From d15a5d071c44029cd39ed5cc644e1239814a2cdd Mon Sep 17 00:00:00 2001
From: Jeff Burdges
Date: Mon, 22 Aug 2016 17:26:43 +0200
Subject: [PATCH] Additional protection against fault attacks on RSA signatures
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Implements the protection against fault attacks recommended in "Making RSA-PSS Provably Secure Against Non-Random Faults" by Gilles Barthe, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire, Mehdi Tibouchi and Jean-Christophe Zapalowicz. https://eprint.iacr.org/2014/252

There is a substancial literature on provably protecting against fault attacks, but this seems simpler and faster than say http://dl.acm.org/citation.cfm?doid=1873548.1873556
---
 cipher/rsa.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/cipher/rsa.c b/cipher/rsa.c
index b6c7374..69deaff 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -1425,6 +1425,8 @@ rsa_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
   RSA_public_key pk;
   gcry_mpi_t sig = NULL;
   gcry_mpi_t result = NULL;
+  gcry_mpi_t delta = NULL;
+  gcry_mpi_t rnd = NULL;
   _gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_SIGN, rsa_get_nbits (keyparms));
@@ -1481,6 +1483,25 @@ rsa_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
       goto leave;
     }
+  /* Protect against fault attacks on the previous conditional
+     See https://eprint.iacr.org/2014/252 */
+  delta = mpi_new (0);
+  mpi_subm(delta, data, result, sk.n);
+  rnd = mpi_new (0);
+  /* Acording to Remark 2 on page 8 of https://eprint.iacr.org/2014/252
+     we only need rho = ctx.nbits/2+200, but ctx.nbits-1 seems safer,
+     as blind signatures need an FDH, not PSS.
+     If we took rho = ctx.nbits, then rnd=1 half the time, which sucks. */
+  _gcry_mpi_randomize (rnd, ctx.nbits-1, GCRY_STRONG_RANDOM);
+  mpi_mulm(delta, delta, rnd, sk.n);
+  /* We could worry about fault attacks that zeroed ctx.nbits-1 and/or
+     set ctx.flags & PUBKEY_FLAG_NO_BLINDING as well. In fact, there is
+     a case that a constant like rho=512 and disabling no-blinding at
+     compile time offers better protection. */
+  _gcry_mpi_release(rnd);
+  mpi_addm(sig, sig, delta, sk.n);
+  _gcry_mpi_release(delta);
+
   /* Convert the result. */
   if ((ctx.flags & PUBKEY_FLAG_FIXEDLEN))
     {
-- 
2.1.4
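Review bot: The inline `_gcry_mpi_release(rnd)` and `_gcry_mpi_release(delta)` leave both pointers dangling, while the earlier hunk initialises `delta` and `rnd` to NULL exactly like `sig` and `result`, which suggests they were meant to be freed on the `leave:` path as well; if that path (outside this hunk) ever releases them, this becomes a double free. Either reset after each inline release, `_gcry_mpi_release (rnd); rnd = NULL;` and `_gcry_mpi_release (delta); delta = NULL;`, or move both releases to `leave:` so every mpi in this function is freed in one place. Separately, `_gcry_mpi_randomize (rnd, ctx.nbits-1, GCRY_STRONG_RANDOM)` can presumably yield zero, in which case `delta` collapses to zero and a faulted `sig` would be emitted unmasked; the probability is negligible for real key sizes, but a one-line comment stating that bound next to the call would make the trade-off explicit. rsa_sign starts before and ends after this hunk, so the `leave:` block is not visible here.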