Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com writes:
> Niels, what about the rest of the functions? They can protect from neither timing nor fault attacks.
I'm considering adding _tr versions on all of them (currently 8 functions). They're going to be just a few lines each, if they use a common helper function like (untested)
int
rsa_compute_root_tr(const struct rsa_public_key *pub,
                    const struct rsa_private_key *key,
                    void *random_ctx, nettle_random_func *random,
                    mpz_t x, const mpz_t m)
{
  int res;
  mpz_t t, mb, xb, ri;

  mpz_init (t);
  mpz_init (mb);
  mpz_init (xb);
  mpz_init (ri);

  /* Assumed argument order: blinded message into mb, r^-1 mod n into ri. */
  _rsa_blind (pub, random_ctx, random, mb, ri, m);
  rsa_compute_root (key, xb, mb);

  /* Verify the root with the public exponent before unblinding, so that a
     faulted computation never leaves this function. */
  mpz_powm (t, xb, pub->e, pub->n);
  res = (mpz_cmp (mb, t) == 0);

  if (res)
    _rsa_unblind (pub, x, ri, xb);
  else
    mpz_set_ui (x, 0);

  mpz_clear (t);
  mpz_clear (mb);
  mpz_clear (xb);
  mpz_clear (ri);

  return res;
}
(Possibly zeroing of x on failure could be left to the caller; the current signature functions also have the error case of pkcs1_rsa_*_encode failing, and set the result to zero in that case. Another reasonable alternative could be to simply leave the result variable unchanged on failure, but I think that requires an additional mpz temporary.)
To make it neater, the _rsa_blind and _rsa_unblind functions need an additional argument, but they are clearly marked as internal so I don't think that should cause any problems.
What do you think?
Regards, /Niels
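The blind / compute / re-check / unblind sequence discussed above, as an added example that is not part of the thread and not nettle code. It uses a constructed toy key (assumed primes P and Q, far too small for real use) and a hypothetical `fault` switch that corrupts the mod-q half of the CRT computation, so that both outcomes of the public-key check can be exercised; it also shows what the check prevents: without it, a single faulted CRT signature gives away a prime factor via a gcd (the Boneh-DeMillo-Lipton "Bellcore" attack). Requires Python 3.8+ for `pow(x, -1, n)`.

```python
from math import gcd
import secrets

# Constructed toy key (assumed primes; real keys use >= 2048-bit n).
P, Q = 1000003, 999983
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)                 # q^-1 mod p for Garner's recombination


def rsa_blind(m):
    """Return (m * r^e mod n, r^-1 mod n) for a fresh random r coprime to n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (m * pow(r, E, N)) % N, pow(r, -1, N)


def rsa_unblind(xb, ri):
    """Strip the blinding factor: (m r^e)^d * r^-1 = m^d mod n."""
    return (xb * ri) % N


def rsa_compute_root(m, fault=False):
    """CRT computation of m^d mod n. `fault` is a hypothetical hook that
    corrupts the mod-q half, simulating a glitch during the computation."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sq = (sq + 1) % Q
    h = (QINV * (sp - sq)) % P
    return sq + Q * h


def rsa_compute_root_tr(m, fault=False):
    """Blind, compute the root, verify with the public key, then unblind.
    Returns (True, root) or (False, 0); a faulted root is never released."""
    mb, ri = rsa_blind(m)
    xb = rsa_compute_root(mb, fault)
    if pow(xb, E, N) != mb:
        return False, 0
    return True, rsa_unblind(xb, ri)


def bellcore_factor(m, faulty_sig):
    """What an attacker does with an unchecked faulty CRT signature: the
    correct half still satisfies s^e = m mod p, the bad half does not, so
    gcd(s^e - m, n) is exactly p."""
    return gcd((pow(faulty_sig, E, N) - m) % N, N)
```

`rsa_compute_root_tr` compares against the blinded message, not the original one, because the root it checks was computed on the blinded input; unblinding happens only after the comparison succeeds.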