mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 09:12:24 +00:00

My comment about RSA blinding was talking slight tosh. Fixed in case
anyone ever actually reads it :-)

[originally from svn r2942]
Simon Tatham 2003-03-15 18:39:10 +00:00
parent 8ba003b9a0
commit 64e9abcbb1


@ -147,15 +147,16 @@ static Bignum rsa_privkey_op(Bignum input, struct RSAKey *key)
/* /*
* RSA blinding relies on the fact that (xy)^d mod n is equal * RSA blinding relies on the fact that (xy)^d mod n is equal
* to (x^d mod n) * (y^d mod n) mod n. We invent a random pair * to (x^d mod n) * (y^d mod n) mod n. We invent a random pair
* y and y^d; then we multiply x by y, raise to the power e mod * y and y^d; then we multiply x by y, raise to the power d mod
* n as usual, and divide by y^d to recover x^d. Thus the * n as usual, and divide by y^d to recover x^d. Thus an
* timing of the modpow does not reveal information about x, * attacker can't correlate the timing of the modpow with the
* but only about xy, which is unpredictable to an attacker. * input, because they don't know anything about the number
* that was input to the actual modpow.
* *
* The clever bit is that we don't have to do a huge modpow to * The clever bit is that we don't have to do a huge modpow to
* get y and y^d; we will use the number we just invented as * get y and y^d; we will use the number we just invented as
* _y^d_, and use the RSA public exponent to compute y from it, * _y^d_, and use the _public_ exponent to compute (y^d)^e = y
* which is much faster. * from it, which is much faster to do.
*/ */
random_encrypted = modpow(random, key->exponent, key->modulus); random_encrypted = modpow(random, key->exponent, key->modulus);
random_inverse = modinv(random, key->modulus); random_inverse = modinv(random, key->modulus);
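Review bot: the corrected comment still leaves the reader to map its symbols onto the variables on the two lines that follow it: `random` plays the role of y^d, and `random_encrypted`, computed with `key->exponent`, is y; a closing sentence in the comment such as "Here `random` is y^d and `random_encrypted` is y" would save the next reader deriving that from the `modpow` call. It would also help to note, next to `random_inverse = modinv(random, key->modulus);`, that the blinding factor must be coprime to the modulus for the inverse to exist, since the lines shown here do not say where that is guaranteed.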