summaryrefslogtreecommitdiff
path: root/src/lib/libc/crypt/arc4random.h
diff options
context:
space:
mode:
authortb <>2022-07-13 06:32:15 +0000
committertb <>2022-07-13 06:32:15 +0000
commit5ea8d38a139473bb8fbd45e992820e2e6c2cc48a (patch)
tree5531c91a8ea662fd9d7b17a8acb01ef94358e585 /src/lib/libc/crypt/arc4random.h
parent10f62c54fd5691cd09377d5cae11e191ccd1fa4d (diff)
downloadopenbsd-5ea8d38a139473bb8fbd45e992820e2e6c2cc48a.tar.gz
openbsd-5ea8d38a139473bb8fbd45e992820e2e6c2cc48a.tar.bz2
openbsd-5ea8d38a139473bb8fbd45e992820e2e6c2cc48a.zip
Implement the Baillie-PSW primality test
It has long been known that pure Miller-Rabin primality tests are insufficient. "Prime and Prejudice: Primality Testing Under Adversarial Conditions" https://eprint.iacr.org/2018/749 points out severe flaws in many widely used libraries. In particular, they exhibited a method to generate 2048-bit composites that bypass the default OpenSSL (and hence LibreSSL) primality test with a probability of 1/16 (!). As a remedy, the authors recommend switching to using BPSW wherever possible. This possibility has always been there, but someone had to sit down and actually implement a properly licensed piece of code. Fortunately, espie suggested to Martin Grenouilloux to do precisely this after asking us whether we would be interested. Of course we were! After a good first implementation from Martin and a lot of back and forth, we came up with the present version. This implementation is ~50% slower than the current default Miller-Rabin test, but that is a small price to pay given the improvements. Thanks to Martin Grenouilloux <martin.grenouilloux () lse ! epita ! fr> for this awesome work, to espie without whom it wouldn't have happened, and to djm for pointing us at this problem a long time back. ok jsing
Diffstat (limited to 'src/lib/libc/crypt/arc4random.h')
0 files changed, 0 insertions, 0 deletions