Re: [PATCH v6 0/3] crypto: caam - add support for RSA algorithm

On Monday, 23 May 2016 12:56:18, Tudor-Dan Ambarus wrote:

Hi Tudor,

> Hi Stephan,
> 
> > as I am looking into the RSA countermeasures, I am wondering how much of
> > countermeasures are actually applied inside hardware implementations.
> 
> Please point me to the reference RSA countermeasures so that we have
> a common point of start.

As the entire MPI logic is derived from libgcrypt, I am planning to use the 
libgcrypt implementation as a basis to implement the blinding defined by the 
Handbook of Applied Cryptography 11.118/11.119.


This is the code from libgcrypt:

    {
      /* First, we need a random number r between 0 and n - 1, which
         is relatively prime to n (i.e. it is neither p nor q).  The
         random number needs to be only unpredictable, thus we employ
         the gcry_create_nonce function by using GCRY_WEAK_RANDOM with
         gcry_mpi_randomize.  */
      r  = mpi_snew (ctx.nbits);
      ri = mpi_snew (ctx.nbits);
      bldata = mpi_snew (ctx.nbits);

      do
        {
          _gcry_mpi_randomize (r, ctx.nbits, GCRY_WEAK_RANDOM);
          mpi_mod (r, r, sk.n);
        }
      while (!mpi_invm (ri, r, sk.n));

      /* Do blinding.  We calculate: y = (x * r^e) mod n, where r is
         the random number, e is the public exponent, x is the
         non-blinded data and n is the RSA modulus.  */
      mpi_powm (bldata, r, sk.e, sk.n);
      mpi_mulm (bldata, bldata, data, sk.n);

      /* Perform decryption.  */
      secret (plain, bldata, &sk);
      _gcry_mpi_release (bldata); bldata = NULL;

      /* Undo blinding.  Here we calculate: y = (x * r^-1) mod n,
         where x is the blinded decrypted data, ri is the modular
         multiplicative inverse of r and n is the RSA modulus.  */
      mpi_mulm (plain, plain, ri, sk.n);

      _gcry_mpi_release (r); r = NULL;
      _gcry_mpi_release (ri); ri = NULL;
    }


"All we need" in the kernel is mpi_invm and mpi_mulm.

> 
> Thanks,
> ta


Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
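To make the three steps in the quoted libgcrypt block concrete (blind with r^e, run the private-key operation on the blinded value, unblind with r^-1, retrying the draw of r until mpi_invm succeeds), here is an added Python example. It is not part of the original email, the CAAM patch series, or libgcrypt; it uses Python's built-in big integers in place of the MPI calls. The key is constructed from two Mersenne primes only so the block runs offline and deterministically, and the function names (mod_inverse, pick_blinding_factor, rsa_private_raw, rsa_private_blinded) are hypothetical stand-ins for mpi_invm, the do/while loop, secret() and the surrounding mulm/powm calls.

```python
import secrets
from math import gcd

# Constructed toy RSA key for illustration only (NOT a real key): two Mersenne
# primes so the block runs offline. e = 65537 is coprime to (p-1)(q-1) here
# because the order of 2 mod 65537 is 32, and 32 divides neither 126 nor 88.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)


def mod_inverse(a, n):
    """Return a^-1 mod n, or None when no inverse exists (gcd(a, n) != 1).

    This mirrors the return convention of libgcrypt's mpi_invm, which the
    do/while loop in the quoted code keys on.
    """
    if gcd(a, n) != 1:
        return None
    return pow(a, -1, n)


def rsa_private_raw(x, d, n):
    """Unblinded private-key operation: the secret() step in the quoted code."""
    return pow(x, d, n)


def pick_blinding_factor(n, randbelow=secrets.randbelow):
    """Draw r in [0, n) until it is invertible mod n, as libgcrypt does.

    If r shares a factor with n (r == 0, or a multiple of p or q, which is
    astronomically unlikely for a real-size key) the inverse does not exist
    and the loop simply draws again. Returns (r, r^-1 mod n).
    """
    while True:
        r = randbelow(n)
        ri = mod_inverse(r, n)
        if ri is not None:
            return r, ri


def rsa_private_blinded(x, d, e, n, r=None):
    """Blinded private-key operation; returns (result, blinded_input).

    Steps follow the quoted libgcrypt code:
      1. y = (x * r^e) mod n          (blind)
      2. s = y^d mod n                (the secret operation sees y, never x)
      3. result = (s * r^-1) mod n    (unblind)
    Correctness: (x * r^e)^d = x^d * r^(e*d) = x^d * r (mod n) because
    e*d = 1 (mod phi(n)), so multiplying by r^-1 leaves exactly x^d.
    An explicit r may be passed to make the run reproducible; a caller
    that wants the countermeasure must leave it None so r is fresh.
    """
    if r is None:
        r, ri = pick_blinding_factor(n)
    else:
        ri = mod_inverse(r, n)
        if ri is None:
            raise ValueError("blinding factor is not invertible mod n")
    blinded = (pow(r, e, n) * x) % n
    s = rsa_private_raw(blinded, d, n)
    return (s * ri) % n, blinded


if __name__ == "__main__":
    # Constructed sample: encrypt with the public key, decrypt blinded.
    m = int.from_bytes(b"constructed sample message", "big")
    c = pow(m, E, N)
    plain, seen_by_private_op = rsa_private_blinded(c, D, E, N)
    print("round trip ok:", plain == m)
    print("private op saw the raw ciphertext:", seen_by_private_op == c)
```

The point the example makes is that the private-key exponentiation in step 2 never operates on the caller-supplied value x, so a per-operation fresh r is what decorrelates the secret computation's timing and power profile from x; reusing r, or drawing it from a predictable source, removes that benefit even though the arithmetic still yields the right answer.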