Home GnuPG

cipher: Use ciphertext blinding for Elgamal decryption.
d482948ac417Unpublished

Unpublished Commit · Learn More

Not On Permanent Ref: This commit is not an ancestor of any permanent ref.

Description

cipher: Use ciphertext blinding for Elgamal decryption.

* cipher/elgamal.c (USE_BLINDING): New.
(decrypt): Rewrite to use ciphertext blinding.

CVE-id: CVE-2014-3591

As a countermeasure to a new side-channel attacks on sliding windows
exponentiation we blind the ciphertext for Elgamal decryption. This
is similar to what we are doing with RSA. This patch is a backport of
the GnuPG 1.4 commit ff53cf06e966dce0daba5f2c84e03ab9db2c3c8b.

Unfortunately, the performance impact of Elgamal blinding is quite
noticeable (i5-2410M CPU @ 2.30GHz TP 220):

Algorithm         generate  100*priv  100*public
------------------------------------------------
ELG 1024 bit             -     100ms        90ms
ELG 2048 bit             -     330ms       350ms
ELG 3072 bit             -     660ms       790ms

Algorithm         generate  100*priv  100*public
------------------------------------------------
ELG 1024 bit             -     150ms        90ms
ELG 2048 bit             -     520ms       360ms
ELG 3072 bit             -    1100ms       800ms

(cherry picked from commit 410d70bad9a650e3837055e36f157894ae49a57d)

  • Signed-off-by: Werner Koch <wk@gnupg.org>

Details

Provenance
wernerAuthored on Feb 23 2015, 11:39 AM
Parents
rC0c2d1443124d: Fix prime test for 2 and lower and add check command to mpicalc.
Branches
Unknown
Tags
Unknown

Event Timeline