RSA blinding

Bernd Eckenfels bernd-2013 at eckenfels.net
Fri Dec 20 00:01:01 UTC 2013


Hello,

there is a recent paper by Genkin, Shamir, Tromer out which deals with
acoustic side channels in crypto operations. The paper is geared towards
the GnuPG implementation (of RSA), but I guess it could be adopted for
other RSA implementations.

http://www.cs.tau.ac.il/~tromer/acoustic/

One recommended (and in case of GnuPG 2 used) counter measurement is RSA
ciphertext blinding. I wonder if it would be a good idea to either use
blinding in the normal RSA Cipher or to offer an additional blinded
provider.

Or do you think with Java the typical side channel countermeasurements
(avoid timing and energy consumption predictions by not using conditional
brnaching, by adding decoy operations or similiar) are not possible?

The Diploma work of Feng Lue at TU-Darmstadt has a nice overview:

https://www.cdc.informatik.tu-darmstadt.de/reports/reports/KP/Feng_Lue.diplom.pdf
(Chapter 5)

It suggest that the ciphertext randomization from Tsuyoshi Takagi to be
used.

BC has an RSA blinding implementation, but mostly concerned with using it
for blind signatures. When blinding is only used to add randomness it
would not require parameters to be configured.

Greetings
Bernd
-- 
http://www.zusammenkunft.net



More information about the security-dev mailing list