Use bounded exponentiation to improve encrypt/verify performance (#662)

Limit exponentiation to the bit length of e to reduce computation time. 
This is safe since e is public.

Improves encrypt/verify performance by over 2x on my laptop. 

rsa_2048_pkcsv1_encrypt time:   [17.822 µs 17.849 µs 17.877 µs]
                        change: [-80.899% -80.786% -80.697%] (p = 0.00 < 0.05)
                        Performance has improved.
rsa_4096_pkcsv1_encrypt time:   [149.74 µs 150.04 µs 150.37 µs]
                        change: [-63.132% -61.496% -60.140%] (p = 0.00 < 0.05)
                        Performance has improved.
                        
                        
aws_lc_rs_2048_pkcs1_encrypt
                        time:   [10.682 µs 10.714 µs 10.747 µs]
aws_lc_rs_4096_pkcs1_encrypt
                        time:   [31.771 µs 31.826 µs 31.879 µs]

Author: lubux

src/algorithms/rsa.rs

@@ -18,7 +18,8 @@ use crate::traits::keys::{PrivateKeyParts, PublicKeyParts};
 /// or signature scheme. See the [module-level documentation][crate::hazmat] for more information.
 #[inline]
 pub fn rsa_encrypt<K: PublicKeyParts>(key: &K, m: &BoxedUint) -> Result<BoxedUint> {
-    let res = pow_mod_params(m, key.e(), key.n_params());
+    let e = key.e();
+    let res = pow_mod_params_vartime_exp_bits(m, e, e.bits(), key.n_params());
     Ok(res)
 }
 
@@ -195,7 +196,8 @@ fn blind<R: TryCryptoRng + ?Sized, K: PublicKeyParts>(
 
     let blinded = {
         // r^e (mod n)
-        let mut rpowe = pow_mod_params(&r, key.e(), n_params);
+        let e = key.e();
+        let mut rpowe = pow_mod_params_vartime_exp_bits(&r, e, e.bits(), n_params);
         // c * r^e (mod n)
         let c = c.mul_mod(&rpowe, n_params.modulus().as_nz_ref());
         rpowe.zeroize();
@@ -234,6 +236,19 @@ fn pow_mod_params(base: &BoxedUint, exp: &BoxedUint, n_params: &BoxedMontyParams
     base.pow(exp).retrieve()
 }
 
+/// Computes `base.pow_mod(exp, n)` with a bounded exponent and precomputed `n_params`.
+///
+/// The exponent bit length `exp_bits` may be leaked in the time pattern.
+fn pow_mod_params_vartime_exp_bits(
+    base: &BoxedUint,
+    exp: &BoxedUint,
+    exp_bits: u32,
+    n_params: &BoxedMontyParams,
+) -> BoxedUint {
+    let base = reduce_vartime(base, n_params);
+    base.pow_bounded_exp(exp, exp_bits).retrieve()
+}
+
 fn reduce_vartime(n: &BoxedUint, p: &BoxedMontyParams) -> BoxedMontyForm {
     let modulus = p.modulus().as_nz_ref().clone();
     let n_reduced = n.rem_vartime(&modulus).resize_unchecked(p.bits_precision());