Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
/* rsa.c
*
* The RSA publickey algorithm.
*/
/* nettle, low-level cryptographics library
*
* Copyright (C) 2001 Niels Mller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
*
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
* MA 02111-1307, USA.
*/
#if HAVE_CONFIG_H
#include "config.h"
#endif
#if HAVE_LIBGMP
#include "rsa.h"
#include "bignum.h"
/* FIXME: Perhaps we should split this into several functions, so that
* one can link in the signature functions without also getting the
* verify functions. */
void
rsa_init_public_key(struct rsa_public_key *key)
{
mpz_init(key->n);
mpz_init(key->e);
/* Not really necessary, but it seems cleaner to initialize all the
* storage. */
key->size = 0;
}
void
rsa_clear_public_key(struct rsa_public_key *key)
{
mpz_clear(key->n);
mpz_clear(key->e);
}
/* Computes the size, in octets, of a size BITS modulo.
* Returns 0 if the modulo is too small to be useful. */
static unsigned
rsa_check_size(mpz_t n)
/* Round upwards */
unsigned size = (mpz_sizeinbase(n, 2) + 7) / 8;
return 0;
return size;
}
int
rsa_prepare_public_key(struct rsa_public_key *key)
{
/* FIXME: Add further sanity checks, like 0 < e < n. */
#if 0
if ( (mpz_sgn(key->e) <= 0)
|| mpz_cmp(key->e, key->n) >= 0)
return 0;
#endif
key->size = rsa_check_size(key->n);
return (key->size > 0);
void
rsa_init_private_key(struct rsa_private_key *key)
{
mpz_init(key->d);
mpz_init(key->p);
mpz_init(key->q);
mpz_init(key->a);
mpz_init(key->b);
mpz_init(key->c);
/* Not really necessary, but it seems cleaner to initialize all the
* storage. */
key->size = 0;
}
void
rsa_clear_private_key(struct rsa_private_key *key)
{
mpz_clear(key->d);
mpz_clear(key->p);
mpz_clear(key->q);
mpz_clear(key->a);
mpz_clear(key->b);
mpz_clear(key->c);
}
rsa_prepare_private_key(struct rsa_private_key *key)
/* FIXME: Add further sanity checks. */
mpz_t n;
/* The size of the product is the sum of the sizes of the factors,
* or sometimes one less. It's possible but tricky to compute the
* size without computing the full product. */
mpz_init(n);
mpz_mul(n, key->p, key->q);
key->size = rsa_check_size(n);
mpz_clear(n);
return (key->size > 0);
}
/* Computing an rsa root. */
rsa_compute_root(struct rsa_private_key *key, mpz_t x, const mpz_t m)
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
mpz_t xp; /* modulo p */
mpz_t xq; /* modulo q */
mpz_init(xp); mpz_init(xq);
/* Compute xq = m^d % q = (m%q)^b % q */
mpz_fdiv_r(xq, m, key->q);
mpz_powm(xq, xq, key->b, key->q);
/* Compute xp = m^d % p = (m%p)^a % p */
mpz_fdiv_r(xp, m, key->p);
mpz_powm(xp, xp, key->a, key->p);
/* Set xp' = (xp - xq) c % p. */
mpz_sub(xp, xp, xq);
mpz_mul(xp, xp, key->c);
mpz_fdiv_r(xp, xp, key->p);
/* Finally, compute x = xq + q xp'
*
* To prove that this works, note that
*
* xp = x + i p,
* xq = x + j q,
* c q = 1 + k p
*
* for some integers i, j and k. Now, for some integer l,
*
* xp' = (xp - xq) c + l p
* = (x + i p - (x + j q)) c + l p
* = (i p - j q) c + l p
* = (i c + l) p - j (c q)
* = (i c + l) p - j (1 + kp)
* = (i c + l - j k) p - j
*
* which shows that xp' = -j (mod p). We get
*
* xq + q xp' = x + j q + (i c + l - j k) p q - j q
* = x + (i c + l - j k) p q
*
* so that
*
* xq + q xp' = x (mod pq)
*
* We also get 0 <= xq + q xp' < p q, because
*
* 0 <= xq < q and 0 <= xp' < p.
*/
mpz_mul(x, key->q, xp);
mpz_add(x, x, xq);
mpz_clear(xp); mpz_clear(xq);