Re: [PATCH v6 0/3] crypto: caam - add support for RSA algorithm

On Tuesday, 24 May 2016, 16:13:48, Tudor-Dan Ambarus wrote:

Hi Tudor,

> Hi Stephan,
> 
> > > > as I am looking into the RSA countermeasures, I am wondering how much of
> > > > countermeasures are actually applied inside hardware implementations.
> > > 
> > > Please point me to the reference RSA countermeasures so that we have
> > > a common point of start.
> > 
> > As the entire MPI logic is derived from libgcrypt, I am planning to use the
> > libgcrypt implementation as a basis to implement the blinding defined by the
> > Handbook of Applied Cryptography 11.118/11.119.
> 
> When using private key operation commands, our hardware provides
> 'timing equalization' to hide key information from timing attacks such that
> the modular exponentiation will take the same amount of time for a given
> byte length of N combined with a given byte length of the exponent.

Great, that is the other countermeasure option for RSA. So, your 
implementation would be covered.

I guess it would make sense to implement countermeasures on an as-needed basis 
then.
> 
> The other part of timing equalization causes each bit of exponent to take
> the same amount of time to process. In normal exponentiation, a one bit
> takes two multiplies, while a zero bit takes just one. In timing
> equalization, a zero bit causes an extra, but 'fake' multiply.

Good, so you have two types of countermeasures it seems. Again, you should be 
good then.


Ciao
Stephan
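To make the two countermeasures discussed in this thread concrete, here is an added Python illustration (it is not code from the CAAM driver, libgcrypt, or anyone in the thread). It shows square-and-multiply with the per-bit multiply count, the "fake multiply on a zero bit" equalization the hardware is described as doing, and the classic base-blinding transform (c * r^e)^d * r^-1 mod n, which I assume is the blinding Stephan means. The RSA parameters are a deliberately tiny constructed textbook key, not a real one.

```python
import math
import secrets

# Constructed toy RSA key (p=61, q=53); far too small for anything but illustration.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753


def modexp_count(base, exp, mod, equalize=False):
    """Left-to-right square-and-multiply. Returns (base^exp mod mod, multiplies).

    Plain mode: a 1 bit costs a square plus a multiply, a 0 bit only a square,
    so the multiply count leaks the Hamming weight of the exponent.
    equalize=True: a 0 bit performs a dummy multiply whose result is discarded,
    so every bit costs exactly one multiply (the 'timing equalization' idea).
    In real code the dummy must not be optimised away; here it is illustrative.
    """
    result, multiplies = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        if bit == "1":
            result = (result * base) % mod
            multiplies += 1
        elif equalize:
            _discarded = (result * base) % mod  # fake multiply, result unused
            multiplies += 1
    return result, multiplies


def multiply_counts(exp, mod=TOY_N):
    """Return (plain_count, equalized_count) for exponent exp; equalized == bit length."""
    _, plain = modexp_count(2, exp, mod)
    _, equalized = modexp_count(2, exp, mod, equalize=True)
    return plain, equalized


def rsa_private_blinded(c, d=TOY_D, e=TOY_E, n=TOY_N):
    """RSA private operation with base blinding.

    Pick random r coprime to n, exponentiate (c * r^e) instead of c, then strip
    the blinding with r^-1. The exponent d still acts on a value unrelated to c,
    so timing tied to the input is decorrelated. Result equals pow(c, d, n).
    """
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    blinded = (c * pow(r, e, n)) % n
    m_blind = pow(blinded, d, n)
    return (m_blind * pow(r, -1, n)) % n
```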