[Crypto] RSA blinding

What if you want to compute some data on remote server/cloud, but you don't trust sysadmins? Can you encrypt your data, compute something on remote server, download it and decrypt?

This is what is called homomorphic encryption. Not practical (yet?)

One little-known fact about RSA is that it's homomorphic if you use only modular multiplication operation. Say, you have two messages: m1 and m2. You encrypt m1*m2. Result is actually c1*c2. For more RSA theory, see my book.

Now imagine you have a server that can decrypt data using RSA. But you don't want the server to know plaintext. How it is this possible? Compute random 'blinding factor'. Multiply ciphertext by it. Send the product to the server. Get the result and divide it by 'blinding factor'. All this I've shown in this Jupyter notebook.

Why would you do this in practice? There is one reason, actually. Decryption happens using 'power' function. Which is susceptible to 'timing attacks'. So it's recommended to use blinding. Using 'random blinding factor', timing each time would be different.

It's so important so that OpenSSL use RSA blinding by default: 1, 2.

(the post first published at 20230122.)


List of my other blog posts.

Yes, I know about these lousy Disqus ads. Please use adblocker. I would consider to subscribe to 'pro' version of Disqus if the signal/noise ratio in comments would be good enough.