On 04/07/2012 03:30 PM, Niels Möller wrote:
>> What about _ct for constant time? The _blinding is really specific on the method used to achieve constant time.
> But it's not really constant time, is it? Rather, timing is random but independent of the inputs which are under control of the attacker. While without RSA blinding, timing depends on the secret key and on data provided by the attacker, which is a bad combination.
Indeed. So is _timing_resistant or _tr better?
> BTW, what's a good reference for the recommendation to use RSA blinding? Is it in Handbook of applied cryptography? (I think pointers to papers on attacks have been posted previously, but that's describing the problem, not the solution...).
I've seen it there: ftp://ftp.rsasecurity.com/pub/pdfs/bull-2.pdf
regards, Nikos
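
The base blinding discussed in this thread, as an added illustration that is not part of the original message and is not Nettle's code. The toy key (built from two Mersenne primes), the function names and the `trace` parameter are assumptions made for the example.

```python
import math
import secrets

# Constructed toy key from two known Mersenne primes (illustration only;
# real keys are 2048 bits or more and use randomly generated primes).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def rsa_private_plain(c, d=D, n=N):
    """Unblinded private-key operation: the secret exponent is applied
    directly to c, a value the caller (possibly an attacker) chose."""
    return pow(c, d, n)

def rsa_private_blinded(c, d=D, e=E, n=N, trace=None):
    """Private-key operation with base blinding.

    The secret exponent is applied to c * r^e mod n for a fresh random r,
    so the exponentiation input is random and not chosen by the caller.
    """
    while True:
        r = secrets.randbelow(n - 2) + 2       # r in [2, n-1]
        if math.gcd(r, n) == 1:                # r must be invertible mod n
            break
    blinded = (c * pow(r, e, n)) % n           # c' = c * r^e
    if trace is not None:
        trace.append(blinded)                  # what the secret exponent actually saw
    m_blinded = pow(blinded, d, n)             # (c * r^e)^d = c^d * r
    return (m_blinded * pow(r, -1, n)) % n     # multiply by r^-1 to recover c^d

def demo(m=123456789, rounds=5):
    """Decrypt the same ciphertext several times and record the blinded inputs."""
    c = pow(m, E, N)
    seen = []
    results = [rsa_private_blinded(c, trace=seen) for _ in range(rounds)]
    return c, results, seen

if __name__ == "__main__":
    c, results, seen = demo()
    print("ciphertext      :", c)
    print("plain result    :", rsa_private_plain(c))
    print("blinded results :", results)
    print("values exponentiated with d:", seen)
```

Python's `pow` is not constant time; the example shows only the algebra of blinding and that the value exponentiated with the secret key changes on every call, not a timing measurement.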