NEWS for the Nettle 3.4.1 release
- This is a bugfix release.
+ This release fixes a few bugs, and makes the RSA private key
+ operations side channel silent. The RSA improvements are
+ contributed by Simo Sorce and Red Hat, and includes one new
+ public function.
+
+ All functions handling RSA private keys are now side-channel
+ silent, meaning that they try hard to avoid any branches or
+ memory accesses depending on secret data. This applies both to
+ the bignum calculations, which now use GMP's mpn_sec_* family
+ of functions, and the processing of pkcs#1 padding.
+
+ Nettle's ECC functions were already side-channel silent, while
+ the DSA functions still aren't. There's also one caveat
+ regarding the improved RSA functions: due to small table
+ lookups in relevant mpn_sec_* functions in GMP-6.1.2, the
+ lowest and highest few bits of the secret factors p and q may
+ leak. I'm not aware of any attacks on RSA where knowing a few
+ bits of the factors makes a significant difference. This leak
+ will likely be plugged in later GMP versions).
+
+ Changes in behavior:
+
+ * The old rsa_decrypt_tr may now clobber all of the provided
+ message buffer, independent of the actual message length. It
+ is side-channel silent, in that branches and memory accesses
+ don't depend on the validity or length of the message.
+ Side-channel leakage from the caller's use of length and
+ return value may still provide an oracle useable for a
+ Bleichenbacher-style chosen ciphertext attack. Which is why
+ the new function rsa_sec_decrypt, see below, is recommended.
+
+ New features:
+
+ * New function rsa_sec_decrypt. It differs from rsa_decrypt_tr
+ in that the length of the decrypted message is given a
+ priori, and pkcs#1 padding indicating a different length is
+ treated as an error. For applications that may be subject to
+ chosen ciphertext attacks, it is recommended to initialize
+ the message area with random data, call this function, and
+ ignore the return value. This applies in particular to
+ RSA-based key exchange in the TLS protocol.
Bug fixes:
This release fixes a couple of bugs, and improves resistance
to side-channel attacks on RSA and DSA private key operations.
- Changes in behavoir:
+ Changes in behavior:
* Invalid private RSA keys, with an even modulo, are now
rejected by rsa_private_key_prepare. (Earlier versions
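Review bot: after this change the NEWS text carries two "Changes in behavior:" headings (the new one introduced above the rsa_decrypt_tr item, and the existing one whose spelling is corrected below), and the unchanged summary "This release fixes a couple of bugs, and improves resistance to side-channel attacks on RSA and DSA private key operations." now contradicts the new paragraph saying that the DSA functions still aren't side-channel silent; drop that old summary sentence (it also sits oddly as prose directly under "Bug fixes:") and move the existing item about rejecting RSA keys with an even modulo under the single new "Changes in behavior:" heading. Smaller points in the added text: "The RSA improvements are contributed by Simo Sorce and Red Hat, and includes one new public function." should read "include"; the GMP caveat paragraph ends with an unmatched closing parenthesis in "later GMP versions)."; "Which is why the new function rsa_sec_decrypt, see below, is recommended." is a fragment and reads better joined to the preceding sentence (", which is why ..."); and the padding scheme is written "pkcs#1" twice where "PKCS#1" is the usual form.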