Commit 6ce825c7 authored by Niels Möller's avatar Niels Möller

(_nettle_generate_pocklington_prime): New

function. Rely on mpz_probab_prime_p (for lack of a trial division
function) for trial division.
(nettle_random_prime): Rewritten. Uses the prime table for the
smallest sizes, then trial division using a new set of tables, and
then Maurer's algorithm, calling the new
_nettle_generate_pocklington_prime for the final search.

Rev: nettle/ChangeLog:1.80
Rev: nettle/bignum-random-prime.c:1.4
Rev: nettle/bignum.h:1.5
parent 7c49b0dc
2010-05-26 Niels Mller <nisse@lysator.liu.se>
* bignum-random-prime.c (_nettle_generate_pocklington_prime): New
function. Rely on mpz_probab_prime_p (for lack of a trial division
function) for trial division.
(nettle_random_prime): Rewritten. Uses the prime table for the
smallest sizes, then trial division using a new set of tables, and
then Maurer's algorithm, calling the new
_nettle_generate_pocklington_prime for the final search.
2010-05-25 Niels Mller <nisse@lysator.liu.se>
* testsuite/dsa-test.c (test_main): Updated for dsa testing
changes.
changes.
* testsuite/dsa-keygen-test.c (test_main): Test dsa256.
......
......@@ -45,73 +45,126 @@
#include "macros.h"
/* Use a table of p_2 = 3 to p_{172} = 1021, multiplied to 32-bit or
64-bit size. */
struct sieve_element {
/* Product of some small primes. */
unsigned long prod;
/* Square of the smallest one. */
unsigned long p2;
/* Use a table of p_2 = 3 to p_{172} = 1021, used for sieving numbers
of up to 20 bits. */
#define NPRIMES 171
#define TRIAL_DIV_BITS 20
#define TRIAL_DIV_MASK ((1 << TRIAL_DIV_BITS) - 1)
/* A 20-bit number x is divisible by p iff
((x * inverse) & TRIAL_DIV_MASK) <= limit
*/
struct trial_div_info {
uint32_t inverse; /* p^{-1} (mod 2^20) */
uint32_t limit; /* floor( (2^20 - 1) / p) */
};
static const uint16_t
primes[NPRIMES] = {
3,5,7,11,13,17,19,23,
29,31,37,41,43,47,53,59,
61,67,71,73,79,83,89,97,
101,103,107,109,113,127,131,137,
139,149,151,157,163,167,173,179,
181,191,193,197,199,211,223,227,
229,233,239,241,251,257,263,269,
271,277,281,283,293,307,311,313,
317,331,337,347,349,353,359,367,
373,379,383,389,397,401,409,419,
421,431,433,439,443,449,457,461,
463,467,479,487,491,499,503,509,
521,523,541,547,557,563,569,571,
577,587,593,599,601,607,613,617,
619,631,641,643,647,653,659,661,
673,677,683,691,701,709,719,727,
733,739,743,751,757,761,769,773,
787,797,809,811,821,823,827,829,
839,853,857,859,863,877,881,883,
887,907,911,919,929,937,941,947,
953,967,971,977,983,991,997,1009,
1013,1019,1021,
};
static const uint32_t
prime_square[NPRIMES+1] = {
9,25,49,121,169,289,361,529,
841,961,1369,1681,1849,2209,2809,3481,
3721,4489,5041,5329,6241,6889,7921,9409,
10201,10609,11449,11881,12769,16129,17161,18769,
19321,22201,22801,24649,26569,27889,29929,32041,
32761,36481,37249,38809,39601,44521,49729,51529,
52441,54289,57121,58081,63001,66049,69169,72361,
73441,76729,78961,80089,85849,94249,96721,97969,
100489,109561,113569,120409,121801,124609,128881,134689,
139129,143641,146689,151321,157609,160801,167281,175561,
177241,185761,187489,192721,196249,201601,208849,212521,
214369,218089,229441,237169,241081,249001,253009,259081,
271441,273529,292681,299209,310249,316969,323761,326041,
332929,344569,351649,358801,361201,368449,375769,380689,
383161,398161,410881,413449,418609,426409,434281,436921,
452929,458329,466489,477481,491401,502681,516961,528529,
537289,546121,552049,564001,573049,579121,591361,597529,
619369,635209,654481,657721,674041,677329,683929,687241,
