
Blinding is often used to mask private key operations when the underlying problem is integer factorization. For example, it's used in both RSA and Rabin-Williams signature schemes. This presumes integer operations are not constant time.

I have two questions:

  • Is blinding used in schemes other than integer factorization?
  • Are there other options to guard the private key against timing attacks available to software implementations on commodity hardware?

The reason I ask is Evgeny Sidorov's Breaking the Rabin-Williams digital signature system implementation in the Crypto++ library (a.k.a. CVE-2015-2141). There was a bad interaction with the blinding value and Jacobi requirements on p, q, which resulted in a private key recovery.

One of the suggested remediations was to disable blinding. I'm trying to gauge the impact of doing it in libraries like OpenSSL and Crypto++, and how much needs to change if blinding is optional. (It is already optional in OpenSSL, but not Crypto++).

R1w
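To make the question concrete, here is an added example (not code from the question, from OpenSSL or from Crypto++) of the multiplicative blinding that RSA-style implementations apply before the private-key exponentiation. The signer picks a random `r` coprime to `n`, raises the message to the private exponent only after multiplying it by `r^e`, and strips `r` from the result afterwards, so the secret exponentiation never runs on an attacker-chosen input. The key is a constructed textbook-sized one (p = 61, q = 53) chosen so the values can be checked by hand; it is not a secure key.

```python
import secrets
from math import gcd

# Constructed toy RSA key: small primes for illustration only, not secure.
P, Q = 61, 53
N = P * Q                              # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))      # 2753, private exponent (Python 3.8+ modular inverse)


def sign_unblinded(m, d=D, n=N):
    """Plain RSA private-key operation: the exponentiation runs directly on m."""
    return pow(m, d, n)


def pick_blind(n):
    """Random blinding factor r with gcd(r, n) == 1 so that r is invertible mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def sign_blinded(m, d=D, e=E, n=N):
    """RSA private-key operation with multiplicative blinding.

    Computes (m * r^e)^d mod n, which equals m^d * r mod n because
    (r^e)^d = r mod n, then multiplies by r^-1 to remove the blind.
    The exponentiation by d therefore sees only the randomised value
    m * r^e, which is what a timing measurement would be keyed on.
    """
    r = pick_blind(n)
    r_inv = pow(r, -1, n)
    blinded = (m * pow(r, e, n)) % n
    sig_blinded = pow(blinded, d, n)    # private-key op on the blinded input
    return (sig_blinded * r_inv) % n


def verify(m, s, e=E, n=N):
    """Public-key check: a valid signature satisfies s^e == m mod n."""
    return pow(s, e, n) == m % n


if __name__ == "__main__":
    msg = 2790
    s1 = sign_unblinded(msg)
    s2 = sign_blinded(msg)
    print(s1, s2, verify(msg, s2))   # blinded and unblinded signatures agree
```

The blinded and unblinded paths return the same signature, so blinding is transparent to verifiers and can be toggled per implementation (as the question notes OpenSSL already allows); what changes is only which values the secret exponentiation touches. Note that RSA places no constraint on the blinding factor beyond `gcd(r, n) == 1`; schemes such as Rabin-Williams that impose Jacobi-symbol conditions on the signed value need the blind to respect those conditions too, which is the interaction the question refers to.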

1 Answer


1) Blinding has been used, for example, to design a version of El Gamal encryption that is resilient to certain side-channel attacks --- see [PK] and the references therein.

2) The goal of the field of leakage-resilient cryptography is to model and study (from a theoretical perspective) what security can be guaranteed against side-channel attacks (including e.g., timing attacks). See this recent survey or this excellent blog post for more details on the type of models that are being considered.

[PK]: Pietrzak and Kiltz. Leakage Resilient ElGamal Encryption

ckamath