src/crypto · f740d717bd31e1a4b8281072b5cb3dfeb26f3273 · go / golang

crypto/elliptic: resample private keys if out of range. · f740d717

Adam Langley authored Dec 04, 2015

The orders of the curves in crypto/elliptic are all very close to a
power of two. None the less, there is a tiny bias in the private key
selection.

This change makes the distribution uniform by resampling in the case
that a private key is >= to the order of the curve. (It also switches
from using BitSize to Params().N.BitLen() because, although they're the
same value here, the latter is technically the correct thing to do.)

The private key sampling and nonce sampling in crypto/ecdsa don't have
this issue.

Fixes #11082.

Change-Id: Ie2aad563209a529fa1cab522abaf5fd505c7269a
Reviewed-on: https://go-review.googlesource.com/17460Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>

f740d717

Name	Last commit	Last update
..
aes		Loading commit data...
cipher		Loading commit data...
des		Loading commit data...
dsa		Loading commit data...
ecdsa		Loading commit data...
elliptic		Loading commit data...
hmac		Loading commit data...
md5		Loading commit data...
rand		Loading commit data...
rc4		Loading commit data...
rsa		Loading commit data...
sha1		Loading commit data...
sha256		Loading commit data...
sha512		Loading commit data...
subtle		Loading commit data...
tls		Loading commit data...
x509		Loading commit data...
crypto.go		Loading commit data...