On Monday, 23 May 2016, 12:56:18, Tudor-Dan Ambarus wrote:

Hi Tudor,

> Hi Stephan,
>
> > as I am looking into the RSA countermeasures, I am wondering how much of
> > countermeasures are actually applied inside hardware implementations.
>
> Please point me to the reference RSA countermeasures so that we have
> a common point of start.

As the entire MPI logic is derived from libgcrypt, I am planning to use the
libgcrypt implementation as a basis to implement the blinding defined by the
Handbook of Applied Cryptography 11.118/11.119.

This is the code from libgcrypt:

  {
    /* First, we need a random number r between 0 and n - 1, which is
       relatively prime to n (i.e. it is neither p nor q).  The random
       number needs to be only unpredictable, thus we employ the
       gcry_create_nonce function by using GCRY_WEAK_RANDOM with
       gcry_mpi_randomize.  */
    r = mpi_snew (ctx.nbits);
    ri = mpi_snew (ctx.nbits);
    bldata = mpi_snew (ctx.nbits);

    do
      {
        _gcry_mpi_randomize (r, ctx.nbits, GCRY_WEAK_RANDOM);
        mpi_mod (r, r, sk.n);
      }
    while (!mpi_invm (ri, r, sk.n));

    /* Do blinding.  We calculate: y = (x * r^e) mod n, where r is the
       random number, e is the public exponent, x is the non-blinded
       data and n is the RSA modulus.  */
    mpi_powm (bldata, r, sk.e, sk.n);
    mpi_mulm (bldata, bldata, data, sk.n);

    /* Perform decryption.  */
    secret (plain, bldata, &sk);
    _gcry_mpi_release (bldata); bldata = NULL;

    /* Undo blinding.  Here we calculate: y = (x * r^-1) mod n, where x
       is the blinded decrypted data, ri is the modular multiplicative
       inverse of r and n is the RSA modulus.  */
    mpi_mulm (plain, plain, ri, sk.n);

    _gcry_mpi_release (r); r = NULL;
    _gcry_mpi_release (ri); ri = NULL;
  }

"All we need" in the kernel is mpi_invm and mpi_mulm.

>
> Thanks,
> ta

Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html