- cipher/rsa.c (secret_core_crt): Blind secret D with randomized
nonce R for mpi_powm computation.
Backport of libgcrypt 8725c99ffa41778f382ca97233183bcd687bb0ce.
Signed-off-by: Marcus Brinkmann <firstname.lastname@example.org>
Authored by marcus on Jul 5 2017, 7:21 PM.
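Added illustration of what the commit message describes, written for this page and not taken from libgcrypt or gpg 1.4: each CRT exponent d_p is replaced by d_p + r*(p-1) for a fresh random r, which leaves c^d mod n unchanged while the exponent bits seen by mpi_powm change on every call. The toy key, the exponent form and the function names are constructed assumptions for the example.

```python
# Added illustration of RSA-CRT exponent blinding (not libgcrypt's code).
# Constructed toy key: primes far too small for real use, chosen only so
# the arithmetic is easy to follow.
import secrets

P, Q = 1000003, 1000033            # constructed toy primes
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python >= 3.8)

# CRT parameters as an implementation would precompute them
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)               # u = q^-1 mod p


def blind_exponent(d_part, prime, nbits=64):
    """Return d_part + r*(prime-1) for a fresh random r >= 1.

    By Fermat's little theorem c^(prime-1) == 1 mod prime, so the blinded
    exponent gives the same residue as d_part but a different bit pattern
    on every call, so a per-bit side channel no longer sees a fixed secret.
    """
    r = secrets.randbelow(1 << nbits) + 1
    return d_part + r * (prime - 1)


def rsa_crt_secret(c, blind=True):
    """c^D mod N via CRT; with blind=True each exponent is freshly blinded."""
    dp = blind_exponent(DP, P) if blind else DP
    dq = blind_exponent(DQ, Q) if blind else DQ
    m1 = pow(c % P, dp, P)
    m2 = pow(c % Q, dq, Q)
    h = (QINV * (m1 - m2)) % P     # Garner recombination
    return m2 + h * Q


def check(c):
    """Blinded and unblinded CRT results must both equal textbook c^D mod N."""
    ref = pow(c, D, N)
    return rsa_crt_secret(c, blind=False) == ref and rsa_crt_secret(c) == ref


if __name__ == "__main__":
    print(check(123456789), blind_exponent(DP, P) != blind_exponent(DP, P))
```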
The problem I see is two-fold:
Comments (and complaints about the academic paper :-) were on Jabber yesterday. My point is that their claims are for their community, to be accepted as a good paper; I have my own view.
I think that we should port all of the related changes to gpg1.4, and possibly improve libgcrypt more.
(1) Apply the signal-reducing fixes in libgcrypt (of mpi_powm).
I mean, we can release the memory of H and RR before calling mpi_powm, if it matters.
I can agree to that reasoning. This is easier than writing lots of mails explaining that we still care about 1.4.
Applied as rG8fd9f72e1b2e: rsa: Add exponent blinding.