OpenSSL RSA blinding assumes Euler to derive e?

Viktor Dukhovni openssl-users at dukhovni.org
Tue Aug 24 15:49:28 UTC 2021


On Tue, Aug 24, 2021 at 05:03:35PM +0200, Me Self wrote:

> When rsa_crpt.c needs to do blinding of the exponent d and doesn't have the
> exponent e, it calculates e from d using Euler's phi function (function
> rsa_get_public_exp). But what if the original exponents e and d were
> generated using Carmichaels lambda function instead of Euler like the ietf
> rfc stipulates?  Does the Euler based blinding still work?
> 
> https://github.com/openssl/openssl/blob/master/crypto/rsa/rsa_crpt.c

If the real public exponent used to generate the key is smaller than
lambda(n), the result is the same.  Public exponets with O(1k) bits
are rather uncommon, so if the "real" exponent is small the computed
value is the same.

In the very unlikely case of a very large public exponent, and and a
d-value computed from lambda(n) rather than phi(n), I'd expect blinding
to still work, since an e-value computed via phi(n) is conguent mod
lambda(n) to the e value computed via lambda(n).

However, if the real phi(n)-based public exponent is larger than
lambda(n), one must not leak its reduction mod lambda(n), since
that would compromise the key.

-- 
    Viktor.


More information about the openssl-users mailing list