[Cryptech Tech] RSA blinding (was: Re: Fun RSA implementation vulnerability: left-to-right sliding window modexp)

Russ Housley housley at vigilsec.com
Mon Jul 3 21:35:19 UTC 2017


>> If the Verilog is constant-time and constant-power-consumption, then the
>> major side channels are protected.  
> 
> I don't think anyone's ever managed to do a constant-time, constant-power,
> constant-EMI, constant-* implementation of something like that have they?  You
> occasionally get conference papers demonstrating some new side-channel-
> analysis-resistant implementation, but then the following year at the same
> conference you get another paper un-demonstrating it.

Indeed.  I was trying to say that constant-time is the best we can hope to achieve, and then put a tamper boundary around the whole thing to make it difficult to measure anything else.

Russ
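The reply above rests on two mitigations that are usually deployed together in an RSA private-key operation: an exponentiation whose sequence of squares and multiplies does not depend on the exponent bits (the constant-time part), and base blinding (the subject line), so that whatever does leak is measured on a value the attacker did not choose. The block below is an added example, not code from this thread or from the Cryptech project; the key primes, the message, and every function name are constructed for illustration. It contrasts the bit-dependent operation trace of a naive left-to-right modexp with a Montgomery ladder whose trace is the same for every exponent of a given length, and wraps that ladder in random blinding:

```python
"""Added example (not from the Cryptech list thread): RSA base blinding wrapped
around an exponent-independent (Montgomery ladder) modexp.  Key material and
message are constructed toy values; nothing here is Cryptech's Verilog or firmware."""
import math
import secrets

# Constructed toy key: two known primes, the usual public exponent.
P = 1000000007
Q = 998244353
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse; needs Python 3.8+


def naive_trace(exp):
    """Operation sequence of left-to-right square-and-multiply, starting from 1.
    A multiply ('M') follows a square ('S') only for 1 bits, so the trace is
    the exponent, which is exactly what a side channel on this loop recovers."""
    ops = []
    for i in range(exp.bit_length() - 1, -1, -1):
        ops.append("S")
        if (exp >> i) & 1:
            ops.append("M")
    return "".join(ops)


def cswap(bit, a, b):
    """Swap a and b iff bit == 1, by masking rather than branching.
    Python ints act as infinite-width two's complement, so -1 is all ones."""
    mask = -bit
    t = (a ^ b) & mask
    return a ^ t, b ^ t


def ladder_modexp(base, exp, mod, nbits):
    """Montgomery ladder: exactly one multiply and one square per bit over a
    fixed nbits iterations, whatever the bit values.  Caveat: Python big-int
    arithmetic is not itself constant-time; this shows the control structure."""
    r0, r1 = 1, base % mod
    for i in range(nbits - 1, -1, -1):
        bit = (exp >> i) & 1
        r0, r1 = cswap(bit, r0, r1)
        r1 = r0 * r1 % mod
        r0 = r0 * r0 % mod
        r0, r1 = cswap(bit, r0, r1)
    return r0


def ladder_trace(exp, nbits):
    """Operation sequence of the ladder: identical for every nbits-bit exponent."""
    return "MS" * nbits


def blinded_private_op(c, n=N, e=E, d=D):
    """c^d mod n with a fresh random blinding factor r: the exponentiation runs
    on r^e * c, which is unrelated to the attacker-supplied c, and r^-1 removes
    the blinding from the result."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:       # r must be invertible mod n
            break
    c_blind = c * pow(r, e, n) % n
    m_blind = ladder_modexp(c_blind, d, n, n.bit_length())
    return m_blind * pow(r, -1, n) % n


def roundtrip(m):
    """Encrypt with the public key, then decrypt through the blinded private op."""
    return blinded_private_op(pow(m, E, N))


if __name__ == "__main__":
    print(naive_trace(0b1011))        # trace differs from naive_trace(0b1000)
    print(ladder_trace(0b1011, 4))    # same string as ladder_trace(0b1000, 4)
    print(roundtrip(123456789) == 123456789)
```

Two things are worth noting when reading this against the thread. The ladder fixes the *sequence* of operations, which is the property a sliding-window implementation lacks, but not the power or EM signature of each multiply, and in software the multiplier itself is rarely constant-time; that residual leakage is what blinding addresses, by ensuring the leaked value is a random multiple of the input rather than the input itself. Neither one replaces the tamper boundary Russ mentions, which is what prevents the measurement in the first place.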


