wed Aug 24 17:47:11 CEST 2016
On Wed, 2016-08-24 at 15:25 +0200, Werner Koch wrote:
> I do not have the time to read that paper right now. We recently had
> a similar thing with gpgv and dpkg and it was not clear whether we can
> do anything about it anyway.
>
> Wouldn't a signature verification after creation catch that fault?
I donno. There are definitely some provable security artifacts here
where just to make the proof scheme make sense they must hypothesize a
ridiculously strong adversary.
I now think the more promising approach is
http://dl.acm.org/citation.cfm?doid=1873548.1873556
which is not what I implemented in this patch sadly.
I think this better approach still focuses excessively on fault attacks,
but the methods employed look useful for defeating timing attack
protections too.
At present, I know too little about timing attack protections in RSA,
but maybe we can find a scheme whose real payoff is timing attack
protections, while giving a measure of fault attack protections.
Jeff
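The fault the thread is about, and the verify-after-sign check Werner asks about, as an added illustration that is not libgcrypt code and not the patch under discussion. It implements textbook RSA-CRT signing over constructed toy primes (P, Q, the message M and the single-bit fault model are all assumptions made for the demo; real signatures would be padded and use 2048-bit moduli), shows the classic Bellcore result that one faulty CRT signature factors N, and shows that re-verifying the signature with the public exponent before releasing it catches the faulty output:

```python
"""Added example (not libgcrypt code): Bellcore fault attack on RSA-CRT
signing, and the verify-after-sign check that blocks it.
Toy primes are used so the numbers stay readable; the algebra is the same
for real key sizes."""
from math import gcd

# Constructed toy key for the demo only (both are known primes).
P, Q = 999983, 1000003
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)               # private exponent
DP, DQ = D % (P - 1), D % (Q - 1)  # CRT exponents
QINV = pow(Q, -1, P)              # q^-1 mod p, for Garner recombination

# Constructed message representative (already hashed/padded in practice).
M = 123456789


def crt_sign(m, fault_in_p=False):
    """RSA-CRT signature of m. fault_in_p simulates a transient fault that
    corrupts only the mod-p half of the computation."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp ^= 1  # assumed fault model: one flipped bit in the p-half
    h = (QINV * (sp - sq)) % P
    return sq + Q * h


def verify(m, s):
    """Public-key check s^e == m (mod N); cheap because e is small."""
    return pow(s, E, N) == m


def bellcore_factor(m, s_faulty):
    """Recover a factor of N from a single faulty CRT signature.
    The q-half was computed correctly, so s_faulty^e == m (mod q) but
    != m (mod p); hence gcd(s_faulty^e - m, N) == q."""
    return gcd((pow(s_faulty, E, N) - m) % N, N)


def sign_with_check(m, fault_in_p=False):
    """Verify-after-sign: never release a signature that fails verification."""
    s = crt_sign(m, fault_in_p)
    if not verify(m, s):
        return None  # caller should treat this as a hardware/fault error
    return s


if __name__ == "__main__":
    good = crt_sign(M)
    bad = crt_sign(M, fault_in_p=True)
    print("good verifies:", verify(M, good))
    print("faulty verifies:", verify(M, bad))
    print("factor recovered from faulty signature:", bellcore_factor(M, bad) == Q)
    print("checked signer releases faulty signature:", sign_with_check(M, fault_in_p=True))
```

The check costs one modular exponentiation with the public exponent, which is small next to the CRT signing itself. Its limitation is the one Jeff's "ridiculously strong adversary" remark points at: it only helps against a fault in the exponentiations, and says nothing about an attacker who can also fault the verification or the branch that follows it, nor about timing leakage, which a countermeasure like this is not designed to address.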