minoca / os

Minoca operating system

RSA implementation vulnerable to timing attack + incorrect #4

Status: Open. wbl opened this issue 7 years ago

wbl commented 7 years ago

The RSA implementation in os/rsa.c uses the Chinese Remainder Theorem without blinding to efficiently decrypt. This introduces a timing attack, slightly different from the published one, where the variance of the runtime as a function of the argument to the reduction leaks the private components of the key. The standard countermeasure is blinding.

The Handbook of Applied Cryptography states that Barrett reduction potentially requires two subtractions at the end, not just the one performed in the code.
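
The two points in the report, worked with small numbers, as an added example that is not Minoca's code and is not taken from the issue. The first part implements Barrett reduction as written in HAC Algorithm 14.42 with a counter on the final correction loop, and exhibits an input (radix 2, 3-digit modulus 5, x = 55, chosen here so it can be checked by hand) for which the quotient estimate is short by two, so a single conditional subtraction would return a value still above the modulus. The second part implements RSA-CRT decryption with Garner recombination, then the same decryption with base blinding (random r, decrypt c * r^e, multiply by r^-1), and checks that both return the same plaintext; the key is built from two constructed toy primes (1000003 and 999983), not a real key. Python big integers are not constant time, so the example demonstrates the algebra of the countermeasure, not a timing measurement.

```python
"""Added example: Barrett's corrective subtractions and RSA-CRT base blinding.
Not Minoca's code.  Key material below is constructed for illustration."""
import secrets
from collections import namedtuple


def barrett_reduce(x, m, b, k):
    """Return (x mod m, number of final subtractions) per HAC Algorithm 14.42,
    radix b, k-digit modulus.  Preconditions: b**(k-1) <= m < b**k and
    0 <= x < b**(2*k)."""
    assert b ** (k - 1) <= m < b ** k and 0 <= x < b ** (2 * k)
    mu = b ** (2 * k) // m                  # precomputed once per modulus
    q1 = x // b ** (k - 1)
    q3 = (q1 * mu) // b ** (k + 1)          # estimate of floor(x / m)
    r1 = x % b ** (k + 1)
    r2 = (q3 * m) % b ** (k + 1)
    r = r1 - r2
    if r < 0:
        r += b ** (k + 1)
    subtractions = 0
    while r >= m:                           # HAC Fact 14.43: at most twice
        r -= m
        subtractions += 1
    return r, subtractions


def max_subtractions(m, b, k):
    """Brute force over every admissible x: the largest number of corrective
    subtractions Barrett needs for this (m, b, k)."""
    return max(barrett_reduce(x, m, b, k)[1] for x in range(b ** (2 * k)))


def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def modinv(a, n):
    g, u, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError("not invertible")
    return u % n


RsaKey = namedtuple("RsaKey", "n e d p q dp dq qinv")


def make_key(p, q, e=65537):
    """Build a CRT private key from two primes with gcd(e, (p-1)(q-1)) == 1."""
    d = modinv(e, (p - 1) * (q - 1))
    return RsaKey(p * q, e, d, p, q, d % (p - 1), d % (q - 1), modinv(q, p))


def rsa_crt_decrypt(c, key):
    """Plain CRT decryption (Garner recombination).  The reductions and
    exponentiations mod p and mod q operate on the attacker-chosen c."""
    mp = pow(c % key.p, key.dp, key.p)
    mq = pow(c % key.q, key.dq, key.q)
    h = (key.qinv * (mp - mq)) % key.p
    return mq + key.q * h


def rsa_crt_decrypt_blinded(c, key):
    """Base blinding: decrypt c * r^e for a fresh random r coprime to n, then
    strip r.  Everything the mod-p and mod-q arithmetic sees is c * r^e mod n,
    which is uniformly distributed and independent of c."""
    while True:
        r = secrets.randbelow(key.n - 2) + 2
        if egcd(r, key.n)[0] == 1:
            break
    c_blind = (c * pow(r, key.e, key.n)) % key.n
    m_blind = rsa_crt_decrypt(c_blind, key)
    return (m_blind * modinv(r, key.n)) % key.n


TOY_KEY = make_key(1000003, 999983)         # constructed primes, not a real key


def roundtrip(msg, key=TOY_KEY):
    """Encrypt msg with the public key, decrypt it both ways."""
    c = pow(msg, key.e, key.n)
    return rsa_crt_decrypt(c, key), rsa_crt_decrypt_blinded(c, key)


if __name__ == "__main__":
    print(barrett_reduce(55, 5, 2, 3))      # (0, 2): two subtractions needed
    print(max_subtractions(5, 2, 3))        # 2
    print(roundtrip(123456789))             # (123456789, 123456789)
```

For x = 55, m = 5 the estimate is q3 = 9 while the true quotient is 11, so the pre-correction remainder is 10 and a single subtraction would return 5, which is not a reduced residue. A loop (or two unconditional conditional-subtraction steps, if the code is meant to be constant time) is what the algorithm requires.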

evangreen commented 7 years ago

Thanks. I will study this one and come back with more info.