Fault attacks on RSA in libgcrypt

Jeff Burdges burdges at gnunet.org
Tue Aug 23 10:24:24 CEST 2016


On Tue, 2016-08-23 at 07:54 +0200, Stephan Mueller wrote:
> Am Montag, 22. August 2016, 19:42:42 CEST schrieb Jeff Burdges:
> > I implemented the protection against fault attacks recommended in
> > "Making RSA-PSS Provably Secure Against Non-Random Faults" by Gilles
> > Barthe, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire,
> > Mehdi Tibouchi and Jean-Christophe Zapalowicz.
> >   https://eprint.iacr.org/2014/252
> > It worries that a targeted fault attack could subvert the conditional
> > currently used to protect against fault attacks.
> 
> May I ask why that patch is limited to rsa_sign? Shouldn't the decrypt part 
> also be covered with a similar logic considering that it also operates with 
> the private key?

As with Lenstra's attack, a normal decryption operation should not
reveal the result of the secret computation, but a signature operation
does reveal this result. 

All this patch does is expand the existing protections against
Lenstra's attack to the case where an adversary can flip the conditional
used to detect Lenstra's attack by corrupting some memory with rowhammer
or similar.

Lenstra's attack becomes especially relevant for blind signatures, as in
Taler, because the adversary can make the signer sign anything. 

Jeff
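As an added illustration of the "existing protection" Jeff refers to (this is example code written for this page, not Jeff's libgcrypt patch and not libgcrypt's own RSA code): a toy RSA-CRT signer that recomputes the signature with the public exponent and refuses to release it unless the result matches the input. The key values are the small constructed textbook numbers p=61, q=53, e=17, d=2753, and the `fault` argument simulates a transient fault in one CRT half; both are assumptions for the demonstration, not anything from the thread. Because a signature is handed to the verifier, a faulty one would leak the result of the secret computation, which is why the check sits on the signing path rather than the decryption path.

```python
# Added example: RSA-CRT signing with a verify-before-release check.
# This is educational code, not libgcrypt's implementation and not the
# countermeasure from the Barthe et al. paper; it shows only the basic
# "check s^e == m with the public key" guard that Lenstra's attack motivates.

# Constructed toy key (far too small for real use).
P, Q = 61, 53
N = P * Q            # 3233
E = 17
D = 2753             # E * D == 1 mod lcm(P-1, Q-1) == 1 mod 3120


def crt_sign(m, p, q, d, fault=None):
    """Textbook RSA-CRT exponentiation m^d mod n.

    `fault` is a simulated transient fault: "p" or "q" corrupts the
    corresponding half of the CRT computation before recombination.
    """
    n = p * q
    dp, dq = d % (p - 1), d % (q - 1)
    qinv = pow(q, -1, p)                 # Python 3.8+ modular inverse
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault == "p":
        sp = (sp + 1) % p                # simulated corrupted half
    elif fault == "q":
        sq = (sq + 1) % q
    # Garner recombination: s = sq + q * ((sp - sq) * qinv mod p)
    h = ((sp - sq) * qinv) % p
    return (sq + h * q) % n


def sign_checked(m, p, q, d, e, fault=None):
    """Sign with CRT, then verify with the public exponent before release.

    Returns the signature, or None if the recomputed value does not match
    the input (i.e. the private computation was faulted). A faulty value
    must never leave this function, because the signature itself is what
    an adversary would inspect.
    """
    n = p * q
    s = crt_sign(m, p, q, d, fault)
    if pow(s, e, n) != m:
        return None
    return s


def demo():
    """Run one clean signing and one faulted signing on a constructed message."""
    m = 65                                # constructed message representative
    good = sign_checked(m, P, Q, D, E)
    faulted = sign_checked(m, P, Q, D, E, fault="p")
    return good, faulted


if __name__ == "__main__":
    good, faulted = demo()
    print("clean signature:", good)
    print("faulted signature released:", faulted)  # None: check refused it
```

The post's point about the conditional is visible in `sign_checked`: the single `if` is the only thing standing between a faulted `s` and the caller, so an adversary who can also disturb that branch (rowhammer or similar) gets past the guard. The paper the patch follows replaces that reliance on one branch; reproducing its construction is outside this example.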



