Nikos Mavrogiannopoulos <nmav@gnutls.org> writes:
> What about _ct for constant time? The _blinding is really specific on the method used to achieve constant time.
But it's not really constant time, is it? Rather, timing is random but independent of the inputs which are under control of the attacker. While without RSA blinding, timing depends on the secret key and on data provided by the attacker, which is a bad combination.
The function mpz_powm_sec in recent GMP is supposed to really be "constant time" (assuming the underlying multiply-instruction doesn't have data-dependent timing). I.e., the instructions executed and the memory access pattern should depend only on the sizes of the input operands, not on the actual values. Hence it should be resistant both to timing attacks, and attacks manipulating or observing the memory cache hit rate.
But RSA operations use a couple of additional functions, which don't yet have constant-time counterparts, so I don't use that function yet.
BTW, what's a good reference for the recommendation to use RSA blinding? Is it in Handbook of applied cryptography? (I think pointers to papers on attacks have been posted previously, but that's describing the problem, not the solution...).
Regards, /Niels
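The blinding step under discussion, as an added example written for this page rather than code from Nettle or GMP: a toy key, a sample message and Python's pow() are constructed assumptions, and pow() is itself not constant time, so the block illustrates only the algebra that makes the private exponentiation's input independent of the attacker-chosen ciphertext.

```python
import secrets
from math import gcd

# Constructed toy RSA key: both primes are far too small for real use;
# the point is the blinding algebra, not the key strength.
P, Q = 1000003, 999983
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # private exponent (Python 3.8+ modular inverse)


def decrypt_unblinded(c: int) -> int:
    # The private exponentiation runs directly on attacker-chosen c with the
    # secret d: a non-constant-time powm then leaks timing tied to both.
    return pow(c, D, N)


def fresh_blinding_factor() -> int:
    # A random r invertible mod N; the gcd check only matters for toy moduli.
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r


def blind(c: int, r: int) -> tuple[int, int]:
    # c' = c * r^e mod N is uniformly random from the attacker's viewpoint,
    # so the timing of pow(c', d, N) no longer correlates with c.
    return (c * pow(r, E, N)) % N, pow(r, -1, N)


def unblind(m_blind: int, r_inv: int) -> int:
    # (c * r^e)^d = m * r^(ed) = m * r (mod N), so multiply by r^-1.
    return (m_blind * r_inv) % N


def decrypt_blinded(c: int) -> int:
    r = fresh_blinding_factor()          # fresh per operation
    c_blind, r_inv = blind(c, r)
    m_blind = pow(c_blind, D, N)         # the only step that uses d
    return unblind(m_blind, r_inv)
```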