authorJack Lloyd <[email protected]>2015-10-15 10:07:36 -0400
committerJack Lloyd <[email protected]>2015-10-15 10:07:36 -0400
commit3181dfa7abfe7b623d8823e078f04a374775e978 (patch)
tree892045bf1538463ebd4b586f0414b44d2335e044 /src
parent83fe87cc13b4dd6285fbc15465c7bd39fdadb53d (diff)
Periodically reinitialize the blinding sequence instead of always
deriving it by squaring the previous value.
Diffstat (limited to 'src')
-rw-r--r--src/build-data/buildh.in15
-rw-r--r--src/lib/pubkey/blinding.cpp40
-rw-r--r--src/lib/pubkey/blinding.h12
3 files changed, 52 insertions, 15 deletions
diff --git a/src/build-data/buildh.in b/src/build-data/buildh.in
index eaf4181b5..31069f0ae 100644
--- a/src/build-data/buildh.in
+++ b/src/build-data/buildh.in
@@ -71,9 +71,20 @@
* representation of an ECC point. Set to zero to diable this
* side-channel countermeasure.
*/
-#define BOTAN_POINTGFP_RANDOMIZE_BLINDING_BITS 64
+#define BOTAN_POINTGFP_RANDOMIZE_BLINDING_BITS 80
-#define BOTAN_CURVE_GFP_USE_MONTGOMERY_LADDER 0
+/*
+* Normally blinding is performed by choosing a random starting point (plus
+* its inverse, of a form appropriate to the algorithm being blinded), and
+* then choosing new blinding operands by successive squaring of both
+* values. This is much faster than computing a new starting point but
+* introduces some possible coorelation
+*
+* To avoid possible leakage problems in long-running processes, the blinder
+* periodically reinitializes the sequence. This value specifies how often
+* a new sequence should be started.
+*/
+#define BOTAN_BLINDING_REINIT_INTERVAL 32
/* PK key consistency checking toggles */
#define BOTAN_PUBLIC_KEY_STRONG_CHECKS_ON_LOAD 1
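Review bot: The new comment above BOTAN_BLINDING_REINIT_INTERVAL does not say what unit the value is in or how zero is treated, although blinding.cpp in this same commit counts blind() calls and guards the reinit with `BOTAN_BLINDING_REINIT_INTERVAL > 0`; I would end the comment with `* The value is the number of blind() calls between reinitializations; set to zero to disable periodic reinitialization.` The added text also has `coorelation` for `correlation`, and the sentence it closes has no full stop. The hunk additionally drops `#define BOTAN_CURVE_GFP_USE_MONTGOMERY_LADDER 0`, which the commit message does not mention; if that toggle is still referenced elsewhere in the tree it is worth a separate note, otherwise a line in the description would help later readers.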
diff --git a/src/lib/pubkey/blinding.cpp b/src/lib/pubkey/blinding.cpp
index cd2b3d118..da9def797 100644
--- a/src/lib/pubkey/blinding.cpp
+++ b/src/lib/pubkey/blinding.cpp
@@ -1,6 +1,6 @@
/*
* Blinding for public key operations
-* (C) 1999-2010 Jack Lloyd
+* (C) 1999-2010,2015 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -16,24 +16,28 @@
namespace Botan {
-// TODO: use Montgomery
-
Blinder::Blinder(const BigInt& modulus,
- std::function<BigInt (const BigInt&)> fwd_func,
- std::function<BigInt (const BigInt&)> inv_func)
+ std::function<BigInt (const BigInt&)> fwd,
+ std::function<BigInt (const BigInt&)> inv) :
+ m_fwd_fn(fwd), m_inv_fn(inv)
{
m_reducer = Modular_Reducer(modulus);
+ m_modulus_bits = modulus.bits();
#if defined(BOTAN_HAS_SYSTEM_RNG)
- auto& rng = system_rng();
+ m_rng.reset(new System_RNG);
#else
- AutoSeeded_RNG rng;
+ m_rng.reset(new AutoSeeded_RNG);
#endif
- const BigInt k(rng, modulus.bits() - 1);
+ const BigInt k = blinding_nonce();
+ m_e = m_fwd_fn(k);
+ m_d = m_inv_fn(k);
+ }
- m_e = fwd_func(k);
- m_d = inv_func(k);
+BigInt Blinder::blinding_nonce() const
+ {
+ return BigInt(*m_rng, m_modulus_bits - 1);
}
BigInt Blinder::blind(const BigInt& i) const
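Review bot: Storing fwd and inv in m_fwd_fn/m_inv_fn changes the constructor's contract: the callables used to be invoked only here, but blind() now calls them again on every reinitialization, so any references or `this` captured in the caller's lambdas must outlive the Blinder. That should be stated on the constructor's doc comment in blinding.h (outside this hunk), e.g. `fwd_func and inv_func are retained and invoked again from later blind() calls; they must remain valid for the lifetime of the Blinder`. Since both parameters are taken by value, the initializer list could read `m_fwd_fn(std::move(fwd)), m_inv_fn(std::move(inv))` instead of copying them. The `m_rng.reset(new System_RNG)` / `m_rng.reset(new AutoSeeded_RNG)` lines could use `std::make_unique` if the project builds as C++14 or later; as written they are correct but leave a raw `new` in the code.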
@@ -41,8 +45,20 @@ BigInt Blinder::blind(const BigInt& i) const
if(!m_reducer.initialized())
throw std::runtime_error("Blinder not initialized, cannot blind");
- m_e = m_reducer.square(m_e);
- m_d = m_reducer.square(m_d);
+ ++m_counter;
+
+ if(BOTAN_BLINDING_REINIT_INTERVAL > 0 && (m_counter % BOTAN_BLINDING_REINIT_INTERVAL == 0))
+ {
+ const BigInt k = blinding_nonce();
+ m_e = m_fwd_fn(k);
+ m_d = m_inv_fn(k);
+ }
+ else
+ {
+ m_e = m_reducer.square(m_e);
+ m_d = m_reducer.square(m_d);
+ }
+
return m_reducer.multiply(i, m_e);
}
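Review bot: The reinit condition `m_counter % BOTAN_BLINDING_REINIT_INTERVAL == 0` is still compiled when the macro expands to the literal 0, so the `> 0` guard keeps the modulo from executing but may not keep some compilers from emitting a division-by-zero diagnostic for the constant expression. A way to avoid that without a preprocessor branch is to route the constant through a named value: `const size_t reinit_interval = BOTAN_BLINDING_REINIT_INTERVAL;` followed by `if(reinit_interval > 0 && (m_counter % reinit_interval == 0))`. It would also help to say in a comment why the reinit branch exists, e.g. `// periodically restart from a fresh nonce instead of squaring forever; see BOTAN_BLINDING_REINIT_INTERVAL`, since the rationale currently lives only in build-data/buildh.in. The first branch draws from m_rng through a const member function, so blind() now has one more piece of mutable state than before; see the note on the header.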
diff --git a/src/lib/pubkey/blinding.h b/src/lib/pubkey/blinding.h
index e57c7888e..2525276ca 100644
--- a/src/lib/pubkey/blinding.h
+++ b/src/lib/pubkey/blinding.h
@@ -1,6 +1,6 @@
/*
* Blinding for public key operations
-* (C) 1999-2010 Jack Lloyd
+* (C) 1999-2010,2015 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -14,6 +14,8 @@
namespace Botan {
+class RandomNumberGenerator;
+
/**
* Blinding Function Object
*/
@@ -33,8 +35,16 @@ class BOTAN_DLL Blinder
std::function<BigInt (const BigInt&)> inv_func);
private:
+ BigInt blinding_nonce() const;
+
Modular_Reducer m_reducer;
+ std::unique_ptr<RandomNumberGenerator> m_rng;
+ std::function<BigInt (const BigInt&)> m_fwd_fn;
+ std::function<BigInt (const BigInt&)> m_inv_fn;
+ size_t m_modulus_bits = 0;
+
mutable BigInt m_e, m_d;
+ mutable size_t m_counter = 0;
};
}
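Review bot: The new private members are undocumented, and the one thing a maintainer most needs to know about them is not stated anywhere: blind() is const but now mutates m_e, m_d, m_counter and the RNG behind m_rng, so one Blinder must not be shared between threads without external locking; I would add that sentence to the class comment (outside this hunk) and annotate the members, e.g. `// number of blind() calls so far; drives periodic reinitialization` on m_counter and `// fresh random value of m_modulus_bits - 1 bits, drawn from m_rng` on blinding_nonce(). Adding `std::unique_ptr<RandomNumberGenerator> m_rng` also implicitly deletes Blinder's copy constructor and copy assignment; if any caller copies a Blinder this will no longer compile, and a `Blinder(const Blinder&) = delete;` pair would make that intent explicit rather than incidental. The enclosing class begins before this hunk.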