author | Peter Dettman <peter.dettman@bouncycastle.org> | 2014-04-16 17:30:50 +0700 |
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2014-04-16 17:30:50 +0700 |
commit | 0ef76b44b5df337a56f02b0bfa3ed6e3a73c6116 (patch) | |
tree | d9a31e381c97875c5fe1173dd97ca74fdf76422b | |
parent | Check for low-weight numbers in DH parameter generation and RSA key generation (diff) | |
Add low-weight guard to ECKeyPairGenerator
-rw-r--r-- | crypto/src/crypto/generators/ECKeyPairGenerator.cs | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/crypto/src/crypto/generators/ECKeyPairGenerator.cs b/crypto/src/crypto/generators/ECKeyPairGenerator.cs
index 301349a9b..6e777c74c 100644
--- a/crypto/src/crypto/generators/ECKeyPairGenerator.cs
+++ b/crypto/src/crypto/generators/ECKeyPairGenerator.cs
@@ -98,12 +98,26 @@ namespace Org.BouncyCastle.Crypto.Generators
 {
 BigInteger n = parameters.N;
 BigInteger d;
+ int minWeight = n.BitLength >> 2;
- do
+ for (;;)
 {
 d = new BigInteger(n.BitLength, random);
+
+ if (d.CompareTo(BigInteger.Two) < 0 || d.CompareTo(n) >= 0)
+ continue;
+
+ /*
+ * Require a minimum weight of the NAF representation, since low-weight primes may be
+ * weak against a version of the number-field-sieve for the discrete-logarithm-problem.
+ *
+ * See "The number field sieve for integers of low weight", Oliver Schirokauer.
+ */
+ if (WNafUtilities.GetNafWeight(d) < minWeight)
+ continue;
+
+ break;
 }
- while (d.SignValue == 0 || (d.CompareTo(n) >= 0));
 ECPoint q = CreateBasePointMultiplier().Multiply(parameters.G, d);
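Review bot: The rationale comment added above the NAF-weight check talks about "low-weight primes" being weak against the number-field sieve, but the value being filtered here is the EC private scalar d, which is not a prime and is not the subject of that attack, so the comment reads as copied from the DH/RSA guard named in the parent commit and will leave a reader unsure why the check applies. I would reword it to describe what the loop actually enforces, e.g. `* Reject private scalars d whose NAF weight is below a quarter of n's bit length, matching the low-weight guard applied in DH parameter and RSA key generation.`, and keep the Schirokauer reference only if the project intends it to cover scalars as well. The threshold `int minWeight = n.BitLength >> 2;` is otherwise an unexplained magic expression and deserves a one-line comment of its own, such as `// minimum acceptable NAF weight: one quarter of the bit length of the group order`. As a style point, the `for (;;)` with two `continue`s and a trailing `break` could be folded back into a single `do { ... } while (d.CompareTo(BigInteger.Two) < 0 || d.CompareTo(n) >= 0 || WNafUtilities.GetNafWeight(d) < minWeight);`, which keeps the accept/reject condition in one place. The enclosing GenerateKeyPair method begins before this hunk and continues past it.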