I think that: This should be applied to libgcrypt master:
(That's because the exposure to side-channel is not only to RSA.)
And then, let us apply exponent blinding patch.
Let's wait the reply from Yarom.
In my opinion, 255-bit of nonce is enough for RSA-2048.
I will backport the changes to 1.7 branch.