
Re: [Taler] Fault attacks on RSA in libgcrypt

From: Jeff Burdges
Subject: Re: [Taler] Fault attacks on RSA in libgcrypt
Date: Fri, 02 Sep 2016 05:27:59 +0200

On Fri, 2016-09-02 at 09:34 +0900, NIIBE Yutaka wrote:
> So, I think that the idea of this attack itself is valid and we have
> no way to solve it by software, in general (while we could find a way
> to mitigate somehow for a given scenario).

As I said before, I now think the patch I submitted up thread is
useless.  And we should instead look towards approaches resembling:

In this new article, there is considerably more randomization throughout
the signing algorithm.  Indeed, one could imagine extending it to two
layers of randomization, so that the actual key only exists briefly when
loaded from disk before being randomized for the session, and each
decryption operation gets its own randomization as well.

There are good odds that a more thoroughly randomized approach like this
can be justified purely for added protection against timing attacks,
while my now retracted patch is obviously useless for that.  The paper
does not make such a case though.

Anyone here who understands the existing protections against timing
attacks want to glance over this new article?


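As an added illustration (not part of the message above and not libgcrypt code), the Python sketch below shows the two-layer randomization Jeff describes: the CRT exponent halves are blinded once per session so the raw private exponent is never used for signing, every operation adds fresh exponent and message blinding on top, and the result is checked against the public key before release, which is the standard countermeasure against the classic Bellcore fault on RSA-CRT. The fault model is a simulated single-bit glitch in one CRT half; the toy key size, the class and function names, and the 64-bit blinding factors are all assumptions made for the example.

```python
import math
import random
import secrets

# Added example, not libgcrypt code. Toy key sizes for speed only.


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin with a few trial divisions first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def keygen(bits=512, e=65537):
    """Textbook RSA key; returns the CRT parameters as well."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return {"n": p * q, "e": e, "d": pow(e, -1, phi), "p": p, "q": q}


def crt_sign_raw(key, m, fault_q=False):
    """Unprotected RSA-CRT signing with an optional glitch in the q half."""
    p, q = key["p"], key["q"]
    sp = pow(m, key["d"] % (p - 1), p)
    sq = pow(m, key["d"] % (q - 1), q)
    if fault_q:
        sq ^= 1  # simulated single-bit fault (constructed fault model)
    h = (pow(q, -1, p) * (sp - sq)) % p
    return (sq + q * h) % key["n"]


def bellcore_factor(n, e, m, faulty_sig):
    """Recover a factor of n from one faulty CRT signature (public data only)."""
    g = math.gcd((pow(faulty_sig, e, n) - m) % n, n)
    return g if 1 < g < n else None


class BlindedSigner:
    """Session layer: only exponent-blinded CRT halves are kept, never d."""

    def __init__(self, key, fault_q=False):
        p, q = key["p"], key["q"]
        self.n, self.e, self.p, self.q, self.fault_q = key["n"], key["e"], p, q, fault_q
        # Session randomization: dp + k*(p-1) and dq + k'*(q-1) replace dp, dq.
        self.dp_s = key["d"] % (p - 1) + secrets.randbits(64) * (p - 1)
        self.dq_s = key["d"] % (q - 1) + secrets.randbits(64) * (q - 1)
        self.q_inv = pow(q, -1, p)

    def _sign_crt(self, m):
        # Per-operation exponent randomization on top of the session blinding.
        dp = self.dp_s + secrets.randbits(64) * (self.p - 1)
        dq = self.dq_s + secrets.randbits(64) * (self.q - 1)
        sp, sq = pow(m, dp, self.p), pow(m, dq, self.q)
        if self.fault_q:
            sq ^= 1  # same simulated glitch as in crt_sign_raw
        h = (self.q_inv * (sp - sq)) % self.p
        return (sq + self.q * h) % self.n

    def sign(self, m):
        # Per-operation message blinding: sign m*r^e, then strip r.
        while True:
            r = secrets.randbelow(self.n)
            if r > 1 and math.gcd(r, self.n) == 1:
                break
        s_blind = self._sign_crt((m * pow(r, self.e, self.n)) % self.n)
        s = (s_blind * pow(r, -1, self.n)) % self.n
        # Verify before release: a fault in either CRT half is refused here.
        if pow(s, self.e, self.n) != m:
            raise RuntimeError("signature self-check failed; refusing to release")
        return s


def demo(bits=512):
    """Unprotected signer leaks a factor from one fault; protected one refuses."""
    key = keygen(bits)
    m = secrets.randbelow(key["n"] - 2) + 2  # constructed message representative
    faulty = crt_sign_raw(key, m, fault_q=True)
    leaked = bellcore_factor(key["n"], key["e"], m, faulty)
    try:
        BlindedSigner(key, fault_q=True).sign(m)
        refused = False
    except RuntimeError:
        refused = True
    good = BlindedSigner(key).sign(m)
    return {
        "leaked_factor_ok": leaked in (key["p"], key["q"]),
        "protected_refused": refused,
        "good_sig_verifies": pow(good, key["e"], key["n"]) == m,
        "good_matches_textbook": good == pow(m, key["d"], key["n"]),
    }
```

One caveat worth keeping in mind when reading the paper: message blinding on its own does not defeat the gcd attack, because after unblinding a faulty signature still satisfies s^e = m mod p while failing mod q, so gcd(s^e - m, n) recovers p exactly as in the unprotected case. The blinding layers buy protection against timing and power observation; it is the self-check before release that keeps a glitched result from ever reaching the attacker.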
