Open habics opened 5 months ago
The reason it's a bit scary to add different types of decryption errors is because the information sidechannel they introduce can potentially be leveraged by an attacker. Example: https://en.wikipedia.org/wiki/Padding_oracle_attack
A modulus size mismatch for the ciphertext is probably ok. We could potentially introduce a new e.g. CiphertextSize
variant to Error
which shouldn't leak any information useful to the attacker since the only property of the private key it relies on is the public modulus.
For example when using a 2048 bits key and call decrypt() on a ciphertext that more than 256 bytes long, we get a generic error message that says
Err value: Decryption
a more appropriate message would also tell that the cipher text is too long for this key.Thank you.