Re: [TLS] Issue #12: RSA/DSA/DH timing attacks



On Fri, Jun 08, 2007 at 01:15:52PM +0200, Bodo Moeller wrote:

> Having said that, here's how you could try to add blinding to DSA
> exponentiations -- either base and exponent blinding or just exponent
> blinding:
> 
> - Compute  g^k  as  g'^k'  where  g' = g^m  (m random) is a blinded
>   base value, and where  k' = m'*k mod q.  (Just as with RSA, you
>   could keep the blinding parameters for a number of cryptographic
>   operations for better performance.)

Er,  k' = k/m' mod q,  of course.  (I.e., you need a mod-q inversion.)

> - Compute  g^k  as  g^(k + m*q + m') * g^(q - m'),  where blinding
>   parameters  m  and  m'  both can be quite short.


Bodo
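
Both blinding variants from the message above, as an added example that is not part of the original post or of any TLS implementation. The group parameters are a constructed toy DSA-style group, the function names are hypothetical, and the same random value m is assumed for both g' and k' in the first variant.

```python
import secrets

# Constructed toy DSA-style group (far too small for real use):
# p and q prime, q divides p - 1, g has order q in Z_p^*.
P, Q = 607, 101          # 607 - 1 = 6 * 101
G = pow(2, (P - 1) // Q, P)   # = 64, generates the order-q subgroup


def plain_exp(k):
    """Unblinded reference: g^k mod p."""
    return pow(G, k, P)


def base_and_exponent_blinding(k, m=None):
    """Compute g^k as g'^k' with g' = g^m and k' = k/m mod q."""
    if m is None:
        m = secrets.randbelow(Q - 1) + 1      # 1..q-1, so m is invertible mod q
    g_blind = pow(G, m, P)                    # blinded base g'
    k_blind = (k * pow(m, -1, Q)) % Q         # needs the mod-q inversion
    # g'^k' = g^(m * k/m) = g^k because g has order q.
    return pow(g_blind, k_blind, P)


def exponent_blinding(k, m=None, m2=None, bits=16):
    """Compute g^k as g^(k + m*q + m') * g^(q - m')."""
    if m is None:
        m = secrets.randbits(bits)            # short multiplier of q
    if m2 is None:
        m2 = secrets.randbelow(Q)             # m' kept below q so q - m' > 0
    # The two exponents sum to k + (m + 1)*q, and g^q = 1 mod p.
    first = pow(G, k + m * Q + m2, P)
    second = pow(G, Q - m2, P)
    return (first * second) % P


if __name__ == "__main__":
    k = secrets.randbelow(Q - 1) + 1          # per-signature DSA nonce
    print(plain_exp(k), base_and_exponent_blinding(k), exponent_blinding(k))
```

The blinding values can be passed in explicitly, which also allows reusing them across several operations as the message suggests for the first variant.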
