| author | Werner Koch <wk@gnupg.org> | 2015-02-23 11:39:58 +0100 |
|---|---|---|
| committer | Werner Koch <wk@gnupg.org> | 2015-02-23 11:39:58 +0100 |
| commit | 410d70bad9a650e3837055e36f157894ae49a57d (patch) | |
| tree | e638c75e8241d52010eebbf41354eb00c884ad6c /mpi | |
| parent | 653a9fa1a3a4c35a4dc1841cb57d7e2a318f3288 (diff) | |
| download | libgcrypt-410d70bad9a650e3837055e36f157894ae49a57d.tar.gz | |
cipher: Use ciphertext blinding for Elgamal decryption.
* cipher/elgamal.c (USE_BLINDING): New.
(decrypt): Rewrite to use ciphertext blinding.
--
CVE-id: CVE-2014-3591
As a countermeasure to new side-channel attacks on sliding-window
exponentiation, we blind the ciphertext for Elgamal decryption. This
is similar to what we are doing with RSA. This patch is a backport of
the GnuPG 1.4 commit ff53cf06e966dce0daba5f2c84e03ab9db2c3c8b.

Unfortunately, the performance impact of Elgamal blinding is quite
noticeable (i5-2410M CPU @ 2.30GHz TP 220):
| Algorithm | generate | 100*priv | 100*public |
|---|---|---|---|
| ELG 1024 bit | - | 100ms | 90ms |
| ELG 2048 bit | - | 330ms | 350ms |
| ELG 3072 bit | - | 660ms | 790ms |

| Algorithm | generate | 100*priv | 100*public |
|---|---|---|---|
| ELG 1024 bit | - | 150ms | 90ms |
| ELG 2048 bit | - | 520ms | 360ms |
| ELG 3072 bit | - | 1100ms | 800ms |
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'mpi')
0 files changed, 0 insertions, 0 deletions
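The commit message describes the countermeasure only in one sentence: instead of raising the attacker-supplied ciphertext component directly to the secret exponent, the decryption works on a randomly blinded value. The following is an added illustration written for this page; it is not libgcrypt's `cipher/elgamal.c` and uses no libgcrypt API. It assumes a toy-sized (but real) prime modulus, an arbitrary generator `g`, and Python's built-in `pow()` as the stand-in for the MPI exponentiation and inversion. The blinding identity it relies on is `a^-x = r^x * (a*r)^-x (mod p)`: the secret exponent `x` is applied to `r` and to `a*r`, both randomised by the fresh value `r`, and never to `a` itself, while the recovered plaintext is unchanged.

```python
"""Textbook Elgamal decryption with and without ciphertext blinding.

Added example for this page, not libgcrypt code. Parameters below are
constructed for illustration; Python's pow() stands in for the MPI
routines (mpi_powm / mpi_invm / mpi_mulm) a real implementation uses.
"""
import secrets

# Constructed parameters: 2^127 - 1 is a Mersenne prime. g need not be a
# true generator of the group for the arithmetic below to be correct.
P = (1 << 127) - 1
G = 3


def keygen(p=P, g=G, x=None):
    """Return (public_key, secret_key); x may be fixed for reproducible tests."""
    if x is None:
        x = secrets.randbelow(p - 2) + 1        # 1 <= x <= p-2
    y = pow(g, x, p)                            # y = g^x
    return {"p": p, "g": g, "y": y}, {"p": p, "g": g, "y": y, "x": x}


def encrypt(m, pub, k=None):
    """Elgamal encryption: (a, b) = (g^k, m * y^k) mod p."""
    p, g, y = pub["p"], pub["g"], pub["y"]
    if not 0 < m < p:
        raise ValueError("message must be a nonzero residue mod p")
    if k is None:
        k = secrets.randbelow(p - 2) + 1
    a = pow(g, k, p)
    b = (m * pow(y, k, p)) % p
    return a, b


def decrypt_plain(a, b, sec):
    """Unblinded decryption: m = b * a^-x mod p.

    The exponentiation a^x takes the attacker-controlled ciphertext part a
    directly as its base, which is what the side channel in the commit
    message exploits."""
    p, x = sec["p"], sec["x"]
    t1 = pow(a, x, p)           # a^x
    t1 = pow(t1, -1, p)         # a^-x
    return (b * t1) % p


def decrypt_blinded(a, b, sec, r=None):
    """Blinded decryption, mirroring the structure the commit describes:
    t1 = r^x, t2 = ((a*r)^x)^-1, m = b * t1 * t2 mod p."""
    p, x = sec["p"], sec["x"]
    if r is None:
        # Fresh, unpredictable blinding value per decryption; it only has to
        # be a nonzero residue mod p, not secret for longer than this call.
        r = secrets.randbelow(p - 1) + 1
    t1 = pow(r, x, p)                 # r^x
    t2 = pow((a * r) % p, x, p)       # (a*r)^x
    t2 = pow(t2, -1, p)               # (a*r)^-x
    t1 = (t1 * t2) % p                # r^x * (a*r)^-x == a^-x
    return (b * t1) % p


def roundtrip(m, x=None, k=None, r=None):
    """Encrypt m and decrypt it both ways; returns (plain, blinded) results."""
    pub, sec = keygen(x=x)
    a, b = encrypt(m, pub, k=k)
    return decrypt_plain(a, b, sec), decrypt_blinded(a, b, sec, r=r)


if __name__ == "__main__":
    msg = 0x48656C6C6F  # "Hello" as an integer, constructed sample input
    plain, blinded = roundtrip(msg)
    print(f"plain   = {plain:#x}")
    print(f"blinded = {blinded:#x}")
```

`roundtrip()` shows that both paths return the same plaintext, so blinding changes only which values the secret exponent touches, not the result. The cost the commit's tables measure comes from the blinded path doing two modular exponentiations (`r^x` and `(a*r)^x`) where the plain path does one.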