RSA core operations (RFC 8017 / PKCS#1 v2.2): key generation, raw encrypt / decrypt with the Chinese Remainder Theorem (CRT).
Supports key sizes from 1024 to 4096 bits (tested values
1024 / 2048 / 3072 / 4096). Arbitrary widths are supported by
the super::bigint::BigInt arithmetic but keygen above ~4096
bits gets impractical with the current schoolbook multiplier.
§Side-channel posture
This module is the highest-priority evaluation gap on the classical side as of 2026-04-21:
| Threat | Status | Roadmap item |
|---|---|---|
| Bellcore single-fault on RSA-CRT | vulnerable | T1-C — Aumüller 2002, formally verified Rauzy-Guilley |
| SPA on modular exponentiation | partial | T1-E — bigint CT audit + black_box shielding |
| DPA on Montgomery multiplication | vulnerable | T2-I — message blinding (Coron 1999) |
| Timing on bigint operations | partial | T1-E |
| Padding-oracle (PKCS#1 v1.5) | partial | T2-J — RFC 8017 §7.2.2 CT padding-oracle handling |
The Bellcore attack (Boneh-DeMillo-Lipton 1997 → JoC 2001)
computes gcd(N, S - S') where S' is a CRT-faulted
signature: a single fault on either half-exponentiation
reveals p or q, which factors N and recovers the entire
secret key. Equipment cost: ~1 k€ for a ChipWhisperer voltage
glitcher, days of bench time for a skilled operator.
Aumüller’s countermeasure resists all single-fault attacks
under the formal model of rauzy2013_formal_crt_rsa.
See arcana/doc/sca/countermeasures/rsa.rst for the full
threat model, the implementation route for each item, and the
published references.
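The gcd(N, S - S') relation above, worked through as an added example (not code from this crate). The primes, exponents and the `fault_p` switch are toy values constructed for illustration, and the guard shown is a plain verify-before-release check, not Aumüller's countermeasure.

```rust
// Toy RSA-CRT parameters, constructed for illustration only.
const P: u64 = 61;
const Q: u64 = 53;
const N: u64 = P * Q; // 3233
const E: u64 = 17;
const D: u64 = 2753; // E * D = 1 mod (P-1)(Q-1)

fn mod_pow(mut b: u64, mut e: u64, m: u64) -> u64 {
    let mut acc = 1 % m;
    b %= m;
    while e > 0 {
        if e & 1 == 1 { acc = acc * b % m; }
        b = b * b % m;
        e >>= 1;
    }
    acc
}

fn gcd(mut a: u64, mut b: u64) -> u64 {
    while b != 0 { let t = a % b; a = b; b = t; }
    a
}

/// CRT private-key operation with Garner recombination. `fault_p` (hypothetical
/// switch) models one corrupted result in the mod-p half-exponentiation.
fn crt_private(m: u64, fault_p: bool) -> u64 {
    let mut sp = mod_pow(m, D % (P - 1), P);
    let sq = mod_pow(m, D % (Q - 1), Q);
    if fault_p { sp = (sp + 1) % P; }
    let q_inv = mod_pow(Q, P - 2, P); // Fermat inverse, valid because P is prime
    let h = q_inv * ((sp + P - sq % P) % P) % P;
    sq + h * Q
}

/// Release the result only if it verifies under the public exponent.
fn crt_private_checked(m: u64, fault_p: bool) -> Option<u64> {
    let s = crt_private(m, fault_p);
    if mod_pow(s, E, N) == m % N { Some(s) } else { None }
}

fn main() {
    let m = 65;
    let (good, bad) = (crt_private(m, false), crt_private(m, true));
    // The faulted result still agrees with the good one mod Q, so the gcd is Q.
    println!("gcd(N, S - S') = {}", gcd(N, good.abs_diff(bad)));
    println!("checked, no fault: {:?}", crt_private_checked(m, false));
    println!("checked, fault:    {:?}", crt_private_checked(m, true));
}
```

The faulted output is withheld because x -> x^E is a bijection mod P, so a wrong mod-P half can never re-encrypt to the original input.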
§Zeroize-on-Drop
RsaSecretKey currently does not implement Drop with
silentops::ct_zeroize. Callers handling an RsaSecretKey
must zeroize the underlying BigInt storage explicitly when
it leaves scope. Roadmap item T2-E.
Structs§
- RsaPublicKey - RSA public key.
- RsaSecretKey - RSA secret key with CRT components.
Functions§
- rsa_decrypt_raw - Raw RSA decryption with the Chinese Remainder Theorem: computes c^d mod n via the CRT half-exponentiations
- rsa_encrypt_raw - Raw RSA encryption: m^e mod n.
- rsa_keygen - Generate an RSA key pair of the given bit size.