Am Montag, 23. Mai 2016, 12:56:18 schrieb Tudor-Dan Ambarus:
Hi Tudor,
> Hi Stephan,
>
> > as I am looking into the RSA countermeasures, I am wondering how much of
> > countermeasures are actually applied inside hardware implementations.
>
> Please point me to the reference RSA countermeasures so that we have
> a common point of start.
As the entire MPI logic is derived from libgcrypt, I am planning to use the
libgcrypt implementation as a basis to implement the blinding defined by the
Handbook of Applied Cryptograpy 11.118/11.119.
This is the code from libgcrypt:
{
/* First, we need a random number r between 0 and n - 1, which
is relatively prime to n (i.e. it is neither p nor q). The
random number needs to be only unpredictable, thus we employ
the gcry_create_nonce function by using GCRY_WEAK_RANDOM with
gcry_mpi_randomize. */
r = mpi_snew (ctx.nbits);
ri = mpi_snew (ctx.nbits);
bldata = mpi_snew (ctx.nbits);
do
{
_gcry_mpi_randomize (r, ctx.nbits, GCRY_WEAK_RANDOM);
mpi_mod (r, r, sk.n);
}
while (!mpi_invm (ri, r, sk.n));
/* Do blinding. We calculate: y = (x * r^e) mod n, where r is
the random number, e is the public exponent, x is the
non-blinded data and n is the RSA modulus. */
mpi_powm (bldata, r, sk.e, sk.n);
mpi_mulm (bldata, bldata, data, sk.n);
/* Perform decryption. */
secret (plain, bldata, &sk);
_gcry_mpi_release (bldata); bldata = NULL;
/* Undo blinding. Here we calculate: y = (x * r^-1) mod n,
where x is the blinded decrypted data, ri is the modular
multiplicative inverse of r and n is the RSA modulus. */
mpi_mulm (plain, plain, ri, sk.n);
_gcry_mpi_release (r); r = NULL;
_gcry_mpi_release (ri); ri = NULL;
}
"All we need" in the kernel is mpi_invm and mpi_mulm.
>
> Thanks,
> ta
Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
