Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
/* bignum-random-prime.c
*
* Generation of random provable primes.
*/
/* nettle, low-level cryptographics library
*
* Copyright (C) 2010 Niels Mller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
*
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
* MA 02111-1307, USA.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#ifndef RANDOM_PRIME_VERBOSE
#define RANDOM_PRIME_VERBOSE 0
#endif
#include <assert.h>
#include <stdlib.h>
#if RANDOM_PRIME_VERBOSE
#include <stdio.h>
#define VERBOSE(x) (fputs((x), stderr))
#else
#define VERBOSE(x)
#endif
#include "bignum.h"
#include "macros.h"
/* Use a table of p_2 = 3 to p_{172} = 1021, multiplied to 32-bit or
64-bit size. */
struct sieve_element {
/* Product of some small primes. */
unsigned long prod;
/* Square of the smallest one. */
unsigned long p2;
};
static const struct sieve_element
sieve_table[] = {
{111546435, 9}, /* 3 -- 23 */
{58642669, 841}, /* 29 -- 43 */
{600662303, 2209}, /* 47 -- 67 */
{33984931, 5041}, /* 71 -- 83 */
{89809099, 7921}, /* 89 -- 103 */
{167375713, 11449}, /* 107 -- 127 */
{371700317, 17161}, /* 131 -- 149 */
{645328247, 22801}, /* 151 -- 167 */
{1070560157, 29929}, /* 173 -- 191 */
{1596463769, 37249}, /* 193 -- 211 */
{11592209, 49729}, /* 223 -- 229 */
{13420567, 54289}, /* 233 -- 241 */
{16965341, 63001}, /* 251 -- 263 */
{20193023, 72361}, /* 269 -- 277 */
{23300239, 78961}, /* 281 -- 293 */
{29884301, 94249}, /* 307 -- 313 */
{35360399, 100489}, /* 317 -- 337 */
{42749359, 120409}, /* 347 -- 353 */
{49143869, 128881}, /* 359 -- 373 */
{56466073, 143641}, /* 379 -- 389 */
{65111573, 157609}, /* 397 -- 409 */
{76027969, 175561}, /* 419 -- 431 */
{84208541, 187489}, /* 433 -- 443 */
{94593973, 201601}, /* 449 -- 461 */
{103569859, 214369}, /* 463 -- 479 */
{119319383, 237169}, /* 487 -- 499 */
{133390067, 253009}, /* 503 -- 521 */
{154769821, 273529}, /* 523 -- 547 */
{178433279, 310249}, /* 557 -- 569 */
{193397129, 326041}, /* 571 -- 587 */
{213479407, 351649}, /* 593 -- 601 */
{229580147, 368449}, /* 607 -- 617 */
{250367549, 383161}, /* 619 -- 641 */
{271661713, 413449}, /* 643 -- 653 */
{293158127, 434281}, /* 659 -- 673 */
{319512181, 458329}, /* 677 -- 691 */
{357349471, 491401}, /* 701 -- 719 */
{393806449, 528529}, /* 727 -- 739 */
{422400701, 552049}, /* 743 -- 757 */
{452366557, 579121}, /* 761 -- 773 */
{507436351, 619369}, /* 787 -- 809 */
{547978913, 657721}, /* 811 -- 823 */
{575204137, 683929}, /* 827 -- 839 */
{627947039, 727609}, /* 853 -- 859 */
{666785731, 744769}, /* 863 -- 881 */
{710381447, 779689}, /* 883 -- 907 */
{777767161, 829921}, /* 911 -- 929 */
{834985999, 877969}, /* 937 -- 947 */
{894826021, 908209}, /* 953 -- 971 */
{951747481, 954529}, /* 977 -- 991 */
{1019050649, 994009}, /* 997 -- 1013 */
{1040399, 1038361}, /* 1019 -- 1021 */
};
#define SIEVE_SIZE (sizeof(sieve_table) / sizeof(sieve_table[0]))
/* Combined Miller-Rabin test to the base a, and checking the
conditions from Pocklington's theorem. */
static int
miller_rabin_pocklington(mpz_t n, mpz_t nm1, mpz_t nm1dq, mpz_t a)
{
mpz_t r;
mpz_t y;
int is_prime = 0;
/* Avoid the mp_bitcnt_t type for compatibility with older GMP
versions. */
unsigned k;
unsigned j;
VERBOSE(".");
if (mpz_even_p(n) || mpz_cmp_ui(n, 3) < 0)
return 0;
mpz_init(r);
mpz_init(y);
k = mpz_scan1(nm1, 0);
assert(k > 0);
mpz_fdiv_q_2exp (r, nm1, k);
mpz_powm(y, a, r, n);
if (mpz_cmp_ui(y, 1) == 0 || mpz_cmp(y, nm1) == 0)
{
passed_miller_rabin:
/* We know that a^{n-1} = 1 (mod n)
