[Cryptech Tech] RSA blinding (was: Re: Fun RSA implementation vulnerability: left-to-right sliding window modexp)

Warren Kumari warren at kumari.net
Mon Jul 3 21:43:16 UTC 2017


On Mon, Jul 3, 2017 at 4:48 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> Rob Austein <sra at hactrn.net> writes:
>
>>We've left RSA blinding enabled unconditionally in all cases for now, out of
>>paranoia, but would be interested in opinions from wider heads about how
>>necessary this really is.
>
> Definitely a good idea in any case.  Most of the side-channel attacks require
> repeated sampling of an operation and then statistical analysis to break out
> the details of interest, with randomisation each time you're making that a lot
> harder.
>
> Russ Housley <housley at vigilsec.com> writes:
>
>>If the Verilog is constant-time and constant-power-consumption, then the
>>major side channels are protected.
>
> I don't think anyone's ever managed to do a constant-time, constant-power,
> constant-EMI, constant-* implementation of something like that have they?  You
> occasionally get conference papers demonstrating some new side-channel-
> analysis-resistant implementation, but then the following year at the same
> conference you get another paper un-demonstrating it.
>
> The thing is, for hardware you don't actually need to have a side-channel-
> resistant implementation.  For software you do because the person writing the
> conference paper can give themselves whatever privileges they need to perform
> the attack (hostile code running on the same CPU with insight into the cache
> or memory access patterns or whatever), but with an HSM you define how far
> they can go, and that's the outside of the HSM.
>
> There's a twenty-year-old HSM, IBM's 4758, that was resistant to pretty much
> all of the side-channel attacks that came along after it was developed, not
> because the developers were magically aware of them but because they used good
> engineering practice, power supply decoupling, filtering, etc (I asked them
> about how they managed it and that was their explanation, we designed it
> properly from the outset).

Wow, the 4758 brings back memories -- after reading
https://www.cl.cam.ac.uk/~rnc1/descrack/ I spent many hours on eBay
and similar trying to find an inexpensive one to play with.

I eventually found one which someone had previously poked at and
destroyed, and spent many happy hours unpotting it... I think I still
have bits of it lurking in a box somewhere...

W

>
> So worst case all you need to worry about is timing attacks, which is what you
> have blinding for.  If you're still worried then given that you're building an
> HSM rather than a crypto accelerator, so security is more important than
> throughput, quantise the production of results.  That can eventually be
> defeated too with enough samples, but since you're blinding as well you're
> making it pretty difficult for the attacker.
>
> Peter.
> _______________________________________________
> Tech mailing list
> Tech at cryptech.is
> https://lists.cryptech.is/listinfo/tech



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
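The blinding Peter refers to above is the Chaum-style trick of feeding the private exponentiation a randomised input and stripping the randomness off afterwards. The following is an added illustration, not code from the Cryptech project or from anyone on this thread; it uses a constructed toy modulus (two small well-known primes, far below real key sizes) so that it runs stand-alone, and the function and parameter names are my own.

```python
import math
import secrets

# Constructed toy RSA key for demonstration only: real keys use 2048-bit or
# larger moduli. Both primes are well-known small primes.
P = 1_000_000_007
Q = 998_244_353
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)          # private exponent (pow(x, -1, m) needs Python 3.8+)


def rsa_private_unblinded(m):
    """Plain private-key operation: the exponentiation runs directly on the
    attacker-chosen input m, so each run's timing/power trace is a function
    of m and D, and repeated sampling on chosen inputs can be averaged."""
    return pow(m, D, N)


def random_blinding_factor():
    """Pick r uniformly in [2, N-1] with gcd(r, N) == 1 so r is invertible mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r


def blind(m, r):
    """Multiply the input by r^e mod N; the result is unpredictable to an observer."""
    return (m * pow(r, E, N)) % N


def unblind(s_blinded, r):
    """(m * r^e)^d = m^d * r^(e*d) = m^d * r (mod N), so dividing by r recovers m^d."""
    return (s_blinded * pow(r, -1, N)) % N


def rsa_private_blinded(m, r=None):
    """Private-key operation with blinding. The secret-dependent exponentiation
    acts on blind(m, r), a value the attacker neither chose nor can predict, so
    per-operation measurements cannot be correlated with m. r may be supplied
    for testing; in production it must be fresh (or re-randomised) every call."""
    if r is None:
        r = random_blinding_factor()
    return unblind(pow(blind(m, r), D, N), r)


def rsa_verify(m, s):
    """Public-key check that a (blinded or unblinded) signature is correct."""
    return pow(s, E, N) == m % N


if __name__ == "__main__":
    msg = 123456789
    sig = rsa_private_blinded(msg)
    assert sig == rsa_private_unblinded(msg)
    assert rsa_verify(msg, sig)
    # Same message, two calls: the value that reaches the secret exponentiation differs.
    print(blind(msg, random_blinding_factor()), blind(msg, random_blinding_factor()))
```

The output of the blinded path is bit-for-bit the same signature, which is why it can be left on unconditionally at the cost of one public exponentiation and one modular inversion per operation. Note what it does and does not buy: it decorrelates the exponentiation's input from anything the attacker controls, which is the property Peter is relying on against repeated-sampling timing attacks, but it does not by itself make the modexp constant-time, and a blinding factor reused across operations reintroduces the correlation it was meant to remove.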

