michael@0: /* michael@0: * mpprime.c michael@0: * michael@0: * Utilities for finding and working with prime and pseudo-prime michael@0: * integers michael@0: * michael@0: * This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: #include "mpi-priv.h" michael@0: #include "mpprime.h" michael@0: #include "mplogic.h" michael@0: #include michael@0: #include michael@0: michael@0: #define SMALL_TABLE 0 /* determines size of hard-wired prime table */ michael@0: michael@0: #define RANDOM() rand() michael@0: michael@0: #include "primes.c" /* pull in the prime digit table */ michael@0: michael@0: /* michael@0: Test if any of a given vector of digits divides a. If not, MP_NO michael@0: is returned; otherwise, MP_YES is returned and 'which' is set to michael@0: the index of the integer in the vector which divided a. michael@0: */ michael@0: mp_err s_mpp_divp(mp_int *a, const mp_digit *vec, int size, int *which); michael@0: michael@0: /* {{{ mpp_divis(a, b) */ michael@0: michael@0: /* michael@0: mpp_divis(a, b) michael@0: michael@0: Returns MP_YES if a is divisible by b, or MP_NO if it is not. michael@0: */ michael@0: michael@0: mp_err mpp_divis(mp_int *a, mp_int *b) michael@0: { michael@0: mp_err res; michael@0: mp_int rem; michael@0: michael@0: if((res = mp_init(&rem)) != MP_OKAY) michael@0: return res; michael@0: michael@0: if((res = mp_mod(a, b, &rem)) != MP_OKAY) michael@0: goto CLEANUP; michael@0: michael@0: if(mp_cmp_z(&rem) == 0) michael@0: res = MP_YES; michael@0: else michael@0: res = MP_NO; michael@0: michael@0: CLEANUP: michael@0: mp_clear(&rem); michael@0: return res; michael@0: michael@0: } /* end mpp_divis() */ michael@0: michael@0: /* }}} */ michael@0: michael@0: /* {{{ mpp_divis_d(a, d) */ michael@0: michael@0: /* michael@0: mpp_divis_d(a, d) michael@0: michael@0: Return MP_YES if a is divisible by d, or MP_NO if it is not. michael@0: */ michael@0: michael@0: mp_err mpp_divis_d(mp_int *a, mp_digit d) michael@0: { michael@0: mp_err res; michael@0: mp_digit rem; michael@0: michael@0: ARGCHK(a != NULL, MP_BADARG); michael@0: michael@0: if(d == 0) michael@0: return MP_NO; michael@0: michael@0: if((res = mp_mod_d(a, d, &rem)) != MP_OKAY) michael@0: return res; michael@0: michael@0: if(rem == 0) michael@0: return MP_YES; michael@0: else michael@0: return MP_NO; michael@0: michael@0: } /* end mpp_divis_d() */ michael@0: michael@0: /* }}} */ michael@0: michael@0: /* {{{ mpp_random(a) */ michael@0: michael@0: /* michael@0: mpp_random(a) michael@0: michael@0: Assigns a random value to a. This value is generated using the michael@0: standard C library's rand() function, so it should not be used for michael@0: cryptographic purposes, but it should be fine for primality testing, michael@0: since all we really care about there is good statistical properties. michael@0: michael@0: As many digits as a currently has are filled with random digits. michael@0: */ michael@0: michael@0: mp_err mpp_random(mp_int *a) michael@0: michael@0: { michael@0: mp_digit next = 0; michael@0: unsigned int ix, jx; michael@0: michael@0: ARGCHK(a != NULL, MP_BADARG); michael@0: michael@0: for(ix = 0; ix < USED(a); ix++) { michael@0: for(jx = 0; jx < sizeof(mp_digit); jx++) { michael@0: next = (next << CHAR_BIT) | (RANDOM() & UCHAR_MAX); michael@0: } michael@0: DIGIT(a, ix) = next; michael@0: } michael@0: michael@0: return MP_OKAY; michael@0: michael@0: } /* end mpp_random() */ michael@0: michael@0: /* }}} */ michael@0: michael@0: /* {{{ mpp_random_size(a, prec) */ michael@0: michael@0: mp_err mpp_random_size(mp_int *a, mp_size prec) michael@0: { michael@0: mp_err res; michael@0: michael@0: ARGCHK(a != NULL && prec > 0, MP_BADARG); michael@0: michael@0: if((res = s_mp_pad(a, prec)) != MP_OKAY) michael@0: return res; michael@0: michael@0: return mpp_random(a); michael@0: michael@0: } /* end mpp_random_size() */ michael@0: michael@0: /* }}} */ michael@0: michael@0: /* {{{ mpp_divis_vector(a, vec, size, which) */ michael@0: michael@0: /* michael@0: mpp_divis_vector(a, vec, size, which) michael@0: michael@0: Determines if a is divisible by any of the 'size' digits in vec. michael@0: Returns MP_YES and sets 'which' to the index of the offending digit, michael@0: if it is; returns MP_NO if it is not. michael@0: */ michael@0: michael@0: mp_err mpp_divis_vector(mp_int *a, const mp_digit *vec, int size, int *which) michael@0: { michael@0: ARGCHK(a != NULL && vec != NULL && size > 0, MP_BADARG); michael@0: michael@0: return s_mpp_divp(a, vec, size, which); michael@0: michael@0: } /* end mpp_divis_vector() */ michael@0: michael@0: /* }}} */ michael@0: michael@0: /* {{{ mpp_divis_primes(a, np) */ michael@0: michael@0: /* michael@0: mpp_divis_primes(a, np) michael@0: michael@0: Test whether a is divisible by any of the first 'np' primes. If it michael@0: is, returns MP_YES and sets *np to the value of the digit that did michael@0: it. If not, returns MP_NO. michael@0: */ michael@0: mp_err mpp_divis_primes(mp_int *a, mp_digit *np) michael@0: { michael@0: int size, which; michael@0: mp_err res; michael@0: michael@0: ARGCHK(a != NULL && np != NULL, MP_BADARG); michael@0: michael@0: size = (int)*np; michael@0: if(size > prime_tab_size) michael@0: size = prime_tab_size; michael@0: michael@0: res = mpp_divis_vector(a, prime_tab, size, &which); michael@0: if(res == MP_YES) michael@0: *np = prime_tab[which]; michael@0: michael@0: return res; michael@0: michael@0: } /* end mpp_divis_primes() */ michael@0: michael@0: /* }}} */ michael@0: michael@0: /* {{{ mpp_fermat(a, w) */ michael@0: michael@0: /* michael@0: Using w as a witness, try pseudo-primality testing based on Fermat's michael@0: little theorem. If a is prime, and (w, a) = 1, then w^a == w (mod michael@0: a). So, we compute z = w^a (mod a) and compare z to w; if they are michael@0: equal, the test passes and we return MP_YES. Otherwise, we return michael@0: MP_NO. michael@0: */ michael@0: mp_err mpp_fermat(mp_int *a, mp_digit w) michael@0: { michael@0: mp_int base, test; michael@0: mp_err res; michael@0: michael@0: if((res = mp_init(&base)) != MP_OKAY) michael@0: return res; michael@0: michael@0: mp_set(&base, w); michael@0: michael@0: if((res = mp_init(&test)) != MP_OKAY) michael@0: goto TEST; michael@0: michael@0: /* Compute test = base^a (mod a) */ michael@0: if((res = mp_exptmod(&base, a, a, &test)) != MP_OKAY) michael@0: goto CLEANUP; michael@0: michael@0: michael@0: if(mp_cmp(&base, &test) == 0) michael@0: res = MP_YES; michael@0: else michael@0: res = MP_NO; michael@0: michael@0: CLEANUP: michael@0: mp_clear(&test); michael@0: TEST: michael@0: mp_clear(&base); michael@0: michael@0: return res; michael@0: michael@0: } /* end mpp_fermat() */ michael@0: michael@0: /* }}} */ michael@0: michael@0: /* michael@0: Perform the fermat test on each of the primes in a list until michael@0: a) one of them shows a is not prime, or michael@0: b) the list is exhausted. michael@0: Returns: MP_YES if it passes tests. michael@0: MP_NO if fermat test reveals it is composite michael@0: Some MP error code if some other error occurs. michael@0: */ michael@0: mp_err mpp_fermat_list(mp_int *a, const mp_digit *primes, mp_size nPrimes) michael@0: { michael@0: mp_err rv = MP_YES; michael@0: michael@0: while (nPrimes-- > 0 && rv == MP_YES) { michael@0: rv = mpp_fermat(a, *primes++); michael@0: } michael@0: return rv; michael@0: } michael@0: michael@0: /* {{{ mpp_pprime(a, nt) */ michael@0: michael@0: /* michael@0: mpp_pprime(a, nt) michael@0: michael@0: Performs nt iteration of the Miller-Rabin probabilistic primality michael@0: test on a. Returns MP_YES if the tests pass, MP_NO if one fails. michael@0: If MP_NO is returned, the number is definitely composite. If MP_YES michael@0: is returned, it is probably prime (but that is not guaranteed). michael@0: */ michael@0: michael@0: mp_err mpp_pprime(mp_int *a, int nt) michael@0: { michael@0: mp_err res; michael@0: mp_int x, amo, m, z; /* "amo" = "a minus one" */ michael@0: int iter; michael@0: unsigned int jx; michael@0: mp_size b; michael@0: michael@0: ARGCHK(a != NULL, MP_BADARG); michael@0: michael@0: MP_DIGITS(&x) = 0; michael@0: MP_DIGITS(&amo) = 0; michael@0: MP_DIGITS(&m) = 0; michael@0: MP_DIGITS(&z) = 0; michael@0: michael@0: /* Initialize temporaries... */ michael@0: MP_CHECKOK( mp_init(&amo)); michael@0: /* Compute amo = a - 1 for what follows... */ michael@0: MP_CHECKOK( mp_sub_d(a, 1, &amo) ); michael@0: michael@0: b = mp_trailing_zeros(&amo); michael@0: if (!b) { /* a was even ? */ michael@0: res = MP_NO; michael@0: goto CLEANUP; michael@0: } michael@0: michael@0: MP_CHECKOK( mp_init_size(&x, MP_USED(a)) ); michael@0: MP_CHECKOK( mp_init(&z) ); michael@0: MP_CHECKOK( mp_init(&m) ); michael@0: MP_CHECKOK( mp_div_2d(&amo, b, &m, 0) ); michael@0: michael@0: /* Do the test nt times... */ michael@0: for(iter = 0; iter < nt; iter++) { michael@0: michael@0: /* Choose a random value for 1 < x < a */ michael@0: s_mp_pad(&x, USED(a)); michael@0: mpp_random(&x); michael@0: MP_CHECKOK( mp_mod(&x, a, &x) ); michael@0: if(mp_cmp_d(&x, 1) <= 0) { michael@0: iter--; /* don't count this iteration */ michael@0: continue; /* choose a new x */ michael@0: } michael@0: michael@0: /* Compute z = (x ** m) mod a */ michael@0: MP_CHECKOK( mp_exptmod(&x, &m, a, &z) ); michael@0: michael@0: if(mp_cmp_d(&z, 1) == 0 || mp_cmp(&z, &amo) == 0) { michael@0: res = MP_YES; michael@0: continue; michael@0: } michael@0: michael@0: res = MP_NO; /* just in case the following for loop never executes. */ michael@0: for (jx = 1; jx < b; jx++) { michael@0: /* z = z^2 (mod a) */ michael@0: MP_CHECKOK( mp_sqrmod(&z, a, &z) ); michael@0: res = MP_NO; /* previous line set res to MP_YES */ michael@0: michael@0: if(mp_cmp_d(&z, 1) == 0) { michael@0: break; michael@0: } michael@0: if(mp_cmp(&z, &amo) == 0) { michael@0: res = MP_YES; michael@0: break; michael@0: } michael@0: } /* end testing loop */ michael@0: michael@0: /* If the test passes, we will continue iterating, but a failed michael@0: test means the candidate is definitely NOT prime, so we will michael@0: immediately break out of this loop michael@0: */ michael@0: if(res == MP_NO) michael@0: break; michael@0: michael@0: } /* end iterations loop */ michael@0: michael@0: CLEANUP: michael@0: mp_clear(&m); michael@0: mp_clear(&z); michael@0: mp_clear(&x); michael@0: mp_clear(&amo); michael@0: return res; michael@0: michael@0: } /* end mpp_pprime() */ michael@0: michael@0: /* }}} */ michael@0: michael@0: /* Produce table of composites from list of primes and trial value. michael@0: ** trial must be odd. List of primes must not include 2. michael@0: ** sieve should have dimension >= MAXPRIME/2, where MAXPRIME is largest michael@0: ** prime in list of primes. After this function is finished, michael@0: ** if sieve[i] is non-zero, then (trial + 2*i) is composite. michael@0: ** Each prime used in the sieve costs one division of trial, and eliminates michael@0: ** one or more values from the search