Fault attacks on RSA in libgcrypt

Jeff Burdges burdges at gnunet.org
Fri Sep 2 05:27:59 CEST 2016


On Fri, 2016-09-02 at 09:34 +0900, NIIBE Yutaka wrote:
> So, I think that the idea of this attack itself is valid and we have
> no way to solve it by software, in general (while we could find a way
> to mitigate somehow for a given scenario).

As I said before, I now think the patch I submitted up thread is
useless.  And we should instead look towards approaches resembling:
http://dl.acm.org/citation.cfm?doid=1873548.1873556

In this new article, there is considerably more randomization throughout
the signing algorithm.  Indeed, one could imagine extending it to two
layers of randomization, so that the actual key only exists briefly when
loaded from disk before being randomized for the session, and each
decryption operation gets its own randomization as well. 

There are good odds that a more thoroughly randomized approach like this
can be justified purely for added protection against timing attacks,
while my now retracted patch is obviously useless for that.  The paper
does not make such a case though.

Anyone here who understands the existing protections against timing
attacks want to glance over this new article?  

Jeff
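An added illustration of the two software countermeasures the thread touches on (randomizing the signing operation, and refusing to release a result that fails a self-check), not code from libgcrypt or from the cited paper. The key material below is a constructed toy key and the "fault" is a simulated bit flip in one CRT branch, used only to show that the self-check withholds the corrupted signature.

```python
# Added example (not from the libgcrypt thread or its code): RSA-CRT signing with
# input blinding and a verify-before-release check. Toy key, constructed for the
# demo; real keys are far larger and real hardening lives inside the library.
import math
import secrets

# Constructed toy parameters (not a real key): small primes so the demo is instant.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)

def crt_sign(m, fault=False):
    """Plain RSA-CRT signature; 'fault' simulates a glitch in the mod-q half."""
    dp, dq = D % (P - 1), D % (Q - 1)
    qinv = pow(Q, -1, P)
    sp = pow(m, dp, P)
    sq = pow(m, dq, Q)
    if fault:
        sq ^= 1  # simulated single-bit fault in one CRT branch (demo only)
    h = (qinv * (sp - sq)) % P
    return sq + Q * h

def hardened_sign(m, fault=False):
    """Blind the input with a fresh random r (sign r^e * m), unblind the result,
    and verify it before releasing anything. A faulty result raises instead of
    being handed to the caller."""
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:  # r must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
    m_blind = (pow(r, E, N) * m) % N
    s_blind = crt_sign(m_blind, fault)
    s = (s_blind * pow(r, -1, N)) % N
    if pow(s, E, N) != m % N:
        raise ValueError("signature failed self-check; withheld")
    return s

def demo():
    """Returns (good signature verifies, unhardened faulty signature is wrong,
    hardened path withheld the faulty signature)."""
    m = 123456789
    ok = hardened_sign(m)
    faulty = crt_sign(m, fault=True)
    caught = False
    try:
        hardened_sign(m, fault=True)
    except ValueError:
        caught = True
    return pow(ok, E, N) == m, pow(faulty, E, N) != m, caught
```

The blinding makes each CRT computation operate on a value unrelated to the caller's input, and the final check is the cheap software guard against releasing a glitched CRT result; neither removes the hardware fault itself, which is the thread's point.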



