1

What is the protocol for choosing blinding factor when RSA is applied with key blinding?

(Related question: How would you find the Blinding factor R in RSA blind signature algorithm?)

  1. Since blinding factor R should be randomly chosen, who has control over how R is chosen - the client (public key user), or the server (private key user)? If the client has control over the choice, the client can defult to the same value of R every time & thus defeat the purpose of choosing a random R.
  2. Given that R must be a shared value for every encrypt/decrypt operation (sort of an IV like parameter for symmetric ciphers), which protocols supported the transmission of a blinding factor?
user13311
  • 75
  • 5

1 Answers1

3

First of all, you need to understand what's the point of key blinding in the first place.

First of all, you have a server (who has a private key, and who is willing to decrypt messages), and you have a client (who has a value who he wants decrypted, but is unwilling to tell the server what that value is). The client might not want to tell the server what the value is to preserve anonymity (e.g. Chaum's ecoin idea, which uses a similar idea with signatures), or perhaps because he is afraid that the server might leak that info (e.g. through a side-channel).

So, what the client does is pick a random value $R$ (and keeps it to himself); the encrypted message $C$, and computes $R^e \cdot C \bmod N$ (where $e, N$ are from the server's public key); we then asks the server to do an RSA decryption of that.

Then, the server computes $(R^e \cdot C)^d \bmod N = R \cdot C^d \bmod N $ ($d$ is server's private key), and sends that back to the client.

Then, the client computes $R^{-1} \bmod N$, and then $R^{-1} \cdot (R \cdot C^d) = C^d$, which is the decrypted (padded) message $P$.

Because we allow $R$ to be any value (relatively prime to $N$), then $R^e \cdot C$ can also be any value, and so the server gets no information about what he's decrypting.

With that background in mind, let us go through your questions:

  1. Who has control over how $R$ is chosen?

As you can see from the above example, the client does.

If it's the client, what's preventing him from picking the same value of $R$ every time.

Absolutely nothing. There's also nothing preventing him from publishing the value $P$ in the Times, if he were so minded. $R$ is there to protect the client's data; if he doesn't do things correctly, it's his own data that suffers.

  1. Given that R must be a shared value for every encrypt/decrypt operation

Actually, if you go through the above, $R$ is used only during the decrypt operation (or the signature operation); the original encryptor (the guy who created $C = P^e$ in the first place) need not know it (or even if RSA blinding was being used). The client needs to use the same $R$ to compute both $R^e \cdot C$ and $R^{-1} \cdot (R \cdot C^d)$, however that's both in the decryption process, and the client never needs to give $R$ to anyone else (in fact, that would rather mess up what $R$ is trying to do)

lovesh
  • 512
  • 2
  • 10
poncho
  • 147,019
  • 11
  • 229
  • 360
  • 1
    Addition: a "blinding factor" is sometime used as a countermeasure against side-channel leakage. In that usage, the blinding factor is chosen and known only by the party using the RSA private key; other parties are not concerned. – fgrieu Jan 11 '18 at 11:05
  • RSA key blinding appears to be a low-hanging approach for preventing side channel attacks, with the additional expense of one public key operation for (R^e), one modular multiplication (R^e.C) and one modular inverse R^(-1).(R.C^d) plus multiplication. Is this a proven method of proofing against side channel attacks? Or, why is it not popular, (given that all the three additional operations are light weight operations, compared to RSA decrypt)? – user13311 Oct 23 '18 at 21:53
  • @user13311: I suspect it's not common, because it doesn't protect the right thing. RSA blinding protects the data; however RSA side channel attacks more often attempt to recover the private exponent, and other than randomizing the data, blinding doesn't do anything to protect that – poncho Oct 24 '18 at 15:27