Class RSACore.BlindingRandomPair

java.lang.Object
es.gob.jmulticard.jse.provider.rsacipher.RSACore.BlindingRandomPair
Enclosing class:
RSACore

private static final class RSACore.BlindingRandomPair extends Object
Parameters (u,v) for RSA Blinding. This is described in the RSA Bulletin#2 (Jan 96) and other places: ftp://ftp.rsa.com/pub/pdfs/bull-2.pdf The standard RSA Blinding decryption requires the key exponent (e) and modulus (n), and converts ciphertext (c) to plaintext (p). Before the modular exponentiation operation, the input message should be multiplied by (u (mod n)), and afterward the result is corrected by multiplying with (v (mod n)). The system should reject messages equal to (0 (mod n)). That is: 1. Generate r between 0 and n-1, relatively prime to n. 2. Compute x = (c*u) mod n 3. Compute y = (x^d) mod n 4. Compute p = (y*v) mod n The Java APIs allows for either standard RSAPrivateKey or RSAPrivateCrtKey RSA keys. If the exponent is available to us (e.g. RSAPrivateCrtKey), choose a random r, then let (u, v): u = r ^ e mod n v = r ^ (-1) mod n The proof follows: p = (((c * u) ^ d mod n) * v) mod n = ((c ^ d) * (u ^ d) * v) mod n = ((c ^ d) * (r ^ e) ^ d) * (r ^ (-1))) mod n = ((c ^ d) * (r ^ (e * d)) * (r ^ (-1))) mod n = ((c ^ d) * (r ^ 1) * (r ^ (-1))) mod n (see below) = (c ^ d) mod n because in RSA cryptosystem, d is the multiplicative inverse of e: (r^(e * d)) mod n = (r ^ 1) mod n = r mod n However, if the exponent is not available (e.g. RSAPrivateKey), we mitigate the timing issue by using a similar random number blinding approach using the private key: u = r v = ((r ^ (-1)) ^ d) mod n This returns the same plaintext because: p = (((c * u) ^ d mod n) * v) mod n = ((c ^ d) * (u ^ d) * v) mod n = ((c ^ d) * (u ^ d) * ((u ^ (-1)) ^d)) mod n = (c ^ d) mod n Computing inverses mod n and random number generation is slow, so it is often not practical to generate a new random (u, v) pair for each new exponentiation. The calculation of parameters might even be subject to timing attacks. However, (u, v) pairs should not be reused since they themselves might be compromised by timing attacks, leaving the private exponent vulnerable. An efficient solution to this problem is update u and v before each modular exponentiation step by computing: u = u ^ 2 v = v ^ 2 The total performance cost is small.