Blinding implementation in OpenSSL

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Blinding implementation in OpenSSL

Dmitry Belyavsky-3
Hello,

Could you please explain how blinding works in OpenSSL?

EC_KEY structure seems to have an unblinded private key structure and blinded X, Y, Z- coordinates of the public key when blinding is in use. But if I understand correctly, he idea of blinding is protecting the private key from extracting from memory/swap/etc? Am I wrong?

Many thanks in advance!

--
SY, Dmitry Belyavsky
Reply | Threaded
Open this post in threaded view
|

Re: Blinding implementation in OpenSSL

Tomas Mraz-2
On Mon, 2019-04-15 at 10:39 +0300, Dmitry Belyavsky wrote:
> Hello,
>
> Could you please explain how blinding works in OpenSSL?
>
> EC_KEY structure seems to have an unblinded private key structure and
> blinded X, Y, Z- coordinates of the public key when blinding is in
> use. But if I understand correctly, he idea of blinding is protecting
> the private key from extracting from memory/swap/etc? Am I wrong?

No, blinding is done during the private key operations to "randomize"
the computations so timing and other side channels do not leak the
private key. The private key itself is not modified.

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]


Reply | Threaded
Open this post in threaded view
|

Re: Blinding implementation in OpenSSL

Billy Brumley
> > Could you please explain how blinding works in OpenSSL?
> >
> > EC_KEY structure seems to have an unblinded private key structure and
> > blinded X, Y, Z- coordinates of the public key when blinding is in
> > use. But if I understand correctly, he idea of blinding is protecting
> > the private key from extracting from memory/swap/etc? Am I wrong?
>
> No, blinding is done during the private key operations to "randomize"
> the computations so timing and other side channels do not leak the
> private key. The private key itself is not modified.

Dmitry is correct in that coordinate blinding and scalar blinding are
different things. The question seems to be why doesn't OpenSSL do
coordinate blinding. (Hoping I'm not interpreting too much.)

BBB
Reply | Threaded
Open this post in threaded view
|

Re: Blinding implementation in OpenSSL

Billy Brumley
("OpenSSL doesn't do" _scalar_ blinding! Coordinate blinding is there.
sorry ...)