* conservative about that sort of thing.
*/
-again:
if ((rp->p = strongprime("p", MP_NEWSEC, nbits/2, r, n, event, ectx)) == 0)
goto fail_p;
- /* --- Do painful fiddling with GCD steppers --- */
+ /* --- Do painful fiddling with GCD steppers --- *
+ *
+ * Also, arrange that %$q \ge \lceil 2^{N-1}/p \rceil$%, so that %$p q$%
+ * has the right length.
+ */
{
mp *q;
if ((q = strongprime_setup("q", MP_NEWSEC, &g.jp, nbits / 2,
r, n, event, ectx)) == 0)
goto fail_q;
+
g.r = mp_lsr(MP_NEW, rp->p, 1);
g.g = MP_NEW;
g.max = MP_256;
q = pgen("q", q, q, event, ectx, n, pgen_gcdstep, &g,
- rabin_iters(nbits/2), pgen_test, &rb);
+ rabin_iters(nbits/2), pgen_test, &rb);
pfilt_destroy(&g.jp);
mp_drop(g.r);
if (!q) {
mp_drop(g.g);
- if (n)
- goto fail_q;
- mp_drop(rp->p);
- goto again;
+ goto fail_q;
}
rp->q = q;
}
MP_LEN(phi) * 4 < MP_LEN(rp->q) * 3) {
mp_drop(rp->p);
mp_drop(g.g);
- if (n)
- goto fail_q;
- mp_drop(rp->q);
- goto again;
+ goto fail_q;
}
if (MP_NEGP(phi)) {
mp_gcd(&g.g, 0, &rp->d, phi, rp->e);
if (!MP_EQ(g.g, MP_ONE) && MP_LEN(rp->d) * 4 > MP_LEN(rp->n) * 3)
goto fail_e;
+ if (mp_bits(rp->n) != nbits)
+ goto fail_e;
/* --- Work out exponent residues --- */
~mdw / catacomb / blobdiff