Sat 2012-04-07 at 20:30 +0200, Nikos Mavrogiannopoulos wrote:
On 04/07/2012 03:38 PM, Simon Josefsson wrote:
What about _ct for constant time? The _blinding is really specific on the method used to achieve constant time.
But it's not really constant time, is it? Rather, timing is random but independent of the inputs which are under control of the attacker. While without RSA blinding, timing depends on the secret key and on data provided by the attacker, which is a bad combination.
Maybe a better term to use is "reduced side channel" or something. Not easy to shorten though. The generic problem addressed here is side channels.
Indeed, but side channels also contain the issues due to power analysis, and I don't know if the same techniques that make an algorithm timing analysis resistant also apply for power analysis.
Right, but maybe the API name could be general so that it could implement mitigation against power analysis as well in the future, if needed. Or some other side channel attack (cache misses, etc).
/Simon
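RSA blinding as the thread describes it (the exponentiation runs on a randomly masked value, so its timing no longer correlates with attacker-chosen input), as an added example that is not part of the original mail exchange or of any library's code; the toy key values are constructed for illustration.

```python
# Added example, not from the thread. Toy key constructed for illustration:
# p=61, q=53 -> n=3233, phi=3120, e=17, d=2753 (17*2753 = 1 mod 3120).
# Real keys are 2048 bits or more; the blinding logic is the same.
import secrets
from math import gcd

N, E, D = 3233, 17, 2753


def rsa_private_raw(c: int) -> int:
    """Unblinded private operation c^d mod n. In a real bignum library the
    work done here depends on both the secret d and the attacker-supplied c,
    which is the combination the thread calls dangerous."""
    return pow(c, D, N)


def rsa_private_blinded(c: int) -> int:
    """Blinded private operation. A fresh random r masks the input as
    c * r^e mod n before exponentiation, so the value being exponentiated is
    independent of the attacker's c; r^-1 removes the mask afterwards.
    (c * r^e)^d = c^d * r^(e*d) = m * r mod n."""
    while True:
        r = secrets.randbelow(N - 2) + 2        # 2 <= r < n
        if gcd(r, N) == 1:                      # r must be invertible mod n
            break
    masked = (c * pow(r, E, N)) % N
    m_masked = pow(masked, D, N)                # equals m * r mod n
    return (m_masked * pow(r, -1, N)) % N       # unmask: multiply by r^-1


def roundtrip_ok(m: int) -> bool:
    """Encrypt m with the public key and check that both private operations
    recover it, i.e. blinding does not change the result."""
    c = pow(m, E, N)
    return rsa_private_blinded(c) == rsa_private_raw(c) == m
```

Note that Python's `pow` is itself not constant time; the example shows the masking step, not a hardened bignum implementation.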