mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-07-16 18:47:32 -05:00
Rewrite invent_firstbits().
Instead of repeatedly looping on the random number generator until it comes up with two values that have a large enough product, the new version guarantees only one use of random numbers, by first counting up all the possible pairs of values that would work, and then inventing a single random number that's used as an index into that list.

I've done the selection from the list using constant-time techniques, not particularly because I think key generation can be made CT in general, but out of sheer habit after the last few months, and who knows, it _might_ be useful.

While I'm at it, I've also added an option to make sure the two firstbits values differ by at least a given value. For RSA, I set that value to 2, guaranteeing that even if the smaller prime has a very long string of 1 bits after the firstbits value and the larger has a long string of 0, they'll still have a relative difference of at least 2^{-12}.

Not that there was any serious chance of the primes having randomly ended up so close together as to make the key in danger of factoring, but it seems like a silly thing to leave out if I'm rewriting the function anyway.
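The count-then-index scheme the message describes, as an added illustration in C; this is not PuTTY's invent_firstbits() and the function names, the 12-bit width of the leading-bits values (chosen to match the 2^{-12} figure above; the hunk does not show it), the exact product criterion (any number starting with `one` times any number starting with `two` must keep its top bit set, i.e. one*two >= 2^(2*bits-1)), the enumeration order and the toy PRNG are all assumptions of this example:

```c
#include <stdint.h>
#include <stdio.h>

/* Branch-free helpers. Arguments stay below 2^31 so the subtraction's
 * top bit is a reliable sign bit. */
static uint32_t ct_ge(uint32_t a, uint32_t b)      /* 1 iff a >= b */
{
    return ((a - b) >> 31) ^ 1u;
}
static uint32_t ct_mask_eq(uint32_t a, uint32_t b) /* all-ones iff a == b */
{
    uint32_t x = a ^ b;
    return ((x | (0u - x)) >> 31) - 1u;
}

/* Criterion for a pair of leading-bit values, each `bits` wide with the top
 * bit set: the product of any p in [one, one+1) and q in [two, two+1) must
 * itself have its top bit set, i.e. one*two >= 2^(2*bits-1), and the two
 * values must differ by at least min_sep. Requires bits <= 15. */
static uint32_t pair_ok(uint32_t one, uint32_t two, unsigned bits, uint32_t min_sep)
{
    uint32_t product_min = 1u << (2 * bits - 1);
    uint32_t d = one - two;
    uint32_t neg = 0u - (d >> 31);        /* all-ones iff one < two */
    uint32_t diff = (d ^ neg) - neg;      /* |one - two| */
    return ct_ge(one * two, product_min) & ct_ge(diff, min_sep);
}

/* Pass 1: how many (one, two) pairs satisfy the criterion. */
uint32_t count_valid_pairs(unsigned bits, uint32_t min_sep)
{
    uint32_t lo = 1u << (bits - 1), hi = (1u << bits) - 1, n = 0;
    for (uint32_t one = lo; one <= hi; one++)
        for (uint32_t two = lo; two <= hi; two++)
            n += pair_ok(one, two, bits, min_sep);
    return n;
}

/* Pass 2: fetch the index-th valid pair in enumeration order. Every candidate
 * is visited and merged in under a mask, so the work done and the memory
 * touched do not depend on the (secret) index. */
void select_pair(unsigned bits, uint32_t min_sep, uint32_t index,
                 uint32_t *one_out, uint32_t *two_out)
{
    uint32_t lo = 1u << (bits - 1), hi = (1u << bits) - 1;
    uint32_t pos = 0, one_sel = 0, two_sel = 0;
    for (uint32_t one = lo; one <= hi; one++) {
        for (uint32_t two = lo; two <= hi; two++) {
            uint32_t ok = pair_ok(one, two, bits, min_sep);     /* 0 or 1 */
            uint32_t chosen = ct_mask_eq(pos, index) & (0u - ok);
            one_sel |= one & chosen;
            two_sel |= two & chosen;
            pos += ok;
        }
    }
    *one_out = one_sel;
    *two_out = two_sel;
}

/* Independent check of a result, written with ordinary branches. */
int firstbits_valid(uint32_t one, uint32_t two, unsigned bits, uint32_t min_sep)
{
    uint32_t diff = one > two ? one - two : two - one;
    return ((one * two) >> (2 * bits - 1)) == 1 && diff >= min_sep;
}

/* Toy xorshift PRNG standing in for the key generator's CSPRNG; it exists
 * only so the program runs deterministically and must never be used for
 * real keys. Seed is a constructed constant. */
static uint32_t toy_rng(void)
{
    static uint32_t s = 0x9E3779B9u;
    s ^= s << 13; s ^= s >> 17; s ^= s << 5;
    return s;
}

int main(void)
{
    const unsigned bits = 12;          /* ASSUMPTION: 12-bit firstbits */
    const uint32_t min_sep = 2;        /* the value rsa_generate() passes */
    uint32_t n = count_valid_pairs(bits, min_sep);
    /* Exactly one random draw. Reduced modulo n here for brevity; a real
     * generator draws a uniform index in [0, n), avoiding the modulo bias. */
    uint32_t idx = toy_rng() % n, one, two;
    select_pair(bits, min_sep, idx, &one, &two);
    printf("%u valid pairs; index %u -> one=%u two=%u valid=%d\n",
           n, idx, one, two, firstbits_valid(one, two, bits, min_sep));
    return 0;
}
```

The two passes walk the same candidate list in the same order, so the count from pass 1 is exactly the range of indices pass 2 understands; with a smaller width such as 4 bits the list is short enough to check by hand, which is how the separation rule can be verified to exclude every pair whose values differ by 0 or 1.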
@ -63,8 +63,14 @@ int rsa_generate(RSAKey *key, int bits, progfn_t pfn,
* and e to be coprime, and (q-1) and e to be coprime, but in
* general that's slightly more fiddly to arrange. By choosing
* a prime e, we can simplify the criterion.)
*
* We give a min_separation of 2 to invent_firstbits(), ensuring
* that the two primes won't be very close to each other. (The
* chance of them being _dangerously_ close is negligible - even
* more so than an attacker guessing a whole 256-bit session key -
* but it doesn't cost much to make sure.)
*/
invent_firstbits(&pfirst, &qfirst);
invent_firstbits(&pfirst, &qfirst, 2);
mp_int *p = primegen(bits / 2, RSA_EXPONENT, 1, NULL,
1, pfn, pfnparam, pfirst);
mp_int *q = primegen(bits - bits / 2, RSA_EXPONENT, 1, NULL,
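Review bot: the comment block above the `invent_firstbits(&pfirst, &qfirst, 2);` call should state what the new third argument is measured in. As written, "a min_separation of 2" reads like an absolute distance between p and q, whereas the commit message describes it as a minimum difference between the two firstbits values (a relative gap of about 2^-12); a reader of rsa_generate() cannot recover that from the call site or from the surrounding `primegen(bits / 2, ...)` / `primegen(bits - bits / 2, ...)` lines. Suggest adding a clause such as "(measured in units of the firstbits values, so a relative gap of roughly 2^-12)" to the comment, or documenting the parameter's unit next to invent_firstbits() itself.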