Hi Niels--
On Mon 2016-06-20 01:30:47 -0400, Niels Möller wrote:
> I'm considering the below patch, making use of the side-channel silent mpz_powm_sec function. The idea is to make the RSA and DSA code less vulnerable to side-channel attacks.
This is a good goal for Nettle to have. Thanks!
> Exponentiation routines typically build a small table of powers at run time, and then look up exponent bits in the table, a few bits at the time. This table lookup may leak information about the exponent bits (which in the case of RSA and DSA are secret) to an attacker running other processes on the same physical machine.
This is increasingly relevant in today's virtualized world.
> - The patch drops support for GMP versions older than GMP-5.0, released in 2010.
I don't think this bump in dependencies is a problem.
> Despite not plugging *all* potential leaks in the RSA code, I think the simple change to use mpz_powm_sec should make attacks using the cache side-channel considerably more difficult.
I agree that this is a step in the right direction. The closer to constant time, the better.
--dkg
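Added illustration (not code from Nettle, GMP or either poster) of the table-lookup leak the quoted paragraph describes: a fixed-window modular exponentiation that indexes its power table by secret exponent bits, next to a variant that reads every table entry per window and selects with masks, which is the idea behind mpz_powm_sec. The window size, function names and the 1009 modulus are chosen here for the example; Python big integers are not constant-time themselves, so only the memory access pattern is the point.

```python
WINDOW = 4  # window size in bits; the power table holds 2**WINDOW entries (example choice)

def build_table(base, mod):
    """Precompute base**i mod mod for i in 0 .. 2**WINDOW - 1."""
    table = [1] * (1 << WINDOW)
    for i in range(1, 1 << WINDOW):
        table[i] = table[i - 1] * base % mod
    return table

def powm_windowed(base, exp, mod, trace=None):
    """Leaky variant: the table index *is* the secret window value.
    If `trace` is a list, the indices touched are appended to it; that
    sequence is exactly what a cache-timing observer could recover."""
    table = build_table(base, mod)
    result = 1
    nwin = (exp.bit_length() + WINDOW - 1) // WINDOW
    for w in range(nwin - 1, -1, -1):
        for _ in range(WINDOW):
            result = result * result % mod
        idx = (exp >> (w * WINDOW)) & ((1 << WINDOW) - 1)
        if trace is not None:
            trace.append(idx)
        result = result * table[idx] % mod  # data-dependent memory access
    return result

def ct_select(table, idx):
    """Touch every entry; keep the one at idx via an all-ones/all-zeros mask.
    The set of addresses read does not depend on idx."""
    out = 0
    for i, v in enumerate(table):
        mask = -int(i == idx)  # -1 (all ones) for the wanted slot, 0 otherwise
        out |= v & mask
    return out

def powm_sec_like(base, exp, exp_bits, mod):
    """mpz_powm_sec-style variant: the caller states the exponent size so the
    number of windows is fixed, and each window scans the whole table."""
    table = build_table(base, mod)
    result = 1
    nwin = (exp_bits + WINDOW - 1) // WINDOW
    for w in range(nwin - 1, -1, -1):
        for _ in range(WINDOW):
            result = result * result % mod
        idx = (exp >> (w * WINDOW)) & ((1 << WINDOW) - 1)
        result = result * ct_select(table, idx) % mod
    return result
```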