| author | Jack Lloyd <[email protected]> | 2018-04-17 11:12:13 -0400 |
|---|---|---|
| committer | Jack Lloyd <[email protected]> | 2018-04-17 11:36:17 -0400 |
| commit | 83d8a4871750df398e9a0438f70a7df96c13c66c (patch) | |
| tree | fa2b429d8b0612c74125180f46f55527f8ba5923 /src/lib/pubkey | |
| parent | 8e1ac525333fcb09aca9f9f5126e14f8389d82ec (diff) | |
Avoid potential side channel when generating RSA primes
Add a new function dedicated to generating RSA primes.
Don't test for p.bits() > bits until the very end - rarely happens,
and speeds up prime generation quite noticeably.
Add Miller-Rabin error probabilities for 1/2**128, which again
speeds up RSA keygen and DL param gen quite a bit.
Diffstat (limited to 'src/lib/pubkey')
| -rw-r--r-- | src/lib/pubkey/rsa/rsa.cpp | 8 |
|---|---|---|

1 files changed, 6 insertions, 2 deletions
diff --git a/src/lib/pubkey/rsa/rsa.cpp b/src/lib/pubkey/rsa/rsa.cpp index df639be58..ca0f414f5 100644 --- a/src/lib/pubkey/rsa/rsa.cpp +++ b/src/lib/pubkey/rsa/rsa.cpp @@ -143,9 +143,13 @@ RSA_PrivateKey::RSA_PrivateKey(RandomNumberGenerator& rng, do { - m_p = random_prime(rng, (bits + 1) / 2, m_e); - m_q = random_prime(rng, bits - m_p.bits(), m_e); + const size_t p_bits = (bits + 1) / 2; + const size_t q_bits = bits - p_bits; + + m_p = generate_rsa_prime(rng, rng, p_bits, m_e); + m_q = generate_rsa_prime(rng, rng, q_bits, m_e); m_n = m_p * m_q; + } while(m_n.bits() != bits); const BigInt phi_n = lcm(m_p - 1, m_q - 1); |
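Review bot: The two `generate_rsa_prime(rng, rng, p_bits, m_e)` / `generate_rsa_prime(rng, rng, q_bits, m_e)` calls pass the same RNG object for both RNG parameters, which reads like a copy-and-paste slip to anyone who does not have the new function's declaration in front of them (it is not part of this hunk, and the diffstat is filtered to src/lib/pubkey, so the definition is not visible here either). A one-line comment above the calls naming what each RNG argument is used for would make the intent clear; if the two parameters really are meant to be the same source in the RSA case, say so explicitly. On the substance, the hunk does what the commit title claims: `q_bits` is now derived from the fixed `p_bits` rather than from `m_p.bits()`, so the size of the second prime no longer depends on the value of the first, and the existing `} while(m_n.bits() != bits);` loop still catches the case where p*q comes out one bit short. It would help to note in a comment that the retry loop is now the only place the modulus size is checked, since the old per-prime sizing did that implicitly.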