Struct ring::signature::RSASigningState
[−]
[src]
pub struct RSASigningState { /* fields omitted */ }State used for RSA Signing. Feature: rsa_signing.
Performance Considerations
Every time sign is called, some internal state is updated. Usually the
state update is relatively cheap, but the first time, and periodically, a
relatively expensive computation (computing the modular inverse of a random
number modulo the public key modulus, for blinding the RSA exponentiation)
will be done. Reusing the same RSASigningState when generating multiple
signatures improves the computational efficiency of signing by minimizing
the frequency of the expensive computations.
RSASigningState is not Sync; i.e. concurrent use of an sign() on the
same RSASigningState from multiple threads is not allowed. An
RSASigningState can be wrapped in a Mutex to be shared between threads;
this would maximize the computational efficiency (as explained above) and
minimizes memory usage, but it also minimizes concurrency because all the
calls to sign() would be serialized. To increases concurrency one could
create multiple RSASigningStates that share the same RSAKeyPair; the
number of RSASigningState in use at once determines the concurrency
factor. This increases memory usage, but only by a small amount, as each
RSASigningState is much smaller than the RSAKeyPair that they would
share. Using multiple RSASigningState per RSAKeyPair may also decrease
computational efficiency by increasing the frequency of the expensive
modular inversions; managing a pool of RSASigningStates in a
most-recently-used fashion would improve the computational efficiency.
Methods
impl RSASigningState[src]
fn new(key_pair: Arc<RSAKeyPair>) -> Result<Self, Unspecified>[src]
Construct an RSASigningState for the given RSAKeyPair.
fn key_pair(&self) -> &RSAKeyPair[src]
The RSAKeyPair. This can be used, for example, to access the key
pair's public key through the RSASigningState.
fn sign(
&mut self,
padding_alg: &'static RSAEncoding,
rng: &SecureRandom,
msg: &[u8],
signature: &mut [u8]
) -> Result<(), Unspecified>[src]
&mut self,
padding_alg: &'static RSAEncoding,
rng: &SecureRandom,
msg: &[u8],
signature: &mut [u8]
) -> Result<(), Unspecified>
Sign msg. msg is digested using the digest algorithm from
padding_alg and the digest is then padded using the padding algorithm
from padding_alg. The signature it written into signature;
signature's length must be exactly the length returned by
public_modulus_len(). rng is used for blinding the message during
signing, to mitigate some side-channel (e.g. timing) attacks.
Many other crypto libraries have signing functions that takes a
precomputed digest as input, instead of the message to digest. This
function does not take a precomputed digest; instead, sign
calculates the digest itself.
Lots of effort has been made to make the signing operations close to constant time to protect the private key from side channel attacks. On x86-64, this is done pretty well, but not perfectly. On other platforms, it is done less perfectly. To help mitigate the current imperfections, and for defense-in-depth, base blinding is always done. Exponent blinding is not done, but it may be done in the future.