[Cryptography] "Physical Key Extraction Attacks on PCs"

Ray Dillinger bear at sonic.net
Mon Jun 6 21:29:29 EDT 2016



On 06/05/2016 01:32 PM, Jerry Leichter wrote:

> 1.  The cause of the correlation in the multiplication routines is
> that there's a shortcut in the particular routines they look at that
> skips over "digits" that are all 0 in the bignum representation.
>....  Why bother with this
> optimization?  Is it just a side-effect of using general-purpose
> bignum routines - in which case that teaches us a valuable lesson
> right there....

It's a common effect of people using the GMP bignum libraries.

There exist constant-time multiplication routines etc in that lib, but
they are not the default.  So using them requires that you


(a) realize there is a distinction which may matter.

(b) realize that the default GMP multiplication routines put you
    on the wrong side of the distinction, and

(c) read the documentation enough to find that the constant-time
    multiplication routines you want exist and how to invoke
    them.


The last step isn't at all hard, but most implementers in the
field, especially if inexperienced in coding crypto security,
miss one or both of the first two.

It is likely to be an issue with the default config of bignum
libs which I haven't worked with as well.

				Bear
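The zero-limb shortcut discussed in this message, as an added example that is not part of the original post and is not GMP's code: a toy schoolbook multiply (4 x 32-bit limbs, constructed operands, hypothetical function names) run with and without the shortcut. The pass count stands in for the operand-dependent work that a timing or power measurement would observe.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LIMBS 4                      /* toy size: 4 x 32-bit limbs */
static unsigned long passes;         /* inner-loop passes in the last multiply */

/* Constructed sample operands, least significant limb first. */
static const uint32_t A[LIMBS]        = {0x89abcdef, 0x01234567, 0xdeadbeef, 0x0badf00d};
static const uint32_t B_DENSE[LIMBS]  = {0x11111111, 0x22222222, 0x33333333, 0x44444444};
static const uint32_t B_SPARSE[LIMBS] = {0x11111111, 0, 0, 0x44444444};

/* Add a * b into r, offset by `shift` limbs; r holds 2*LIMBS limbs. */
void addmul_1(uint32_t *r, const uint32_t *a, uint32_t b, size_t shift)
{
    uint64_t carry = 0;
    for (size_t i = 0; i < LIMBS; i++) {
        uint64_t t = (uint64_t)a[i] * b + r[i + shift] + carry;
        r[i + shift] = (uint32_t)t;
        carry = t >> 32;
    }
    r[LIMBS + shift] = (uint32_t)carry;  /* this limb is still zero here */
    passes++;
}

/* skip_zero != 0: take the zero-limb shortcut; 0: process every limb.
   Returns the number of inner-loop passes performed. */
unsigned long mul(uint32_t *r, const uint32_t *a, const uint32_t *b, int skip_zero)
{
    memset(r, 0, 2 * LIMBS * sizeof *r);
    passes = 0;
    for (size_t j = 0; j < LIMBS; j++) {
        if (skip_zero && b[j] == 0)
            continue;                /* work now depends on the operand's value */
        addmul_1(r, a, b[j], j);
    }
    return passes;
}

/* Returns 1 if both variants give the same product for a * b. */
int same_product(const uint32_t *a, const uint32_t *b)
{
    uint32_t r1[2 * LIMBS], r2[2 * LIMBS];
    mul(r1, a, b, 1);
    mul(r2, a, b, 0);
    return memcmp(r1, r2, sizeof r1) == 0;
}

int main(void)
{
    uint32_t r[2 * LIMBS];
    printf("shortcut: dense=%lu sparse=%lu\n", mul(r, A, B_DENSE, 1), mul(r, A, B_SPARSE, 1));
    printf("fixed:    dense=%lu sparse=%lu\n", mul(r, A, B_DENSE, 0), mul(r, A, B_SPARSE, 0));
    return 0;
}
```

A fixed pass count removes only this one shortcut; it does not by itself make the routine constant-time. In GMP the documented entry points for secret operands include `mpn_sec_mul` and `mpz_powm_sec`.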




