Fix ecp_gen_keypair()

Too few tries caused failures for some curves (esp. secp224k1)
2024-11-22 05:15:38 +01:00 · 2014-01-28 19:30:56 +01:00 · 2014-01-28 19:30:56 +01:00 · 6e8e34d61e
commit 6e8e34d61e
parent 2cb1a0c400
2 changed files with 15 additions and 1 deletions
--- a/5
+++ b/5
@ -1,5 +1,10 @@
 PolarSSL ChangeLog (Sorted per branch, date)

+= PolarSSL 1.3 branch
+Bugfix
+   * ecp_gen_keypair() does more tries to prevent failure because of
+     statistics
+
 = PolarSSL 1.3.4 released on 2014-01-27
 Features
   * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
--- a/library/ecp.c
+++ b/library/ecp.c
@ -1796,7 +1796,16 @@ int ecp_gen_keypair( ecp_group *grp, mpi *d, ecp_point *Q,
            MPI_CHK( mpi_read_binary( d, rnd, n_size ) );
            MPI_CHK( mpi_shift_r( d, 8 * n_size - grp->nbits ) );

-            if( count++ > 10 )
+            /*
+             * Each try has at worst a probability 1/2 of failing (the msb has
+             * a probability 1/2 of being 0, and then the result will be < N),
+             * so after 30 tries failure probability is a most 2**(-30).
+             *
+             * For most curves, 1 try is enough with overwhelming probability,
+             * since N starts with a lot of 1s in binary, but some curves
+             * such as secp224k1 are actually very close to the worst case.
+             */
+            if( ++count > 30 )
                return( POLARSSL_ERR_ECP_RANDOM_FAILED );
        }
        while( mpi_cmp_int( d, 1 ) < 0 ||