bignum-random.c 2.49 KB
Newer Older
Niels Möller's avatar
Niels Möller committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
/* bignum-random.c
 *
 * Generating big random numbers
 */

/* nettle, low-level cryptographics library
 *
 * Copyright (C) 2002 Niels Möller
 *  
 * The nettle library is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or (at your
 * option) any later version.
 * 
 * The nettle library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
 * License for more details.
 * 
 * You should have received a copy of the GNU Lesser General Public License
 * along with the nettle library; see the file COPYING.LIB.  If not, write to
 * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

#if HAVE_CONFIG_H
27
# include "config.h"
Niels Möller's avatar
Niels Möller committed
28 29 30 31 32 33
#endif

#if HAVE_LIBGMP

#include <stdlib.h>

34 35
#include "bignum.h"

Niels Möller's avatar
Niels Möller committed
36 37 38 39 40 41 42 43 44 45
void
nettle_mpz_random_size(mpz_t x,
		       void *ctx, nettle_random_func random,
		       unsigned bits)
{
  unsigned length = (bits + 7) / 8;
  uint8_t *data = alloca(length);

  random(ctx, length, data);

46
  nettle_mpz_set_str_256_u(x, length, data);
Niels Möller's avatar
Niels Möller committed
47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86

  if (bits % 8)
    mpz_fdiv_r_2exp(x, x, bits);
}

void
nettle_mpz_random(mpz_t x,
		  void *ctx, nettle_random_func random,
		  const mpz_t n)
{
  /* FIXME: This leaves some bias, which may be bad for DSA. A better
   * way might to generate a random number of mpz_sizeinbase(n, 2)
   * bits, and loop until one smaller than n is found. */

  /* From Daniel Bleichenbacher (via coderpunks):
   *
   * There is still a theoretical attack possible with 8 extra bits.
   * But, the attack would need about 2^66 signatures 2^66 memory and
   * 2^66 time (if I remember that correctly). Compare that to DSA,
   * where the attack requires 2^22 signatures 2^40 memory and 2^64
   * time. And of course, the numbers above are not a real threat for
   * PGP. Using 16 extra bits (i.e. generating a 176 bit random number
   * and reducing it modulo q) will defeat even this theoretical
   * attack.
   * 
   * More generally log_2(q)/8 extra bits are enough to defeat my
   * attack. NIST also plans to update the standard.
   */

  /* Add a few bits extra, to decrease the bias from the final modulo
   * operation. */

  nettle_mpz_random_size(x, 
			 ctx, random,
			 mpz_sizeinbase(n, 2) + 16);
  
  mpz_fdiv_r(x, x, n);
}

#endif /* HAVE_LIBGMP */