OpenSSL BIGNUM vs. GMP
Ben Laurie
ben at algroup.co.uk
Wed Jan 4 09:53:51 EST 2006
Adam Back wrote:
> On Tue, Jan 03, 2006 at 10:10:50PM +0000, Ben Laurie wrote:
>> Jack Lloyd wrote:
>>> Some relevant and recent data: in some tests I ran this weekend
>>> [gmp faster than openssl]
>>> AFAIK blinding alone can protect against all (publicly known)
>>> timing attacks; am I wrong about this?
>> Yes, you are - there's the cache attack, which requires the attacker to
>> have an account on the same machine. I guess I shouldn't have called it
>> constant time, since its really constant memory access that defends
>> against this.
>
> Does openSSL defend against cache related attacks?
Yes - from the change log (this came in with 0.9.7h):
*) Make a new fixed-window mod_exp implementation the default for
RSA, DSA, and DH private-key operations so that the sequence of
squares and multiplies and the memory access pattern are
independent of the particular secret key. This will mitigate
cache-timing and potential related attacks.
BN_mod_exp_mont_consttime() is the new exponentiation implementation,
and this is automatically used by BN_mod_exp_mont() if the new flag
BN_FLG_EXP_CONSTTIME is set for the exponent. RSA, DSA, and DH
will use this BN flag for private exponents unless the flag
RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.
[Matthew D Wood (Intel Corp), with some changes by Bodo Moeller]
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
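As an added illustration of what that changelog entry describes (this is not OpenSSL's code and is not part of the thread), the following Python contrasts plain square-and-multiply, whose operation sequence follows the secret exponent's bits, with a fixed-window method whose sequence depends only on the exponent length; the function names and sample values are the example's own.

```python
# Added example: exponent-dependent vs. exponent-independent operation traces.
# Not OpenSSL code; BN_mod_exp_mont_consttime additionally lays out its table
# so that every lookup touches the same cache lines, which this does not model.

def square_and_multiply(base, exp, mod, trace):
    """Left-to-right binary exponentiation. Appends 'S' per squaring and
    'M' per multiply, so the trace mirrors the exponent's bit pattern."""
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % mod
        trace.append('S')
        if bit == '1':
            result = result * base % mod
            trace.append('M')
    return result

def fixed_window(base, exp, mod, trace, nbits, w=5):
    """Fixed-window exponentiation over exactly ceil(nbits / w) windows.
    Every window costs w squarings plus one table multiply ('T'), performed
    even when the window value is 0 (table[0] == 1), so the sequence of
    operations is a function of nbits alone, not of the exponent's bits."""
    table = [1] * (1 << w)
    for i in range(1, 1 << w):
        table[i] = table[i - 1] * base % mod
    nwin = -(-nbits // w)          # ceiling division
    result = 1
    for i in range(nwin - 1, -1, -1):
        for _ in range(w):
            result = result * result % mod
            trace.append('S')
        window = (exp >> (i * w)) & ((1 << w) - 1)
        result = result * table[window] % mod   # unconditional multiply
        trace.append('T')
    return result

def compare_traces(base, e1, e2, mod, nbits):
    """Return (naive traces equal?, fixed-window traces equal?) for two
    exponents of the same bit length, after checking both methods agree
    with Python's built-in pow()."""
    t1, t2, t3, t4 = [], [], [], []
    r1 = square_and_multiply(base, e1, mod, t1)
    r2 = square_and_multiply(base, e2, mod, t2)
    r3 = fixed_window(base, e1, mod, t3, nbits)
    r4 = fixed_window(base, e2, mod, t4, nbits)
    assert r1 == r3 == pow(base, e1, mod) and r2 == r4 == pow(base, e2, mod)
    return t1 == t2, t3 == t4

if __name__ == "__main__":
    # Constructed sample: two 64-bit exponents with different bit patterns.
    print(compare_traces(3, (1 << 63) | 0x123456789, (1 << 63) | 0xFFFF, 1000003, 64))
```

For two 64-bit exponents the naive traces differ while the fixed-window traces are identical, which is the property the 0.9.7h change relies on.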