From c2d4eefafed4aad95f501fa932ab67699db2c5a5 Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Wed, 4 Apr 2018 11:53:36 -0400 Subject: Update side channel doc, and update RSA blinding test It needs to account for bits taken from the blinding RNG for exponent blinding. --- doc/manual/side_channels.rst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'doc/manual/side_channels.rst') diff --git a/doc/manual/side_channels.rst b/doc/manual/side_channels.rst index 6d6bd74bb..cf5f26003 100644 --- a/doc/manual/side_channels.rst +++ b/doc/manual/side_channels.rst @@ -13,13 +13,17 @@ RSA ---------------------- Blinding is always used to protect private key operations (there is no way to -turn it off). As an optimization, instead of choosing a new random mask and +turn it off). Both base blinding and exponent blinding are used. + +For base blinding, as an optimization, instead of choosing a new random mask and inverse with each decryption, both the mask and its inverse are simply squared to choose the next blinding factor. This is much faster than computing a fresh value each time, and the additional relation is thought to provide only minimal useful information for an attacker. Every BOTAN_BLINDING_REINIT_INTERVAL (default 32) operations, a new starting point is chosen. +Exponent blinding uses new values for each signature. + RSA signing uses the CRT optimization, which is much faster but vulnerable to trivial fault attacks [RsaFault] which can result in the key being entirely compromised. To protect against this (or any other computational error which -- cgit v1.2.3
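Review bot: the added line "Exponent blinding uses new values for each signature." is narrower than the paragraph it sits in, which says blinding protects all private key operations and describes base blinding per decryption; unless exponent blinding really is skipped for decryption, reword to "for each private key operation" so the two mechanisms are described at the same scope. The new text also says nothing about how the exponent is masked (what is added to or multiplied with the private exponent, and how many random bits the mask draws), which is exactly the parameter a reader of a side-channel chapter needs to judge the protection and which the commit message says the test now has to account for; one sentence stating the mask size and construction, or a pointer to where it is documented, would make the paragraph complete.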