703921,727609,734449,737881,744769,769129,776161,779689,
786769,822649,829921,844561,863041,877969,885481,896809,
908209,935089,942841,954529,966289,982081,994009,1018081,
1026169,1038361,1042441,1L<<20
};
static const struct sieve_element
sieve_table[] = {
{111546435, 9}, /* 3 -- 23 */
{58642669, 841}, /* 29 -- 43 */
{600662303, 2209}, /* 47 -- 67 */
{33984931, 5041}, /* 71 -- 83 */
{89809099, 7921}, /* 89 -- 103 */
{167375713, 11449}, /* 107 -- 127 */
{371700317, 17161}, /* 131 -- 149 */
{645328247, 22801}, /* 151 -- 167 */
{1070560157, 29929}, /* 173 -- 191 */
{1596463769, 37249}, /* 193 -- 211 */
{11592209, 49729}, /* 223 -- 229 */
{13420567, 54289}, /* 233 -- 241 */
{16965341, 63001}, /* 251 -- 263 */
{20193023, 72361}, /* 269 -- 277 */
{23300239, 78961}, /* 281 -- 293 */
{29884301, 94249}, /* 307 -- 313 */
{35360399, 100489}, /* 317 -- 337 */
{42749359, 120409}, /* 347 -- 353 */
{49143869, 128881}, /* 359 -- 373 */
{56466073, 143641}, /* 379 -- 389 */
{65111573, 157609}, /* 397 -- 409 */
{76027969, 175561}, /* 419 -- 431 */
{84208541, 187489}, /* 433 -- 443 */
{94593973, 201601}, /* 449 -- 461 */
{103569859, 214369}, /* 463 -- 479 */
{119319383, 237169}, /* 487 -- 499 */
{133390067, 253009}, /* 503 -- 521 */
{154769821, 273529}, /* 523 -- 547 */
{178433279, 310249}, /* 557 -- 569 */
{193397129, 326041}, /* 571 -- 587 */
{213479407, 351649}, /* 593 -- 601 */
{229580147, 368449}, /* 607 -- 617 */
{250367549, 383161}, /* 619 -- 641 */
{271661713, 413449}, /* 643 -- 653 */
{293158127, 434281}, /* 659 -- 673 */
{319512181, 458329}, /* 677 -- 691 */
{357349471, 491401}, /* 701 -- 719 */
{393806449, 528529}, /* 727 -- 739 */
{422400701, 552049}, /* 743 -- 757 */
{452366557, 579121}, /* 761 -- 773 */
{507436351, 619369}, /* 787 -- 809 */
{547978913, 657721}, /* 811 -- 823 */
{575204137, 683929}, /* 827 -- 839 */
{627947039, 727609}, /* 853 -- 859 */
{666785731, 744769}, /* 863 -- 881 */
{710381447, 779689}, /* 883 -- 907 */
{777767161, 829921}, /* 911 -- 929 */
{834985999, 877969}, /* 937 -- 947 */
{894826021, 908209}, /* 953 -- 971 */
{951747481, 954529}, /* 977 -- 991 */
{1019050649, 994009}, /* 997 -- 1013 */
{1040399, 1038361}, /* 1019 -- 1021 */
static const struct trial_div_info
trial_div_table[NPRIMES] = {
{699051,349525},{838861,209715},{748983,149796},{953251,95325},
{806597,80659},{61681,61680},{772635,55188},{866215,45590},
{180789,36157},{1014751,33825},{793517,28339},{1023001,25575},
{48771,24385},{870095,22310},{217629,19784},{710899,17772},
{825109,17189},{281707,15650},{502135,14768},{258553,14364},
{464559,13273},{934875,12633},{1001449,11781},{172961,10810},
{176493,10381},{203607,10180},{568387,9799},{788837,9619},
{770193,9279},{1032063,8256},{544299,8004},{619961,7653},
{550691,7543},{182973,7037},{229159,6944},{427445,6678},
{701195,6432},{370455,6278},{90917,6061},{175739,5857},
{585117,5793},{225087,5489},{298817,5433},{228877,5322},
{442615,5269},{546651,4969},{244511,4702},{83147,4619},
{769261,4578},{841561,4500},{732687,4387},{978961,4350},
{133683,4177},{65281,4080},{629943,3986},{374213,3898},
{708079,3869},{280125,3785},{641833,3731},{618771,3705},
{930477,3578},{778747,3415},{623751,3371},{40201,3350},
{122389,3307},{950371,3167},{1042353,3111},{18131,3021},
{285429,3004},{549537,2970},{166487,2920},{294287,2857},
{919261,2811},{636339,2766},{900735,2737},{118605,2695},
{10565,2641},{188273,2614},{115369,2563},{735755,2502},
{458285,2490},{914767,2432},{370513,2421},{1027079,2388},
{629619,2366},{462401,2335},{649337,2294},{316165,2274},
