Use variable-time inversion in blind()

Author: fjarri

src/algorithms/rsa.rs

@@ -3,7 +3,7 @@
 use core::cmp::Ordering;
 
 use crypto_bigint::modular::{BoxedMontyForm, BoxedMontyParams};
-use crypto_bigint::{BoxedUint, Gcd, NonZero, Odd, RandomMod};
+use crypto_bigint::{BoxedUint, Gcd, Inverter, NonZero, Odd, PrecomputeInverter, RandomMod};
 use rand_core::TryCryptoRng;
 use zeroize::Zeroize;
 
@@ -200,14 +200,20 @@ fn blind<R: TryCryptoRng + ?Sized, K: PublicKeyParts>(
 
     let mut r: BoxedUint = BoxedUint::one_with_precision(bits);
     let mut ir: Option<BoxedUint> = None;
+
+    // TODO: may be included into the precomputed values.
+    let inverter = Odd::new(key.n().as_ref().clone())
+        .unwrap()
+        .precompute_inverter();
+
     while ir.is_none() {
         r = BoxedUint::try_random_mod(rng, key.n()).map_err(|_| Error::Rng)?;
         if r.is_zero().into() {
             r = BoxedUint::one_with_precision(bits);
         }
 
         // r^-1 (mod n)
-        ir = r.inv_mod(key.n()).into();
+        ir = inverter.invert_vartime(&r).into();
     }
 
     let blinded = {