OpenSSL BIGNUM vs. GMP

[Ben Laurie]

Adam Back wrote:
> On Tue, Jan 03, 2006 at 10:10:50PM +0000, Ben Laurie wrote:
>> Jack Lloyd wrote:
>>> Some relevant and recent data: in some tests I ran this weekend
>>> [gmp faster than openssl]
>>> AFAIK blinding alone can protect against all (publicly known)
>>> timing attacks; am I wrong about this?
>> Yes, you are - there's the cache attack, which requires the attacker to
>> have an account on the same machine. I guess I shouldn't have called it
>> constant time, since its really constant memory access that defends
>> against this.
> 
> Does openSSL defend against cache related attacks?

Yes - from the change log (this came in with 0.9.7h):

  *) Make a new fixed-window mod_exp implementation the default for
     RSA, DSA, and DH private-key operations so that the sequence of
     squares and multiplies and the memory access pattern are
     independent of the particular secret key.  This will mitigate
     cache-timing and potential related attacks.

     BN_mod_exp_mont_consttime() is the new exponentiation implementation,
     and this is automatically used by BN_mod_exp_mont() if the new flag
     BN_FLG_EXP_CONSTTIME is set for the exponent.  RSA, DSA, and DH
     will use this BN flag for private exponents unless the flag
     RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
     DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.

     [Matthew D Wood (Intel Corp), with some changes by Bodo Moeller]

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com