On 04/07/2012 03:38 PM, Simon Josefsson wrote:
What about _ct for constant time? The _blinding is really specific on the method used to achieve constant time.
But it's not really constant time, is it? Rather, timing is random but independent of the inputs which are under control of the attacker. While without RSA blinding, timing depends on the secret key and on data provided by the attacker, which is a bad combination.
Maybe a better term to use is "reduced side channel" or something. Not easy to shorten though. The generic problem addressed here is side channels.
Indeed, but side channels also contain the issues due to power analysis, and I don't know if the same techniques that make an algorithm timing-analysis resistant also apply to power analysis.
regards, Nikos
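The RSA blinding the thread refers to, as an added Python example that is not GnuTLS or nettle code; the key values are constructed textbook ones and the blinding factor r is drawn fresh per operation so the key-dependent exponentiation never runs directly on attacker-chosen input:

```python
import math
import secrets
from typing import Optional

# Constructed textbook-size RSA key (p=61, q=53); far too small for real use,
# only here so the arithmetic is easy to follow.
N, E, D = 3233, 17, 2753


def rsa_private_raw(c: int, d: int, n: int) -> int:
    """Unblinded private-key operation: its timing depends on d and on c."""
    return pow(c, d, n)


def blind(c: int, e: int, n: int, r: int) -> int:
    """Multiply the ciphertext by r^e so the exponentiation sees r^e*c, not c."""
    return (c * pow(r, e, n)) % n


def unblind(m_blinded: int, n: int, r: int) -> int:
    """Strip the factor r that blinding leaves in the result: (r*m) * r^-1 = m."""
    return (m_blinded * pow(r, -1, n)) % n


def random_blinding_factor(n: int) -> int:
    """Pick a fresh r in [2, n-1] coprime to n; a new r per call keeps the
    exponentiation input unpredictable to whoever chose c."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def rsa_private_blinded(c: int, d: int, e: int, n: int,
                        r: Optional[int] = None) -> int:
    """Private-key operation with RSA blinding: (c*r^e)^d = m*r (mod n),
    so multiplying by r^-1 recovers m without ever exponentiating c itself."""
    if r is None:
        r = random_blinding_factor(n)
    m_blinded = rsa_private_raw(blind(c, e, n, r), d, n)
    return unblind(m_blinded, n, r)
```

The timing of `rsa_private_raw` still varies, but it varies with r^e*c, which the party supplying c does not know.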