hannesm changed the title (Mar 2, 2020): "use powm_sec instead of powm to mitigate timing side channels" -> "mitigate timind side-channels in public key cryptography: use powm_sec instead of powm"
hannesm changed the title (Mar 6, 2020): "mitigate timind side-channels in public key cryptography: use powm_sec instead of powm" -> "mitigate timing side-channels in public key cryptography: use powm_sec instead of powm"
For a little bit more background on powm_sec, this paper is worth reading, including motivation and some benchmarks (performance drop ~20%). I still don't think that for public key encryption (c = m ^ e mod n) we should use powm_sec since e and n are public.
Another very interesting thread is on the nettle list from 2016, starting with https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html; they are basically in the same situation as mirage-crypto. TL;DR: check your inputs, use powm_sec, be aware that it won't save all your timing issues. For input validation, #28 is ready for review (I strongly believe once that is merged, we can more freely use powm_sec without fearing any exceptions (odd modulus, negative or zero exponent)).
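As an added example, not code from mirage-crypto, Zarith or GMP: the checks a wrapper has to perform before calling mpz_powm_sec (the GMP manual requires exp > 0 and an odd modulus, and the function is only defined for such inputs, which is why the input validation the comment mentions has to come first), next to a multiplication counter that makes the exponent dependence of a plain square-and-multiply visible against a Montgomery ladder, whose operation sequence depends only on the exponent's bit length. The numbers are constructed, and names such as `check_powm_sec_args` and `multiplication_counts` belong to this example, not to Zarith's API.

```python
"""Preconditions of mpz_powm_sec, plus a visible exponent dependence.

Added example, not code from mirage-crypto, Zarith or GMP. The checks
follow the GMP manual's stated requirements for mpz_powm_sec (exp > 0
and an odd modulus); the multiplication counter is a constructed
illustration of what a fixed-sequence routine removes. Python integers
are not constant time, so only the counts, not the timing, are meaningful.
"""


def powm_sec_precondition_errors(base: int, exp: int, mod: int) -> list:
    """Return the mpz_powm_sec preconditions that (base, exp, mod) violate.

    mpz_powm_sec is only defined for exp > 0 and odd mod, so a wrapper has
    to reject other inputs before the call instead of relying on an exception.
    """
    errors = []
    if mod <= 0 or mod % 2 == 0:
        errors.append("modulus must be positive and odd")
    if exp <= 0:
        errors.append("exponent must be > 0")
    if not 0 <= base < mod:
        # Not a GMP requirement, but an unreduced or negative base adds an
        # input-dependent reduction step before the exponentiation proper.
        errors.append("base should be reduced to 0 <= base < mod first")
    return errors


def check_powm_sec_args(base: int, exp: int, mod: int) -> None:
    """Raise ValueError listing every violated precondition."""
    errors = powm_sec_precondition_errors(base, exp, mod)
    if errors:
        raise ValueError("; ".join(errors))


class MulCounter:
    """Modular multiplier that counts calls, so leakage shows up as a number."""

    def __init__(self, mod: int) -> None:
        self.mod = mod
        self.muls = 0

    def mul(self, a: int, b: int) -> int:
        self.muls += 1
        return (a * b) % self.mod


def powm_square_and_multiply(base: int, exp: int, m: MulCounter) -> int:
    """Left-to-right square-and-multiply: one extra multiply per set bit.

    The multiplication count (and so the time) reveals the Hamming weight
    of exp, which is exactly what a secret exponent must not do.
    """
    r = 1
    for bit in bin(exp)[2:]:
        r = m.mul(r, r)
        if bit == "1":
            r = m.mul(r, base)
    return r


def powm_montgomery_ladder(base: int, exp: int, m: MulCounter) -> int:
    """Montgomery ladder: exactly two multiplications per exponent bit.

    The operation sequence depends only on the bit length of exp. The
    Python `if` is still a data-dependent branch; a real constant-time
    implementation replaces it with an arithmetic conditional swap.
    """
    r0, r1 = 1, base
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0, r1 = m.mul(r0, r1), m.mul(r1, r1)
        else:
            r0, r1 = m.mul(r0, r0), m.mul(r0, r1)
    return r0


def multiplication_counts(base: int, exp: int, mod: int) -> tuple:
    """Return (square_and_multiply_count, ladder_count) after checking inputs."""
    check_powm_sec_args(base, exp, mod)
    naive, ladder = MulCounter(mod), MulCounter(mod)
    r_naive = powm_square_and_multiply(base, exp, naive)
    r_ladder = powm_montgomery_ladder(base, exp, ladder)
    assert r_naive == r_ladder == pow(base, exp, mod)
    return naive.muls, ladder.muls


if __name__ == "__main__":
    # Two constructed exponents of the same bit length: 0b1111 and 0b1000.
    print(multiplication_counts(5, 0b1111, 97))  # (8, 8)
    print(multiplication_counts(5, 0b1000, 97))  # (5, 8)
    print(powm_sec_precondition_errors(5, 0, 96))
```

Run as a script it prints (8, 8) for exponent 0b1111 and (5, 8) for 0b1000: the ladder's count is the same for both exponents, the naive routine's is not. The last line lists the two violated preconditions for an even modulus and a zero exponent, the cases the comment above wants rejected before powm_sec is ever reached.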
RSA optionally uses blinding for mitigation, but DH and DSA do not.
Using powm_sec should be done carefully, since it is different from powm:
there are several ways forward:
other questions
(@hannesm thinks not since both attempt to mitigate the same issue)
powm_sec be used for public data (i.e. verification, c ^ e mod n), @cfcs mentions "c may be private", reference needed
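As an added example (not mirage-crypto's own code), the RSA blinding the issue refers to, written out so that the relationship between blinding and the secret exponentiation is visible: the private exponentiation is applied to c * r^e rather than to the attacker-chosen c, and multiplying by r^-1 afterwards strips the blinding again. The public operation c = m^e mod n is left as a plain exponentiation, since e and n are public (whether c itself may need protecting is the open question above and is not decided here). The key is the constructed textbook key p = 61, q = 53 and exists only to make the arithmetic checkable; Python's `pow` is not constant time, so in a real library the secret-exponent step would still call powm_sec, with blinding as the complementary measure.

```python
"""RSA blinding around the private exponentiation.

Added example, not code from mirage-crypto. The key is the constructed
textbook key p = 61, q = 53, far too small for real use. Python's pow is
not constant time; the secret-exponent step is marked so it is clear
which call a real implementation would route through powm_sec. DH has no
analogous blinding of the base here: its secret is the exponent itself.
"""
import secrets
from math import gcd

P, Q = 61, 53
N = P * Q        # 3233
E = 17           # public exponent
D = 2753         # private exponent, E * D == 1 (mod (P-1)*(Q-1))


def rsa_public(m: int) -> int:
    """c = m^e mod n. Both e and n are public."""
    if not 0 <= m < N:
        raise ValueError("message out of range")
    return pow(m, E, N)


def rsa_private_plain(c: int) -> int:
    """m = c^d mod n without blinding: secret exponent, attacker-chosen base,
    which is the classic timing-attack setting."""
    if not 0 <= c < N:
        raise ValueError("ciphertext out of range")
    return pow(c, D, N)


def random_blinding_factor() -> int:
    """Pick r uniformly in [2, n) with gcd(r, n) == 1 so that r is invertible."""
    while True:
        r = 2 + secrets.randbelow(N - 2)
        if gcd(r, N) == 1:
            return r


def blind(c: int, r: int) -> int:
    """c' = c * r^e mod n: the value the secret exponentiation actually sees."""
    return (c * pow(r, E, N)) % N


def unblind(m_blind: int, r: int) -> int:
    """(c * r^e)^d == m * r (mod n), so multiplying by r^-1 recovers m."""
    return (m_blind * pow(r, -1, N)) % N


def rsa_private_blinded(c: int, r: int = None) -> int:
    """m = c^d mod n with a fresh blinding factor per call.

    A caller-supplied r is for tests only; production code must draw a new
    random r every time, otherwise the blinding adds nothing.
    """
    if not 0 <= c < N:
        raise ValueError("ciphertext out of range")
    if r is None:
        r = random_blinding_factor()
    c_blind = blind(c, r)
    m_blind = pow(c_blind, D, N)   # the only step using the secret d: powm_sec territory
    return unblind(m_blind, r)


if __name__ == "__main__":
    c = rsa_public(65)                      # 2790 for this key
    print(c, rsa_private_plain(c), rsa_private_blinded(c))
    print("blinded input differs from c:", blind(c, 7) != c)
```

With r = 7 the exponentiation works on blind(2790, 7) instead of 2790 and still returns 65; every call with r omitted uses a different r, so an attacker who controls c no longer controls the base that the secret exponentiation runs on.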