
mitigate timing side-channels in public key cryptography: use powm_sec instead of powm #24

hannesm opened this issue Mar 2, 2020 · 1 comment · Fixed by #30

Comments


hannesm commented Mar 2, 2020

RSA optionally uses blinding for mitigation, but DH and DSA do not.

Using powm_sec should be done carefully, since it is different from powm:

  • raises an exception if the exponent is negative or zero
  • raises an exception if the modulus is even

there are several ways forward:

  • document exceptions potentially raised
  • validate input before passing it to powm_sec to avoid exceptions
  • surround with try .. catch

other questions

  • are blinding and powm_sec orthogonal? does it make sense to use both? (@hannesm thinks not since both attempt to mitigate the same issue)
    • after more reading, blinding modifies c (in c ^ d mod n) by multiplication and thus prevents timing information of the reduction to leak secret data
    • powm_sec is concerned about the exponent d
  • should powm_sec be used for public data (i.e. verification, c ^ e mod n), @cfcs mentions "c may be private", reference needed
@hannesm hannesm added the security relevant for security label Mar 2, 2020
@hannesm hannesm changed the title use powm_sec instead of powm to mitigate timing side channels mitigate timind side-channels in public key cryptography: use powm_sec instead of powm Mar 2, 2020
@hannesm hannesm changed the title mitigate timind side-channels in public key cryptography: use powm_sec instead of powm mitigate timing side-channels in public key cryptography: use powm_sec instead of powm Mar 6, 2020

hannesm commented Mar 6, 2020

For a little bit more background on powm_sec, this paper is worth reading, including motivation and some benchmarks (performance drop ~20%). I still don't think that for public key encryption (c = m ^ e mod n) we should use powm_sec since e and n are public.

Another very interesting thread is on the nettle list from 2016, starting with https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html that are basically in the same situation as mirage-crypto. TL;DR: check your inputs, use powm_sec, be aware that it won't save all your timing issues. For input validation, #28 is ready for review (I strongly believe once that is merged, we can more freely use powm_sec without fearing any exceptions (odd modulus, negative or zero exponent)).
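The "validate input before passing it to powm_sec" option from the first comment and the "check your inputs, use powm_sec" summary above, as an added example that is not mirage-crypto's code: a wrapper around Zarith's `Z.powm_sec` that rejects a non-positive exponent or an even modulus up front, so the constant-time path never raises. It assumes the Zarith library is available (module `Z`) and uses constructed toy DH parameters; `check_powm_sec_args`, `powm_sec_checked` and `dh_shared_secret` are names chosen here.

```ocaml
(* Added example, not mirage-crypto code. Assumes Zarith (module Z).
   Build: ocamlfind ocamlopt -package zarith -linkpkg powm_sec_checked.ml *)

(* Reasons a call to powm_sec would raise, reported as a value instead. *)
type rejection =
  | Exponent_not_positive   (* powm_sec requires exp > 0 *)
  | Modulus_even            (* powm_sec requires an odd modulus *)

(* Preconditions of Z.powm_sec, checked before the call rather than
   caught afterwards with try ... with. *)
let check_powm_sec_args ~exp ~modulus =
  if Z.sign exp <= 0 then Error Exponent_not_positive
  else if Z.is_even modulus then Error Modulus_even
  else Ok ()

(* Constant-time modular exponentiation for a *secret* exponent. *)
let powm_sec_checked ~base ~exp ~modulus =
  match check_powm_sec_args ~exp ~modulus with
  | Error e -> Error e
  | Ok () -> Ok (Z.powm_sec base exp modulus)

(* DH: the private exponent x in g^x mod p is the secret, so this is
   where powm_sec belongs. RSA public-key operations (m^e mod n) have a
   public e and n, and the thread argues plain powm is fine there. *)
let dh_shared_secret ~p ~peer_public ~priv =
  powm_sec_checked ~base:peer_public ~exp:priv ~modulus:p

let () =
  (* constructed toy parameters, not a real DH group *)
  let p = Z.of_int 23 and g = Z.of_int 5 in
  let a = Z.of_int 6 and b = Z.of_int 15 in
  let pub_a = Z.powm g a p and pub_b = Z.powm g b p in
  (match dh_shared_secret ~p ~peer_public:pub_b ~priv:a,
         dh_shared_secret ~p ~peer_public:pub_a ~priv:b with
   | Ok s1, Ok s2 ->
     assert (Z.equal s1 s2);
     Printf.printf "shared secret = %s\n" (Z.to_string s1)
   | _ -> prerr_endline "unexpected rejection");
  (* an even modulus is refused before powm_sec gets a chance to raise *)
  match powm_sec_checked ~base:g ~exp:a ~modulus:(Z.of_int 24) with
  | Error Modulus_even -> print_endline "even modulus rejected up front"
  | _ -> assert false
```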
