Hi Stephan,

> > > as I am looking into the RSA countermeasures, I am wondering how much
> > > of countermeasures are actually applied inside hardware implementations.
> >
> > Please point me to the reference RSA countermeasures so that we have
> > a common point of start.
>
> As the entire MPI logic is derived from libgcrypt, I am planning to use the
> libgcrypt implementation as a basis to implement the blinding defined by
> the Handbook of Applied Cryptography 11.118/11.119.

When using private key operation commands, our hardware provides 'timing
equalization' to hide key information from timing attacks such that the
modular exponentiation will take the same amount of time for a given byte
length of N combined with a given byte length of the exponent.

The other part of timing equalization causes each bit of exponent to take the
same amount of time to process. In normal exponentiation, a one bit takes two
multiplies, while a zero bit takes just one. In timing equalization, a zero
bit causes an extra, but 'fake' multiply.

Thanks,
ta

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
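The two countermeasures discussed in this thread, shown side by side as an added Python example that is not from the thread, from libgcrypt or from the hardware vendor: the 'fake multiply' exponentiation (square-and-multiply-always) next to the plain version, with the multiply count exposed so the equalization is visible, and the HAC 11.118/11.119 message blinding. The toy RSA parameters (p=61, q=53, e=17, d=2753) and the blinding factor r=7 are constructed for illustration only.

```python
# Added example, not code from the thread or from libgcrypt.
# Toy-sized parameters: the point is the operation count per exponent bit,
# not real security. Python big-int arithmetic is itself not constant time.

def square_and_multiply(base, exp, n):
    """Plain left-to-right binary exponentiation.
    Returns (result, number of modular multiplies).
    A 1 bit costs a square plus a multiply, a 0 bit only the square,
    so the count (and the timing) leaks the Hamming weight of exp."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % n
        mults += 1
        if bit == '1':
            result = result * base % n
            mults += 1
    return result, mults

def square_and_multiply_always(base, exp, n):
    """Timing-equalized variant: every bit performs the square and a
    multiply; for a 0 bit the product is computed and then discarded
    ('fake' multiply), so the count depends only on the bit length of exp.
    A real implementation must also select without a data-dependent branch."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % n
        mults += 1
        candidate = result * base % n   # always performed
        mults += 1
        if bit == '1':
            result = candidate          # for a 0 bit the product is dropped
    return result, mults

def blinded_private_op(x, d, e, n, r):
    """HAC 11.118/11.119 message blinding around the private-key operation:
    x' = x * r^e mod n, y' = x'^d mod n, y = y' * r^-1 mod n.
    r must be coprime to n and chosen fresh per operation (constructed r here)."""
    r_inv = pow(r, -1, n)                       # modular inverse of the blinding factor
    x_blind = x * pow(r, e, n) % n              # blind the input
    y_blind, _ = square_and_multiply_always(x_blind, d, n)
    return y_blind * r_inv % n                  # unblind the output

# Constructed toy key: p=61, q=53, n=3233, e=17, d=2753 (phi=3120).
TOY_N, TOY_E, TOY_D = 3233, 17, 2753

if __name__ == "__main__":
    c, plain_mults = square_and_multiply(65, TOY_E, TOY_N)
    m, eq_mults = square_and_multiply_always(c, TOY_D, TOY_N)
    print("plain mults for e:", plain_mults, "equalized mults for d:", eq_mults, "m:", m)
    print("blinded decryption:", blinded_private_op(c, TOY_D, TOY_E, TOY_N, 7))
```

For d=2753 (12 bits, 5 set) the plain loop does 17 multiplies while the equalized loop always does 24, i.e. two per bit regardless of the key's Hamming weight.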