Potential problems for the paranoid.
For points on an elliptic curve over the base field,
will truncate the input hash until it can represent an x-coordinate in that
field. (PBC then computes a corresponding y-coordinate.) Ideally the hash
length should be smaller than size of the base field and also the size of the
elliptic curve group.
Hashing to elements in field extensions does not take advantage of the fact that the extension has more elements than the base field. I intend to rewrite the code so that for a degree n extension code, PBC splits the hash into n parts and determine each polynomial coefficient from one ofthe pieces. At the moment every coefficient is the same and depends on the whole hash.
This is harmless for the base field, because all the pairing types implemented so far use an integer mod ring as the base field, rather than an extension of some low characteristic field.
Unlike OpenSSL, there are no functions to zero memory locations used in
sensitive computations. To some extent, one can use
On platforms without
/dev/urandom PBC falls back on a deterministic
pseudo-random number generator, except on Windows where it attempts to
use the Microsoft Crypto API.
/dev/urandom differs from
/dev/random. A quote from its manpage:
A read from the /dev/urandom device will not block waiting for more entropy. As a result, if there is not sufficient entropy in the entropy pool, the returned values are theoretically vulnerable to a cryptographic attack on the algorithms used by the driver. Knowledge of how to do this is not available in the current non-classified literature, but it is theoretically possible that such an attack may exist. If this is a concern in your application, use /dev/random instead.