diff options
Diffstat (limited to 'src/lib/pubkey')
-rw-r--r-- | src/lib/pubkey/blinding.h | 2 | ||||
-rw-r--r-- | src/lib/pubkey/rsa/rsa.cpp | 17 |
2 files changed, 14 insertions, 5 deletions
diff --git a/src/lib/pubkey/blinding.h b/src/lib/pubkey/blinding.h index 1c3fb1444..1bdd235f0 100644 --- a/src/lib/pubkey/blinding.h +++ b/src/lib/pubkey/blinding.h @@ -58,6 +58,8 @@ class BOTAN_PUBLIC_API(2,0) Blinder final Blinder& operator=(const Blinder&) = delete; + RandomNumberGenerator& rng() const { return m_rng; } + private: BigInt blinding_nonce() const; diff --git a/src/lib/pubkey/rsa/rsa.cpp b/src/lib/pubkey/rsa/rsa.cpp index bdfafaf07..1cd4a15d3 100644 --- a/src/lib/pubkey/rsa/rsa.cpp +++ b/src/lib/pubkey/rsa/rsa.cpp @@ -222,22 +222,29 @@ class RSA_Private_Operation BigInt private_op(const BigInt& m) const { const size_t powm_window = 4; + const size_t exp_blinding_bits = 64; + + const BigInt d1_mask(m_blinder.rng(), exp_blinding_bits); + const BigInt d2_mask(m_blinder.rng(), exp_blinding_bits); + + const BigInt masked_d1 = m_key.get_d1() + (d1_mask * (m_key.get_p() - 1)); + const BigInt masked_d2 = m_key.get_d2() + (d2_mask * (m_key.get_q() - 1)); #if defined(BOTAN_TARGET_OS_HAS_THREADS) - auto future_j1 = std::async(std::launch::async, [this, &m]() { + auto future_j1 = std::async(std::launch::async, [this, &m, &masked_d1]() { auto powm_d1_p = monty_precompute(m_monty_p, m, powm_window); - return monty_execute(*powm_d1_p, m_key.get_d1()); + return monty_execute(*powm_d1_p, masked_d1); }); auto powm_d2_q = monty_precompute(m_monty_q, m, powm_window); - BigInt j2 = monty_execute(*powm_d2_q, m_key.get_d2()); + BigInt j2 = monty_execute(*powm_d2_q, masked_d2); BigInt j1 = future_j1.get(); #else auto powm_d1_p = monty_precompute(m_monty_p, m, powm_window); auto powm_d2_q = monty_precompute(m_monty_q, m, powm_window); - BigInt j1 = monty_execute(*powm_d1_p, m_key.get_d1()); - BigInt j2 = monty_execute(*powm_d2_q, m_key.get_d2()); + BigInt j1 = monty_execute(*powm_d1_p, masked_d1); + BigInt j2 = monty_execute(*powm_d2_q, masked_d2); #endif j1 = m_mod_p.reduce(sub_mul(j1, j2, m_key.get_c())); |