Optimize RSA blinding by caching-updating values
diff --git a/library/rsa.c b/library/rsa.c
index 0a943c2..c82ffaa 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -255,13 +255,27 @@
 
 #if !defined(POLARSSL_RSA_NO_CRT)
 /*
- * Generate blinding values
+ * Generate or update blinding values, see section 10 of:
+ *  KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
+ *  DSS, and other systems. In : Advances in Cryptology—CRYPTO’96. Springer
+ *  Berlin Heidelberg, 1996. p. 104-113.
  */
 static int rsa_prepare_blinding( rsa_context *ctx,
                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
 {
     int ret;
 
+    if( ctx->Vf.p != NULL )
+    {
+        /* We already have blinding values, just update them by squaring */
+        MPI_CHK( mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
+        MPI_CHK( mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->P ) );
+        MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
+        MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
+
+        return( 0 );
+    }
+
     /* Unblinding value: Vf = random number */
     MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
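Review bot: The `ctx->Vf.p != NULL` test at the top of rsa_prepare_blinding treats an allocated Vf as proof that a complete, matched Vi/Vf pair is cached, but nothing visible here guarantees that after a failure. If any MPI_CHK in the squaring branch fails after Vi has been updated, or if first-time generation fails after mpi_fill_random has allocated Vf, the next call would square a mismatched or half-built pair and later unblinding would presumably give wrong results. Assuming MPI_CHK jumps to a cleanup label further down (the function body continues outside this hunk), that path could discard the cache with `if( ret != 0 ) { mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf ); }` so the next call regenerates from the RNG. The function comment should also say that the context is now written on every private-key operation, e.g. `/* Not thread-safe: updates ctx->Vi and ctx->Vf in place */`, since callers sharing one rsa_context across threads would race on these values.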