On Tue, Aug 24, 2021 at 05:03:35PM +0200, Me Self wrote: > When rsa_crpt.c needs to do blinding of the exponent d and doesn't have the > exponent e, it calculates e from d using Euler's phi function (function > rsa_get_public_exp). But what if the original exponents e and d were > generated using Carmichaels lambda function instead of Euler like the ietf > rfc stipulates? Does the Euler based blinding still work? > > https://github.com/openssl/openssl/blob/master/crypto/rsa/rsa_crpt.c If the real public exponent used to generate the key is smaller than lambda(n), the result is the same. Public exponets with O(1k) bits are rather uncommon, so if the "real" exponent is small the computed value is the same. In the very unlikely case of a very large public exponent, and and a d-value computed from lambda(n) rather than phi(n), I'd expect blinding to still work, since an e-value computed via phi(n) is conguent mod lambda(n) to the e value computed via lambda(n). However, if the real phi(n)-based public exponent is larger than lambda(n), one must not leak its reduction mod lambda(n), since that would compromise the key. -- Viktor.
