Re: Side-channel leakage in the mpz_powm_sec interface

2023-09-07 Thread Hubert Kario
On Friday, 25 August 2023 14:02:51 CEST, Niels Möller wrote: Hubert Kario writes: On Friday, 25 August 2023 07:51:10 CEST, Niels Möller wrote: Thus, I think it's more of a documentation issue than code issue: it will be much better to just say that mpz_powm_sec() is not usable

Re: Side-channel leakage in the mpz_powm_sec interface

2023-08-25 Thread Hubert Kario
On Friday, 25 August 2023 07:51:10 CEST, Niels Möller wrote: Hubert Kario writes: I was able to confirm that the low-level functions, like the mpn_sec_powm() function, have no timing leakage with regards to operands or result (exactly like section 8.1 of the manual[2] states). And that's

Re: Side-channel leakage in the mpz_powm_sec interface

2023-08-25 Thread Hubert Kario
hat should be performed by upper level code, as how you do blinding depends on the algorithm and operation you're performing. Like, both RSA signing and decryption mathematically perform the exact same operation, but what constitutes side-channel-free for them is very different.

--
Regards,
Hubert Kario

Re: Side-channel leakage in the mpz_powm_sec interface

2023-08-25 Thread Hubert Kario
On Friday, 25 August 2023 14:02:51 CEST, Niels Möller wrote: Hubert Kario writes: On Friday, 25 August 2023 07:51:10 CEST, Niels Möller wrote: And that's for all inputs? Nice. Well, not all, I mostly tested ones that had obvious patterns, like zero to power zero, 0xff to power 0xff, full

Side-channel leakage in the mpz_powm_sec interface

2023-08-24 Thread Hubert Kario
d I miss the methods to ensure that the objects are not clamped, or should the mpz_powm_sec() interface be marked as _not_ secure for cryptographic purposes?

1 - https://gmplib.org/manual/Integer-Exponentiation#index-mpz_005fpowm_005fsec
2 - https://gmplib.org/manual/Low_002dlevel-Functions

-- R