[Taler] Fault attacks on RSA in libgcrypt
From: Jeff Burdges
Subject: [Taler] Fault attacks on RSA in libgcrypt
Date: Mon, 22 Aug 2016 19:42:42 +0200
Dear gcrypt-devel,
I implemented the protection against fault attacks recommended in
"Making RSA-PSS Provably Secure Against Non-Random Faults" by Gilles
Barthe, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire,
Mehdi Tibouchi and Jean-Christophe Zapalowicz.
https://eprint.iacr.org/2014/252
The paper worries that a targeted fault attack could subvert the conditional
currently used to protect against fault attacks.
Apply the attached patch by switching to a new branch of master and
running:

    git am ../Fault-attacks-on-RSA.patch
At present, I'm using rho = ctx.nbits-1 because Remark 2 on page 8
recommends roughly rho = ctx.nbits/2+200 and blind signing applications
like Taler need an FDH instead of a randomized scheme like PSS.
In fact, if one worries about attacks on a conditional, then maybe one
should worry about attacks on ctx.nbits or even ctx.flags &
PUBKEY_FLAG_NO_BLINDING as well. If so, Remark 2 argues that rho=512
should more than suffice, even if not covered by their proof, and
provide more security against fault attacks on ctx. Thoughts?
In any case, I'd suggest disabling support for PUBKEY_FLAG_NO_BLINDING
by default too, with a compile time option to enable it. Any occurrence
sounds like a bit flip attack target that enables timing attacks.
Best,
Jeff
Attachments: Fault-attacks-on-RSA.patch (text), signature.asc (digitally signed message part)
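What the message above is defending against, as an added example that is not part of the post, of the attached patch, or of libgcrypt: a toy CRT-RSA signer in Python with a constructed tiny key, a simulated single-bit fault in the mod-p half of the CRT computation, the Bellcore gcd attack on the faulted output, the verify-before-release conditional (and what happens when a second, targeted fault makes that branch fall through), and a padding salted with rho secret bits that an attacker who knows only the message has to brute-force. The key, the toy hash `fdh`, the function names and the salt model are assumptions for illustration; the salted padding is a simplification of the paper's setting, not its PSS construction and not what the patch implements.

```python
# Added example, not code from the mailing-list post, from the attached
# patch or from libgcrypt. Toy CRT-RSA signer, a simulated fault, the
# Bellcore gcd attack, the conditional countermeasure, and a salted
# padding whose rho secret bits the attacker must brute-force.
import hashlib
import math
import secrets

# Constructed toy key: tiny primes so everything runs instantly. Not secure.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)             # q^-1 mod p, for Garner recombination


def fdh(msg: bytes, salt: bytes = b"") -> int:
    """Toy full-domain hash (an assumption): SHA-256 of salt||msg, mod N."""
    return int.from_bytes(hashlib.sha256(salt + msg).digest(), "big") % N


def crt_sign(mu: int, fault: bool = False) -> int:
    """s = mu^d mod N via CRT. fault=True flips one bit of the mod-p half,
    modelling a glitch during that exponentiation."""
    sp = pow(mu, DP, P)
    sq = pow(mu, DQ, Q)
    if fault:
        sp ^= 1                      # simulated single-bit fault in s_p
    h = (QINV * (sp - sq)) % P
    return (sq + h * Q) % N          # correct mod q, wrong mod p if faulted


def bellcore(sig: int, mu: int) -> int:
    """Bellcore attack: a signature faulted only in the p half still satisfies
    s^e == mu (mod q), so gcd(s^e - mu, N) yields q. Needs the exact padded
    value mu that was signed; an unfaulted signature gives gcd(0, N) == N."""
    return math.gcd((pow(sig, E, N) - mu) % N, N)


def sign_checked(mu: int, fault: bool = False, check_skipped: bool = False):
    """Signer with the conditional countermeasure: re-encrypt with e and
    refuse to release a signature that does not verify. check_skipped=True
    models a second, targeted fault that makes the branch fall through."""
    s = crt_sign(mu, fault)
    if not check_skipped and pow(s, E, N) != mu:
        return None                  # faulted signature never leaves the signer
    return s


def sign_salted(msg: bytes, rho: int, fault: bool = False) -> int:
    """Signer that pads with a fresh rho-bit salt it never reveals when the
    signature is faulty (simplified model of a large rho). Returns only s."""
    salt = secrets.randbits(rho).to_bytes((rho + 7) // 8, "big")
    return crt_sign(fdh(msg, salt), fault)


def bellcore_unknown_salt(sig: int, msg: bytes, rho: int):
    """Attacker who knows msg but not the salt: try every salt value.
    Returns (factor, attempts); the work is 2**rho gcd computations in the
    worst case, which is what sizing rho is about."""
    for guess in range(1 << rho):
        salt = guess.to_bytes((rho + 7) // 8, "big")
        g = bellcore(sig, fdh(msg, salt))
        if 1 < g < N:
            return g, guess + 1
    return 1, 1 << rho


if __name__ == "__main__":
    mu = fdh(b"constructed test message")
    s_bad = crt_sign(mu, fault=True)
    print("faulty sig, known padding, factor found:", bellcore(s_bad, mu) == Q)
    print("conditional in place, output:           ", sign_checked(mu, fault=True))
    s_leak = sign_checked(mu, fault=True, check_skipped=True)
    print("conditional skipped, factor found:      ", bellcore(s_leak, mu) == Q)
    g, tries = bellcore_unknown_salt(sign_salted(b"m", 8, fault=True), b"m", 8)
    print("rho=8 salt brute-forced:", g in (P, Q), "after", tries, "tries")
```

Run as a script for a summary. With the padding known, one faulted CRT signature factors the modulus immediately; the conditional stops that only as long as the branch itself executes, which is the single point of failure the message worries about. With rho = 8 the salt search finishes within 256 gcd computations, and the cost doubles with every salt bit, which is the quantity the choice of rho in the message above is sized against.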