aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/pubkey/rsa
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2018-04-04 11:46:01 -0400
committerJack Lloyd <[email protected]>2018-04-04 11:46:01 -0400
commitdb65873a56c75373280c61417332a4d1c466a494 (patch)
treea8b3b5ce09bac04ec0c80e83a97a8f602acd5dd1 /src/lib/pubkey/rsa
parent2a65ff7893e673db33d90401cf7051a2ceae448d (diff)
Add RSA exponent blinding
Additional paranoia never hurt.
Diffstat (limited to 'src/lib/pubkey/rsa')
-rw-r--r--src/lib/pubkey/rsa/rsa.cpp17
1 files changed, 12 insertions, 5 deletions
diff --git a/src/lib/pubkey/rsa/rsa.cpp b/src/lib/pubkey/rsa/rsa.cpp
index bdfafaf07..1cd4a15d3 100644
--- a/src/lib/pubkey/rsa/rsa.cpp
+++ b/src/lib/pubkey/rsa/rsa.cpp
@@ -222,22 +222,29 @@ class RSA_Private_Operation
BigInt private_op(const BigInt& m) const
{
const size_t powm_window = 4;
+ const size_t exp_blinding_bits = 64;
+
+ const BigInt d1_mask(m_blinder.rng(), exp_blinding_bits);
+ const BigInt d2_mask(m_blinder.rng(), exp_blinding_bits);
+
+ const BigInt masked_d1 = m_key.get_d1() + (d1_mask * (m_key.get_p() - 1));
+ const BigInt masked_d2 = m_key.get_d2() + (d2_mask * (m_key.get_q() - 1));
#if defined(BOTAN_TARGET_OS_HAS_THREADS)
- auto future_j1 = std::async(std::launch::async, [this, &m]() {
+ auto future_j1 = std::async(std::launch::async, [this, &m, &masked_d1]() {
auto powm_d1_p = monty_precompute(m_monty_p, m, powm_window);
- return monty_execute(*powm_d1_p, m_key.get_d1());
+ return monty_execute(*powm_d1_p, masked_d1);
});
auto powm_d2_q = monty_precompute(m_monty_q, m, powm_window);
- BigInt j2 = monty_execute(*powm_d2_q, m_key.get_d2());
+ BigInt j2 = monty_execute(*powm_d2_q, masked_d2);
BigInt j1 = future_j1.get();
#else
auto powm_d1_p = monty_precompute(m_monty_p, m, powm_window);
auto powm_d2_q = monty_precompute(m_monty_q, m, powm_window);
- BigInt j1 = monty_execute(*powm_d1_p, m_key.get_d1());
- BigInt j2 = monty_execute(*powm_d2_q, m_key.get_d2());
+ BigInt j1 = monty_execute(*powm_d1_p, masked_d1);
+ BigInt j2 = monty_execute(*powm_d2_q, masked_d2);
#endif
j1 = m_mod_p.reduce(sub_mul(j1, j2, m_key.get_c()));