AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove bias in EC private key generation

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2014-01-03 12:35:05 +01:00
parent 217a29c844
commit 79f73b96d9
1 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
library/ecp.c
View File

@ -1771,17 +1771,26 @@ int ecp_gen_keypair( ecp_group *grp, mpi *d, ecp_point *Q,
{ {
/* SEC1 3.2.1: Generate d such that 1 <= n < N */ /* SEC1 3.2.1: Generate d such that 1 <= n < N */
int count = 0; int count = 0;
unsigned char rnd[POLARSSL_ECP_MAX_BYTES];
/*
* Match the procedure given in RFC 6979 (deterministic ECDSA):
* - use the same byte ordering;
* - keep the leftmost nbits bits of the generated octet string;
* - try until result is in the desired range.
* This also avoids any biais, which is especially important for ECDSA.
*/
do do
{ {
mpi_fill_random( d, n_size, f_rng, p_rng ); f_rng( p_rng, rnd, n_size );
mpi_read_binary( d, rnd, n_size );
while( mpi_cmp_mpi( d, &grp->N ) >= 0 ) mpi_shift_r( d, 8 * n_size - grp->nbits );
mpi_shift_r( d, 1 );
if( count++ > 10 ) if( count++ > 10 )
return( POLARSSL_ERR_ECP_RANDOM_FAILED ); return( POLARSSL_ERR_ECP_RANDOM_FAILED );
} }
while( mpi_cmp_int( d, 1 ) < 0 ); while( mpi_cmp_int( d, 1 ) < 0 ||
mpi_cmp_mpi( d, &grp->N ) >= 0 );
} }
else else
#endif #endif