----- Original Message -----
From: "Nomen Nescio" <[EMAIL PROTECTED]>
Sent: Monday, March 24, 2003 1:20 PM
Subject: Re: Brumley & Boneh timing attack on OpenSSL

> Regarding using blinding to defend against timing attacks, and supposing
> that a crypto library is going to have support for blinding:
>  - Should it do blinding for RSA signatures as well as RSA decryption?

If you are a client, and you manually control the signature generation (like
you use PGP to sign email messages), I wouldn't implement blinding.
But if you are a server (or a client that automatically responds to requests)
that signs messages for some reason, and you receive many requests, I would.
RSA decryption, yes for servers.

>  - How about for ElGamal decryption?
>  - Non-ephemeral (static) DH key exchange?

Again, if you automatically answer requests, yes I would.  In the
Freedom network, servers had non-ephemeral keys and did a DH key
exchange with clients (client side used ephemeral keys and was anonymous),
we implemented blinding on the server side to counter timing attacks because
we had a hunch that they could work over network connections.

>  - Ephemeral DH key exchange?

No, I wouldn't.  I would be very surprised if you could do timing attacks on
one execution of a modular exponentiation, unless there is some way to trick
a server into using the same secret on different inputs, even though it's
supposed to do ephemeral DH.

>  - How about for DSS signatures?

Yes, if you automatically answer requests.  Paul Kocher's initial paper on the
subject explicitly mentions DH, RSA and DSS.
If there is a possibility that you can be used as an oracle, and you have a
key, you should be careful.

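As an added example (not from the thread above), here is the server-side RSA blinding the reply recommends, in Python with a constructed toy key: the private-key exponentiation is applied to c * r^e for a fresh random r and the result is multiplied by r^-1, so the value whose timing an outside party could observe is one they neither know nor control. The same routine covers both decryption and signing, since both are the private-key operation; the key size and message values are assumptions for illustration only.

```python
import secrets
from math import gcd

# Constructed toy RSA key: far too small for real use, chosen only so the
# arithmetic is easy to follow. Real deployments use a proper key generator.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_private_unblinded(c: int, d: int = D, n: int = N) -> int:
    """Plain private-key operation. Its running time depends on c and d,
    which is what a timing attack against a responding server measures."""
    return pow(c, d, n)


def rsa_private_blinded(c: int, d: int = D, n: int = N, e: int = E) -> int:
    """Private-key operation with Kocher-style blinding.

    A fresh r coprime to n is drawn per call. The exponentiation runs on
    c * r^e mod n, so (c * r^e)^d = c^d * r (since r^(e*d) = r mod n), and
    multiplying by r^-1 recovers c^d without the caller ever seeing r.
    """
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    r_inv = pow(r, -1, n)
    blinded_input = (c * pow(r, e, n)) % n
    return (pow(blinded_input, d, n) * r_inv) % n


def rsa_public(m: int, e: int = E, n: int = N) -> int:
    """Public-key operation: encryption, or signature verification."""
    return pow(m, e, n)


def demo() -> bool:
    """Check that blinding does not change the result for decrypt or sign."""
    m = 123456789  # constructed sample message, must be < N
    c = rsa_public(m)
    decrypt_ok = rsa_private_blinded(c) == rsa_private_unblinded(c) == m
    sig = rsa_private_blinded(m)
    sign_ok = rsa_public(sig) == m
    return decrypt_ok and sign_ok


if __name__ == "__main__":
    print("blinded results match:", demo())
```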

The Cryptography Mailing List