aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorluigi1111 <luigi1111w@gmail.com>2018-07-27 14:23:54 -0500
committerluigi1111 <luigi1111w@gmail.com>2018-07-27 14:23:54 -0500
commit3fde902394946281665531abd742c64bdb23be25 (patch)
tree9eab237d53c8cda2c1d5217880b135c02f6f0b61 /src
parentMerge pull request #4091 (diff)
parentcrypto: remove slight bias in key generation due to modulo (diff)
downloadmonero-3fde902394946281665531abd742c64bdb23be25.tar.xz
Merge pull request #4097
61caab8 crypto: remove slight bias in key generation due to modulo (moneromooo-monero)
Diffstat (limited to 'src')
-rw-r--r--src/crypto/crypto.cpp28
-rw-r--r--src/crypto/crypto.h1
-rw-r--r--src/ringct/rctOps.cpp10
3 files changed, 29 insertions, 10 deletions
diff --git a/src/crypto/crypto.cpp b/src/crypto/crypto.cpp
index 0fd6d9363..0c019938d 100644
--- a/src/crypto/crypto.cpp
+++ b/src/crypto/crypto.cpp
@@ -93,12 +93,32 @@ namespace crypto {
generate_random_bytes_not_thread_safe(N, bytes);
}
+ static inline bool less32(const unsigned char *k0, const unsigned char *k1)
+ {
+ for (int n = 31; n >= 0; --n)
+ {
+ if (k0[n] < k1[n])
+ return true;
+ if (k0[n] > k1[n])
+ return false;
+ }
+ return false;
+ }
+
+ void random32_unbiased(unsigned char *bytes)
+ {
+ // l = 2^252 + 27742317777372353535851937790883648493.
+ // it fits 15 in 32 bytes
+ static const unsigned char limit[32] = { 0xe3, 0x6a, 0x67, 0x72, 0x8b, 0xce, 0x13, 0x29, 0x8f, 0x30, 0x82, 0x8c, 0x0b, 0xa4, 0x10, 0x39, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0 };
+ do
+ {
+ generate_random_bytes_thread_safe(32, bytes);
+ } while (!less32(bytes, limit)); // should be good about 15/16 of the time
+ sc_reduce32(bytes);
+ }
/* generate a random 32-byte (256-bit) integer and copy it to res */
static inline void random_scalar(ec_scalar &res) {
- unsigned char tmp[64];
- generate_random_bytes_thread_safe(64, tmp);
- sc_reduce(tmp);
- memcpy(&res, tmp, 32);
+ random32_unbiased((unsigned char*)res.data);
}
void hash_to_scalar(const void *data, size_t length, ec_scalar &res) {
diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h
index 9ea0f2ec0..449af8f6d 100644
--- a/src/crypto/crypto.h
+++ b/src/crypto/crypto.h
@@ -99,6 +99,7 @@ namespace crypto {
#pragma pack(pop)
void hash_to_scalar(const void *data, size_t length, ec_scalar &res);
+ void random32_unbiased(unsigned char *bytes);
static_assert(sizeof(ec_point) == 32 && sizeof(ec_scalar) == 32 &&
sizeof(public_key) == 32 && sizeof(secret_key) == 32 &&
diff --git a/src/ringct/rctOps.cpp b/src/ringct/rctOps.cpp
index 68cc43128..50693bad7 100644
--- a/src/ringct/rctOps.cpp
+++ b/src/ringct/rctOps.cpp
@@ -62,14 +62,13 @@ namespace rct {
//generates a random scalar which can be used as a secret key or mask
void skGen(key &sk) {
- sk = crypto::rand<key>();
- sc_reduce32(sk.bytes);
+ random32_unbiased(sk.bytes);
}
//generates a random scalar which can be used as a secret key or mask
key skGen() {
- key sk = crypto::rand<key>();
- sc_reduce32(sk.bytes);
+ key sk;
+ skGen(sk);
return sk;
}
@@ -79,9 +78,8 @@ namespace rct {
CHECK_AND_ASSERT_THROW_MES(rows > 0, "0 keys requested");
keyV rv(rows);
size_t i = 0;
- crypto::rand(rows * sizeof(key), (uint8_t*)&rv[0]);
for (i = 0 ; i < rows ; i++) {
- sc_reduce32(rv[i].bytes);
+ skGen(rv[i]);
}
return rv;
}