Re: [Taler] Fault attacks on RSA in libgcrypt

From: Jeff Burdges
Subject: Re: [Taler] Fault attacks on RSA in libgcrypt
Date: Mon, 22 Aug 2016 22:48:33 +0200

Also, there are discussion threads on this topic elsewhere:


On Mon, 2016-08-22 at 19:42 +0200, Jeff Burdges wrote:
> Dear gcrypt-devel,
>
> I implemented the protection against fault attacks recommended in
> "Making RSA-PSS Provably Secure Against Non-Random Faults" by Gilles
> Barthe, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire,
> Mehdi Tibouchi and Jean-Christophe Zapalowicz.
>   https://eprint.iacr.org/2014/252
>
> It worries me that a targeted fault attack could subvert the conditional
> currently used to protect against fault attacks.
>
> Apply the attached patch by switching to a new branch of master and
> running:
>   git am ../Fault-attacks-on-RSA.patch
>
> At present, I'm using rho = ctx.nbits-1 because Remark 2 on page 8
> recommends roughly rho = ctx.nbits/2+200 and blind signing applications
> like Taler need an FDH instead of a randomized scheme like PSS.
>
> In fact, if one worries about attacks on a conditional, then maybe one
> should worry about attacks on ctx.nbits or even ctx.flags &
> PUBKEY_FLAG_NO_BLINDING as well.  If so, Remark 2 argues that rho=512
> should more than suffice, even if not covered by their proof, and
> provide more security against fault attacks on ctx.  Thoughts?
>
> In any case, I'd suggest disabling support for PUBKEY_FLAG_NO_BLINDING
> by default too, with a compile time option to enable it.  Any occurrence
> sounds like a bit flip attack target that enables timing attacks.
>
> Best,
> Jeff
> _______________________________________________
> Gcrypt-devel mailing list
> address@hidden
> http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
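The two countermeasures the quoted message contrasts, the verify-after-sign conditional and a randomized PSS-like encoding with a rho-bit salt, as an added worked example in Python. This is constructed illustration code, not libgcrypt's code, not the attached patch and not the scheme from the Barthe et al. paper. It uses a toy modulus built from two fixed Mersenne primes, a constructed single-bit corruption of the mod-q half of the CRT computation to exercise the check, and the hypothetical names crt_sign, sign_checked, fdh_encode, salted_encode, salted_sign and decode_salt. The salt width KBITS//2 is a toy value; the nbits/2+200 figure the message attributes to Remark 2 assumes a real key size.

```python
"""Toy RSA-CRT signer showing the two fault countermeasures the thread
contrasts: the verify-after-sign conditional, and a randomised PSS-like
encoding whose salt is only recoverable from a signature that verifies.
Constructed illustration code; not libgcrypt, not the attached patch and
not the scheme from the Barthe et al. paper."""
import hashlib
import secrets
from typing import Optional

# Constructed toy key from two fixed Mersenne primes (far too small for real
# use; chosen so the example runs instantly with plain Python integers).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KBITS = N.bit_length()  # 92 bits for this toy modulus


class FaultDetected(Exception):
    """Raised when the self-check refuses to release a signature."""


def crt_sign(mu: int, fault: bool = False) -> int:
    """mu^D mod N via Garner's CRT recombination.  fault=True flips one bit
    of the mod-q half, a constructed stand-in for a transient hardware fault,
    so the countermeasures below can be exercised."""
    dp, dq = D % (P - 1), D % (Q - 1)
    sp = pow(mu, dp, P)
    sq = pow(mu, dq, Q)
    if fault:
        sq ^= 1  # constructed single-bit corruption of s_q only
    h = (pow(Q, -1, P) * (sp - sq)) % P
    return sq + Q * h  # a valid signature only if sq was not corrupted


def sign_checked(mu: int, fault: bool = False) -> int:
    """Conditional countermeasure: recompute s^e and refuse to output a value
    that does not verify.  This `if` is the branch the message worries about:
    a second fault that skips it would release the bad signature."""
    s = crt_sign(mu, fault)
    if pow(s, E, N) != mu:
        raise FaultDetected("self-check failed; signature withheld")
    return s


def fdh_encode(msg: bytes) -> int:
    """Deterministic full-domain-hash style encoding (what a blind-signature
    application like Taler needs): mu depends on msg alone, so anyone can
    recompute it."""
    return int.from_bytes(hashlib.sha512(msg).digest(), "big") % N


def salted_encode(msg: bytes, salt: int, rho: int) -> int:
    """PSS-like encoding: rho-bit salt in the low bits, a truncated hash of
    msg||salt above it, KBITS-1 bits in total so that mu < N."""
    hbits = KBITS - 1 - rho
    salt_bytes = salt.to_bytes((rho + 7) // 8, "big")
    h = int.from_bytes(hashlib.sha512(msg + salt_bytes).digest(), "big")
    return ((h & ((1 << hbits) - 1)) << rho) | salt


def salted_sign(msg: bytes, rho: int, salt: Optional[int] = None,
                fault: bool = False) -> int:
    """Sign with a fresh rho-bit salt (a fixed salt may be passed for tests)."""
    if salt is None:
        salt = secrets.randbits(rho)
    return crt_sign(salted_encode(msg, salt, rho), fault)


def decode_salt(msg: bytes, s: int, rho: int) -> Optional[int]:
    """Recover the salt from a signature, or None if s does not verify.  A
    faulty s exponentiates to garbage, so neither the salt nor mu can be
    read back from it; that is the property the salted scheme relies on."""
    x = pow(s, E, N)
    salt = x & ((1 << rho) - 1)
    return salt if x == salted_encode(msg, salt, rho) else None


def salted_verify(msg: bytes, s: int, rho: int) -> bool:
    return decode_salt(msg, s, rho) is not None


if __name__ == "__main__":
    msg = b"constructed test message"
    mu = fdh_encode(msg)
    print("FDH signature verifies:", pow(sign_checked(mu), E, N) == mu)
    try:
        sign_checked(mu, fault=True)
    except FaultDetected as exc:
        print("faulted FDH signing:", exc)
    rho = KBITS // 2  # toy width; Remark 2's figure assumes a real key size
    good = salted_sign(msg, rho)
    bad = salted_sign(msg, rho, fault=True)
    print("salt recoverable from good signature:", decode_salt(msg, good, rho) is not None)
    print("salt recoverable from faulty signature:", decode_salt(msg, bad, rho) is not None)
```

With the deterministic FDH encoding the value mu is public, so the only thing standing between a faulted CRT computation and the caller is the conditional in sign_checked; with the salted encoding the salt, and therefore mu, is only recoverable from an output that actually verifies. That asymmetry is why the message treats the PSS salt argument of Remark 2 as unavailable to an FDH-based blind signer and looks for protection elsewhere.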
