bignum-random.c 2.49 KB
Newer Older
Niels Möller's avatar
Niels Möller committed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
/* bignum-random.c
 *
 * Generating big random numbers
 */

/* nettle, low-level cryptographics library
 *
 * Copyright (C) 2002 Niels Möller
 *  
 * The nettle library is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or (at your
 * option) any later version.
 * 
 * The nettle library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
 * License for more details.
 * 
 * You should have received a copy of the GNU Lesser General Public License
 * along with the nettle library; see the file COPYING.LIB.  If not, write to
 * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

#if HAVE_CONFIG_H
27
# include "config.h"
Niels Möller's avatar
Niels Möller committed
28
29
30
31
32
33
#endif

#if HAVE_LIBGMP

#include <stdlib.h>

34
35
#include "bignum.h"

Niels Möller's avatar
Niels Möller committed
36
37
38
39
40
41
42
43
44
45
void
nettle_mpz_random_size(mpz_t x,
		       void *ctx, nettle_random_func random,
		       unsigned bits)
{
  unsigned length = (bits + 7) / 8;
  uint8_t *data = alloca(length);

  random(ctx, length, data);

46
  nettle_mpz_set_str_256_u(x, length, data);
Niels Möller's avatar
Niels Möller committed
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86

  if (bits % 8)
    mpz_fdiv_r_2exp(x, x, bits);
}

void
nettle_mpz_random(mpz_t x,
		  void *ctx, nettle_random_func random,
		  const mpz_t n)
{
  /* FIXME: This leaves some bias, which may be bad for DSA. A better
   * way might to generate a random number of mpz_sizeinbase(n, 2)
   * bits, and loop until one smaller than n is found. */

  /* From Daniel Bleichenbacher (via coderpunks):
   *
   * There is still a theoretical attack possible with 8 extra bits.
   * But, the attack would need about 2^66 signatures 2^66 memory and
   * 2^66 time (if I remember that correctly). Compare that to DSA,
   * where the attack requires 2^22 signatures 2^40 memory and 2^64
   * time. And of course, the numbers above are not a real threat for
   * PGP. Using 16 extra bits (i.e. generating a 176 bit random number
   * and reducing it modulo q) will defeat even this theoretical
   * attack.
   * 
   * More generally log_2(q)/8 extra bits are enough to defeat my
   * attack. NIST also plans to update the standard.
   */

  /* Add a few bits extra, to decrease the bias from the final modulo
   * operation. */

  nettle_mpz_random_size(x, 
			 ctx, random,
			 mpz_sizeinbase(n, 2) + 16);
  
  mpz_fdiv_r(x, x, n);
}

#endif /* HAVE_LIBGMP */