chiark / gitweb /
pub/dh-kcdsa.c: Retry or fail if we don't get the target sizes.
Following the usual convention, we retry unless the caller gave us a
bounded number of steps, and otherwise fail.
I think failure is fairly unlikely now. To find an N-bit prime, we
expect to take about 4 N steps (see analysis in `math/strongprime.c').
But we're trying to find two primes simultaneously, one of N bits, and
one of M bits, so this will take about 16 M N steps in total. We start
with v < 2^{N-M-1}, and choose 2^{M-1} <= q_0 < 2^M such that 2^{N-1} <
p_0 = 2 q_0 v + 1 < 2^N (nearly true). We'll fail if 2^M - q_0 < 16 M N,
which seems unlikely, or if 2^N - p_0 < 32 M N v, i.e., 2^M - p_0/(2 v) <
16 M N, which is basically the same condition.