Closed myheroyuki closed 11 months ago
Great find!
Do you have a link for me to follow & read more about this? That'll make this change easier to document as well, as I do want to have such a link to an authoritative source for the changelog anyway.
I sourced my suggestion from RFC 8017, "PKCS #1: RSA Cryptography Specifications Version 2.2." From the end of Section 5.2, "Signature and Verification Primitives":

> The main mathematical operation in each primitive is exponentiation, as in the encryption and decryption primitives of Section 5.1. RSASP1 and RSAVP1 are the same as RSADP and RSAEP except for the names of their input and output arguments; they are distinguished as they are intended for different purposes.
I was looking through the RSA key code while working on a multiprime addition and noticed two functions called `blinded_encrypt` and `blinded_decrypt`. I looked at where they were used and it turns out that the sign function is calling `blinded_encrypt`. This is backwards! The RSA RFC says the signing primitive should be identical to the decryption primitive, so we should call `blinded_decrypt` there instead like we do in the encryption function. In fact, we have no need for a `blinded_encrypt` function, and by switching over we will improve the speed of signing.
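The following is an added example, not code from this issue or from the project it discusses. It spells out the RFC 8017 primitives quoted in the reply above (RSAEP/RSADP in Section 5.1, RSASP1/RSAVP1 in Section 5.2) so the point of the report is visible in code: signing and decryption are the same private-key exponentiation, verification and encryption are the same public-key exponentiation. It also shows the two things a private-key routine typically wraps around that exponentiation, base blinding (the side-channel countermeasure the `blinded_*` names in the issue refer to) and the CRT form that makes the private operation faster. The key is constructed from two small, well-known primes for readability; `blinded_private_op` and `crt_private_op` are hypothetical helpers written for this example and are not the project's `blinded_decrypt`.

```python
from math import gcd
import secrets

# Constructed toy key. Real keys use >= 2048-bit moduli; these two well-known
# primes are used only so the numbers stay readable.
P = 1_000_000_007
Q = 998_244_353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (modular inverse, Python 3.8+)


def rsaep(n, e, m):
    """RFC 8017 5.1.1 RSAEP: c = m^e mod n."""
    if not 0 <= m < n:
        raise ValueError("message representative out of range")
    return pow(m, e, n)


def rsadp(n, d, c):
    """RFC 8017 5.1.2 RSADP: m = c^d mod n."""
    if not 0 <= c < n:
        raise ValueError("ciphertext representative out of range")
    return pow(c, d, n)


def rsasp1(n, d, m):
    """RFC 8017 5.2.1 RSASP1: identical to RSADP, only the argument names differ."""
    return rsadp(n, d, m)


def rsavp1(n, e, s):
    """RFC 8017 5.2.2 RSAVP1: identical to RSAEP, only the argument names differ."""
    return rsaep(n, e, s)


def blinded_private_op(n, e, d, x, rng=secrets.randbelow):
    """Private-key exponentiation with base blinding (hypothetical helper).

    The secret exponent d is applied to x * r^e for a random r instead of to
    x itself, so an attacker-chosen input never reaches the exponentiation
    directly. Because r^(e*d) == r (mod n), the result is x^d * r, and
    multiplying by r^-1 recovers x^d. This is the operation that both
    decryption and signing need; neither needs a blinded public-key op.
    """
    while True:
        r = rng(n - 2) + 2  # r in [2, n-1]
        if gcd(r, n) == 1:
            break
    blinded = (x * pow(r, e, n)) % n
    y = pow(blinded, d, n)          # == x^d * r (mod n)
    return (y * pow(r, -1, n)) % n  # strip the blinding factor


def crt_private_op(p, q, d, x):
    """Same private-key operation via the CRT (RFC 8017 5.1.2 step 2.b).

    Two half-size exponentiations instead of one full-size one, which is
    where the speed-up of the private operation comes from.
    """
    dp, dq = d % (p - 1), d % (q - 1)
    qinv = pow(q, -1, p)
    m1, m2 = pow(x, dp, p), pow(x, dq, q)
    h = (qinv * (m1 - m2)) % p
    return m2 + h * q


def sign_and_verify(m):
    """Sign with the private op and verify with the public op; returns (s, ok)."""
    s = rsasp1(N, D, m)
    return s, rsavp1(N, E, s) == m


def encryption_primitive_as_signature_verifies(m):
    """Apply the public-key primitive where the private one belongs.

    Illustrates why the two primitives are not interchangeable: a value
    produced with the public exponent does not survive RSAVP1 as a signature.
    """
    bogus = rsaep(N, E, m)
    return rsavp1(N, E, bogus) == m


if __name__ == "__main__":
    msg = 123_456_789  # constructed message representative, < N
    sig, ok = sign_and_verify(msg)
    print(f"signature {sig} verifies: {ok}")
    print("blinded == plain:", blinded_private_op(N, E, D, msg) == rsadp(N, D, msg))
    print("crt == plain:", crt_private_op(P, Q, D, msg) == rsasp1(N, D, msg))
    print("public op used as signature verifies:",
          encryption_primitive_as_signature_verifies(msg))
```

The three private-key variants (`rsadp`, `blinded_private_op`, `crt_private_op`) return the same value for the same input, which is the whole content of the RFC's remark: a signing routine that calls anything other than the (blinded, CRT-accelerated) private operation is either doing redundant work or computing the wrong thing.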