nettle perl bindings
nisse at lysator.liu.se
Thu Mar 17 10:35:50 CET 2011
Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
> My understanding is that RSA blinding is a countermeasure against timing
> attacks, and that it introduces a new dependency on some sort of RNG
> (though perhaps a weak one?) to parts of the process that wouldn't
> otherwise need it.
I confess I don't remember the details of why blinding is desirable.
Does it improve hiding of the key, message, or both?
Would it help to use a powm function which has data-independent timing?
There's a powm_sec in gmp which is supposed to do this (assuming
underlying arithmetic instructions have data independent timing), and
which is only slighly slower than the general version for sizes of
interest. But a few other functions are still missing to make it really
It would make sense to add an RSA interface which takes a randomness
source as input (for blinding), and a DSA interface which doesn't need a
randomness source (and instead uses something like the hash of the
message beeing signed as the "random" value needed, like it's done
But neither is currently a high priority for me.
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
More information about the nettle-bugs