Class RSACore.BlindingRandomPair
java.lang.Object
es.gob.jmulticard.jse.provider.rsacipher.RSACore.BlindingRandomPair
- Enclosing class:
RSACore
Parameters (u,v) for RSA Blinding. This is described in the RSA
Bulletin#2 (Jan 96) and other places:
ftp://ftp.rsa.com/pub/pdfs/bull-2.pdf
The standard RSA Blinding decryption requires the key exponent
(e) and modulus (n), and converts ciphertext (c) to plaintext (p).
Before the modular exponentiation operation, the input message should
be multiplied by (u (mod n)), and afterward the result is corrected
by multiplying with (v (mod n)). The system should reject messages
equal to (0 (mod n)). That is:
1. Generate r between 0 and n-1, relatively prime to n.
2. Compute x = (c*u) mod n
3. Compute y = (x^d) mod n
4. Compute p = (y*v) mod n
The Java APIs allows for either standard RSAPrivateKey or
RSAPrivateCrtKey RSA keys.
If the exponent is available to us (e.g. RSAPrivateCrtKey),
choose a random r, then let (u, v):
u = r ^ e mod n
v = r ^ (-1) mod n
The proof follows:
p = (((c * u) ^ d mod n) * v) mod n
= ((c ^ d) * (u ^ d) * v) mod n
= ((c ^ d) * (r ^ e) ^ d) * (r ^ (-1))) mod n
= ((c ^ d) * (r ^ (e * d)) * (r ^ (-1))) mod n
= ((c ^ d) * (r ^ 1) * (r ^ (-1))) mod n (see below)
= (c ^ d) mod n
because in RSA cryptosystem, d is the multiplicative inverse of e:
(r^(e * d)) mod n
= (r ^ 1) mod n
= r mod n
However, if the exponent is not available (e.g. RSAPrivateKey),
we mitigate the timing issue by using a similar random number blinding
approach using the private key:
u = r
v = ((r ^ (-1)) ^ d) mod n
This returns the same plaintext because:
p = (((c * u) ^ d mod n) * v) mod n
= ((c ^ d) * (u ^ d) * v) mod n
= ((c ^ d) * (u ^ d) * ((u ^ (-1)) ^d)) mod n
= (c ^ d) mod n
Computing inverses mod n and random number generation is slow, so
it is often not practical to generate a new random (u, v) pair for
each new exponentiation. The calculation of parameters might even be
subject to timing attacks. However, (u, v) pairs should not be
reused since they themselves might be compromised by timing attacks,
leaving the private exponent vulnerable. An efficient solution to
this problem is update u and v before each modular exponentiation
step by computing:
u = u ^ 2
v = v ^ 2
The total performance cost is small.
-
Field Summary
FieldsModifier and TypeFieldDescription(package private) final BigInteger
(package private) final BigInteger
-
Constructor Summary
Constructors -
Method Summary
-
Field Details
-
u
-
v
-
-
Constructor Details
-
BlindingRandomPair
BlindingRandomPair(BigInteger pairU, BigInteger pairV)
-