

@itsalfredakku itsalfredakku commented Jan 9, 2026

This pull request introduces support for implicit rejection in PKCS#1 v1.5 RSA decryption to mitigate Bleichenbacher/Marvin timing attacks. The main change is the addition of a new feature, implicit-rejection, which uses a deterministic synthetic plaintext on padding errors, preventing attackers from distinguishing valid from invalid ciphertexts based on timing. This involves new cryptographic primitives, trait extensions, and key derivation logic, all gated behind the feature flag.

Implicit Rejection Feature for PKCS#1 v1.5 Decryption:

  • Added a new optional dependency on hmac and updated the feature set in Cargo.toml to support implicit-rejection, which also requires sha2.
  • Introduced the ImplicitRejectionDecryptor trait in src/traits/encryption.rs, providing methods for decryption with implicit rejection and optional blinding, along with documentation and feature gating.
  • Implemented the ImplicitRejectionDecryptor trait for DecryptingKey in src/pkcs1v15/decrypting_key.rs, enabling usage of the new decryption methods.
  • Added the implicit rejection PRF, key derivation, and unpadding logic to src/algorithms/pkcs1v15.rs, providing the cryptographic operations required for the new feature.
  • Re-exported the ImplicitRejectionDecryptor trait in src/traits.rs when the feature is enabled.

Ref: #626
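As an added illustration of the scheme this PR describes (example code written for this page, not code from the PR or the rsa crate; the derivation label, the counter-mode PRF layout and the synthetic-length rule are assumptions), the following Python shows the two halves of implicit rejection: a branch-free PKCS#1 v1.5 padding check that yields a mask rather than an error, and a mask-based selection between the real encoded message and a synthetic one derived with HMAC-SHA256 from a private-key-derived PRF key and the ciphertext, so the same invalid ciphertext always yields the same synthetic plaintext.

```python
import hashlib
import hmac

PRF_LABEL = b"pkcs1v15-implicit-rejection-example"   # constructed label, not the crate's

def derive_prf_key(private_key_material: bytes) -> bytes:
    """Per-key PRF key, so synthetic plaintexts differ between keys (assumed derivation)."""
    return hmac.new(private_key_material, PRF_LABEL, hashlib.sha256).digest()

def prf(key: bytes, ciphertext: bytes, n: int) -> bytes:
    """HMAC-SHA256 counter-mode PRF over the ciphertext, expanded to n bytes."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, ctr.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()
    return out[:n]

def check_pkcs1v15(em: bytes):
    """Branch-free type-2 padding check: (0xFF if valid else 0x00, separator index)."""
    bad = em[0] | (em[1] ^ 0x02)
    found, sep_idx = 0, 0                          # found becomes 0xFFFF after first 0x00
    for i in range(2, len(em)):
        is_zero = ((em[i] - 1) >> 8) & 0xFFFF       # 0xFFFF iff em[i] == 0
        sep_idx |= i & is_zero & ~found             # keep only the first zero's index
        found |= is_zero
    bad |= ~found & 0xFFFF                          # no separator at all
    bad |= ((sep_idx - 10) >> 16) & 0xFFFF          # fewer than 8 padding bytes
    return ((bad - 1) >> 16) & 0xFF, sep_idx

def decrypt_implicit_rejection(em: bytes, ciphertext: bytes, prf_key: bytes) -> bytes:
    """Real message on valid padding, else a deterministic synthetic one of PRF-chosen length."""
    k = len(em)
    seed = prf(prf_key, ciphertext, 2 + (k - 11) + (k - 3))
    synth_len = int.from_bytes(seed[:2], "big") % (k - 10)     # 0 .. k-11 (assumed rule)
    synth_msg = seed[2:2 + synth_len]
    ps = bytes(b | 0x01 for b in seed[k - 9:k - 9 + (k - 3 - synth_len)])  # non-zero PS
    synth_em = b"\x00\x02" + ps + b"\x00" + synth_msg          # well-formed, length k
    valid, _ = check_pkcs1v15(em)
    # Mask-select the encoded message; no branch on whether the real padding was valid.
    chosen = bytes((e & valid) | (s & (valid ^ 0xFF)) for e, s in zip(em, synth_em))
    _, sep_idx = check_pkcs1v15(chosen)
    return chosen[sep_idx + 1:]

# Constructed 32-byte encoded messages and a stand-in ciphertext (real RSA output would be em).
PRF_KEY = derive_prf_key(b"constructed private key material")
CT = bytes(range(32))
EM_GOOD = b"\x00\x02" + b"\x7f" * 23 + b"\x00" + b"secret"
EM_BAD_TYPE = b"\x00\x01" + EM_GOOD[2:]
```

Python gives no constant-time guarantee for its integer and bytes operations; the point is the mask-and-select structure, which the crate has to realise with genuinely constant-time Rust primitives.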

Copilot AI review requested due to automatic review settings January 9, 2026 22:01
Copilot AI left a comment

Pull request overview

This PR implements implicit rejection for PKCS#1 v1.5 RSA decryption to mitigate Bleichenbacher/Marvin timing attacks. Instead of returning errors on invalid padding (which leaks timing information), the implementation returns a deterministic synthetic plaintext derived from the ciphertext using an HMAC-SHA256-based PRF keyed by the private key. This prevents attackers from distinguishing valid from invalid ciphertexts based on timing or error responses.

Key changes:

  • Added new ImplicitRejectionDecryptor trait with methods for implicit rejection decryption with optional blinding
  • Implemented cryptographic primitives for key derivation and PRF-based synthetic plaintext generation
  • Added comprehensive test coverage for various edge cases and security properties

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 5 comments.

File Description
Cargo.toml Adds optional hmac dependency and new implicit-rejection feature flag
Cargo.lock Updates lock file with hmac dependency
src/traits/encryption.rs Defines ImplicitRejectionDecryptor trait with methods for constant-time decryption
src/traits.rs Re-exports the new trait when feature is enabled
src/pkcs1v15/decrypting_key.rs Implements ImplicitRejectionDecryptor trait for DecryptingKey
src/pkcs1v15.rs Adds decrypt_implicit_rejection function and comprehensive test suite
src/algorithms/pkcs1v15.rs Implements core cryptographic primitives: PRF, key derivation, and constant-time unpadding logic

@itsalfredakku itsalfredakku marked this pull request as draft January 10, 2026 05:01
@itsalfredakku itsalfredakku marked this pull request as ready for review January 10, 2026 05:38
itsalfredakku and others added 6 commits January 10, 2026 12:11
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Removed mention of the Marvin Attack vulnerability.