space. (3 eliminates 1/3 of the values michael@0: ** alone!) Each value left in the search space costs 1 or more modular michael@0: ** exponentations. So, these divisions are a bargain! michael@0: */ michael@0: mp_err mpp_sieve(mp_int *trial, const mp_digit *primes, mp_size nPrimes, michael@0: unsigned char *sieve, mp_size nSieve) michael@0: { michael@0: mp_err res; michael@0: mp_digit rem; michael@0: mp_size ix; michael@0: unsigned long offset; michael@0: michael@0: memset(sieve, 0, nSieve); michael@0: michael@0: for(ix = 0; ix < nPrimes; ix++) { michael@0: mp_digit prime = primes[ix]; michael@0: mp_size i; michael@0: if((res = mp_mod_d(trial, prime, &rem)) != MP_OKAY) michael@0: return res; michael@0: michael@0: if (rem == 0) { michael@0: offset = 0; michael@0: } else { michael@0: offset = prime - (rem / 2); michael@0: } michael@0: for (i = offset; i < nSieve ; i += prime) { michael@0: sieve[i] = 1; michael@0: } michael@0: } michael@0: michael@0: return MP_OKAY; michael@0: } michael@0: michael@0: #define SIEVE_SIZE 32*1024 michael@0: michael@0: mp_err mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong, michael@0: unsigned long * nTries) michael@0: { michael@0: mp_digit np; michael@0: mp_err res; michael@0: int i = 0; michael@0: mp_int trial; michael@0: mp_int q; michael@0: mp_size num_tests; michael@0: unsigned char *sieve; michael@0: michael@0: ARGCHK(start != 0, MP_BADARG); michael@0: ARGCHK(nBits > 16, MP_RANGE); michael@0: michael@0: sieve = malloc(SIEVE_SIZE); michael@0: ARGCHK(sieve != NULL, MP_MEM); michael@0: michael@0: MP_DIGITS(&trial) = 0; michael@0: MP_DIGITS(&q) = 0; michael@0: MP_CHECKOK( mp_init(&trial) ); michael@0: MP_CHECKOK( mp_init(&q) ); michael@0: /* values taken from table 4.4, HandBook of Applied Cryptography */ michael@0: if (nBits >= 1300) { michael@0: num_tests = 2; michael@0: } else if (nBits >= 850) { michael@0: num_tests = 3; michael@0: } else if (nBits >= 650) { michael@0: num_tests = 4; michael@0: } else if (nBits >= 550) { michael@0: num_tests = 5; michael@0: } else if (nBits >= 450) { michael@0: num_tests = 6; michael@0: } else if (nBits >= 400) { michael@0: num_tests = 7; michael@0: } else if (nBits >= 350) { michael@0: num_tests = 8; michael@0: } else if (nBits >= 300) { michael@0: num_tests = 9; michael@0: } else if (nBits >= 250) { michael@0: num_tests = 12; michael@0: } else if (nBits >= 200) { michael@0: num_tests = 15; michael@0: } else if (nBits >= 150) { michael@0: num_tests = 18; michael@0: } else if (nBits >= 100) { michael@0: num_tests = 27; michael@0: } else michael@0: num_tests = 50; michael@0: michael@0: if (strong) michael@0: --nBits; michael@0: MP_CHECKOK( mpl_set_bit(start, nBits - 1, 1) ); michael@0: MP_CHECKOK( mpl_set_bit(start, 0, 1) ); michael@0: for (i = mpl_significant_bits(start) - 1; i >= nBits; --i) { michael@0: MP_CHECKOK( mpl_set_bit(start, i, 0) ); michael@0: } michael@0: /* start sieveing with prime value of 3. */ michael@0: MP_CHECKOK(mpp_sieve(start, prime_tab + 1, prime_tab_size - 1, michael@0: sieve, SIEVE_SIZE) ); michael@0: michael@0: #ifdef DEBUG_SIEVE michael@0: res = 0; michael@0: for (i = 0; i < SIEVE_SIZE; ++i) { michael@0: if (!sieve[i]) michael@0: ++res; michael@0: } michael@0: fprintf(stderr,"sieve found %d potential primes.