Daniel Kahn Gillmor <[email protected]> writes:

> My understanding is that RSA blinding is a countermeasure against timing
> attacks, and that it introduces a new dependency on some sort of RNG
> (though perhaps a weak one?) to parts of the process that wouldn't
> otherwise need it.

I confess I don't remember the details of why blinding is desirable.
Does it improve hiding of the key, message, or both? 

Would it help to use a powm function which has data-independent timing?
There's a powm_sec in gmp which is supposed to do this (assuming
underlying arithmetic instructions have data independent timing), and
which is only slightly slower than the general version for sizes of
interest. But a few other functions are still missing to make it really
useful.

It would make sense to add an RSA interface which takes a randomness
source as input (for blinding), and a DSA interface which doesn't need a
randomness source (and instead uses something like the hash of the
message being signed as the "random" value needed, like it's done in
putty).

But neither is currently a high priority for me.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
_______________________________________________
nettle-bugs mailing list
[email protected]
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs

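The RSA blinding discussed above, as an added worked example in Python; this is not Nettle's code and not code from either poster. The key (two Mersenne primes, e = 65537), the message value and the use of Python's `secrets` module as the randomness source are all assumptions of the example, standing in for whatever randomness source the proposed RSA interface would take. What it shows: the private exponentiation runs on c * r^e mod n, a value that is uniformly random and unrelated to the attacker-chosen input c, and multiplying the result by r^-1 recovers c^d mod n exactly, since r^(e*d) = r (mod n). So blinding hides the input to the secret-exponent operation (and through it the private exponent d, which is what a timing attack on that operation targets), at the cost of one fresh random r per operation and one modular inversion.

```python
# Added example (not Nettle code): RSA message blinding as a timing-attack
# countermeasure, using a deliberately small constructed key.
import secrets
from math import gcd

# Constructed toy key: two Mersenne primes, far too small for real use.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (needs Python >= 3.8)


def rsa_public(m, e=E, n=N):
    """Textbook RSA public operation (encrypt / verify)."""
    return pow(m, e, n)


def rsa_private_unblinded(c, d=D, n=N):
    """Private operation with the secret exponent applied directly to an
    attacker-chosen input: the base of pow() is c itself, so any
    input-dependent timing in the exponentiation correlates with c and d."""
    return pow(c, d, n)


def pick_blinding_factor(n, rng=secrets):
    """Uniform random r in [2, n) with gcd(r, n) == 1, so r^-1 mod n exists.
    This is the RNG dependency blinding introduces: if r is predictable,
    the attacker can account for it and the blinding protects nothing."""
    while True:
        r = rng.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def rsa_private_blinded(c, d=D, e=E, n=N, r=None):
    """Private operation on a blinded input.

    Correctness: (c * r^e)^d = c^d * r^(e*d) = c^d * r (mod n),
    so multiplying by r^-1 recovers c^d.  The exponentiation's base,
    c * r^e mod n, is uniformly random and unrelated to c, which is what
    decorrelates its timing from the attacker's input.  `r` may be passed
    explicitly only for testing; production callers must leave it None.
    """
    if r is None:
        r = pick_blinding_factor(n)
    r_inv = pow(r, -1, n)                      # inverse computed before the secret op
    blinded = (c * pow(r, e, n)) % n           # public-exponent op, no secret involved
    result_blinded = pow(blinded, d, n)        # the only secret-key operation
    return (result_blinded * r_inv) % n


def demo():
    """Decrypt one constructed ciphertext both ways and show that two
    blinded runs on the same c feed different bases to the exponentiation."""
    m = 0x1234567890ABCDEF                     # constructed message, < N
    c = rsa_public(m)
    r1, r2 = pick_blinding_factor(N), pick_blinding_factor(N)
    b1 = (c * pow(r1, E, N)) % N
    b2 = (c * pow(r2, E, N)) % N
    return {
        "plain": rsa_private_unblinded(c),
        "blinded": rsa_private_blinded(c),
        "bases_differ": b1 != b2,              # same c, different base seen by pow()
    }


if __name__ == "__main__":
    print(demo())
```

Note that blinding on its own does not remove the need for data-independent arithmetic elsewhere: the unblinding multiplication and the inversion still handle r and the result, and r must be fresh (or properly re-randomized) for every private operation.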