diff --git a/ChangeLog b/ChangeLog
index 90e25e943f5ba796e0f672df57e19b76ad9d85dc..c08d7bcb004d75b5f3777e39e90c66b47920c80c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2013-01-31  Niels Möller  <nisse@lysator.liu.se>
+
+	* bignum-random.c (nettle_mpz_random): Increased number of extra
+	bits to 64, following FIPS 186-3.
+
 2013-01-12  Niels Möller  <nisse@lysator.liu.se>
 
 	* configure.ac: Use AC_LANG_SOURCE.
diff --git a/bignum-random.c b/bignum-random.c
index ab8c4f148e48289c9f159546c2f2af0c115ed07a..f305f0404d6696b6c7ded05ca9bcaf91aeefd9f6 100644
--- a/bignum-random.c
+++ b/bignum-random.c
@@ -75,11 +75,12 @@ nettle_mpz_random(mpz_t x,
    */
 
   /* Add a few bits extra, to decrease the bias from the final modulo
-   * operation. */
+   * operation. NIST FIPS 186-3 specifies 64 extra bits, for use with
+   * DSA. */
 
   nettle_mpz_random_size(x, 
 			 ctx, random,
-			 mpz_sizeinbase(n, 2) + 16);
+			 mpz_sizeinbase(n, 2) + 64);
   
   mpz_fdiv_r(x, x, n);
 }