//    definitely observe all earlier writes, but we still have no guarantee that done() would see
  //    the initial write (just stronger guarantees if it does).
  //
  // See: http://cs.oswego.edu/pipermail/concurrency-interest/2015-January/013800.html
  // For a (long) discussion about this specific issue and the general futility of life.
  //

because it's not adaptive, an // attacker only learns the magnitude of p - q. if diff.BitLenVarTime() <= N.BitLen()/2-100 { return errors.New("crypto/rsa: |p - q| too small") } // Check that d > 2^(nlen/2). // // See section 3 of https://crypto.stanford.edu/~dabo/papers/RSA-survey.pdf // for more details about attacks on small d values. // // Likewise, the leakage of the magnitude of d is not adaptive. if priv.d.BitLenVarTime() <= N.BitLen()/2 { return errors.New("crypto/rsa: d too small") } return nil...

because it's not adaptive, an // attacker only learns the magnitude of p - q. if diff.BitLenVarTime() <= N.BitLen()/2-100 { return errors.New("crypto/rsa: |p - q| too small") } // Check that d > 2^(nlen/2). // // See section 3 of https://crypto.stanford.edu/~dabo/papers/RSA-survey.pdf // for more details about attacks on small d values. // // Likewise, the leakage of the magnitude of d is not adaptive. if priv.d.BitLenVarTime() <= N.BitLen()/2 { return errors.New("crypto/rsa: d too small") } return nil...