[Cryptography] "Physical Key Extraction Attacks on PCs"

Ray Dillinger bear at sonic.net
Mon Jun 6 21:29:29 EDT 2016

On 06/05/2016 01:32 PM, Jerry Leichter wrote:

> 1.  The cause of the correlation in the multiplication routines is
> that there's a shortcut in the particular routines they look at that
> skips over "digits" that are all 0 in the bignum representation.
>....  Why bother with this
> optimization?  Is it just a side-effect of using general-purpose
> bignum routines - in which case that teaches us a valuable lesson
> right there....

It's a common effect of people using the GMP bignum libraries.

There exist constant-time multiplication routines etc in that lib, but
they are not the default.  So using them requires that you

(a) realize there is a distinction which may matter.

(b) realize that the default GMP multiplication routines put you
    on the wrong side of the distinction, and

(c) read the documentation enough to find that the constant-time
    multiplication routines you want exist and how to invoke

The last step isn't at all hard, but most implementers in the
field, especially if inexperienced in coding crypto security,
miss one or both of the first two.

It is likely to be an issue with the default config of bignum
libs which I haven't worked with as well.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160606/07718aab/attachment.sig>

More information about the cryptography mailing list