\n", res); michael@0: #define FPUTC(x,y) fputc(x,y) michael@0: #else michael@0: #define FPUTC(x,y) michael@0: #endif michael@0: michael@0: res = MP_NO; michael@0: for(i = 0; i < SIEVE_SIZE; ++i) { michael@0: if (sieve[i]) /* this number is composite */ michael@0: continue; michael@0: MP_CHECKOK( mp_add_d(start, 2 * i, &trial) ); michael@0: FPUTC('.', stderr); michael@0: /* run a Fermat test */ michael@0: res = mpp_fermat(&trial, 2); michael@0: if (res != MP_OKAY) { michael@0: if (res == MP_NO) michael@0: continue; /* was composite */ michael@0: goto CLEANUP; michael@0: } michael@0: michael@0: FPUTC('+', stderr); michael@0: /* If that passed, run some Miller-Rabin tests */ michael@0: res = mpp_pprime(&trial, num_tests); michael@0: if (res != MP_OKAY) { michael@0: if (res == MP_NO) michael@0: continue; /* was composite */ michael@0: goto CLEANUP; michael@0: } michael@0: FPUTC('!', stderr); michael@0: michael@0: if (!strong) michael@0: break; /* success !! */ michael@0: michael@0: /* At this point, we have strong evidence that our candidate michael@0: is itself prime. If we want a strong prime, we need now michael@0: to test q = 2p + 1 for primality... michael@0: */ michael@0: MP_CHECKOK( mp_mul_2(&trial, &q) ); michael@0: MP_CHECKOK( mp_add_d(&q, 1, &q) ); michael@0: michael@0: /* Test q for small prime divisors ... */ michael@0: np = prime_tab_size; michael@0: res = mpp_divis_primes(&q, &np); michael@0: if (res == MP_YES) { /* is composite */ michael@0: mp_clear(&q); michael@0: continue; michael@0: } michael@0: if (res != MP_NO) michael@0: goto CLEANUP; michael@0: michael@0: /* And test with Fermat, as with its parent ... */ michael@0: res = mpp_fermat(&q, 2); michael@0: if (res != MP_YES) { michael@0: mp_clear(&q); michael@0: if (res == MP_NO) michael@0: continue; /* was composite */ michael@0: goto CLEANUP; michael@0: } michael@0: michael@0: /* And test with Miller-Rabin, as with its parent ... */ michael@0: res = mpp_pprime(&q, num_tests); michael@0: if (res != MP_YES) { michael@0: mp_clear(&q); michael@0: if (res == MP_NO) michael@0: continue; /* was composite */ michael@0: goto CLEANUP; michael@0: } michael@0: michael@0: /* If it passed, we've got a winner */ michael@0: mp_exch(&q, &trial); michael@0: mp_clear(&q); michael@0: break; michael@0: michael@0: } /* end of loop through sieved values */ michael@0: if (res == MP_YES) michael@0: mp_exch(&trial, start); michael@0: CLEANUP: michael@0: mp_clear(&trial); michael@0: mp_clear(&q); michael@0: if (nTries) michael@0: *nTries += i; michael@0: if (sieve != NULL) { michael@0: memset(sieve, 0, SIEVE_SIZE); michael@0: free (sieve); michael@0: } michael@0: return res; michael@0: } michael@0: michael@0: /*========================================================================*/ michael@0: /*------------------------------------------------------------------------*/ michael@0: /* Static functions visible only to the library internally */ michael@0: michael@0: /* {{{ s_mpp_divp(a, vec, size, which) */ michael@0: michael@0: /* michael@0: Test for divisibility by members of a vector of digits. Returns michael@0: MP_NO if a is not divisible by any of them; returns MP_YES and sets michael@0: 'which' to the index of the offender, if it is. Will stop on the michael@0: first digit against which a is divisible. michael@0: */ michael@0: michael@0: mp_err s_mpp_divp(mp_int *a, const mp_digit *vec, int size, int *which) michael@0: { michael@0: mp_err res; michael@0: mp_digit rem; michael@0: michael@0: int ix; michael@0: michael@0: for(ix = 0; ix < size; ix++) { michael@0: if((res = mp_mod_d(a, vec[ix], &rem)) != MP_OKAY) michael@0: return res; michael@0: michael@0: if(rem == 0) { michael@0: if(which) michael@0: *which = ix; michael@0: return MP_YES; michael@0: } michael@0: } michael@0: michael@0: return MP_NO; michael@0: michael@0: } /* end s_mpp_divp() */ michael@0: michael@0: /* }}} */ michael@0: michael@0: /*------------------------------------------------------------------------*/ michael@0: /* HERE THERE BE DRAGONS */