From 5172adc35ef2eae3d9c7bfd61485794cd6893295 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Thu, 31 Jan 2013 21:04:06 +0100
Subject: [PATCH] nettle_mpz_random: Increased number of extra bits to 64,
 following FIPS 186-3.

---
 ChangeLog       | 5 +++++
 bignum-random.c | 5 +++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 90e25e94..c08d7bcb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2013-01-31  Niels Möller  <nisse@lysator.liu.se>
+
+	* bignum-random.c (nettle_mpz_random): Increased number of extra
+	bits to 64, following FIPS 186-3.
+
 2013-01-12  Niels Möller  <nisse@lysator.liu.se>
 
 	* configure.ac: Use AC_LANG_SOURCE.
diff --git a/bignum-random.c b/bignum-random.c
index ab8c4f14..f305f040 100644
--- a/bignum-random.c
+++ b/bignum-random.c
@@ -75,11 +75,12 @@ nettle_mpz_random(mpz_t x,
    */
 
   /* Add a few bits extra, to decrease the bias from the final modulo
-   * operation. */
+   * operation. NIST FIPS 186-3 specifies 64 extra bits, for use with
+   * DSA. */
 
   nettle_mpz_random_size(x, 
 			 ctx, random,
-			 mpz_sizeinbase(n, 2) + 16);
+			 mpz_sizeinbase(n, 2) + 64);
   
   mpz_fdiv_r(x, x, n);
 }
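Review bot: The new comment at the top of the hunk names the standard but not what the 64 extra bits actually buy, which is the number a caller needs when deciding whether this is acceptable for a secret such as a DSA nonce; I would state the bound explicitly, e.g. `/* Draw 64 bits more than n needs, as in the FIPS 186-3 "extra random bits" method, so the bias from the final reduction mod n is at most about 2^-64 (the result is close to, not exactly, uniform). */`. It is also worth saying that `mpz_fdiv_r` leaves the result in [0, n), so a caller wanting the DSA ranges [1, q-1] must reduce mod n-1 and add 1 itself, since nothing here does that. The enclosing nettle_mpz_random starts above the hunk, so I have not seen its header comment; if that already documents the output range, the second point can be dropped.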
-- 
GitLab