ecdsa-modified: fix getBigRandom()

this replaces the previously remainder-based limiting of the random number which caused bias toward small numbers and excluded zero altogether by simple filtering as proposed frequently in kjur#221 and because the performance in most cases is actually faster than in the present implementation; also, an adaptation of swiftlang/swift#39143 has been considered but it performed significantly slower for large integers;
tvogel · Nov 14, 2024 · 4c12028 · 4c12028
1 parent 58bb241
commit 4c12028
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/src/ecdsa-modified-1.0.js b/src/ecdsa-modified-1.0.js
@@ -95,11 +95,15 @@ KJUR.crypto.ECDSA = function(params) {
     //===========================
     // PUBLIC METHODS
     //===========================
+    /*
+     * Generate uniformly distributed big random integer in 0 <= x < limit
+     */
     this.getBigRandom = function (limit) {
-	return new _BigInteger(limit.bitLength(), rng)
-	.mod(limit.subtract(_BigInteger.ONE))
-	.add(_BigInteger.ONE)
-	;
+        var bitLength = limit.subtract(_BigInteger.ONE).bitLength();
+        do {
+            var result = new _BigInteger(bitLength, rng);
+        } while (result.compareTo(limit) >= 0);
+        return result;
     };
 
     this.setNamedCurve = function(curveName) {