= p - q diff.ExpandFor(p).Sub(qP, p) } // A tiny bit of leakage is acceptable because it's not adaptive, an // attacker only learns the magnitude of p - q. if diff.BitLenVarTime() <= N.BitLen()/2-100 { return errors.New("crypto/rsa: |p - q| too small") } // Check that d > 2^(nlen/2). // // See section 3 of https://crypto.stanford.edu/~dabo/papers/RSA-survey.pdf // for more details about attacks on small d values. // // Likewise, the leakage of the magnitude of d is not adaptive. if priv.d.BitLenVarTime()...