oss-sec mailing list archives

Re: Data operand dependent timing on Intel and Arm CPUs


From: Mark Hack <markhack () markhack com>
Date: Mon, 30 Jan 2023 13:58:34 -0600


The blinding I have seen was for RSA
(https://www.openssl.org/docs/man1.1.1/man3/RSA_blinding_on.html) and at
least for ECDSA signatures.

For symmetric keys such as AES, which are mostly table lookup and XOR
based, I have not seen any blinding.



Regards

Mark Hack

On Mon, 2023-01-30 at 14:13 -0500, Demi Marie Obenour wrote:
> On Mon, Jan 30, 2023 at 10:43:16AM -0600, Mark Hack wrote:
> > This is a concern, but if you look into the crypto implementations,
> > data blinding is applied to mitigate both instruction and power side
> > channel attacks
>
> Can you provide examples?  I have never seen blinding used for symmetric
> cryptography outside of embedded systems.