Remains to check that gcd(a^{(n-1)/q} - 1, n) == 1 */
VERBOSE("x");
mpz_powm(y, a, nm1dq, n);
mpz_sub_ui(y, y, 1);
mpz_gcd(y, y, n);
is_prime = mpz_cmp_ui (y, 1) == 0;
VERBOSE(is_prime ? "\n" : "");
}
for (j = 1; j < k; j++)
{
mpz_powm_ui (y, y, 2, n);
if (mpz_cmp_ui (y, 1) == 0)
break;
if (mpz_cmp (y, nm1) == 0)
goto passed_miller_rabin;
}
mpz_clear(r);
mpz_clear(y);
return is_prime;
}
#if 0
/* Single Miller-Rabin test to base 2. */
static int
miller_rabin_2(mpz_t n)
{
mpz_t nm1;
mpz_t r;
mpz_t y;
/* Avoid the mp_bitcnt_t type for compatibility with older GMP
versions. */
unsigned k;
unsigned j;
// gmp_fprintf(stderr, "n = %Zd\n", n);
if (mpz_even_p(n) || mpz_cmp_ui(n, 3) < 0)
return 0;
mpz_init(nm1);
mpz_init(r);
mpz_init_set_ui(y, 2);
mpz_sub_ui(nm1, n, 1);
k = mpz_scan1(nm1, 0);
assert(k > 0);
mpz_fdiv_q_2exp (r, nm1, k);
mpz_powm(y, y, r, n);
// gmp_fprintf (stderr, "r = %Zd, y = %Zd\n", r,y);
if (mpz_cmp_ui(y, 1) == 0 || mpz_cmp(y, nm1) == 0)
return 1;
for (j = 1; j < k; j++)
{
mpz_powm_ui (y, y, 2, n);
// gmp_fprintf (stderr, "j = %d, y = %Zd\n", j, y);
if (mpz_cmp_ui (y, 1) == 0)
return 0;
if (mpz_cmp (y, nm1) == 0)
return 1;
}
return 0;
}
#endif
/* Generate random prime of a given size. Maurer's algorithm (Alg.
6.42 Handbook of applied cryptography), but with ratio = 1/2 (like
the variant in fips186-3). FIXME: Force primes to start with two
one bits? */
void
nettle_random_prime(mpz_t p, unsigned bits,
void *ctx, nettle_random_func random)
{
assert (bits >= 6);
if (bits < 20)
{
unsigned long highbit;
uint8_t buf[3];
unsigned long x;
unsigned j;
/* Small cases:
3 bits: 5 or 7
4 bits: 11, 13, 15
5 bits: 17, 19, 23, 29, 31
With 3 bits, no sieving is done, since candidates are smaller
than 3^2 = 9 (and this is ok; all odd 3-bit numbers are
prime).
With 4 bits, sieving with the first value, 3*5*...*23 doesn't
work, since this includes the primes 11 and 13 in the
interval. Of the odd numbers in the interval, 9, 11, 13, 15,
only the factors of three need be discarded.
With 5 bits, we still sieve with only the first value, which
includes three of the primes in the interval. Of the odd
numbers in the interval, 17, 19, (21), 23, (25), (27), 29,
31, we need to discard multiples of 3 and 5 only.
With 6 bits, we sieve with only the first value (since 63 <
29^2), and there's no problem.
*/
highbit = 1L << (bits - 1);
again:
random (ctx, sizeof(buf), buf);
x = READ_UINT24(buf);
x &= (highbit - 1);
x |= highbit | 1;
mpz_set_ui (p, x);
for (j = 0; j < SIEVE_SIZE && x >= sieve_table[j].p2; j++)
if (mpz_gcd_ui (NULL, p, sieve_table[j].prod) != 1)
goto again;
}
else
{
mpz_t q, r, nm1, t, a, i;
unsigned j;
mpz_init (q);
mpz_init (r);
mpz_init (nm1);
mpz_init (t);
mpz_init (a);
mpz_init (i);
/* Bit size ceil(k/2) + 1, slightly larger than used in Alg.
4.62. */
nettle_random_prime (q, (bits+3)/2, ctx, random);
/* i = floor (2^{bits-2} / q) */
mpz_init_set_ui (i, 1);
mpz_mul_2exp (i, i, bits-2);
mpz_fdiv_q (i, i, q);
for (;;)
{
uint8_t buf[1];
/* Generate r in the range i + 1 <= r <= 2*i */
nettle_mpz_random (r, ctx, random, i);
mpz_add (r, r, i);
mpz_add_ui (r, r, 1);
/* Set p = 2*r*q + 1 */
mpz_mul_2exp(r, r, 1);
mpz_mul (nm1, r, q);
mpz_add_ui (p, nm1, 1);
assert(mpz_sizeinbase(p, 2) == bits);
for (j = 0; j < SIEVE_SIZE; j++)
{
if (mpz_gcd_ui (NULL, p, sieve_table[j].prod) != 1)
goto composite;
}
random(ctx, sizeof(buf), buf);
mpz_set_ui (a, buf[0] + 2);
if (miller_rabin_pocklington(p, nm1, r, a))
break;
composite:
;
}
mpz_clear (q);
mpz_clear (r);
mpz_clear (nm1);
mpz_clear (t);
mpz_clear (a);
mpz_clear (i);
}
}