Fix BN_prime_checks_for_validation to align with false-positive rate. This doesn't affect RSA key generation, which uses BN_prime_checks_for_generation. Change-Id: Ibf32c0c4bc9fed369e8f8a1efea72c5bd39185a9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49426 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/include/openssl/bn.h b/include/openssl/bn.h index 295ca62..5ca8b85 100644 --- a/include/openssl/bn.h +++ b/include/openssl/bn.h
@@ -687,9 +687,9 @@ // BN_prime_checks_for_validation can be used as the |checks| argument to the // primarily testing functions when validating an externally-supplied candidate // prime. It gives a false positive rate of at most 2^{-128}. (The worst case -// false positive rate for a single iteration is 1/4, so we perform 32 -// iterations.) -#define BN_prime_checks_for_validation 32 +// false positive rate for a single iteration is 1/4 per +// https://eprint.iacr.org/2018/749. (1/4)^64 = 2^{-128}.) +#define BN_prime_checks_for_validation 64 // BN_prime_checks_for_generation can be used as the |checks| argument to the // primality testing functions when generating random primes. It gives a false