Re: Blinding implementation in OpenSSL

2019-04-15 Thread Billy Brumley 
("OpenSSL doesn't do" _scalar_ blinding! Coordinate blinding is there.
sorry ...)

Re: Blinding implementation in OpenSSL

2019-04-15 Thread Billy Brumley 
> > Could you please explain how blinding works in OpenSSL?
> >
> > EC_KEY structure seems to have an unblinded private key structure and
> > blinded X, Y, Z- coordinates of the public key when blinding is in
> > use. But if I understand correctly, he idea of blinding is protecting
> > the private key from extracting from memory/swap/etc? Am I wrong?
>
> No, blinding is done during the private key operations to "randomize"
> the computations so timing and other side channels do not leak the
> private key. The private key itself is not modified.

Dmitry is correct in that coordinate blinding and scalar blinding are
different things. The question seems to be why doesn't OpenSSL do
coordinate blinding. (Hoping I'm not interpreting too much.)

BBB

Re: Blinding implementation in OpenSSL

2019-04-15 Thread Tomas Mraz 
On Mon, 2019-04-15 at 10:39 +0300, Dmitry Belyavsky wrote:
> Hello,
> 
> Could you please explain how blinding works in OpenSSL?
> 
> EC_KEY structure seems to have an unblinded private key structure and
> blinded X, Y, Z- coordinates of the public key when blinding is in
> use. But if I understand correctly, he idea of blinding is protecting
> the private key from extracting from memory/swap/etc? Am I wrong?

No, blinding is done during the private key operations to "randomize"
the computations so timing and other side channels do not leak the
private key. The private key itself is not modified.

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]

Blinding implementation in OpenSSL

2019-04-15 Thread Dmitry Belyavsky 
Hello,

Could you please explain how blinding works in OpenSSL?

EC_KEY structure seems to have an unblinded private key structure and
blinded X, Y, Z- coordinates of the public key when blinding is in use. But
if I understand correctly, he idea of blinding is protecting the private
key from extracting from memory/swap/etc? Am I wrong?

Many thanks in advance!

-- 
SY, Dmitry Belyavsky