Rob Austein <s...@hactrn.net> writes:

>We've left RSA blinding enabled unconditionally in all cases for now, out of
>paranoia, but would be interested in opinions from wider heads about how
>necessary this really is.
Definitely a good idea in any case. Most of the side-channel attacks require repeated sampling of an operation and then statistical analysis to break out the details of interest, with randomisation each time you're making that a lot harder.

Russ Housley <hous...@vigilsec.com> writes:

>If the Verilog is constant-time and constant-power-consumption, then the
>major side channels are protected.

I don't think anyone's ever managed to do a constant-time, constant-power, constant-EMI, constant-* implementation of something like that have they? You occasionally get conference papers demonstrating some new side-channel-analysis-resistant implementation, but then the following year at the same conference you get another paper un-demonstrating it.

The thing is, for hardware you don't actually need to have a side-channel-resistant implementation. For software you do because the person writing the conference paper can give themselves whatever privileges they need to perform the attack (hostile code running on the same CPU with insight into the cache or memory access patterns or whatever), but with an HSM you define how far they can go, and that's the outside of the HSM. There's a twenty-year-old HSM, IBM's 4758, that was resistant to pretty much all of the side-channel attacks that came along after it was developed, not because the developers were magically aware of them but because they used good engineering practice, power supply decoupling, filtering, etc (I asked them about how they managed it and that was their explanation, we designed it properly from the outset).

So worst case all you need to worry about is timing attacks, which is what you have blinding for. If you're still worried then given that you're building an HSM rather than a crypto accelerator, so security is more important than throughput, quantise the production of results.
That can eventually be defeated too with enough samples, but since you're blinding as well you're making it pretty difficult for the attacker.

Peter.

_______________________________________________
Tech mailing list
Tech@cryptech.is
https://lists.cryptech.is/listinfo/tech
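The two mitigations discussed in this thread, RSA blinding of the private-key operation and quantising the time at which results are released, as an added worked example. This is illustration code written for this page, not Cryptech's Verilog or software; the RSA key is a constructed textbook-sized toy (p = 61, q = 53), and the function names and the `quantum_s` parameter are this example's own choices.

```python
import math
import secrets
import time

# Constructed toy RSA key, far too small for real use: p = 61, q = 53.
N = 3233    # p * q
E = 17      # public exponent
D = 2753    # private exponent, E * D == 1 (mod (p-1)(q-1))


def rsa_encrypt(m, e=E, n=N):
    return pow(m, e, n)


def rsa_decrypt_unblinded(c, d=D, n=N):
    # The private exponent is applied directly to attacker-chosen input, so
    # every run with the same ciphertext walks the same sequence of modular
    # operations; repeated timing samples then correlate with bits of d.
    return pow(c, d, n)


def pick_blinding_factor(n):
    # Random r in [2, n) with gcd(r, n) == 1 so that r has an inverse mod n.
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def rsa_decrypt_blinded(c, d=D, e=E, n=N, r=None):
    """Return (plaintext, blinded_input).

    The exponentiation with d is performed on c * r^e, which differs on every
    call because r is fresh; afterwards the unwanted factor r is removed by
    multiplying with r^-1 mod n. The attacker-visible timing no longer relates
    to the ciphertext they chose.
    """
    if r is None:
        r = pick_blinding_factor(n)
    c_blind = (c * pow(r, e, n)) % n
    m_blind = pow(c_blind, d, n)          # (c * r^e)^d = m * r  (mod n)
    m = (m_blind * pow(r, -1, n)) % n     # strip r; pow(r, -1, n) needs Python 3.8+
    return m, c_blind


def quantised(op, quantum_s):
    """Run op() but release its result only on a multiple of quantum_s.

    This is the 'quantise the production of results' suggestion: the caller
    sees response times rounded up to a fixed grid, so small data-dependent
    variations inside op() are hidden until many more samples are collected.
    Returns (result, observed_elapsed_seconds).
    """
    start = time.perf_counter()
    result = op()
    elapsed = time.perf_counter() - start
    slots = max(1, math.ceil(elapsed / quantum_s))
    target = start + slots * quantum_s
    while time.perf_counter() < target:
        time.sleep(target - time.perf_counter())
    return result, time.perf_counter() - start


if __name__ == "__main__":
    c = rsa_encrypt(65)
    print("unblinded:", rsa_decrypt_unblinded(c))
    print("blinded:  ", rsa_decrypt_blinded(c)[0])
    print("quantised:", quantised(lambda: rsa_decrypt_blinded(c)[0], 0.005))
```

Passing an explicit `r` makes the two blinded calls in the usage comparable: the recovered plaintext is identical while the value actually raised to the private exponent differs, which is the whole point of blinding. The quantiser rounds observed latency up rather than padding to a worst-case constant, so throughput is traded for timing uniformity in proportion to the quantum chosen.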