LSH / lsh / Commits / 1859cd02
Commit 1859cd02 authored Feb 19, 2001 by Niels Möller
*** empty log message ***
Rev: src/bignum.c:1.18
parent ec570fe1
Changes 1
src/bignum.c
@@ -242,6 +242,21 @@ bignum_random(mpz_t x, struct randomness *random, mpz_t n)
* way might to generate a random number of mpz_sizeinbase(n, 2)
* bits, and loop until one smaller than n is found. */
/* From Daniel Bleichenbacher (via coderpunks):
*
* There is still a theoretical attack possible with 8 extra bits.
* But, the attack would need about 2^66 signatures 2^66 memory and
* 2^66 time (if I remember that correctly). Compare that to DSA,
* where the attack requires 2^22 signatures 2^40 memory and 2^64
* time. And of course, the numbers above are not a real threat for
* PGP. Using 16 extra bits (i.e. generating a 176 bit random number
* and reducing it modulo q) will defeat even this theoretical
* attack.
*
* More generally log_2(q)/8 extra bits are enoug to defeat my
* attack. NIST also plans to update the standard.
*/
/* Add a few bits extra, to decrease the bias from the final modulo
* operation. */
bignum_random_size
(
x
,
random
,
mpz_sizeinbase
(
n
,
2
)
+
10
);
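Review bot: the extra-bit margin passed to bignum_random_size does not match the recommendation quoted directly above it. The new comment states that `log_2(q)/8` extra bits are enough to defeat the modulo-bias attack and that 16 extra bits (a 176-bit random number reduced modulo a 160-bit q) defeats even the theoretical attack, while 8 extra bits still leaves a 2^66 attack; the call, however, reads `mpz_sizeinbase(n, 2) + 10`, i.e. only 10 extra bits, which the same comment places between the still-attackable and the safe case. Suggest deriving the margin from the modulus size, e.g. `mpz_sizeinbase(n, 2) + mpz_sizeinbase(n, 2) / 8` (20 extra bits for a 160-bit n), or at minimum 16, and extending the `/* Add a few bits extra ... */` comment to say why the chosen constant is sufficient rather than leaving the reader to reconcile it with the quoted numbers. Minor: "enoug" in the quoted text should read "enough".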