diff options
| author | moneromooo-monero <moneromooo-monero@users.noreply.github.com> | 2018-07-04 22:17:20 +0100 |
|---|---|---|
| committer | moneromooo-monero <moneromooo-monero@users.noreply.github.com> | 2018-07-05 09:18:01 +0100 |
| commit | 61caab8a8c8a4e4239216c861c4d1eba5bcfd76e (patch) | |
| tree | be26e7581f6fecdbb62fbcf7b661bb8ac0ba254b /src/crypto | |
| parent | Merge pull request #4094 (diff) | |
| download | monero-61caab8a8c8a4e4239216c861c4d1eba5bcfd76e.tar.xz | |
crypto: remove slight bias in key generation due to modulo
Diffstat (limited to 'src/crypto')
| -rw-r--r-- | src/crypto/crypto.cpp | 28 | ||||
| -rw-r--r-- | src/crypto/crypto.h | 1 |
2 files changed, 25 insertions, 4 deletions
diff --git a/src/crypto/crypto.cpp b/src/crypto/crypto.cpp index f4ef751d3..9eafa0e28 100644 --- a/src/crypto/crypto.cpp +++ b/src/crypto/crypto.cpp @@ -93,6 +93,29 @@ namespace crypto { generate_random_bytes_not_thread_safe(N, bytes); } + static inline bool less32(const unsigned char *k0, const unsigned char *k1) + { + for (int n = 31; n >= 0; --n) + { + if (k0[n] < k1[n]) + return true; + if (k0[n] > k1[n]) + return false; + } + return false; + } + + void random32_unbiased(unsigned char *bytes) + { + // l = 2^252 + 27742317777372353535851937790883648493. + // it fits 15 in 32 bytes + static const unsigned char limit[32] = { 0xe3, 0x6a, 0x67, 0x72, 0x8b, 0xce, 0x13, 0x29, 0x8f, 0x30, 0x82, 0x8c, 0x0b, 0xa4, 0x10, 0x39, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0 }; + do + { + generate_random_bytes_thread_safe(32, bytes); + } while (!less32(bytes, limit)); // should be good about 15/16 of the time + sc_reduce32(bytes); + } /* generate a random 32-byte (256-bit) integer and copy it to res */ static inline void random_scalar_not_thread_safe(ec_scalar &res) { unsigned char tmp[64]; @@ -101,10 +124,7 @@ namespace crypto { memcpy(&res, tmp, 32); } static inline void random_scalar(ec_scalar &res) { - unsigned char tmp[64]; - generate_random_bytes_thread_safe(64, tmp); - sc_reduce(tmp); - memcpy(&res, tmp, 32); + random32_unbiased((unsigned char*)res.data); } void hash_to_scalar(const void *data, size_t length, ec_scalar &res) { diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h index 9ea0f2ec0..449af8f6d 100644 --- a/src/crypto/crypto.h +++ b/src/crypto/crypto.h @@ -99,6 +99,7 @@ namespace crypto { #pragma pack(pop) void hash_to_scalar(const void *data, size_t length, ec_scalar &res); + void random32_unbiased(unsigned char *bytes); static_assert(sizeof(ec_point) == 32 && sizeof(ec_scalar) == 32 && sizeof(public_key) == 32 && sizeof(secret_key) == 32 && |