Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com writes:
It seems that some guys managed to "listen" gnupg private keys. While some parts of the attack are gnupg specific, similar attacks could apply in nettle as well (and I guess every implementation that does RSA decryption).
I have only had a very quick look at the paper.
I see on their mitigation section that "ciphertext normalization", i.e., c=c%n, avoids their key recovery attack,
Wouldn't it make more sense to simply reject ciphertexts with c >= n? And since this condition depends on no secret information, there's no harm in returning failure early in this case, right?
Or do they mean c >= q, where q is the secret factor? I think the right way for the CRT processing is to always zero pad c to the same size of n, and then reduce it mod p and mod q using a side-channel silent reduction algorithm. Not entirely trivial to do with the mpz interface, though.
On mitigation, it also sounds like RSA blinding (which you implemented a while ago) is effective. It ought to be effective against any attacks relying on *chosen* ciphertexts.
(And I think you forgot to attach the patch).
Regards, /Niels