
[Taler] Fault attacks on RSA in libgcrypt

From: Jeff Burdges
Subject: [Taler] Fault attacks on RSA in libgcrypt
Date: Mon, 22 Aug 2016 19:42:42 +0200

Dear gcrypt-devel,

I implemented the protection against fault attacks recommended in
"Making RSA-PSS Provably Secure Against Non-Random Faults" by Gilles
Barthe, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire,
Mehdi Tibouchi and Jean-Christophe Zapalowicz.
The paper worries that a targeted fault attack could subvert the conditional
currently used to protect against fault attacks.

Apply the attached patch by switching to a new branch of master and
running:
  git am ../Fault-attacks-on-RSA.patch

At present, I'm using rho = ctx.nbits-1 because Remark 2 on page 8
recommends roughly rho = ctx.nbits/2+200 and blind signing applications
like Taler need an FDH instead of a randomized scheme like PSS. 

In fact, if one worries about attacks on a conditional, then maybe one
should worry about attacks on ctx.nbits or even ctx.flags &
PUBKEY_FLAG_NO_BLINDING as well.  If so, Remark 2 argues that rho=512
should more than suffice, even if not covered by their proof, and
provide more security against fault attacks on ctx.  Thoughts?

In any case, I'd suggest disabling support for PUBKEY_FLAG_NO_BLINDING
by default too, with a compile time option to enable it.  Any occurrence
sounds like a bit flip attack target that enables timing attacks.


Attachment: Fault-attacks-on-RSA.patch
Description: Text Data


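The message above refers to "the conditional currently used to protect against fault attacks" without spelling out what it protects against. The following is an added example, not the attached patch, not libgcrypt code, and not the countermeasure from the Barthe et al. paper: it reproduces the classic Bellcore fault attack on RSA-CRT, where one signature that is correct modulo p but faulted modulo q leaks p via a single gcd, and shows that the re-encryption check (sig^e == m mod N) stops the leak only as long as the check itself is executed. The key sizes, primes, message and the check_enabled switch (which models a fault that skips the conditional) are constructed for illustration.

```python
import math

# Constructed toy key: two known primes, far too small for real use.
P = 1000000007
Q = 998244353
E = 65537
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent (modular inverse, Python >= 3.8)


def rsa_crt_sign(m, p, q, d, faulty_sq=None):
    """CRT signature of an already-padded message m (0 <= m < p*q).

    faulty_sq models a fault injected into the exponentiation modulo q:
    the attacker replaces the half-signature s_q with a value of their
    choosing (the "non-random fault" setting of the paper).
    """
    dp, dq = d % (p - 1), d % (q - 1)
    sp = pow(m, dp, p)
    sq = pow(m, dq, q) if faulty_sq is None else faulty_sq % q
    qinv = pow(q, -1, p)
    h = (qinv * (sp - sq)) % p  # Garner recombination
    return sq + h * q


def signature_is_consistent(sig, m, e, n):
    """The conditional check: re-encrypt with the public exponent and
    compare with the message before releasing the signature."""
    return pow(sig, e, n) == m % n


def bellcore_factor(faulty_sig, m, e, n):
    """Bellcore attack: a signature that is correct mod p but wrong mod q
    satisfies sig^e == m (mod p) only, so gcd(sig^e - m, n) yields p.
    For a correct signature the gcd is n itself (gcd(0, n) == n)."""
    return math.gcd((pow(faulty_sig, e, n) - m) % n, n)


def sign_and_release(m, faulty_sq=None, check_enabled=True):
    """Return the signature, or None if the consistency check rejects it.

    check_enabled=False is a hypothetical model of a second fault that
    skips the conditional (the worry raised in the message above).
    """
    sig = rsa_crt_sign(m, P, Q, D, faulty_sq)
    if check_enabled and not signature_is_consistent(sig, m, E, N):
        return None
    return sig


def demo():
    """Walk through: good signature, caught fault, uncaught fault -> p."""
    m = 0xDEADBEEF  # constructed padded message, already reduced mod N
    good = sign_and_release(m)
    assert signature_is_consistent(good, m, E, N)

    # Any value other than the true s_q is a usable fault: gcd(E, Q-1) == 1
    # makes x -> x^E a bijection mod Q, so no other value re-encrypts to m.
    true_sq = pow(m, D % (Q - 1), Q)
    fault = (true_sq + 1) % Q

    assert sign_and_release(m, fault) is None  # the check catches it
    leaked = sign_and_release(m, fault, check_enabled=False)
    return bellcore_factor(leaked, m, E, N)  # recovers P


if __name__ == "__main__":
    print("recovered factor:", demo(), "expected:", P)
```

The point for the patch discussion: the check is only a branch, and a fault that skips that branch turns a detected fault into a released, factoring signature, which is why a countermeasure that does not rely on the conditional is attractive.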