Class RSACore.BlindingRandomPair

  • Enclosing class:
    RSACore

    private static final class RSACore.BlindingRandomPair
    extends java.lang.Object
    Parameters (u,v) for RSA Blinding. This is described in the RSA Bulletin#2 (Jan 96) and other places: ftp://ftp.rsa.com/pub/pdfs/bull-2.pdf The standard RSA Blinding decryption requires the key exponent (e) and modulus (n), and converts ciphertext (c) to plaintext (p). Before the modular exponentiation operation, the input message should be multiplied by (u (mod n)), and afterward the result is corrected by multiplying with (v (mod n)). The system should reject messages equal to (0 (mod n)). That is: 1. Generate r between 0 and n-1, relatively prime to n. 2. Compute x = (c*u) mod n 3. Compute y = (x^d) mod n 4. Compute p = (y*v) mod n The Java APIs allows for either standard RSAPrivateKey or RSAPrivateCrtKey RSA keys. If the exponent is available to us (e.g. RSAPrivateCrtKey), choose a random r, then let (u, v): u = r ^ e mod n v = r ^ (-1) mod n The proof follows: p = (((c * u) ^ d mod n) * v) mod n = ((c ^ d) * (u ^ d) * v) mod n = ((c ^ d) * (r ^ e) ^ d) * (r ^ (-1))) mod n = ((c ^ d) * (r ^ (e * d)) * (r ^ (-1))) mod n = ((c ^ d) * (r ^ 1) * (r ^ (-1))) mod n (see below) = (c ^ d) mod n because in RSA cryptosystem, d is the multiplicative inverse of e: (r^(e * d)) mod n = (r ^ 1) mod n = r mod n However, if the exponent is not available (e.g. RSAPrivateKey), we mitigate the timing issue by using a similar random number blinding approach using the private key: u = r v = ((r ^ (-1)) ^ d) mod n This returns the same plaintext because: p = (((c * u) ^ d mod n) * v) mod n = ((c ^ d) * (u ^ d) * v) mod n = ((c ^ d) * (u ^ d) * ((u ^ (-1)) ^d)) mod n = (c ^ d) mod n Computing inverses mod n and random number generation is slow, so it is often not practical to generate a new random (u, v) pair for each new exponentiation. The calculation of parameters might even be subject to timing attacks. However, (u, v) pairs should not be reused since they themselves might be compromised by timing attacks, leaving the private exponent vulnerable. An efficient solution to this problem is update u and v before each modular exponentiation step by computing: u = u ^ 2 v = v ^ 2 The total performance cost is small.
    • Field Summary

      Fields 
      Modifier and Type Field Description
      (package private) java.math.BigInteger u  
      (package private) java.math.BigInteger v  
    • Constructor Summary

      Constructors 
      Constructor Description
      BlindingRandomPair​(java.math.BigInteger pairU, java.math.BigInteger pairV)  
    • Method Summary

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • u

        final java.math.BigInteger u
      • v

        final java.math.BigInteger v
    • Constructor Detail

      • BlindingRandomPair

        BlindingRandomPair​(java.math.BigInteger pairU,
                           java.math.BigInteger pairV)