bignum-random.c 2.57 KB
Newer Older
Niels Möller's avatar
Niels Möller committed
1 2 3 4 5 6 7
/* bignum-random.c
 *
 * Generating big random numbers
 */

/* nettle, low-level cryptographics library
 *
Niels Möller's avatar
Niels Möller committed
8
 * Copyright (C) 2002 Niels Möller
Niels Möller's avatar
Niels Möller committed
9 10 11 12 13 14 15 16 17 18 19 20 21
 *  
 * The nettle library is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or (at your
 * option) any later version.
 * 
 * The nettle library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
 * License for more details.
 * 
 * You should have received a copy of the GNU Lesser General Public License
 * along with the nettle library; see the file COPYING.LIB.  If not, write to
22 23
 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 * MA 02111-1301, USA.
Niels Möller's avatar
Niels Möller committed
24 25 26
 */

#if HAVE_CONFIG_H
27
# include "config.h"
Niels Möller's avatar
Niels Möller committed
28 29 30 31
#endif

#include <stdlib.h>

32
#include "bignum.h"
33
#include "nettle-internal.h"
34

Niels Möller's avatar
Niels Möller committed
35 36
void
nettle_mpz_random_size(mpz_t x,
37
		       void *ctx, nettle_random_func *random,
Niels Möller's avatar
Niels Möller committed
38 39 40
		       unsigned bits)
{
  unsigned length = (bits + 7) / 8;
41
  TMP_DECL(data, uint8_t, NETTLE_MAX_BIGNUM_SIZE);
42
  TMP_ALLOC(data, length);
Niels Möller's avatar
Niels Möller committed
43 44 45

  random(ctx, length, data);

46
  nettle_mpz_set_str_256_u(x, length, data);
Niels Möller's avatar
Niels Möller committed
47 48 49 50 51

  if (bits % 8)
    mpz_fdiv_r_2exp(x, x, bits);
}

52
/* Returns a random number x, 0 <= x < n */
Niels Möller's avatar
Niels Möller committed
53 54
void
nettle_mpz_random(mpz_t x,
55
		  void *ctx, nettle_random_func *random,
Niels Möller's avatar
Niels Möller committed
56 57
		  const mpz_t n)
{
Niels Möller's avatar
Niels Möller committed
58 59
  /* NOTE: This leaves some bias, which may be bad for DSA. A better
   * way might be to generate a random number of mpz_sizeinbase(n, 2)
Niels Möller's avatar
Niels Möller committed
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85
   * bits, and loop until one smaller than n is found. */

  /* From Daniel Bleichenbacher (via coderpunks):
   *
   * There is still a theoretical attack possible with 8 extra bits.
   * But, the attack would need about 2^66 signatures 2^66 memory and
   * 2^66 time (if I remember that correctly). Compare that to DSA,
   * where the attack requires 2^22 signatures 2^40 memory and 2^64
   * time. And of course, the numbers above are not a real threat for
   * PGP. Using 16 extra bits (i.e. generating a 176 bit random number
   * and reducing it modulo q) will defeat even this theoretical
   * attack.
   * 
   * More generally log_2(q)/8 extra bits are enough to defeat my
   * attack. NIST also plans to update the standard.
   */

  /* Add a few bits extra, to decrease the bias from the final modulo
   * operation. */

  nettle_mpz_random_size(x, 
			 ctx, random,
			 mpz_sizeinbase(n, 2) + 16);
  
  mpz_fdiv_r(x, x, n);
}