{484655,2264},{65115,2245},{326175,2189},{1016279,2153},
{990915,2135},{556859,2101},{462791,2084},{844629,2060},
{404537,2012},{457123,2004},{577589,1938},{638347,1916},
{892325,1882},{182523,1862},{1002505,1842},{624371,1836},
{69057,1817},{210787,1786},{558769,1768},{395623,1750},
{992745,1744},{317855,1727},{384877,1710},{372185,1699},
{105027,1693},{423751,1661},{408961,1635},{908331,1630},
{74551,1620},{36933,1605},{617371,1591},{506045,1586},
{24929,1558},{529709,1548},{1042435,1535},{31867,1517},
{166037,1495},{928781,1478},{508975,1458},{4327,1442},
{779637,1430},{742091,1418},{258263,1411},{879631,1396},
{72029,1385},{728905,1377},{589057,1363},{348621,1356},
{671515,1332},{710453,1315},{84249,1296},{959363,1292},
{685853,1277},{467591,1274},{646643,1267},{683029,1264},
{439927,1249},{254461,1229},{660713,1223},{554195,1220},
{202911,1215},{753253,1195},{941457,1190},{776635,1187},
{509511,1182},{986147,1156},{768879,1151},{699431,1140},
{696417,1128},{86169,1119},{808997,1114},{25467,1107},
{201353,1100},{708087,1084},{1018339,1079},{341297,1073},
{434151,1066},{96287,1058},{950765,1051},{298257,1039},
{675933,1035},{167731,1029},{815445,1027},
};
#define SIEVE_SIZE (sizeof(sieve_table) / sizeof(sieve_table[0]))
/* Element j gives the index of the first prime of size 3+j bits */
static uint8_t
prime_by_size[9] = {
1,3,5,10,17,30,53,96,171
};
/* Combined Miller-Rabin test to the base a, and checking the
conditions from Pocklington's theorem. */
......@@ -176,19 +229,14 @@ miller_rabin_pocklington(mpz_t n, mpz_t nm1, mpz_t nm1dq, mpz_t a)
return is_prime;
}
/* Generate random prime of a given size. Maurer's algorithm (Alg.
6.42 Handbook of applied cryptography), but with ratio = 1/2 (like
the variant in fips186-3). FIXME: Force primes to start with two
one bits? */
/* The algorithm is based on the following special case of
Pocklington's theorem:
Assume that n = 1 + r q, where q is a prime, q > sqrt(n) - 1. If we
Assume that n = 1 + f q, where q is a prime, q > sqrt(n) - 1. If we
can find an a such that
a^{n-1} = 1 (mod n)
gcd(a^r - 1, n) = 1
gcd(a^f - 1, n) = 1
then n is prime.
......@@ -203,42 +251,98 @@ miller_rabin_pocklington(mpz_t n, mpz_t nm1, mpz_t nm1dq, mpz_t a)
If n is specified as k bits, we need q of size ceil(k/2) + 1 bits
(or more) to make the theorem apply.
*/
*/
/* Generate a prime number p of size bits with 2 p0q dividing (p-1).
p0 must be of size >= ceil(bits/2) + 1. The extra factor q can be
omitted. */
void
nettle_random_prime(mpz_t p, unsigned bits,
void *ctx, nettle_random_func random)
_nettle_generate_pocklington_prime (mpz_t p, unsigned bits,
void *ctx, nettle_random_func random,
const mpz_t p0,
const mpz_t q,
const mpz_t p0q)
{
assert (bits >= 6);
if (bits < 20)
mpz_t i, r, pm1,a;
assert (2*mpz_sizeinbase (p0, 2) > bits + 1);
mpz_init (i);
mpz_init (r);
mpz_init (pm1);
mpz_init (a);
/* i = floor (2^{bits-2} / p0q) */
mpz_init_set_ui (i, 1);
mpz_mul_2exp (i, i, bits-2);
mpz_fdiv_q (i, i, p0q);
for (;;)
{
unsigned long highbit;
uint8_t buf[3];
unsigned long x;
unsigned j;
uint8_t buf[1];
/* Small cases:
/* Generate r in the range i + 1 <= r <= 2*i */
nettle_mpz_random (r, ctx, random, i);
mpz_add (r, r, i);
mpz_add_ui (r, r, 1);
3 bits: 5 or 7
4 bits: 11, 13, 15
5 bits: 17, 19, 23, 29, 31
/* Set p = 2*r*p0q + 1 */
mpz_mul_2exp(r, r, 1);
mpz_mul (pm1, r, p0q);
mpz_add_ui (p, pm1, 1);
With 3 bits, no sieving is done, since candidates are smaller
than 3^2 = 9 (and this is ok; all odd 3-bit numbers are
prime).
