- cipher/rsa.c (secret_core_crt): Blind secret D with randomized
nonce R for mpi_powm computation.
Backport of libgcrypt 8725c99ffa41778f382ca97233183bcd687bb0ce.
Signed-off-by: Marcus Brinkmann <email@example.com>
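The blinding the commit message describes, shown as an added example (this is not code from gpg1.4, libgcrypt, or the backported commit): an RSA-CRT private operation where dp and dq are replaced, on every call, by dp + r1*(p-1) and dq + r2*(q-1) with fresh random r1, r2. The toy primes, the 64-bit nonce width, the function and variable names, and the sample message are all this example's own assumptions; it also deletes the blinded exponents as soon as the two exponentiations are done, in the spirit of the secure-memory point raised later in the thread.

```python
"""Exponent blinding for RSA-CRT private operations (illustrative, stdlib only)."""
import secrets
from dataclasses import dataclass

# Constructed toy parameters: both primes are well known (2^64 - 59 and the
# Mersenne prime 2^61 - 1) but far too small for real use.
P = (1 << 64) - 59
Q = (1 << 61) - 1
E = 65537


@dataclass(frozen=True)
class RsaCrtKey:
    n: int
    e: int
    d: int
    p: int
    q: int
    dp: int      # d mod (p-1)
    dq: int      # d mod (q-1)
    qinv: int    # q^-1 mod p


def make_key(p: int = P, q: int = Q, e: int = E) -> RsaCrtKey:
    """Derive the CRT parameters from the two primes (assumed coprime to e)."""
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return RsaCrtKey(p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))


def blind_exponent(dx: int, order: int, r: int) -> int:
    """Return dx + r*order.  Modulo a prime whose multiplicative group has
    size `order`, raising to this exponent gives the same result as raising
    to dx (Fermat), but the bit pattern the square-and-multiply loop walks
    is different for every r."""
    return dx + r * order


def crt_private_op(key: RsaCrtKey, c: int) -> int:
    """Unblinded reference: dp and dq are fixed secrets reused every call."""
    m1 = pow(c, key.dp, key.p)
    m2 = pow(c, key.dq, key.q)
    h = (key.qinv * (m1 - m2)) % key.p      # Garner recombination
    return m2 + h * key.q


def blinded_crt_private_op(key: RsaCrtKey, c: int, rbits: int = 64,
                           rng=secrets.randbits) -> int:
    """Same computation with freshly blinded exponents on every call.
    The nonce width (64 bits) and the rng hook are this example's choices."""
    r1 = rng(rbits) | 1      # force r odd, hence nonzero: exponent always rewritten
    r2 = rng(rbits) | 1
    dp_b = blind_exponent(key.dp, key.p - 1, r1)
    dq_b = blind_exponent(key.dq, key.q - 1, r2)
    m1 = pow(c, dp_b, key.p)
    m2 = pow(c, dq_b, key.q)
    # The blinded exponents and nonces are single-use; drop them as soon as
    # the exponentiations are done so they do not sit around during recombination.
    del dp_b, dq_b, r1, r2
    h = (key.qinv * (m1 - m2)) % key.p
    return m2 + h * key.q


def sign_and_verify(key: RsaCrtKey, msg: int) -> bool:
    """Sign through the blinded path, then check the result three ways:
    public-key verification, the unblinded CRT path, and textbook m^d mod n."""
    s = blinded_crt_private_op(key, msg)
    return (pow(s, key.e, key.n) == msg
            and s == crt_private_op(key, msg)
            and s == pow(msg, key.d, key.n))


if __name__ == "__main__":
    k = make_key()
    m = int.from_bytes(b"constructed sample message", "big") % k.n   # constructed input
    print("blinded CRT signature verifies:", sign_and_verify(k, m))
```

Passing a deterministic `rng` into `blinded_crt_private_op` is how the blinded path can be tested against the plain one for a chosen nonce; in production the default `secrets.randbits` is used and the blinded exponent never repeats.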
The problem I see is two-fold:
Comments (and complaints about the academic paper :-) were on jabber yesterday. My point is that their claims are for their community, to be accepted as a good paper; I have my own view.
I think that we should port all of the related changes to gpg1.4, and possibly improve libgcrypt more.
(1) Apply the signal-reducing fixes in libgcrypt (for mpi_powm).
(2) While reviewing the patch, I think that we can reduce the pressure on secure memory to the same level as before; if we can do that, it would be OK to apply the exponent blinding patch. Because:
I mean, we can release the memory of H and RR before calling mpi_powm, if it matters.
(3) For libgcrypt, we can also implement a fixed-window right-to-left algorithm for mpi_powm, and fix the USE_ALGORITHM_SIMPLE_EXPONENTIATION implementation.
- It gives some people relief that the same/similar patch is applied to gpg1.4 (gives them a sign that gpg1.4 is still maintained).
I can agree with that reasoning. This is easier than writing lots of mails explaining that we still care about 1.4.
Applied as rG8fd9f72e1b2e (rsa: Add exponent blinding.).
Needed rG994d5b707559 (rsa: Allow different build directory.) for a different build directory.
And added rG1b1f44846b5f (rsa: Reduce secmem pressure.) to lower the secmem pressure.