diff options
author | Jack Lloyd <[email protected]> | 2018-04-04 11:53:36 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-04-04 11:53:36 -0400 |
commit | c2d4eefafed4aad95f501fa932ab67699db2c5a5 (patch) | |
tree | 4e4a545dd92069447ea614447427808a44c56128 /doc/manual/side_channels.rst | |
parent | db65873a56c75373280c61417332a4d1c466a494 (diff) |
Update side channel doc, and update RSA blinding test
It needs to account for bits taking from the blinding RNG for
exponent blinding.
Diffstat (limited to 'doc/manual/side_channels.rst')
-rw-r--r-- | doc/manual/side_channels.rst | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/doc/manual/side_channels.rst b/doc/manual/side_channels.rst index 6d6bd74bb..cf5f26003 100644 --- a/doc/manual/side_channels.rst +++ b/doc/manual/side_channels.rst @@ -13,13 +13,17 @@ RSA ---------------------- Blinding is always used to protect private key operations (there is no way to -turn it off). As an optimization, instead of choosing a new random mask and +turn it off). Both base blinding and exponent blinding are used. + +For base blinding, as an optimization, instead of choosing a new random mask and inverse with each decryption, both the mask and its inverse are simply squared to choose the next blinding factor. This is much faster than computing a fresh value each time, and the additional relation is thought to provide only minimal useful information for an attacker. Every BOTAN_BLINDING_REINIT_INTERVAL (default 32) operations, a new starting point is chosen. +Exponent blinding uses new values for each signature. + RSA signing uses the CRT optimization, which is much faster but vulnerable to trivial fault attacks [RsaFault] which can result in the key being entirely compromised. To protect against this (or any other computational error which |