Home

FAQ

Feedback

Licence

Updates

Mirrors

Keys

Links

Team
Download:
Stable
·
Snapshot

Docs

Changes

Wishlist
When PuTTYgen is asked to generate an RSA key with a 2nbit modulus, it does it by generating two nbit primes and multiplying them together. (Adjusted appropriately if the requested length is odd.)
Implemented naïvely, this technique could generate either a (2n−1)bit modulus or a 2nbit one, because if each input prime is between 1/2 and 1 times 2^{n}, then their product could be anywhere between 1/4 and 1 times 2^{2n}, and the bottom half of that range gives a key modulus one bit smaller than the user asked for.
Cryptographically, this is perfectly harmless (there's no significant difference in ease of factoring between a 2048 and 2047bit key). But people often used to complain, so in 0.63 we introduced a check that would control the initial few bits of the primes just enough to guarantee their product was at least 1/2 × 2^{2n}.
Just before the 0.71 release, that checking code was rewritten to improve it in minor ways, and was not quite adequately tested, which reintroduced the bug where keys can be one bit short. In 0.72, that's now fixed again.