On Mon, Jun 20, 2016 at 7:30 AM, Niels Möller nisse@lysator.liu.se wrote:
> I'm considering the below patch, making use of the side-channel silent mpz_powm_sec function. The idea is to make the RSA and DSA code less vulnerable to side-channel attacks. Exponentiation routines typically build a small table of powers at run time, and then look up exponent bits in the table, a few bits at a time. This table lookup may leak information about the exponent bits (which in the case of RSA and DSA are secret) to an attacker running other processes on the same physical machine.
I've checked the patch, and it seems to use mpz_powm_sec() in the blinding part (which uses only public parameters). Is that intentional? As far as I can see, that shouldn't affect the existing cache-exploiting attacks.
regards, Nikos
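The two points raised in this exchange, a windowed exponentiation whose table lookup is indexed by secret exponent bits versus a lookup whose memory access pattern does not depend on the index, and the fact that the RSA blinding step r^e mod n only ever exponentiates with the public exponent, can be seen in the following added example. It is not code from nettle or GMP: mpz_powm_sec works on multi-limb mpz_t values, whereas this toy uses a 64-bit modulus, 128-bit intermediate products and a fixed 4-bit window. The key (p = 65521, q = 4294967291, e = 65537), the blinding factor and the names powm_window_leaky, powm_window_ct, ct_select and rsa_decrypt_blinded are all assumptions made for the illustration.

```c
#include <stdint.h>

/* Toy single-word modular arithmetic. Real RSA/DSA moduli are many limbs wide. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

#define WINDOW_BITS 4
#define TABLE_SIZE (1u << WINDOW_BITS)

/* Build the table of base^0 .. base^(2^w - 1) mod m that both variants share. */
static void build_table(uint64_t *table, uint64_t base, uint64_t m) {
    table[0] = 1 % m;
    for (unsigned i = 1; i < TABLE_SIZE; i++) table[i] = mulmod(table[i - 1], base, m);
}

/* Leaky variant: table[w] is read at an address chosen by the secret exponent
 * window w, so a co-resident attacker observing cache lines can recover w. */
uint64_t powm_window_leaky(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t table[TABLE_SIZE];
    build_table(table, base, m);
    uint64_t r = 1 % m;
    for (int i = 64 - WINDOW_BITS; i >= 0; i -= WINDOW_BITS) {
        for (unsigned j = 0; j < WINDOW_BITS; j++) r = mulmod(r, r, m);
        unsigned w = (unsigned)((exp >> i) & (TABLE_SIZE - 1));
        r = mulmod(r, table[w], m);   /* secret-dependent memory address */
    }
    return r;
}

/* Read table[idx] by touching every entry and masking; the sequence of memory
 * accesses is the same for every idx. This is the idea behind "silent" lookups,
 * not GMP's actual limb-level implementation. */
static uint64_t ct_select(const uint64_t *table, unsigned n, unsigned idx) {
    uint64_t out = 0;
    for (unsigned k = 0; k < n; k++) {
        uint64_t diff = (uint64_t)(k ^ idx);
        uint64_t is_zero = 1 ^ ((diff | (0 - diff)) >> 63); /* 1 iff k == idx, branch-free */
        uint64_t mask = 0 - is_zero;                        /* all ones iff k == idx */
        out |= table[k] & mask;
    }
    return out;
}

/* Same window algorithm, but every table access goes through ct_select. */
uint64_t powm_window_ct(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t table[TABLE_SIZE];
    build_table(table, base, m);
    uint64_t r = 1 % m;
    for (int i = 64 - WINDOW_BITS; i >= 0; i -= WINDOW_BITS) {
        for (unsigned j = 0; j < WINDOW_BITS; j++) r = mulmod(r, r, m);
        unsigned w = (unsigned)((exp >> i) & (TABLE_SIZE - 1));
        r = mulmod(r, ct_select(table, TABLE_SIZE, w), m);
    }
    return r;
}

/* Modular inverse by extended Euclid; assumes gcd(a, m) == 1. */
static uint64_t inv_mod(uint64_t a, uint64_t m) {
    __int128 t = 0, newt = 1, r = m, newr = a % m;
    while (newr != 0) {
        __int128 q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (t < 0) t += m;
    return (uint64_t)t;
}

struct rsa_key { uint64_t n, e, d; };

/* Assumed toy key: two primes small enough that n fits in 64 bits. */
struct rsa_key rsa_toy_keygen(void) {
    const uint64_t p = 65521, q = 4294967291ULL, e = 65537;
    struct rsa_key k = { p * q, e, inv_mod(e, (p - 1) * (q - 1)) };
    return k;
}

/* Blinded RSA private operation c^d mod n with blinding factor r (gcd(r, n) == 1).
 * r^e mod n uses only public values, so the leaky routine is acceptable there;
 * the exponentiation by the secret d is the one that must be side-channel silent. */
uint64_t rsa_decrypt_blinded(uint64_t c, uint64_t r, const struct rsa_key *k) {
    uint64_t r_e = powm_window_leaky(r, k->e, k->n);     /* public exponent */
    uint64_t c_blind = mulmod(c, r_e, k->n);
    uint64_t m_blind = powm_window_ct(c_blind, k->d, k->n); /* secret exponent */
    return mulmod(m_blind, inv_mod(r, k->n), k->n);      /* (c r^e)^d r^-1 = c^d */
}
```

Note that a compiler is free to turn ct_select back into a branch or a direct indexed load, which is why production libraries write such lookups in assembly or with barriers, and why the 128-bit `%` in mulmod (a division, so variable-time on most CPUs) would itself need replacing by Montgomery arithmetic in real code.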