authorlloyd <[email protected]>2010-03-08 19:39:38 +0000
committerlloyd <[email protected]>2010-03-08 19:39:38 +0000
commitbd79f42e733a1119033f049effdd341916f38c62 (patch)
treec0d8a065e0b5e8106364bd355a5618d28627b0de /src/pubkey/blinding.h
parent868c7f7d9c306e6e15d24f2b32e529aa1956516e (diff)
Add back in blinding to RSA, RW, ElGamal, and DH.
There are multiple unsatisfactory elements to the current solution, as compared to how blinding was previously done: Firstly, blinding is only used in the baseline implementations; the code using OpenSSL and GMP is not protected by blinding at all. Secondly, at the point we need to set up blinding, there is no access to a PRNG. Currently I am going with a quite nasty solution, of using a private key parameter to seed a simple PRNG constructed as: SHA-512(TS1 || private_key_param || public_key_param || TS2) I really want to fix both of these elements but I'm not sure how to do so easily.
Diffstat (limited to 'src/pubkey/blinding.h')
-rw-r--r--src/pubkey/blinding.h51
1 files changed, 51 insertions, 0 deletions
diff --git a/src/pubkey/blinding.h b/src/pubkey/blinding.h
new file mode 100644
index 000000000..d1d9a8875
--- /dev/null
+++ b/src/pubkey/blinding.h
@@ -0,0 +1,51 @@
+/*
+* Blinding for public key operations
+* (C) 1999-2010 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_BLINDER_H__
+#define BOTAN_BLINDER_H__
+
+#include <botan/bigint.h>
+#include <botan/reducer.h>
+
+namespace Botan {
+
+/*
+* Blinding Function Object
+*/
+class BOTAN_DLL Blinder
+ {
+ public:
+ BigInt blind(const BigInt& x) const;
+ BigInt unblind(const BigInt& x) const;
+
+ /**
+ * Choose a nonce to use for blinding
+ * @param x a secret seed value
+ * @param mod the modulus
+ */
+ static BigInt choose_nonce(const BigInt& x, const BigInt& mod);
+
+ Blinder() {}
+
+ /**
+ * Construct a blinder
+ * @param mask the forward (blinding) mask
+ * @param inverse_mask the inverse of mask (depends on algo)
+ * @param modulus of the group operations are performed in
+ */
+ Blinder(const BigInt& mask,
+ const BigInt& inverse_mask,
+ const BigInt& modulus);
+
+ private:
+ Modular_Reducer reducer;
+ mutable BigInt e, d;
+ };
+
+}
+
+#endif
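Review bot: blind() and unblind() on lines 44-45 carry no documentation, yet the `mutable BigInt e, d;` member on line 68 suggests a const call still rewrites the stored mask, so the header should state whether each blind() must be paired with exactly one unblind() and whether a single Blinder may be shared between threads; the definitions are in the .cpp outside this hunk, so confirm before writing something like `/** Blind x with the current mask. Must be followed by one unblind(); the mask is refreshed per call, so do not share an instance across threads without external locking. */`. The default constructor on line 54 leaves reducer, e and d value-initialised, so the declaration should also say what blind() does on such an object (presumably a pass-through, but the hunk does not show it). The choose_nonce() doc should add that the nonce is derived deterministically from the secret seed x, since that is the weakness the commit message already names and a caller reading only the header would not know it. The `@param modulus` line is a fragment; `* @param modulus the modulus the group operations are performed in`.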