authorJack Lloyd <[email protected]>2015-11-29 13:03:06 -0500
committerJack Lloyd <[email protected]>2015-11-29 13:03:06 -0500
commite3db054e582c676e6f2752e216fa03fa408b3dff (patch)
tree265d44e7dd142eec065e5c7065bd9faaa8bdaee5 /src/lib/pubkey/elgamal
parentebf2164a972517ee405428d9d0641fe296aba745 (diff)
Add more workfactor estimate helpers.
Specifically a named one for integer factorization (despite using same formula as DL calc) which incorporates the k value from RFC 3766. Also adds dl_exponent_size which returns the exponent size, this one ignores k thus using a ~10 bit larger exponent than strictly necessary. Adding in k downgrades 1024 bit RSA to exactly 80 bits, which is probably about right.
Diffstat (limited to 'src/lib/pubkey/elgamal')
-rw-r--r--src/lib/pubkey/elgamal/elgamal.cpp4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/pubkey/elgamal/elgamal.cpp b/src/lib/pubkey/elgamal/elgamal.cpp
index 5bcdd5689..4ff3cc47a 100644
--- a/src/lib/pubkey/elgamal/elgamal.cpp
+++ b/src/lib/pubkey/elgamal/elgamal.cpp
@@ -34,7 +34,7 @@ ElGamal_PrivateKey::ElGamal_PrivateKey(RandomNumberGenerator& rng,
x = x_arg;
if(x == 0)
- x.randomize(rng, 2 * dl_work_factor(group_p().bits()));
+ x.randomize(rng, dl_exponent_size(group_p().bits()));
y = power_mod(group_g(), x, group_p());
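Review bot: The private exponent drawn by `x.randomize(rng, dl_exponent_size(group_p().bits()))` is much shorter than p, and nothing at the call site records the assumption that makes a short exponent acceptable. That assumption is that the group is a safe-prime group or has a verified large prime-order subgroup; whether the constructor checks this is not visible here, since its body starts and ends outside the hunk. I would add a comment above the call such as `// Short exponent sized by dl_exponent_size(); only sound for safe-prime or prime-order-subgroup groups`. The same applies to the per-message secret `BigInt k(rng, dl_exponent_size(p.bits()));` in the raw_encrypt hunk. It would also help to confirm that key loading or `check_key` rejects groups that do not meet the assumption.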
@@ -112,7 +112,7 @@ ElGamal_Encryption_Operation::raw_encrypt(const byte msg[], size_t msg_len,
if(m >= p)
throw Invalid_Argument("ElGamal encryption: Input is too large");
- BigInt k(rng, 2 * dl_work_factor(p.bits()));
+ BigInt k(rng, dl_exponent_size(p.bits()));
BigInt a = powermod_g_p(k);
BigInt b = mod_p.multiply(m, powermod_y_p(k));