cipher: Use ciphertext blinding for Elgamal decryption.
author    Werner Koch <wk@gnupg.org>
          Mon, 23 Feb 2015 10:39:58 +0000 (11:39 +0100)
committer Werner Koch <wk@gnupg.org>
          Mon, 23 Feb 2015 10:39:58 +0000 (11:39 +0100)
commit    410d70bad9a650e3837055e36f157894ae49a57d
tree      e638c75e8241d52010eebbf41354eb00c884ad6c
parent    653a9fa1a3a4c35a4dc1841cb57d7e2a318f3288
cipher: Use ciphertext blinding for Elgamal decryption.

* cipher/elgamal.c (USE_BLINDING): New.
(decrypt): Rewrite to use ciphertext blinding.
--

CVE-id: CVE-2014-3591

As a countermeasure to a new side-channel attack on sliding windows
exponentiation we blind the ciphertext for Elgamal decryption.  This
is similar to what we are doing with RSA. This patch is a backport of
the GnuPG 1.4 commit ff53cf06e966dce0daba5f2c84e03ab9db2c3c8b.

Unfortunately, the performance impact of Elgamal blinding is quite
noticeable (i5-2410M CPU @ 2.30GHz TP 220):

  Algorithm         generate  100*priv  100*public
  ------------------------------------------------
  ELG 1024 bit             -     100ms        90ms
  ELG 2048 bit             -     330ms       350ms
  ELG 3072 bit             -     660ms       790ms

  Algorithm         generate  100*priv  100*public
  ------------------------------------------------
  ELG 1024 bit             -     150ms        90ms
  ELG 2048 bit             -     520ms       360ms
  ELG 3072 bit             -    1100ms       800ms

Signed-off-by: Werner Koch <wk@gnupg.org>
cipher/elgamal.c
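The countermeasure the commit message describes, as an added example that is not libgcrypt's code: plain Elgamal decryption beside a version that blinds the ciphertext with a fresh random factor before the secret-exponent power. It assumes a constructed demo group (p = 2^127 - 1, g = 3) and standard Elgamal notation; the unblinding sequence shown is one way to remove r, not a claim about the commit's exact order of operations.

```python
# Elgamal decryption with and without ciphertext blinding (added
# illustration, not libgcrypt's code).  Notation: public (p, g, y = g^x),
# secret x, ciphertext (a, b) = (g^k, m * y^k) mod p, so m = b * (a^x)^-1.
import secrets

# Constructed demo modulus: the Mersenne prime 2^127 - 1.  Real deployments
# use much larger groups; the group size does not affect the blinding.
P = (1 << 127) - 1
G = 3


def keygen():
    x = 2 + secrets.randbelow(P - 3)      # secret exponent in [2, p-2]
    return x, pow(G, x, P)                # (x, y)


def encrypt(y, m):
    k = 2 + secrets.randbelow(P - 3)
    return pow(G, k, P), (m * pow(y, k, P)) % P


def decrypt_unblinded(x, a, b, trace):
    # The base of the secret-exponent power is 'a', a value chosen by
    # whoever sent the ciphertext; that is what a side channel on the
    # sliding-window exponentiation gets to observe.
    trace.append(a)
    return (b * pow(pow(a, x, P), -1, P)) % P


def decrypt_blinded(x, a, b, trace):
    # Multiply the ciphertext by a fresh, unpredictable r first, so the
    # value raised to x is different on every call and not sender-chosen.
    r = 2 + secrets.randbelow(P - 3)
    ar = (a * r) % P
    trace.append(ar)
    t = pow(ar, x, P)                     # (a*r)^x = a^x * r^x
    t = pow(t, -1, P)                     # (a^x)^-1 * (r^x)^-1
    t = (t * pow(r, x, P)) % P            # strip r^x: (a^x)^-1 remains
    return (b * t) % P


def demo():
    x, y = keygen()
    m = 1234567890123456789
    a, b = encrypt(y, m)
    seen = []
    results = [decrypt_unblinded(x, a, b, seen)] + [
        decrypt_blinded(x, a, b, seen) for _ in range(3)]
    # All four decryptions recover m; only the first exponentiated 'a'.
    return m, results, a, seen
```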