[Cryptech Core] modexp optimization plans (was: Re: teleconf?)

Rob Austein sra at hactrn.net
Sat Jun 20 15:02:44 UTC 2015


At Sat, 20 Jun 2015 11:45:46 +0200, Peter Stuge wrote:
> 
> Joachim Strömbergson wrote:
> > 4.2 Implement support for short exponent. Currently the size of the
> > exponent is ignored. This means that an operation with a public exponent
> > (such as 65537) takes as long as if the exponent were as big as the
> > modulus. This fix is easy to do and will drastically reduce the time to
> > do operations with short exponents.
> 
> It also introduces a timing artefact based on input data. Like
> operation skipping I think this needs to be configurable, if possible
> at all.

Er, at least for RSA, the short public exponent is, um, public, and
it's pretty obvious which operations use the public exponent and which
ones use the private exponent, so letting it run fast for the public
exponent doesn't leak anything your adversary didn't already know.
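The trade-off the thread is arguing about can be made concrete with a small square-and-multiply model. The following is an added illustration, not code from the Cryptech core or from either poster: it scans the exponent either over the modulus width (what Joachim describes the current core doing) or over the exponent's own bit length (the proposed short-exponent optimisation), and counts loop steps as a stand-in for time. The RSA parameters are constructed toy values (two small well-known primes), not real key material.

```python
# Added example (not Cryptech code): how exponent-scan width affects the
# work done by square-and-multiply modular exponentiation.

def modexp(base, exp, mod, scan_bits=None):
    """Left-to-right square-and-multiply, MSB first.

    scan_bits: how many exponent bits to scan. None means scan exactly
    exp.bit_length() bits (short-exponent optimisation: runtime follows
    the exponent's length). Passing mod.bit_length() instead makes the
    loop count independent of the exponent's size, which is the
    behaviour the thread says the current core has.
    Returns (result, squarings, multiplications).
    """
    if scan_bits is None:
        scan_bits = exp.bit_length()
    # Bits above scan_bits would be silently dropped; refuse that.
    assert exp >> scan_bits == 0, "exponent wider than scan window"
    result = 1
    squarings = 0
    multiplications = 0
    for i in range(scan_bits - 1, -1, -1):
        result = (result * result) % mod
        squarings += 1
        if (exp >> i) & 1:
            result = (result * base) % mod
            multiplications += 1
    return result % mod, squarings, multiplications


# Constructed toy RSA parameters (assumption: small known primes, only to
# keep the arithmetic readable; nothing here is real key material).
P = 104729        # the 10000th prime
Q = 1299709       # the 100000th prime
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)   # private exponent (Python 3.8+ modular inverse)


def compare_scan_widths(m):
    """Encrypt m with the public exponent E both ways and report the work.

    'short' scans only E's 17 bits; 'full' scans N.bit_length() bits,
    the same count a private-exponent operation would take.
    Returns a dict with results and step counts; both results must agree.
    """
    short_res, short_sq, short_mul = modexp(m, E, N)
    full_res, full_sq, full_mul = modexp(m, E, N, scan_bits=N.bit_length())
    return {
        "short": (short_res, short_sq, short_mul),
        "full": (full_res, full_sq, full_mul),
        "agree": short_res == full_res == pow(m, E, N),
    }


def roundtrip(m):
    """RSA sign/verify shaped round trip: m -> m^E -> (m^E)^D mod N."""
    c, _, _ = modexp(m, E, N)
    back, _, _ = modexp(c, D, N)
    return back


if __name__ == "__main__":
    info = compare_scan_widths(123456789)
    print("short-exponent scan:", info["short"][1], "squarings,", info["short"][2], "multiplies")
    print("full-width scan:    ", info["full"][1], "squarings,", info["full"][2], "multiplies")
    print("results agree:", info["agree"])
```

The step counts show both sides of the argument: with the short scan, an operation using E takes 17 squarings where a full-width scan takes N.bit_length() of them, so the optimisation is a large win, and the quantity it exposes is only the public exponent's length. Note that even the full-width loop still performs a conditional multiply per set bit, so it hides the exponent's length but not its Hamming weight; a genuinely constant-time variant would perform the multiply unconditionally and select the result.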



More information about the Core mailing list