Add low-weight guard to ECKeyPairGenerator

1 files changed, 16 insertions, 2 deletions

diff --git a/crypto/src/crypto/generators/ECKeyPairGenerator.cs b/crypto/src/crypto/generators/ECKeyPairGenerator.cs
index 301349a9b..6e777c74c 100644
--- a/crypto/src/crypto/generators/ECKeyPairGenerator.cs
+++ b/crypto/src/crypto/generators/ECKeyPairGenerator.cs
@@ -98,12 +98,26 @@ namespace Org.BouncyCastle.Crypto.Generators
         {
             BigInteger n = parameters.N;
             BigInteger d;
+            int minWeight = n.BitLength >> 2;
 
-            do
+            for (;;)
             {
                 d = new BigInteger(n.BitLength, random);
+
+                if (d.CompareTo(BigInteger.Two) < 0 || d.CompareTo(n) >= 0)
+                    continue;
+
+                /*
+                 * Require a minimum weight of the NAF representation, since low-weight primes may be
+                 * weak against a version of the number-field-sieve for the discrete-logarithm-problem.
+                 * 
+                 * See "The number field sieve for integers of low weight", Oliver Schirokauer.
+                 */
+                if (WNafUtilities.GetNafWeight(d) < minWeight)
+                    continue;
+
+                break;
             }
-            while (d.SignValue == 0 || (d.CompareTo(n) >= 0));
 
             ECPoint q = CreateBasePointMultiplier().Multiply(parameters.G, d);