Cryptography and the Open Source Security Debate

lrk crypto at ovillatx.sytes.net
Fri Aug 27 14:44:17 EDT 2004


On Wed, Aug 25, 2004 at 03:17:15PM +0100, Ben Laurie wrote:
> lrk wrote:
> 
> >My examination of RSAREF and OpenSSL code was more toward understanding how
> >they handled big numbers. It appears both generate prime numbers which are
> >half the length of the required N and with both of the two most significant
> >bits set to one. This means the ratio R=P/Q (P being the larger prime) is
> >limited to 1<R<(4/3). The actual maximum R is less and can be determined
> >by examining N.
> 
> This doesn't sound right to me - OpenSSL, IIRC, sets the top and bottom 
> bits to 1. Of course, all large primes have the bottom bit set to one.

The source of OpenSSL I looked at was part of the FreeBSD distribution.

    int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);

    BN_rand() generates a cryptographically strong pseudo-random number of
    bits bits in length and stores it in rnd. If top is -1, the most
    significant bit of the random number can be zero. If top is 0, it is
    set to 1, and if top is 1, the two most significant bits of the number
    will be set to 1, so that the product of two such random numbers will
    always have 2*bits length. If bottom is true, the number will be odd.


It appears this is called with top=1 for RSA primes. OpenSSL may not use
it that way.



-- 
crypto at ovillatx.sytes.net

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list