Commit 736e642b authored by Nikos Mavrogiannopoulos's avatar Nikos Mavrogiannopoulos Committed by Niels Möller

Enhanced rsa_pkcs1_sign_tr() to protect against HW/software errors

This verifies the output of the timing-resistant version of the
signing function, to make it also fault-resistant.
parent 4b90268a
......@@ -34,11 +34,31 @@
# include "config.h"
#include "rsa.h"
#include "pkcs1.h"
/* Checks for any errors done in the RSA computation. That avoids
* attacks which rely on faults on hardware, or even software MPI
* implementation. */
static int
rsa_verify_res(const struct rsa_public_key *pub,
mpz_t s, mpz_t m)
mpz_t t;
int res;
mpz_powm(t, s, pub->e, pub->n);
res = !mpz_cmp(m, t);
return res;
/* Side-channel resistant version of rsa_pkcs1_sign() */
rsa_pkcs1_sign_tr(const struct rsa_public_key *pub,
const struct rsa_private_key *key,
......@@ -46,23 +66,34 @@ rsa_pkcs1_sign_tr(const struct rsa_public_key *pub,
size_t length, const uint8_t *digest_info,
mpz_t s)
mpz_t ri;
mpz_t ri, m;
int ret;
if (pkcs1_rsa_digest_encode (s, key->size, length, digest_info))
if (pkcs1_rsa_digest_encode (m, key->size, length, digest_info))
mpz_init (ri);
_rsa_blind (pub, random_ctx, random, s, ri);
rsa_compute_root(key, s, s);
_rsa_unblind (pub, s, ri);
_rsa_blind (pub, random_ctx, random, m, ri);
rsa_compute_root(key, s, m);
mpz_clear (ri);
if (rsa_verify_res(pub, s, m) == 0)
mpz_set_ui(s, 0);
ret = 0;
ret = 1;
return 1;
_rsa_unblind (pub, s, ri);
mpz_clear (ri);
mpz_set_ui(s, 0);
return 0;
ret = 0;
return ret;
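Review bot: The fault check in rsa_pkcs1_sign_tr() runs on the blinded values, and the `_rsa_unblind (pub, s, ri)` call shown after it is not itself re-verified, but nothing in the new code says this ordering is intentional. As far as the visible lines show (this page has lost its +/- markers and brace lines, so the exact control flow is inferred), a fault during unblinding would still be returned with `ret = 1`; that is probably acceptable for the computation faults the comment on rsa_verify_res() describes, but it should be written down. I would add above the check `/* Verify s^e == m (mod n) on the blinded values, before unblinding; on mismatch s is zeroed and 0 is returned. */`, and extend the rsa_verify_res() comment with `Returns 1 if s^e mod n equals m, 0 otherwise.` Since s is set to 0 on the failure path, the header comment of rsa_pkcs1_sign_tr() should also say that callers must check the return value before using s.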