Sign function should call decryption primitive

[myheroyuki]

I was looking through the RSA key code while working on a multiprime addition and noticed two functions called blinded_encrypt and blinded_decrypt. I looked at where they were used and it turns out that the sign function is calling the blinded_encrypt. This is backwards! The RSA RFC says the signing primitive should be identical to the decryption primitive, so we should call blinded_decrypt there instead like we do in the encryption function. In fact, we have no need for a blinded_encrypt function, and by switching over we will improve the speed of signing.

[sybrenstuvel]

Great find!

Do you have a link for me to follow & read more about this? That'll make this change easier to document as well, as I do want to have such a link to an authoritative source for the changelog anyway.

[myheroyuki]

I sourced my suggestion from RFC 8017 "PKCS#1: RSA Cryptography Specifications Version 2.2."
From the end of section 5.2. "Signature and Verification Primitives":

The main mathematical operation in each primitive is exponentiation,
as in the encryption and decryption primitives of Section 5.1.
RSASP1 and RSAVP1 are the same as RSADP and RSAEP except for the
names of their input and output arguments; they are distinguished as
they are intended for different purposes.