mirror of
https://github.com/golang/go
synced 2024-09-29 22:24:33 -06:00
crypto/elliptic: resample private keys if out of range.
The orders of the curves in crypto/elliptic are all very close to a power of two. None the less, there is a tiny bias in the private key selection. This change makes the distribution uniform by resampling in the case that a private key is >= to the order of the curve. (It also switches from using BitSize to Params().N.BitLen() because, although they're the same value here, the latter is technically the correct thing to do.) The private key sampling and nonce sampling in crypto/ecdsa don't have this issue. Fixes #11082. Change-Id: Ie2aad563209a529fa1cab522abaf5fd505c7269a Reviewed-on: https://go-review.googlesource.com/17460 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
This commit is contained in:
parent
aa487e66f8
commit
f740d717bd
@ -274,7 +274,8 @@ var mask = []byte{0xff, 0x1, 0x3, 0x7, 0xf, 0x1f, 0x3f, 0x7f}
|
||||
// GenerateKey returns a public/private key pair. The private key is
|
||||
// generated using the given reader, which must return random data.
|
||||
func GenerateKey(curve Curve, rand io.Reader) (priv []byte, x, y *big.Int, err error) {
|
||||
bitSize := curve.Params().BitSize
|
||||
N := curve.Params().N
|
||||
bitSize := N.BitLen()
|
||||
byteLen := (bitSize + 7) >> 3
|
||||
priv = make([]byte, byteLen)
|
||||
|
||||
@ -289,6 +290,12 @@ func GenerateKey(curve Curve, rand io.Reader) (priv []byte, x, y *big.Int, err e
|
||||
// This is because, in tests, rand will return all zeros and we don't
|
||||
// want to get the point at infinity and loop forever.
|
||||
priv[1] ^= 0x42
|
||||
|
||||
// If the scalar is out of range, sample another random number.
|
||||
if new(big.Int).SetBytes(priv).Cmp(N) >= 0 {
|
||||
continue
|
||||
}
|
||||
|
||||
x, y = curve.ScalarBaseMult(priv)
|
||||
}
|
||||
return
|
||||
|
Loading…
Reference in New Issue
Block a user