See commit d15a7f3 for the reason why.

Use as many constant-time comparisons as practical in the
`rsa.pkcs1.decrypt` function.

`cleartext.index(b'\x00', 2)` will still be non-constant-time. The
alternative would be to iterate over all the data byte by byte in
Python, which is several orders of magnitude slower. Given that a
perfect constant-time implementation is very hard or even impossible to
do in Python [1], I chose the more performant option here.

[1]: https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/

According to PKCS#1 v1.5, the padding should be at least 8 bytes long.
See https://tools.ietf.org/html/rfc8017#section-7.2.2 step 3 for more info.

Use `bytes.find()` instead of `bytes.index()`, as the former doesn't raise
an exception when the to-be-found byte doesn't exist.

Crypto length and blocksize are public info, so don't need side-channel
free comparison.

Store blinding factor + its inverse, so that they can be reused & updated
on every blinding operation. This avoids expensive computations.

The reuse of the previous blinding factor is done via squaring (mod n), as
per section 9 of 'A Timing Attack against RSA with the Chinese Remainder
Theorem' by Werner Schindler, https://tls.mbed.org/public/WSchindler-RSA_Timing_Attack.pdf

Strings need to be encoded into bytes before the RSA module can operate
on them.