-rw-r--r-- | src/lib/pubkey/dh/dh.cpp | 4 | ||||
-rw-r--r-- | src/lib/pubkey/dl_group/dl_group.cpp | 11 | ||||
-rw-r--r-- | src/lib/pubkey/dl_group/dl_group.h | 12 | ||||
-rw-r--r-- | src/lib/pubkey/elgamal/elgamal.cpp | 5 |
4 files changed, 25 insertions, 7 deletions
diff --git a/src/lib/pubkey/dh/dh.cpp b/src/lib/pubkey/dh/dh.cpp
index fc1e6236a..daa876538 100644
--- a/src/lib/pubkey/dh/dh.cpp
+++ b/src/lib/pubkey/dh/dh.cpp
@@ -7,7 +7,6 @@
 #include <botan/dh.h>
 #include <botan/internal/pk_ops_impl.h>
-#include <botan/workfactor.h>
 #include <botan/pow_mod.h>
 #include <botan/blinding.h>
@@ -41,8 +40,7 @@ DH_PrivateKey::DH_PrivateKey(RandomNumberGenerator& rng,
 if(x_arg == 0)
 {
-const BigInt& p = group_p();
-m_x.randomize(rng, dl_exponent_size(p.bits()));
+m_x.randomize(rng, grp.exponent_bits());
 }
 else
 {
diff --git a/src/lib/pubkey/dl_group/dl_group.cpp b/src/lib/pubkey/dl_group/dl_group.cpp
index 7a35c6362..e3c7ac65b 100644
--- a/src/lib/pubkey/dl_group/dl_group.cpp
+++ b/src/lib/pubkey/dl_group/dl_group.cpp
@@ -26,7 +26,8 @@ class DL_Group_Data final
 m_monty_params(std::make_shared<Montgomery_Params>(m_p, m_mod_p)),
 m_monty(monty_precompute(m_monty_params, m_g, /*window bits=*/4)),
 m_p_bits(p.bits()),
-m_estimated_strength(dl_work_factor(m_p_bits))
+m_estimated_strength(dl_work_factor(m_p_bits)),
+m_exponent_bits(dl_exponent_size(m_p_bits))
 {}
 ~DL_Group_Data() = default;
@@ -53,6 +54,8 @@ class DL_Group_Data final
 size_t estimated_strength() const { return m_estimated_strength; }
+size_t exponent_bits() const { return m_exponent_bits; }
+
 BigInt power_g_p(const BigInt& k) const { return monty_execute(*m_monty, k); }
 private:
@@ -64,6 +67,7 @@ class DL_Group_Data final
 std::shared_ptr<const Montgomery_Exponentation_State> m_monty;
 size_t m_p_bits;
 size_t m_estimated_strength;
+size_t m_exponent_bits;
 };
 //static
@@ -414,6 +418,11 @@ size_t DL_Group::estimated_strength() const
 return data().estimated_strength();
 }
+size_t DL_Group::exponent_bits() const
+{
+return data().exponent_bits();
+}
+
 BigInt DL_Group::inverse_mod_p(const BigInt& x) const
 {
 // precompute??
diff --git a/src/lib/pubkey/dl_group/dl_group.h b/src/lib/pubkey/dl_group/dl_group.h
index 921b4060e..131151072 100644
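Review bot: `m_exponent_bits` is derived from the modulus size alone (`dl_exponent_size(m_p_bits)` in the initializer list), so for a group that carries an explicit subgroup order q with fewer bits than that value, the DH and ElGamal secrets now drawn with `exponent_bits()` bits can exceed q. That is not a secrecy problem when g has order q, but it breaks the x < q expectation that key-format checks and peers may apply, and it spends exponentiation work for no gain. If DL_Group_Data keeps the q it was built with (only m_p and m_g are visible in this hunk, so this is inferred), cap the cached value, e.g. `m_exponent_bits(q.is_zero() ? dl_exponent_size(m_p_bits) : std::min(dl_exponent_size(m_p_bits), q.bits()))`, and note above it `// balances NFS cost on p against Pollard rho on the exponent; never exceeds q when q is known`. A bit-length cap still does not guarantee x < q, so key constructors that know q should really draw x uniformly from [1, q) rather than by bit count; the constructor this initializer list belongs to starts outside the hunk.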
--- a/src/lib/pubkey/dl_group/dl_group.h
+++ b/src/lib/pubkey/dl_group/dl_group.h
@@ -211,6 +211,18 @@ class BOTAN_PUBLIC_API(2,0) DL_Group final
 size_t p_bytes() const;
 /**
+ * Return size in bits of a secret exponent
+ *
+ * This attempts to balance between the attack costs of NFS
+ * (which depends on the size of the modulus) and Pollard's rho
+ * (which depends on the size of the exponent).
+ *
+ * It may vary over time for a particular group, if the attack
+ * costs change.
+ */
+size_t exponent_bits() const;
+
+/**
 * Return an estimate of the strength of this group against
 * discrete logarithm attacks (eg NFS). Warning: since this only
 * takes into account known attacks it is by necessity an
diff --git a/src/lib/pubkey/elgamal/elgamal.cpp b/src/lib/pubkey/elgamal/elgamal.cpp
index e03fd0bb6..5aeeabc6c 100644
--- a/src/lib/pubkey/elgamal/elgamal.cpp
+++ b/src/lib/pubkey/elgamal/elgamal.cpp
@@ -10,7 +10,6 @@
 #include <botan/keypair.h>
 #include <botan/reducer.h>
 #include <botan/blinding.h>
-#include <botan/workfactor.h>
 #include <botan/pow_mod.h>
 namespace Botan {
@@ -35,7 +34,7 @@ ElGamal_PrivateKey::ElGamal_PrivateKey(RandomNumberGenerator& rng,
 if(m_x.is_zero())
 {
-m_x.randomize(rng, dl_exponent_size(group_p().bits()));
+m_x.randomize(rng, group.exponent_bits());
 }
 m_y = m_group.power_g_p(m_x);
@@ -101,7 +100,7 @@ ElGamal_Encryption_Operation::raw_encrypt(const uint8_t msg[], size_t msg_len,
 if(m >= m_group.get_p())
 throw Invalid_Argument("ElGamal encryption: Input is too large");
-const size_t k_bits = dl_exponent_size(m_group.p_bits());
+const size_t k_bits = m_group.exponent_bits();
 const BigInt k(rng, k_bits);
 const BigInt a = m_group.power_g_p(k); |
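Review bot: The new doc comment for `exponent_bits()` should tell callers two things they need to use it safely: the value is chosen from the size of p alone and does not take the group's subgroup order q into account, and since it "may vary over time" it is only appropriate when generating a fresh secret, never for validating or parsing a stored key or a peer's public value. I would append to the comment: `* Note: this is derived from the size of p only; when the group has a` / `* known order q the caller must still bound the exponent by q, and the` / `* value must not be used to validate existing keys, as it can change between releases.` The DL_Group class declaration continues outside the hunk.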