Daniel Kahn Gillmor dkg@fifthhorseman.net writes:
My understanding is that RSA blinding is a countermeasure against timing attacks, and that it introduces a new dependency on some sort of RNG (though perhaps a weak one?) to parts of the process that wouldn't otherwise need it.
I confess I don't remember the details of why blinding is desirable. Does it improve hiding of the key, message, or both?
Would it help to use a powm function which has data-independent timing? There's a powm_sec in gmp which is supposed to do this (assuming underlying arithmetic instructions have data-independent timing), and which is only slightly slower than the general version for sizes of interest. But a few other functions are still missing to make it really useful.
It would make sense to add an RSA interface which takes a randomness source as input (for blinding), and a DSA interface which doesn't need a randomness source (and instead uses something like the hash of the message being signed as the "random" value needed, like it's done in PuTTY).
But neither is currently a high priority for me.
Regards, /Niels
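To make the blinding countermeasure discussed above concrete, here is an added example that is not part of the thread and not Nettle's or GMP's code. It shows the classic RSA blinding trick: instead of exponentiating the attacker-chosen input c directly with the private exponent d, the implementation picks a random r, computes (c * r^e)^d mod n, and strips r afterwards. The timing of the exponentiation then depends on a value the attacker never sees, which is what defeats Kocher-style timing attacks on the key. The key (n=3233, e=17, d=2753) is a textbook toy key constructed here for illustration; the `rng` parameter stands in for the "randomness source as input" interface Niels describes.

```python
import math
import secrets

# Toy RSA key constructed for the example (p=61, q=53). Real keys are
# thousands of bits; these numbers only make the arithmetic readable.
N = 3233
E = 17
D = 2753


def rsa_private_raw(c: int, d: int, n: int) -> int:
    """Unblinded private-key operation: pow() runs directly on c, so a
    data-dependent powm leaks information about d through timing."""
    return pow(c, d, n)


def choose_blinding_factor(n: int, rng=secrets.randbelow) -> int:
    """Pick r in [2, n) with gcd(r, n) == 1 so that r is invertible mod n.
    rng is injected so the caller supplies the randomness source."""
    while True:
        r = rng(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def rsa_private_blinded(c: int, d: int, e: int, n: int, rng=secrets.randbelow) -> int:
    """Blinded private-key operation.

    1. Blind:   c' = c * r^e mod n   (only the public exponent touches r)
    2. Expose:  m' = c'^d mod n      (the secret exponentiation sees c', not c)
    3. Unblind: m  = m' * r^-1 mod n  because (c * r^e)^d = c^d * r (mod n)
    """
    r = choose_blinding_factor(n, rng)
    c_blind = (c * pow(r, e, n)) % n
    m_blind = pow(c_blind, d, n)
    r_inv = pow(r, -1, n)  # Python 3.8+ modular inverse
    return (m_blind * r_inv) % n


def rsa_public(m: int, e: int, n: int) -> int:
    """Public-key operation (encrypt / verify), shown only to build test input."""
    return pow(m, e, n)


if __name__ == "__main__":
    message = 65
    c = rsa_public(message, E, N)
    # Both paths must agree; only the blinded one hides c from the exponentiation.
    print("ciphertext:", c)
    print("raw       :", rsa_private_raw(c, D, N))
    print("blinded   :", rsa_private_blinded(c, D, E, N))
```

The blinding factor only needs to be unpredictable to the attacker, not cryptographically tied to the key, which is why the thread notes that a weaker RNG can be acceptable here; the cost is one public-exponent powm plus one modular inverse per private operation.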