It would be good if we had constant-time modular exponentiation.
Description
Revisions and Commits
Status | Assigned | Task
---|---|---
Invalid | gniibe | T3264 Possible RSA improvement
Testing | gniibe | T7490 libgcrypt: constant-time modular exponentiation
Event Timeline
I created https://dev.gnupg.org/source/libgcrypt/history/gniibe%252Ft7490/
The commit rC6dffd105e2e2 works for me.
It is a bit-of-exponent-at-a-time Montgomery exponentiation.
I didn't put in an optimization for the reduction, as I don't know if it's OK patent-wise (it looks expired, though).
Possibly, we can further improve it with a fixed-window approach, once we introduce a constant-time table select function.
(We know the usual constant-time table select function can still be attacked by some power analysis to distinguish a true load from a dummy load. It's OK for me to ignore this kind of attack in our threat model.)
The commit rC58c11aa8 is the improved version, using k-ary exponentiation (while rC6dffd105e2e2 is 1 bit at a time) and using the heap.
Personally, I don't much like the use of the heap (I prefer using stack memory), but with the current limitation of libgcrypt (no automatic variable-sized arrays in the main code), it is the way we do it currently.
Pushed the changes with the commit rC2039d93289db: mpi: Add MPI helper modular exponentiation, Least Leak Intended.
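Added illustration (not libgcrypt code, and not from the commits referenced in this task): a self-contained 64-bit toy showing the two strategies the thread discusses, a bit-at-a-time Montgomery ladder and a fixed-window (k-ary) exponentiation whose table select reads every entry and keeps the wanted one by mask. All names (`mont_ctx`, `mont_mul`, `ct_modexp_ladder`, `ct_modexp_window`, `ct_table_lookup`) are invented here. Assumptions: a GCC/Clang `__int128`, an odd modulus below 2^63 so single-word Montgomery reduction never overflows, and a fixed 64-bit exponent length so the number of iterations does not depend on the exponent value. The masked lookup is exactly the "dummy load" pattern gniibe mentions: it hides the address sequence but not that a load happens, so it does not address power analysis. Whether the compiler keeps the masks branch-free must be checked in the generated assembly; this source expresses the intent only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
typedef unsigned __int128 u128;   /* GCC/Clang extension: 64x64 -> 128-bit products */
/* Montgomery context for an odd modulus 1 < n < 2^63, with R = 2^64 (assumed bounds). */
typedef struct { uint64_t n, n0inv, r2; } mont_ctx;
/* Swap *a and *b iff mask is all-ones; mask is all-ones or zero and is never branched on. */
static void ct_swap(uint64_t mask, uint64_t *a, uint64_t *b)
{
    uint64_t t = (*a ^ *b) & mask;
    *a ^= t; *b ^= t;
}
/* Public setup (the modulus is not secret): -n^-1 mod 2^64 by Newton iteration
   (n odd => n*n == 1 mod 8, so five doublings reach 64 bits), then R^2 mod n. */
static int mont_init(mont_ctx *c, uint64_t n)
{
    if (n <= 1 || (n & 1) == 0 || (n >> 63) != 0)
        return -1;
    uint64_t x = n;
    for (int i = 0; i < 5; i++)
        x *= 2 - n * x;
    c->n = n;
    c->n0inv = 0 - x;
    uint64_t r = (uint64_t)(((u128)1 << 64) % n);
    c->r2 = (uint64_t)(((u128)r * r) % n);
    return 0;
}
/* a*b*R^-1 mod n.  The final reduction is a masked select, not `if (u >= n)`. */
static uint64_t mont_mul(const mont_ctx *c, uint64_t a, uint64_t b)
{
    u128 t = (u128)a * b;
    uint64_t m = (uint64_t)t * c->n0inv;
    uint64_t u = (uint64_t)((t + (u128)m * c->n) >> 64);   /* u < 2n */
    u128 d = (u128)u - c->n;
    uint64_t keep_u = 0 - (uint64_t)(d >> 127);           /* all-ones iff u < n */
    return (u & keep_u) | ((uint64_t)d & ~keep_u);
}
/* Bit-at-a-time Montgomery ladder: each of the 64 iterations does one multiply and
   one square; the exponent bit only drives a masked swap of r0 and r1. */
uint64_t ct_modexp_ladder(uint64_t base, uint64_t e, uint64_t n)
{
    mont_ctx c;
    if (mont_init(&c, n)) return UINT64_MAX;             /* unsupported modulus */
    uint64_t r0 = mont_mul(&c, 1, c.r2);                 /* Montgomery form of 1 */
    uint64_t r1 = mont_mul(&c, base % n, c.r2);          /* Montgomery form of base */
    for (int i = 63; i >= 0; i--) {
        uint64_t bit = 0 - ((e >> i) & 1);
        ct_swap(bit, &r0, &r1);
        r1 = mont_mul(&c, r0, r1);
        r0 = mont_mul(&c, r0, r0);
        ct_swap(bit, &r0, &r1);
    }
    return mont_mul(&c, r0, 1);                          /* leave Montgomery form */
}
/* Constant-time table select: read every entry and keep the wanted one by mask,
   so the address pattern does not depend on idx (a load still happens per entry). */
static uint64_t ct_table_lookup(const uint64_t *tab, size_t len, uint64_t idx)
{
    uint64_t r = 0;
    for (size_t i = 0; i < len; i++) {
        uint64_t x = (uint64_t)i ^ idx;
        r |= tab[i] & (((x | (0 - x)) >> 63) - 1);      /* mask is all-ones iff i == idx */
    }
    return r;
}
/* Fixed-window (k-ary, k = 4) exponentiation using the masked lookup above.
   The exponent is always processed as 64 bits, so the operation count is fixed. */
#define WBITS 4
#define WSIZE (1u << WBITS)
uint64_t ct_modexp_window(uint64_t base, uint64_t e, uint64_t n)
{
    mont_ctx c;
    uint64_t tab[WSIZE], acc;
    if (mont_init(&c, n)) return UINT64_MAX;             /* unsupported modulus */
    tab[0] = mont_mul(&c, 1, c.r2);
    tab[1] = mont_mul(&c, base % n, c.r2);
    for (size_t i = 2; i < WSIZE; i++)
        tab[i] = mont_mul(&c, tab[i - 1], tab[1]);
    acc = tab[0];
    for (int i = 64 - WBITS; i >= 0; i -= WBITS) {
        for (int j = 0; j < WBITS; j++)
            acc = mont_mul(&c, acc, acc);
        acc = mont_mul(&c, acc, ct_table_lookup(tab, WSIZE, (e >> i) & (WSIZE - 1)));
    }
    return mont_mul(&c, acc, 1);
}
int main(void)
{
    const uint64_t p = 2305843009213693951ULL;   /* 2^61 - 1, prime, so 3^(p-1) == 1 */
    printf("ladder=%llu window=%llu\n", (unsigned long long)ct_modexp_ladder(3, p - 1, p),
           (unsigned long long)ct_modexp_window(3, p - 1, p));
    return 0;
}
```

Both entry points return `UINT64_MAX` for an even modulus, a modulus of 1, or one at or above 2^63, which cannot collide with a real result since results are always below n. The ladder does 128 Montgomery products for any 64-bit exponent; the 4-bit window does 64 squarings plus 16 products plus a 16-entry table, which is the trade-off gniibe describes between the 1-bit and k-ary versions.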