Set of blinding parameters for a given RSA key. The RSA modulus is usually unique, so we index by modulus in blindingCache. However, to protect against the unlikely case of two keys sharing the same modulus, we also store the public or the private exponent. This means we cannot cache blinding parameters for multiple keys that share the same modulus, but since sharing moduli is fundamentally broken and insecure, this does not matter.

Parameters (u,v) for RSA Blinding. This is described in the RSA Bulletin#2 (Jan 96) and other places: ftp://ftp.rsa.com/pub/pdfs/bull-2.pdf The standard RSA Blinding decryption requires the public key exponent (e) and modulus (n), and converts ciphertext (c) to plaintext (p). Before the modular exponentiation operation, the input message should be multiplied by (u (mod n)), and afterward the result is corrected by multiplying with (v (mod n)). The system should reject messages equal to (0 (mod n)). That is: 1. Generate r between 0 and n-1, relatively prime to n. 2. Compute x = (c*u) mod n 3. Compute y = (x^d) mod n 4. Compute p = (y*v) mod n The Java APIs allows for either standard RSAPrivateKey or RSAPrivateCrtKey RSA keys. If the public exponent is available to us (e.g. RSAPrivateCrtKey), choose a random r, then let (u, v): u = r ^ e mod n v = r ^ (-1) mod n The proof follows: p = (((c * u) ^ d mod n) * v) mod n = ((c ^ d) * (u ^ d) * v) mod n = ((c ^ d) * (r ^ e) ^ d) * (r ^ (-1))) mod n = ((c ^ d) * (r ^ (e * d)) * (r ^ (-1))) mod n = ((c ^ d) * (r ^ 1) * (r ^ (-1))) mod n (see below) = (c ^ d) mod n because in RSA cryptosystem, d is the multiplicative inverse of e: (r^(e * d)) mod n = (r ^ 1) mod n = r mod n However, if the public exponent is not available (e.g. RSAPrivateKey), we mitigate the timing issue by using a similar random number blinding approach using the private key: u = r v = ((r ^ (-1)) ^ d) mod n This returns the same plaintext because: p = (((c * u) ^ d mod n) * v) mod n = ((c ^ d) * (u ^ d) * v) mod n = ((c ^ d) * (u ^ d) * ((u ^ (-1)) ^d)) mod n = (c ^ d) mod n Computing inverses mod n and random number generation is slow, so it is often not practical to generate a new random (u, v) pair for each new exponentiation. The calculation of parameters might even be subject to timing attacks. However, (u, v) pairs should not be reused since they themselves might be compromised by timing attacks, leaving the private exponent vulnerable. An efficient solution to this problem is update u and v before each modular exponentiation step by computing: u = u ^ 2 v = v ^ 2 The total performance cost is small.