On 04/07/2012 10:47 AM, Niels Möller wrote:
> Thanks! I've had a quick look. A few comments: I'm not sure if the low-level rsa_compute_root should be aware of the blinding, or if it should be the responsibility of its callers (using _rsa_blind, _rsa_unblind helper functions, put in rsa_blind.c or so).
As a user of the library I'd prefer a low level function that provides the algorithm operation in constant time, so that I don't need to understand the details of blinding. It might be that in a later version nettle doesn't use blinding but something different to achieve constant time, so it would be nice for existing applications to change automatically.
> Support for blinding is desirable not only for rsa_decrypt, but also for the various rsa_*_sign functions, right?
Indeed. I changed rsa_compute_root() because I don't use the *_sign() functions. They were not very flexible for my needs. I will try making a constant time counterpart of them, but it will expand the interface considerably.
> The blinding function should probably use nettle_mpz_random, which provides for *almost* uniform distribution mod n by generating a few extra bits before the mpz_fdiv_r.
I'll update it for that.
> Not sure if we should have separate functions for operation with and without blinding, or a single function with an optional randomness source as argument. If we have separate functions, we have to decide on the name (I don't quite like "_timing": If the name is supposed to describe intended use, it needs to be more verbose, maybe "_timing_resistant". I think it may be more handy to rather describe what it *does*, something like "_blinding" or "_randomized" or so).
What about _ct for constant time? The _blinding is really specific on the method used to achieve constant time.
regards, Nikos
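The blinding scheme the thread is debating, as an added example that is not nettle's code: the blind/unblind helpers are named after the ones Niels proposes but are hypothetical, the key is a constructed toy key, and the random residue is drawn with a few extra bits before reduction, following the nettle_mpz_random approach mentioned above.

```python
import secrets
from math import gcd

# Constructed toy RSA key (not a real key): small primes so the example runs instantly.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def random_mod(n, extra_bits=64):
    """Almost-uniform residue mod n: draw a few extra bits before reducing,
    the same idea as nettle_mpz_random's extra bits before mpz_fdiv_r."""
    return secrets.randbits(n.bit_length() + extra_bits) % n

def rsa_blind(n, e, x):
    """Multiply x by r^e mod n for a fresh random r; return the blinded value
    and the unblinding factor r^-1 mod n (hypothetical _rsa_blind helper)."""
    while True:
        r = random_mod(n)
        if r > 1 and gcd(r, n) == 1:
            break
    return (x * pow(r, e, n)) % n, pow(r, -1, n)

def rsa_unblind(n, r_inv, y):
    """Strip the blinding factor: (x r^e)^d = x^d r, so multiply by r^-1
    (hypothetical _rsa_unblind helper)."""
    return (y * r_inv) % n

def rsa_compute_root(n, d, x):
    """Unblinded private-key operation: the exponentiation's timing depends on x."""
    return pow(x, d, n)

def rsa_compute_root_ct(n, e, d, x):
    """Blinded private-key operation: the exponentiation only ever sees
    x * r^e for a random r, so its timing is decoupled from the caller's x."""
    xb, r_inv = rsa_blind(n, e, x)
    yb = rsa_compute_root(n, d, xb)
    return rsa_unblind(n, r_inv, yb)

if __name__ == "__main__":
    m = 123456789
    assert rsa_compute_root_ct(N, E, D, m) == rsa_compute_root(N, D, m)
    print("blinded and unblinded roots agree")
```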