author: Jack Lloyd <[email protected]> 2018-04-04 15:08:04 -0400
committer: Jack Lloyd <[email protected]> 2018-04-04 15:08:04 -0400
commit: b223736c7dbf4f76593bdf4840dac33c32d09b96 (patch)
tree: 31b9e32fd0f77d58d2b1cbcc4fc613c1b383f669 /doc
parent: 67633e52bf4837b35fe95ec0befb9df8262fe1a2 (diff)
parent: f1d4e126bf929a3ed2a509059d054f8aaef865f0 (diff)
Merge GH #1523 RSA optimizations and exponent blinding
Diffstat (limited to 'doc')
-rw-r--r-- doc/manual/side_channels.rst 6
1 files changed, 5 insertions, 1 deletions
diff --git a/doc/manual/side_channels.rst b/doc/manual/side_channels.rst
index 6d6bd74bb..cf5f26003 100644
--- a/doc/manual/side_channels.rst
+++ b/doc/manual/side_channels.rst
@@ -13,13 +13,17 @@ RSA
----------------------
Blinding is always used to protect private key operations (there is no way to
-turn it off). As an optimization, instead of choosing a new random mask and
+turn it off). Both base blinding and exponent blinding are used.
+
+For base blinding, as an optimization, instead of choosing a new random mask and
inverse with each decryption, both the mask and its inverse are simply squared
to choose the next blinding factor. This is much faster than computing a fresh
value each time, and the additional relation is thought to provide only minimal
useful information for an attacker. Every BOTAN_BLINDING_REINIT_INTERVAL
(default 32) operations, a new starting point is chosen.
+Exponent blinding uses new values for each signature.
+
RSA signing uses the CRT optimization, which is much faster but vulnerable to
trivial fault attacks [RsaFault] which can result in the key being entirely
compromised. To protect against this (or any other computational error which
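Review bot: the added line `+Exponent blinding uses new values for each signature.` follows the base-blinding paragraph with no blank line before it, so reStructuredText will render it as the last sentence of that paragraph rather than as its own statement; insert a blank line before it, matching the blank line that already follows it. The wording is also inconsistent with its surroundings: the base-blinding text speaks of "each decryption" and the new sentence of "each signature", while the opening sentence says blinding protects all private key operations, so "each private key operation" in both places would be more accurate. Finally, the base-blinding paragraph documents its parameters (the squaring trick, BOTAN_BLINDING_REINIT_INTERVAL, default 32) but the exponent-blinding sentence gives none; a short note on how the exponent is blinded, such as the size of the random value used, would let a reader judge the protection the same way.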