In recent months, some new RSA functions have been added, from suggestions and work of Nikos. I'd like to hear comments on the interface before release.
Timing resistant decryption function, using RSA blinding:
int rsa_decrypt_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, unsigned *length, uint8_t *message, const mpz_t gibberish);
New signing functions taking a "DigestInfo" as input:
int rsa_pkcs1_sign(const struct rsa_private_key *key, unsigned length, const uint8_t *digest_info, mpz_t s);
int rsa_pkcs1_verify(const struct rsa_public_key *key, unsigned length, const uint8_t *digest_info, const mpz_t signature);
Timing-resistant version of the signing function:
int rsa_pkcs1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func random, unsigned length, const uint8_t *digest_info, mpz_t s);
The _tr functions use these internal functions for RSA blinding:
void _rsa_blind (const struct rsa_public_key *pub, void *random_ctx, nettle_random_func random, mpz_t c, mpz_t ri);
void _rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri);
Do you think this looks good? I see that there's some inconsistency in using "nettle_random_func random" vs "nettle_random_func *random"; the latter variant is the preferred form.
It would be nice to have timing-resistant versions of the other signing functions, but I hesitate since we would end up with such a large number of functions. Some redesign (for some later version) may be appropriate.
It's possible to do deterministic RSA blinding, using something like HMAC(encoding of private key, message) to generate the random number. And in a similar way, one can do deterministic DSA signatures. That's also for later, but you may want to take that possibility into account when commenting on the interface.
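As an added illustration (not Nettle's code and not part of the original mail), the arithmetic that the _rsa_blind / _rsa_unblind pair performs, and the deterministic HMAC-derived blinding factor mentioned above, worked through in Python on a constructed toy key. The key, the helper names and the HMAC seeding layout (key encoding as HMAC key, message plus a counter as HMAC input) are assumptions made for the example; the toy primes are far too small for real use and exist only so the numbers are easy to follow.

```python
import hashlib
import hmac
import math
import secrets

# Constructed toy RSA key for the example (NOT secure; tiny primes chosen for readability).
P = 1009
Q = 1013
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent, e*d = 1 (mod phi)


def rsa_blind(n, e, c, r):
    """Blind the ciphertext: c' = c * r^e mod n.

    The private exponentiation is then applied to c' instead of c, so its
    timing depends on a value the attacker does not know (this is what
    _rsa_blind does on the mpz_t c, with ri = r).
    """
    return (c * pow(r, e, n)) % n


def rsa_unblind(n, m_blinded, r):
    """Unblind: m = m' * r^-1 mod n, since (c * r^e)^d = c^d * r (mod n)."""
    return (m_blinded * pow(r, -1, n)) % n


def random_blinding_factor(n, rng=secrets.randbelow):
    """Draw r uniformly from [2, n-1] until it is invertible mod n."""
    while True:
        r = rng(n)
        if r > 1 and math.gcd(r, n) == 1:
            return r


def deterministic_blinding_factor(private_key_encoding, message, n):
    """Deterministic variant: seed r from HMAC-SHA256(key encoding, message).

    A counter is appended to the message and incremented until the derived
    value is invertible mod n, so the function always terminates with a
    usable r and the same (key, message) pair always yields the same r.
    (Assumed layout for illustration; not Nettle's design.)
    """
    counter = 0
    while True:
        data = message + counter.to_bytes(4, "big")
        mac = hmac.new(private_key_encoding, data, hashlib.sha256).digest()
        r = int.from_bytes(mac, "big") % n
        if r > 1 and math.gcd(r, n) == 1:
            return r
        counter += 1


def rsa_private_op_tr(n, e, d, c, r):
    """Blinded private-key operation: returns c^d mod n without ever
    exponentiating the raw c. Mirrors the blind -> mpz_powm -> unblind
    sequence the _tr functions perform."""
    c_blinded = rsa_blind(n, e, c, r)
    m_blinded = pow(c_blinded, d, n)
    return rsa_unblind(n, m_blinded, r)


def rsa_private_op(n, d, c):
    """Reference: the unblinded operation, for comparison only."""
    return pow(c, d, n)


if __name__ == "__main__":
    plaintext = 424242
    ciphertext = pow(plaintext, E, N)
    r_random = random_blinding_factor(N)
    r_fixed = deterministic_blinding_factor(b"toy-key-encoding", b"hello", N)
    print("random blinding   ->", rsa_private_op_tr(N, E, D, ciphertext, r_random))
    print("deterministic     ->", rsa_private_op_tr(N, E, D, ciphertext, r_fixed))
    print("unblinded result  ->", rsa_private_op(N, D, ciphertext))
```

Both blinded paths return the same value as the plain exponentiation, which is the whole point: blinding changes what the private exponentiation operates on, not what the caller gets back. The deterministic variant removes the need for a random_ctx/random argument, which is the interface consequence the mail alludes to.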
In a somewhat related reorganization, the interface of the internal function pkcs1_signature_prefix has changed and is not compatible with the old version. Questions:
1. Is anyone depending on that function?
2. Does a change of this function require a new solib number? (Depends on the answer to previous question).
3. Should I rename it to _pkcs1_signature_prefix, in order to (i) make it more clear it's an internal function, and (ii) make applications depending on the old behaviour break in a more predictable fashion?
Regards, /Niels