In Go, none of modular exponentiation, multiplication, or GCD is constant time, and thus they can aid an attacker in recovering sensitive information.
In gabi, in most instances there is a random element in the functions using the non-const-time arithmetic, thus if an attacker is only able to invoke and measure the gabi function (for example over the network), they all have considerable noise due to the random elements, and most of the time their sample size is limited to one, since the random element is unique for each invocation. Thus such an attacker has a negligible chance of succeeding. However, an attacker that is hosted on the same CPU and can do more precise measurements targeting only the exp/mul/gcd without the added noise around them has a good chance of exploiting this. It is thus recommended to implement (and possibly upstream) const-time exp/gcd arithmetic.
One instance of timing-sensitive mul is when the modulus n is being computed from the issuer's secret key q' and p' by multiplying them. Since these two values are not needed for anything else, it is recommended to replace them with the calculated value of n and thus eliminate multiplying and storing them altogether.
stef changed the title from "Weak timing side channel due to Exp/Mul/Gcd" to "Weak timing side-channel due to Exp/Mul/Gcd" on Feb 21, 2020.
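The premise of the issue above is that Go's math/big arithmetic takes input-dependent time. The following is an added example, not gabi's code and not part of the issue, that a maintainer could run locally to confirm that premise for GCD before deciding on a constant-time replacement: it times `big.Int.GCD` on two pairs of constructed, non-secret inputs of the same bit length, one that Euclid's algorithm finishes in three division steps and one (consecutive Fibonacci numbers) that needs well over a thousand. The same `medianNanos` wrapper can be pointed at `Exp` or `Mul` in the same way. All input values, round counts and names are this example's own choices.

```go
package main

import (
	"fmt"
	"math/big"
	"sort"
	"time"
)

// fibonacciPair returns consecutive Fibonacci numbers (F_k, F_{k-1}) with
// F_k at least bitLen bits long. Consecutive Fibonacci numbers are the
// worst case for Euclid's algorithm: every division step removes one term.
func fibonacciPair(bitLen int) (*big.Int, *big.Int) {
	a, b := big.NewInt(1), big.NewInt(1) // F_2, F_1
	for a.BitLen() < bitLen {
		a, b = new(big.Int).Add(a, b), a
	}
	return a, b
}

// easyPair returns (2^bitLen - 1, 2^(bitLen-1)): the same bit length as the
// Fibonacci pair, but Euclid's algorithm finishes in three division steps.
func easyPair(bitLen int) (*big.Int, *big.Int) {
	hi := new(big.Int).Lsh(big.NewInt(1), uint(bitLen-1))
	all := new(big.Int).Lsh(big.NewInt(1), uint(bitLen))
	all.Sub(all, big.NewInt(1))
	return all, hi
}

// euclidSteps counts the division steps plain Euclid needs for gcd(a, b).
// This is the structural reason the timings below differ: the work done by
// math/big's GCD grows with the number of reduction steps the inputs force.
func euclidSteps(a, b *big.Int) int {
	x, y := new(big.Int).Set(a), new(big.Int).Set(b)
	steps := 0
	for y.Sign() != 0 {
		x.Mod(x, y)
		x, y = y, x
		steps++
	}
	return steps
}

// medianNanos runs fn `rounds` times and returns the median wall-clock
// duration in nanoseconds. The median is used rather than the mean so that
// scheduler hiccups and GC pauses do not dominate the result.
func medianNanos(rounds int, fn func()) int64 {
	samples := make([]int64, rounds)
	for i := range samples {
		start := time.Now()
		fn()
		samples[i] = time.Since(start).Nanoseconds()
	}
	sort.Slice(samples, func(i, j int) bool { return samples[i] < samples[j] })
	return samples[rounds/2]
}

// timeGCD returns the median time math/big takes to compute gcd(a, b).
func timeGCD(rounds int, a, b *big.Int) int64 {
	var g big.Int
	return medianNanos(rounds, func() { g.GCD(nil, nil, a, b) })
}

func main() {
	const bitLen = 1024 // constructed operand size, comparable to the key sizes gabi works with
	const rounds = 200

	ea, eb := easyPair(bitLen)
	fa, fb := fibonacciPair(bitLen)

	fmt.Printf("easy pair:      %d-bit operands, %d Euclid steps, median %d ns\n",
		ea.BitLen(), euclidSteps(ea, eb), timeGCD(rounds, ea, eb))
	fmt.Printf("fibonacci pair: %d-bit operands, %d Euclid steps, median %d ns\n",
		fa.BitLen(), euclidSteps(fa, fb), timeGCD(rounds, fa, fb))
	fmt.Println("same operand size, different running time: math/big GCD leaks operand values through timing")
}
```

The two pairs have identical bit lengths, so any timing gap is caused by the operand values themselves rather than their size; that is exactly the property a constant-time GCD (or exponentiation) would have to remove. Run it a few times on an otherwise idle machine, since a single noisy measurement is what the issue says a remote attacker is limited to.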