OpenSSL BIGNUM vs. GMP
Jack Lloyd
lloyd at randombit.net
Tue Jan 3 14:10:40 EST 2006
Some relevant and recent data: in some tests I ran this weekend (GMP 4.1.2,
OpenSSL 0.9.8a, Athlon/gcc/Linux) RSA operations using GMP were somewhat faster
than ones using OpenSSL even when blinding was used with both (typical
performance boost was 15-20%).
I assume "both of which are needed" should have been "at least one of which
is needed"? AFAIK blinding alone can protect against all (publicly known)
timing attacks; am I wrong about this?
-Jack
On Sat, Dec 31, 2005 at 11:04:31AM +0000, Ben Laurie wrote:
> It appears that one reason GMP may sometimes be faster than OpenSSL for
> RSA is that it seems that GMP does not do blinding or constant time
> arithmetic, both of which are needed to defend against known attacks.
>
> So, if you are going to use GMP for speed, be aware that you may be
> risking your private keys.
>
> Cheers,
>
> Ben.
>
> --
> http://www.apache-ssl.org/ben.html http://www.thebunker.net/
>
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
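The blinding step discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL's or GMP's code: the private-key exponentiation runs on c * r^e mod n for a fresh random r, and r is divided out afterwards, so the value being exponentiated is not the attacker-supplied c. The toy key, the sample message and the function names are assumptions made for the illustration; Python's pow() is not constant-time, so this shows only the blinding algebra.

```python
import math
import secrets

# Constructed toy key from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def private_op_plain(c):
    """Unblinded private-key operation: the exponentiation runs directly on c."""
    return pow(c, D, N)


def random_blinding_factor():
    """Fresh r in [2, N-1] that is invertible mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r


def private_op_blinded(c, r=None):
    """Blinded private-key operation.

    Returns (result, blinded_input) so the caller can see which value the
    secret-exponent exponentiation actually processed.
    """
    if r is None:
        r = random_blinding_factor()
    blinded = (c * pow(r, E, N)) % N          # c * r^e mod n
    m_blinded = pow(blinded, D, N)            # (c * r^e)^d = c^d * r mod n
    result = (m_blinded * pow(r, -1, N)) % N  # multiply by r^-1 to strip r
    return result, blinded


if __name__ == "__main__":
    m = 123456789  # constructed sample message
    c = pow(m, E, N)
    for _ in range(2):
        result, blinded = private_op_blinded(c)
        print(f"exponentiation input {blinded:#x} -> result {result}")
    print("plain result:", private_op_plain(c))
```

Running it prints a different exponentiation input on each call for the same ciphertext, with the same recovered result each time.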