On Tuesday, 24 May 2016, 16:13:48, Tudor-Dan Ambarus wrote:

Hi Tudor,

> Hi Stephan,
>
> > > > as I am looking into the RSA countermeasures, I am wondering how many
> > > > countermeasures are actually applied inside hardware implementations.
> > >
> > > Please point me to the reference RSA countermeasures so that we have
> > > a common point of start.
> >
> > As the entire MPI logic is derived from libgcrypt, I am planning to use the
> > libgcrypt implementation as a basis to implement the blinding defined by the
> > Handbook of Applied Cryptography 11.118/11.119.
>
> When using private key operation commands, our hardware provides
> 'timing equalization' to hide key information from timing attacks such that
> the modular exponentiation will take the same amount of time for a given
> byte length of N combined with a given byte length of the exponent.

Great, that is the other countermeasure option for RSA. So, your
implementation would be covered.

I guess it would make sense to implement countermeasures on an as-needed
basis then.

> The other part of timing equalization causes each bit of exponent to take
> the same amount of time to process. In normal exponentiation, a one bit
> takes two multiplies, while a zero bit takes just one. In timing
> equalization, a zero bit causes an extra, but 'fake' multiply.

Good, so you have two types of countermeasures it seems. Again, you should
be good then.

Ciao
Stephan
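Added illustration of the two countermeasures discussed in this thread, written for this page and not taken from the kernel, libgcrypt or the hardware in question: a square-and-multiply that performs the 'fake' multiply on zero bits so every exponent bit costs the same, and an HAC 11.118/11.119-style blinded private-key operation. The RSA parameters (p=61, q=53) and the blinding factor are constructed toy values.

```python
# Added example (not kernel/libgcrypt code): RSA timing countermeasures on toy numbers.
import math
import secrets


def mod_exp(base, exp, n, equalize=False):
    """Left-to-right square-and-multiply. Returns (result, multiply_count).

    Without equalization a one bit costs a squaring plus a multiply and a zero
    bit only a squaring, so the operation count leaks the exponent's Hamming
    weight. With equalize=True a zero bit performs a discarded 'fake' multiply,
    so every bit costs exactly one squaring plus one multiplication."""
    result = 1
    count = 0
    for bit in bin(exp)[2:]:
        result = (result * result) % n       # squaring, done for every bit
        count += 1
        if bit == "1":
            result = (result * base) % n     # real multiply on a one bit
            count += 1
        elif equalize:
            _fake = (result * base) % n      # fake multiply, result discarded
            count += 1
    return result, count


def blinded_private_op(x, d, e, n, r=None):
    """RSA private operation x^d mod n with blinding (HAC 11.118/11.119 style):
    x' = x * r^e mod n, y' = x'^d mod n, y = y' * r^-1 mod n.
    The exponentiation with the private exponent d never sees the caller's x."""
    if r is None:  # pick a random blinding factor coprime with n
        while True:
            r = secrets.randbelow(n - 2) + 2
            if math.gcd(r, n) == 1:
                break
    r_inv = pow(r, -1, n)
    blinded = (x * pow(r, e, n)) % n
    y_blinded, _ = mod_exp(blinded, d, n, equalize=True)
    return (y_blinded * r_inv) % n


# Constructed toy key: n = 61 * 53, e = 17, d = e^-1 mod lcm(60, 52).
N, E, D = 3233, 17, 2753
```

Calling `mod_exp(5, 8, N)` and `mod_exp(5, 15, N)` without equalization gives 5 and 8 multiplications for two exponents of the same bit length; with `equalize=True` both cost 8.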