mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-25 01:25:33 +00:00
Add exponent blinding to RSA without CRT
The sliding window exponentiation algorithm is vulnerable to side-channel attacks. As a countermeasure we add exponent blinding in order to prevent combining the results of different measurements. This commits handles the case when the Chinese Remainder Theorem is NOT used to accelerate computations.
This commit is contained in:
parent
98864d5c0b
commit
5d392579c2
|
@ -24,6 +24,11 @@
|
||||||
*
|
*
|
||||||
* http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
|
* http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
|
||||||
* http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
|
* http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
|
||||||
|
* [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
|
||||||
|
* Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
|
||||||
|
* Stefan Mangard
|
||||||
|
* https://arxiv.org/abs/1702.08719v2
|
||||||
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#if !defined(POLARSSL_CONFIG_FILE)
|
#if !defined(POLARSSL_CONFIG_FILE)
|
||||||
|
@ -350,6 +355,27 @@ cleanup:
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Exponent blinding supposed to prevent side-channel attacks using multiple
|
||||||
|
* traces of measurements to recover the RSA key. The more collisions are there,
|
||||||
|
* the more bits of the key can be recovered. See [3].
|
||||||
|
*
|
||||||
|
* Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
|
||||||
|
* observations on avarage.
|
||||||
|
*
|
||||||
|
* For example with 28 byte blinding to achieve 2 collisions the adversary has
|
||||||
|
* to make 2^112 observations on avarage.
|
||||||
|
*
|
||||||
|
* (With the currently (as of 2017 April) known best algorithms breaking 2048
|
||||||
|
* bit RSA requires approximately as much time as trying out 2^112 random keys.
|
||||||
|
* Thus in this sense with 28 byte blinding the security is not reduced by
|
||||||
|
* side-channel attacks like the one in [3])
|
||||||
|
*
|
||||||
|
* This countermeasure does not help if the key recovery is possible with a
|
||||||
|
* single trace.
|
||||||
|
*/
|
||||||
|
#define RSA_EXPONENT_BLINDING 28
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Do an RSA private key operation
|
* Do an RSA private key operation
|
||||||
*/
|
*/
|
||||||
|
@ -362,11 +388,23 @@ int rsa_private( rsa_context *ctx,
|
||||||
int ret;
|
int ret;
|
||||||
size_t olen;
|
size_t olen;
|
||||||
mpi T, T1, T2;
|
mpi T, T1, T2;
|
||||||
|
#if defined(POLARSSL_RSA_NO_CRT)
|
||||||
|
mpi P1, Q1;
|
||||||
|
mpi D_blind, R;
|
||||||
|
mpi *D = &ctx->D;
|
||||||
|
#endif
|
||||||
|
|
||||||
mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
|
mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
|
||||||
|
|
||||||
|
mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
|
||||||
|
#if defined(POLARSSL_RSA_NO_CRT)
|
||||||
|
mpi_init( &P1 ); mpi_init( &Q1 );
|
||||||
|
mpi_init( &R ); mpi_init( &D_blind );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
#if defined(POLARSSL_THREADING_C)
|
#if defined(POLARSSL_THREADING_C)
|
||||||
if( ( ret = polarssl_mutex_lock( &ctx->mutex ) ) != 0 )
|
if( ( ret = mutex_lock( &ctx->mutex ) ) != 0 )
|
||||||
return( ret );
|
return( ret );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -386,13 +424,32 @@ int rsa_private( rsa_context *ctx,
|
||||||
MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
|
MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
|
||||||
MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vi ) );
|
MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vi ) );
|
||||||
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
|
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
|
||||||
|
|
||||||
|
#if defined(POLARSSL_RSA_NO_CRT)
|
||||||
|
/*
|
||||||
|
* Exponent blinding
|
||||||
|
*/
|
||||||
|
MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
|
||||||
|
MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
|
||||||
|
*/
|
||||||
|
MPI_CHK( mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
|
||||||
|
f_rng, p_rng ) );
|
||||||
|
MPI_CHK( mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
|
||||||
|
MPI_CHK( mpi_mul_mpi( &D_blind, &D_blind, &R ) );
|
||||||
|
MPI_CHK( mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
|
||||||
|
|
||||||
|
D = &D_blind;
|
||||||
|
#endif /* POLARSSL_RSA_NO_CRT */
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(POLARSSL_RSA_NO_CRT)
|
#if defined(POLARSSL_RSA_NO_CRT)
|
||||||
MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
|
MPI_CHK( mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
|
||||||
#else
|
#else
|
||||||
/*
|
/*
|
||||||
* faster decryption using the CRT
|
* Faster decryption using the CRT
|
||||||
*
|
*
|
||||||
* T1 = input ^ dP mod P
|
* T1 = input ^ dP mod P
|
||||||
* T2 = input ^ dQ mod Q
|
* T2 = input ^ dQ mod Q
|
||||||
|
@ -434,6 +491,10 @@ cleanup:
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
|
mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
|
||||||
|
#if defined(POLARSSL_RSA_NO_CRT)
|
||||||
|
mpi_free( &P1 ); mpi_free( &Q1 );
|
||||||
|
mpi_free( &R ); mpi_free( &D_blind );
|
||||||
|
#endif
|
||||||
|
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret );
|
return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret );
|
||||||
|
|
Loading…
Reference in a new issue