Fault attacks on RSA in libgcrypt

Jeff Burdges burdges at gnunet.org
Wed Aug 24 17:47:11 CEST 2016


On Wed, 2016-08-24 at 15:25 +0200, Werner Koch wrote:
> I do not have the time to read that paper right now.  We recently had
> a similar thing with gpgv and dpkg and it was not clear whether we can
> do anything about it anyway.
> 
> Wouldn't a signature verification after creation catch that fault?

I donno.  There are definitely some provable security artifacts here
where just to make the proof scheme make sense they must hypothesize a
ridiculously strong adversary. 

I now think the more promising approach is 
http://dl.acm.org/citation.cfm?doid=1873548.1873556
which is not what I implemented in this patch sadly. 

I think this better approach still focuses excessively on fault attacks,
but the methods employed look useful for defeating timing attack
protections too. 

At present, I know too little about timing attack protections in RSA,
but maybe we can find a scheme whose real payoff is timing attack
protections, while giving a measure of fault attack protections.

Jeff
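Werner's question about verifying a signature right after creating it, as an added illustration (this is not libgcrypt code and not from either author): textbook RSA-CRT signing with one simulated faulty half, and the verify-after-sign check that refuses to release the bad result. Parameters are constructed toy values, and there is no padding.

```python
# Added example, not from libgcrypt: RSA-CRT signing with a simulated
# transient fault in one exponentiation, plus a verify-after-sign check.

def rsa_crt_sign(m, p, q, d, fault=None):
    """Sign m using the CRT. If `fault` is given, XOR it into the mod-p
    residue to simulate a fault hitting that half of the computation."""
    dp, dq = d % (p - 1), d % (q - 1)
    qinv = pow(q, -1, p)
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault is not None:
        sp ^= fault  # simulated fault: wrong residue modulo p
    h = (qinv * (sp - sq)) % p  # Garner recombination
    return sq + h * q

def rsa_verify(s, m, e, n):
    """Public-key check: s^e == m (mod n)."""
    return pow(s, e, n) == m

def sign_checked(m, p, q, d, e, fault=None):
    """Sign, then verify with the public key before releasing anything.
    Returns the signature, or None when the result does not verify, so a
    faulty CRT signature (which would expose the private key) never leaves
    the signer."""
    n = p * q
    s = rsa_crt_sign(m, p, q, d, fault)
    if not rsa_verify(s, m, e, n):
        return None
    return s

# Constructed toy parameters (far too small for real use).
P, Q, E = 101, 113, 3
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
```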



