Function rsa_decrypt_raw

pub fn rsa_decrypt_raw(sk: &RsaSecretKey, c: &BigInt) -> BigInt

Raw RSA decryption with the Chinese Remainder Theorem: computes c^d mod n via the two half-size CRT exponentiations and Garner's recombination

  m_p = c^{dp} mod p,   m_q = c^{dq} mod q,
  m   = m_q + q * (qinv * (m_p - m_q) mod p)

⚠ Side-channel surface (evaluation-critical)

This is the function targeted by the Bellcore attack (Boneh-DeMillo-Lipton 1997): a single fault in either m_p or m_q produces a faulted signature S' such that gcd(n, S - S') reveals p or q, which factors n and breaks the key. Aumüller’s countermeasure (aumuller2002rsa_crt) is the standard fix and is NOT yet implemented in arcana — roadmap item T1-C (see arcana/doc/sca/countermeasures/rsa.rst).
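
The recombination above, together with the simplest fault countermeasure for it, as an added example that is not arcana's code: a toy RSA-CRT decryption over u128 (so it runs without a bigint crate) wrapped in a verify-before-release check that re-encrypts the CRT output under the public exponent and withholds it on mismatch. This is the re-encryption check, not Aumüller's scheme, and it assumes e is available to the decryption routine. The key (p = 61, q = 53, e = 17), the `ToyRsaSecretKey` type and the `simulated_fault` hook are this example's own constructions; the key is textbook-sized and not secure.

```rust
// Added example (not arcana's code): toy RSA-CRT in u128 with a
// re-encryption check that refuses to release a faulted result.
// Key material below is constructed for illustration and is NOT secure.

/// Modular multiplication; free of overflow as long as `m < 2^64`.
fn mul_mod(a: u128, b: u128, m: u128) -> u128 {
    (a % m) * (b % m) % m
}

/// Square-and-multiply exponentiation (not constant-time; cf. roadmap item T1-E).
fn pow_mod(base: u128, exp: u128, m: u128) -> u128 {
    let mut acc = 1 % m;
    let mut b = base % m;
    let mut e = exp;
    while e > 0 {
        if e & 1 == 1 {
            acc = mul_mod(acc, b, m);
        }
        b = mul_mod(b, b, m);
        e >>= 1;
    }
    acc
}

/// Modular inverse of `a` mod `m` via the extended Euclidean algorithm.
fn inv_mod(a: u128, m: u128) -> u128 {
    let (mut old_r, mut r) = (a as i128, m as i128);
    let (mut old_s, mut s) = (1i128, 0i128);
    while r != 0 {
        let quot = old_r / r;
        let next_r = old_r - quot * r;
        let next_s = old_s - quot * s;
        old_r = r;
        r = next_r;
        old_s = s;
        s = next_s;
    }
    assert_eq!(old_r, 1, "a and m must be coprime");
    old_s.rem_euclid(m as i128) as u128
}

/// Toy analogue of a CRT secret key (field names are this example's own).
pub struct ToyRsaSecretKey {
    pub p: u128,
    pub q: u128,
    pub dp: u128,
    pub dq: u128,
    pub qinv: u128,
    pub n: u128,
    pub e: u128,
}

impl ToyRsaSecretKey {
    pub fn from_primes(p: u128, q: u128, e: u128) -> Self {
        let phi = (p - 1) * (q - 1);
        let d = inv_mod(e, phi);
        ToyRsaSecretKey {
            p,
            q,
            dp: d % (p - 1),
            dq: d % (q - 1),
            qinv: inv_mod(q, p),
            n: p * q,
            e,
        }
    }
}

/// Unprotected CRT core: m_p = c^dp mod p, m_q = c^dq mod q,
/// m = m_q + q * (qinv * (m_p - m_q) mod p).
/// `simulated_fault` flips one bit of m_p to stand in for a glitch in the p-half.
pub fn crt_core(sk: &ToyRsaSecretKey, c: u128, simulated_fault: Option<u32>) -> u128 {
    let mut m_p = pow_mod(c, sk.dp, sk.p);
    if let Some(bit) = simulated_fault {
        m_p = (m_p ^ (1u128 << bit)) % sk.p;
    }
    let m_q = pow_mod(c, sk.dq, sk.q);
    // Keep the subtraction non-negative before reducing mod p.
    let diff = (m_p + sk.p - (m_q % sk.p)) % sk.p;
    let h = mul_mod(sk.qinv, diff, sk.p);
    m_q + sk.q * h
}

/// Hardened wrapper: recompute m^e mod n and release m only if it equals c.
/// A fault in either half makes the comparison fail, so no faulted value
/// ever leaves the function.
pub fn rsa_decrypt_checked(sk: &ToyRsaSecretKey, c: u128, simulated_fault: Option<u32>) -> Result<u128, &'static str> {
    let m = crt_core(sk, c, simulated_fault);
    if pow_mod(m, sk.e, sk.n) != c {
        return Err("CRT output failed re-encryption check; result withheld");
    }
    Ok(m)
}

fn main() {
    let sk = ToyRsaSecretKey::from_primes(61, 53, 17);
    let c = pow_mod(65, sk.e, sk.n); // constructed ciphertext of m = 65
    println!("clean:   {:?}", rsa_decrypt_checked(&sk, c, None));
    println!("faulted: {:?}", rsa_decrypt_checked(&sk, c, Some(0)));
}
```

The re-encryption check costs one public-exponent exponentiation per call, which is why Aumüller's scheme (cheaper checks inside the CRT itself, no dependence on e) is the roadmap target; either way the property to test is the same: a faulted half must never produce a released output. Note that a faulted m_p still agrees with the correct result modulo q, which is exactly what the unchecked `crt_core` leaks and what the wrapper suppresses.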

Additional gaps tracked in the same document:

  • T1-E: bigint CT audit (pow_mod, Montgomery multiply, cmp early-exit).
  • T2-I: message blinding (r^e * c) against DPA on the per-iteration Montgomery multiplications inside pow_mod.

Until these countermeasures land, this function should not be used in deployments where a level-2 (observational) or level-3 (active fault) attacker is in scope.