diff options
author | Niels Möller <nisse@lysator.liu.se> | 2002-10-09 23:10:27 +0200 |
---|---|---|
committer | Niels Möller <nisse@lysator.liu.se> | 2002-10-09 23:10:27 +0200 |
commit | b25c45a35deac5334ce3a14e39d7ecda164a146f (patch) | |
tree | 314a7898a4615e14de20567cdac24b58987157d9 /bignum-random.c | |
parent | 2e69e26a5d4b0f6cc96dc0d069bebf0d4d4a01ea (diff) | |
download | nettle-b25c45a35deac5334ce3a14e39d7ecda164a146f.tar.gz |
* bignum-random.c: New file.
(nettle_mpz_random): New function.
(nettle_mpz_random_size): New function, renamed and moved here
from...
* rsa-keygen.c (bignum_random_size): ... here. Updated all
callers.
Rev: src/nettle/bignum-random.c:1.1
Rev: src/nettle/rsa-keygen.c:1.4
Diffstat (limited to 'bignum-random.c')
-rw-r--r-- | bignum-random.c | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/bignum-random.c b/bignum-random.c new file mode 100644 index 00000000..24dd7c21 --- /dev/null +++ b/bignum-random.c @@ -0,0 +1,86 @@ +/* bignum-random.c + * + * Generating big random numbers + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +#if HAVE_CONFIG_H +#include "config.h" +#endif + +#if HAVE_LIBGMP + +#include "bignum.h" + +#include <stdlib.h> + +void +nettle_mpz_random_size(mpz_t x, + void *ctx, nettle_random_func random, + unsigned bits) +{ + unsigned length = (bits + 7) / 8; + uint8_t *data = alloca(length); + + random(ctx, length, data); + + nettle_mpz_set_str_256(x, length, data); + + if (bits % 8) + mpz_fdiv_r_2exp(x, x, bits); +} + +void +nettle_mpz_random(mpz_t x, + void *ctx, nettle_random_func random, + const mpz_t n) +{ + /* FIXME: This leaves some bias, which may be bad for DSA. A better + * way might to generate a random number of mpz_sizeinbase(n, 2) + * bits, and loop until one smaller than n is found. */ + + /* From Daniel Bleichenbacher (via coderpunks): + * + * There is still a theoretical attack possible with 8 extra bits. + * But, the attack would need about 2^66 signatures 2^66 memory and + * 2^66 time (if I remember that correctly). Compare that to DSA, + * where the attack requires 2^22 signatures 2^40 memory and 2^64 + * time. And of course, the numbers above are not a real threat for + * PGP. Using 16 extra bits (i.e. generating a 176 bit random number + * and reducing it modulo q) will defeat even this theoretical + * attack. + * + * More generally log_2(q)/8 extra bits are enough to defeat my + * attack. NIST also plans to update the standard. + */ + + /* Add a few bits extra, to decrease the bias from the final modulo + * operation. */ + + nettle_mpz_random_size(x, + ctx, random, + mpz_sizeinbase(n, 2) + 16); + + mpz_fdiv_r(x, x, n); +} + +#endif /* HAVE_LIBGMP */ |