Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com writes:
> I've checked the patch, and it seems to use mpz_powm_sec() in the blinding part (which uses only public parameters). Is that intentional?
Kind-of, I wasn't sure what to do here, but since the number r should be considered secret, it seemed safest.
Let me first recap my understanding of RSA blinding (which I find a bit questionable). When computing m^d (mod n), the point of blinding is to obscure the bits of m, not the bits of d. It adds no protection against side-channel attacks directly on the exponent bits, since they're the same before and after blinding. The point of blinding is instead to defend against attacks exploiting side-channel leaks in the mod p reduction code, which typically depend on a chosen-ciphertext attack scenario or similar, where m is carefully chosen by the attacker. Do you agree?
Since the secret value r goes into the input that blinding tries to obscure, using powm_sec makes some sense to me, even if it may be overkill.
Now, in recent GMP versions, powm_sec uses a reduction method which is intended to be side-channel silent. So when using it, blinding is perhaps not adding any benefit at all. But I think it's best to nevertheless keep RSA-blinding for now, as a belt-and-suspenders measure. And because I'd prefer not to have to think of the PR issues when deleting an established security feature...
Regards, /Niels
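The blinding step discussed in the message above, as an added worked example in Python. This is an illustration written for this page, not code from the project or from GMP; the key parameters are tiny constructed values, and `rsa_private_blinded` is a hypothetical helper name.

```python
# Illustration of RSA blinding: the private exponentiation never sees the
# attacker-chosen input m, but the exponent d is used unchanged.
import math
import secrets

# Constructed toy key: primes far too small for real use, chosen so that
# gcd(E, PHI) == 1.
P, Q = 10007, 10009
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent


def rsa_private_plain(m, d=D, n=N):
    """Unblinded m^d mod n: the reduction code operates directly on m."""
    return pow(m, d, n)


def rsa_private_blinded(m, d=D, e=E, n=N, r=None):
    """Blinded m^d mod n.

    A fresh secret r replaces m by m * r^e before the private exponentiation,
    so the modular reduction code works on a value the attacker did not choose.
    The exponent d is the same as in the unblinded case, which is why blinding
    does not hide the bits of d.  Returns (result, blinded_input) so a caller
    can see what the exponentiation actually operated on.
    """
    if r is None:
        while True:
            r = secrets.randbelow(n)
            if r > 1 and math.gcd(r, n) == 1:
                break
    r_inv = pow(r, -1, n)
    # r^e mod n uses only the public values e and n, but r itself is secret;
    # this is the computation the quoted question asks about.
    r_e = pow(r, e, n)
    m_blind = (m * r_e) % n          # input actually seen by the private op
    s_blind = pow(m_blind, d, n)     # same exponent d as the unblinded path
    # Unblind: (m * r^e)^d = m^d * r^(e*d) = m^d * r (mod n), so multiply by r^-1.
    s = (s_blind * r_inv) % n
    return s, m_blind
```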