diff --git a/ChangeLog b/ChangeLog
index 2d17fbf5f37b6d923d597a6ce82c2a11f163ea57..60e75ba106311cb53184c932a22e0b8231d4d0c2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2018-11-25  Niels Möller  <nisse@lysator.liu.se>
 
+	* rsa-decrypt-tr.c (rsa_decrypt_tr): Use
+	NETTLE_OCTET_SIZE_TO_LIMB_SIZE.
+
 	* testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Tweak
 	valgrind marking, and document potential leakage of lowest and
 	highest bits of p and q.
diff --git a/rsa-decrypt-tr.c b/rsa-decrypt-tr.c
index dc47f8fb3d74235934f6d92fff38baee159d6aea..8fbe847e4ea0d25db21b6d3bddcb4d513226d98d 100644
--- a/rsa-decrypt-tr.c
+++ b/rsa-decrypt-tr.c
@@ -49,16 +49,19 @@ rsa_decrypt_tr(const struct rsa_public_key *pub,
 {
   TMP_GMP_DECL (m, mp_limb_t);
   TMP_GMP_DECL (em, uint8_t);
+  mp_size_t key_limb_size;
   int res;
 
-  TMP_GMP_ALLOC (m, mpz_size(pub->n));
+  key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
+
+  TMP_GMP_ALLOC (m, key_limb_size);
   TMP_GMP_ALLOC (em, key->size);
 
   res = rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
                                  mpz_limbs_read(gibberish),
                                  mpz_size(gibberish));
 
-  mpn_get_base256 (em, key->size, m, mpz_size(pub->n));
+  mpn_get_base256 (em, key->size, m, key_limb_size);
 
   res &= _pkcs1_sec_decrypt_variable (length, message, key->size, em);