Diffstat (limited to 'src/lib/libcrypto/man')
-rw-r--r-- | src/lib/libcrypto/man/BN_generate_prime.3 | 28 |
1 files changed, 20 insertions, 8 deletions
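--- a/src/lib/libcrypto/man/BN_generate_prime.3
+++ b/src/lib/libcrypto/man/BN_generate_prime.3
@@ -1,6 +1,5 @@
-.\" $OpenBSD: BN_generate_prime.3,v 1.17 2019/06/10 14:58:48 schwarze Exp $
-.\" full merge up to: OpenSSL b3696a55 Sep 2 09:35:50 2017 -0400
-.\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
+.\" $OpenBSD: BN_generate_prime.3,v 1.18 2019/08/25 19:24:00 schwarze Exp $
+.\" full merge up to: OpenSSL f987a4dd Jun 27 10:12:08 2019 +0200
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>
 .\" Bodo Moeller <bodo@openssl.org>, and Matt Caswell <matt@openssl.org>.
@@ -51,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: August 25 2019 $
 .Dt BN_GENERATE_PRIME 3
 .Os
 .Sh NAME
@@ -156,6 +155,8 @@ Deprecated:
 .Fn BN_generate_prime_ex
 generates a pseudo-random prime number of at least bit length
 .Fa bits .
+The returned number is probably prime, but there is a very small
+probability of returning a non-prime number.
 If
 .Fa ret
 is not
@@ -212,8 +213,6 @@ If
 is true, it will be a safe prime (i.e. a prime p so that (p-1)/2
 is also prime).
 .Pp
-The prime number generation has a negligible error probability.
-.Pp
 .Fn BN_is_prime_ex
 and
 .Fn BN_is_prime_fasttest_ex
@@ -251,8 +250,21 @@ If
 .Fa nchecks
 ==
 .Dv BN_prime_checks ,
-a number of iterations is used that yields a false positive rate of at
-most 2^-80 for random input.
+a number of iterations is used that yields a false positive rate
+of at most 2\(ha-64 for random input.
+The error rate depends on the size of the prime
+and goes down for bigger primes.
+The rate is 2\(ha-80 starting at 308 bits, 2\(ha-112 at 852 bits,
+2\(ha-128 at 1080 bits, 2\(ha-192 at 3747 bits
+and 2\(ha-256 at 6394 bits.
+.Pp
+When the source of the prime is not random or not trusted, the
+number of checks needs to be much higher to reach the same level
+of assurance: It should equal half of the targeted security level
+in bits (rounded up to the next integer if necessary).
+For instance, to reach the 128 bit security level,
+.Fa nchecks
+should be set to 64.
 .Pp
 If
 .Fa cb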