assert(mpz_sizeinbase(p, 2) == bits);
/* Should use GMP trial division interface when that
materializes, we don't need any testing beyond trial
division. */
if (!mpz_probab_prime_p (p, 1))
continue;
random(ctx, sizeof(buf), buf);
mpz_set_ui (a, buf[0] + 2);
if (q)
mpz_mul (r, r, q);
if (miller_rabin_pocklington(p, pm1, r, a))
break;
}
mpz_clear (i);
mpz_clear (r);
mpz_clear (pm1);
mpz_clear (a);
}
With 4 bits, sieving with the first value, 3*5*...*23 doesn't
work, since this includes the primes 11 and 13 in the
interval. Of the odd numbers in the interval, 9, 11, 13, 15,
only the factors of three need be discarded.
/* Generate random prime of a given size. Maurer's algorithm (Alg.
6.42 Handbook of applied cryptography), but with ratio = 1/2 (like
the variant in fips186-3). FIXME: Force primes to start with two
one bits? */
void
nettle_random_prime(mpz_t p, unsigned bits,
void *ctx, nettle_random_func random)
{
assert (bits >= 3);
if (bits <= 10)
{
unsigned first;
unsigned choices;
uint8_t buf;
With 5 bits, we still sieve with only the first value, which
includes three of the primes in the interval. Of the odd
numbers in the interval, 17, 19, (21), 23, (25), (27), 29,
31, we need to discard multiples of 3 and 5 only.
random (ctx, sizeof(buf), &buf);
With 6 bits, we sieve with only the first value (since 63 <
29^2), and there's no problem.
*/
first = prime_by_size[bits-3];
choices = prime_by_size[bits-2] - first;
mpz_set_ui (p, primes[first + buf % choices]);
}
else if (bits <= 20)
{
unsigned long highbit;
uint8_t buf[3];
unsigned long x;
unsigned j;
highbit = 1L << (bits - 1);
......@@ -248,69 +352,28 @@ nettle_random_prime(mpz_t p, unsigned bits,
x &= (highbit - 1);
x |= highbit | 1;
mpz_set_ui (p, x);
for (j = 0; j < SIEVE_SIZE && x >= sieve_table[j].p2; j++)
if (mpz_gcd_ui (NULL, p, sieve_table[j].prod) != 1)
goto again;
for (j = 0; prime_square[j] <= x; j++)
{
unsigned q = x * trial_div_table[j].inverse & TRIAL_DIV_MASK;
if (q <= trial_div_table[j].limit)
goto again;
}
mpz_set_ui (p, x);
}
else
{
mpz_t q, r, nm1, t, a, i;
unsigned j;
mpz_t q;
mpz_init (q);
mpz_init (r);
mpz_init (nm1);
mpz_init (t);
mpz_init (a);
mpz_init (i);
/* Bit size ceil(k/2) + 1, slightly larger than used in Alg. 4.62
in Handbook of Applied Cryptography (which seems to be
incorrect for odd k). */
nettle_random_prime (q, (bits+3)/2, ctx, random);
/* i = floor (2^{bits-2} / q) */
mpz_init_set_ui (i, 1);
mpz_mul_2exp (i, i, bits-2);
mpz_fdiv_q (i, i, q);
for (;;)
{
uint8_t buf[1];
/* Generate r in the range i + 1 <= r <= 2*i */
nettle_mpz_random (r, ctx, random, i);
mpz_add (r, r, i);
mpz_add_ui (r, r, 1);
/* Set p = 2*r*q + 1 */
mpz_mul_2exp(r, r, 1);
mpz_mul (nm1, r, q);
mpz_add_ui (p, nm1, 1);
assert(mpz_sizeinbase(p, 2) == bits);
for (j = 0; j < SIEVE_SIZE; j++)
{
if (mpz_gcd_ui (NULL, p, sieve_table[j].prod) != 1)
goto composite;
}
random(ctx, sizeof(buf), buf);
mpz_set_ui (a, buf[0] + 2);
if (miller_rabin_pocklington(p, nm1, r, a))
break;
composite:
;
}
_nettle_generate_pocklington_prime (p, bits, ctx, random,
q, NULL, q);
mpz_clear (q);
mpz_clear (r);
mpz_clear (nm1);
mpz_clear (t);
mpz_clear (a);
mpz_clear (i);
}
}
......@@ -89,6 +89,13 @@ void
nettle_random_prime(mpz_t p, unsigned bits,
void *ctx, nettle_random_func random);
void
_nettle_generate_pocklington_prime (mpz_t p, unsigned bits,
void *ctx, nettle_random_func random,
const mpz_t p0,
const mpz_t q,
const mpz_t p0q);
/* sexp parsing */
struct sexp_iterator;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment