fixup keypair gen

dsa/src/generate.rs

@@ -15,8 +15,6 @@ pub use self::keypair::keypair;
 /// Calculate the upper and lower bounds for generating values like p or q
 #[inline]
 fn calculate_bounds(size: u32) -> (BoxedUint, BoxedUint) {
-    let lower = two().shl(size - 1);
-    let upper = two().shl(size);
     let lower = BoxedUint::one().widen(size + 1).shl(size - 1);
     let upper = BoxedUint::one().widen(size + 1).shl(size);
 

dsa/src/generate/components.rs

@@ -37,14 +37,15 @@ pub fn common(
         for _ in 0..4096 {
             let m = 'gen_m: loop {
                 let m = BoxedUint::random_bits(rng, l);
+
                 if m > p_min && m < p_max {
                     break 'gen_m m;
                 }
             };
             let rem = NonZero::new((two() * &*q).widen(m.bits_precision())).unwrap();
+
             let mr = &m % &rem;
             let p = m - mr + BoxedUint::one();
-            let p = p.shorten(q.bits_precision());
             let p = NonZero::new(p).unwrap();
 
             if crypto_primes::is_prime_with_rng(rng, &*p) {
@@ -53,9 +54,10 @@ pub fn common(
         }
     };
 
+    let q = q.widen(l);
+
     // Generate g using the unverifiable method as defined by Appendix A.2.1
     let e = (&*p - &BoxedUint::one()) / &q;
-    let mut h = BoxedUint::one();
     let mut h = BoxedUint::one().widen(q.bits_precision());
     let g = loop {
         let params = BoxedMontyParams::new_vartime(Odd::new((*p).clone()).unwrap());
@@ -69,6 +71,8 @@ pub fn common(
         h = h + BoxedUint::one();
     };
 
+    let q = NonZero::new(q.shorten(n)).unwrap();
+
     (p, q, g)
 }
 

dsa/src/generate/secret_number.rs

@@ -65,12 +65,15 @@ pub fn secret_number(
 ) -> Option<(BoxedUint, BoxedUint)> {
     let q = components.q();
     let n = q.bits();
+    let q = q.widen(n + 64);
+    let q = &q;
 
     // Attempt to try a fitting secret number
     // Give up after 4096 tries
     for _ in 0..4096 {
         let c = BoxedUint::random_bits(rng, n + 64);
-        let k = (c % NonZero::new(&**q - &BoxedUint::one()).unwrap()) + BoxedUint::one();
+        let rem = NonZero::new((&**q - &BoxedUint::one()).widen(c.bits_precision())).unwrap();
+        let k = (c % rem) + BoxedUint::one();
 
         if let Some(inv_k) = k.inv_mod(q).into() {
             // `k` and `k^-1` both have to be in the range `[1, q-1]`

dsa/src/verifying_key.rs

@@ -67,25 +67,35 @@ impl VerifyingKey {
         if signature.r() >= q || signature.s() >= q {
             return Some(false);
         }
+        let q = q.widen(s.bits_precision());
+        let q = &q;
 
-        let w = Option::from(s.inv_mod(q))?;
+        let w: BoxedUint = Option::from(s.inv_mod(q))?;
 
         let n = q.bits() / 8;
         let block_size = hash.len(); // Hash function output size
 
         let z_len = min(n as usize, block_size);
         let z = BoxedUint::from_be_slice(&hash[..z_len], z_len as u32 * 8).unwrap();
 
+        let z = z.widen(q.bits_precision());
+
         let u1 = (&z * &w) % q;
         let u2 = r.mul_mod(&w, q);
 
-        let u1_params = BoxedMontyParams::new(Odd::new(u1).unwrap());
-        let u2_params = BoxedMontyParams::new(Odd::new(u2).unwrap());
+        let p1_params = BoxedMontyParams::new(Odd::new(p.as_ref().clone()).unwrap());
+        let p2_params = BoxedMontyParams::new(Odd::new(p.as_ref().clone()).unwrap());
 
-        let g_form = BoxedMontyForm::new((**g).clone(), u1_params);
-        let y_form = BoxedMontyForm::new((**y).clone(), u2_params);
+        let g_form = BoxedMontyForm::new((**g).clone(), p1_params);
+        let y_form = BoxedMontyForm::new((**y).clone(), p2_params);
 
-        let v = (g_form.pow(p).retrieve() * y_form.pow(p).retrieve() % p) % q;
+        let v1 = g_form.pow(&u1).retrieve();
+        let v2 = y_form.pow(&u2).retrieve();
+        let v3 = v1 * v2;
+        let p = p.widen(v3.bits_precision());
+        let q = q.widen(v3.bits_precision());
+        let v4 = v3 % p;
+        let v = v4 % q;
 
         Some(v == **r)
     }