diff --git a/CHANGES b/CHANGES index fbcf4220c16eb73dea3a809e91dc59f0d89af71b..4e672597abd960320ebecb7b173b5462b5a6f100 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,11 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 2000] + *) Use a less unusual form of the Miller-Rabin primality test (it used + a binary algorithm for exponentiation integrated into the Miller-Rabin + loop, our standard modexp algorithms are faster). + [Bodo Moeller] + *) Support for the EBCDIC character set completed. [Martin Kraemer ] diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h index e88291d62cb867eb43f751e141a330eeb680e6d9..299873819347713e401e1c50aa1f95e7a60c777e 100644 --- a/crypto/bn/bn.h +++ b/crypto/bn/bn.h @@ -407,8 +407,7 @@ BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,BIGNUM *add, int BN_is_prime(BIGNUM *p,int nchecks,void (*callback)(int,int,void *), BN_CTX *ctx,void *cb_arg); int BN_is_prime_fasttest(BIGNUM *p,int nchecks, - void (*callback)(int,int,void *), - BN_CTX *ctx,BN_CTX *ctx2,void *cb_arg, + void (*callback)(int,int,void *),BN_CTX *ctx,void *cb_arg, int do_trial_division); void ERR_load_BN_strings(void ); diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index f6de801263cc410974cffcc7ba313945aaef6a5c..21d49affda6435a3b5110c0d2d8973a53821a499 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -68,8 +68,8 @@ */ #include "bn_prime.h" -static int witness(BIGNUM *a, BIGNUM *n, BN_CTX *ctx,BN_CTX *ctx2, - BN_MONT_CTX *mont); +static int witness(BIGNUM *w, BIGNUM *a, BIGNUM *a1, BIGNUM *a1_odd, int k, + BN_CTX *ctx, BN_MONT_CTX *mont); static int probable_prime(BIGNUM *rnd, int bits); static int probable_prime_dh(BIGNUM *rnd, int bits, BIGNUM *add, BIGNUM *rem, BN_CTX *ctx); @@ -83,13 +83,11 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, BIGNUM *add, BIGNUM t; int found=0; int i,j,c1=0; - BN_CTX *ctx,*ctx2=NULL; + BN_CTX *ctx; int checks = BN_prime_checks_for_size(bits); ctx=BN_CTX_new(); if (ctx == NULL) goto err; - ctx2=BN_CTX_new(); - if (ctx2 == NULL) goto err; if (ret == NULL) { if ((rnd=BN_new()) == NULL) goto err; @@ -121,7 +119,7 @@ loop: if (!safe) { - i=BN_is_prime_fasttest(rnd,checks,callback,ctx,ctx2,cb_arg,0); + i=BN_is_prime_fasttest(rnd,checks,callback,ctx,cb_arg,0); if (i == -1) goto err; if (i == 0) goto loop; } @@ -135,11 +133,11 @@ loop: for (i=0; ineg) /* for now, refuse to handle negative numbers */ + return -1; + /* first look for small factors */ if (!BN_is_odd(a)) return(0); if (do_trial_division) @@ -180,32 +185,55 @@ int BN_is_prime_fasttest(BIGNUM *a, int checks, for (i = 1; i < NUMPRIMES; i++) if (BN_mod_word(a, primes[i]) == 0) return 0; - if (callback != NULL) callback(1,-1,cb_arg); + if (callback != NULL) callback(1, -1, cb_arg); } if (ctx_passed != NULL) - ctx=ctx_passed; + ctx = ctx_passed; else - if ((ctx=BN_CTX_new()) == NULL) goto err; - if (ctx2_passed != NULL) - ctx2=ctx2_passed; - else - if ((ctx2=BN_CTX_new()) == NULL) goto err; - - if ((mont=BN_MONT_CTX_new()) == NULL) goto err; - - check= &(ctx->bn[ctx->tos++]); - - /* Setup the montgomery structure */ - if (!BN_MONT_CTX_set(mont,a,ctx2)) goto err; + if ((ctx=BN_CTX_new()) == NULL) + goto err; + a1 = &(ctx->bn[ctx->tos++]); + a1_odd = &(ctx->bn[ctx->tos++]); + check = &(ctx->bn[ctx->tos++]);; + + /* compute a1 := a - 1 */ + if (!BN_copy(a1, a)) + goto err; + if (!BN_sub_word(a1, 1)) + goto err; + if (BN_is_zero(a1)) + { + ret = 0; + goto err; + } - for (i=0; i= 0) - BN_sub(check, check, a); - if (BN_is_zero(check)) BN_one(check); - j=witness(check,a,ctx,ctx2,mont); + if (!BN_pseudo_rand(check, BN_num_bits(a1), 0, 0)) + goto err; + if (BN_cmp(check, a1) >= 0) + if (!BN_sub(check, check, a1)) + goto err; + if (!BN_add_word(check, 1)) + goto err; + /* now 1 <= check < a */ + + j = witness(check, a, a1, a1_odd, k, ctx, mont); if (j == -1) goto err; if (j) { @@ -216,84 +244,38 @@ int BN_is_prime_fasttest(BIGNUM *a, int checks, } ret=1; err: - ctx->tos--; - if ((ctx_passed == NULL) && (ctx != NULL)) + if (ctx_passed != NULL) + ctx_passed->tos -= 3; /* a1, a1_odd, check */ + else if (ctx != NULL) BN_CTX_free(ctx); - if ((ctx2_passed == NULL) && (ctx2 != NULL)) - BN_CTX_free(ctx2); - if (mont != NULL) BN_MONT_CTX_free(mont); - - return(ret); - } + if (mont != NULL) + BN_MONT_CTX_free(mont); -int BN_is_prime(BIGNUM *a, int checks, void (*callback)(int,int,void *), - BN_CTX *ctx_passed, void *cb_arg) - { - return BN_is_prime_fasttest(a, checks, callback, ctx_passed, NULL, cb_arg, 0); + return(ret); } -static int witness(BIGNUM *a, BIGNUM *n, BN_CTX *ctx, BN_CTX *ctx2, - BN_MONT_CTX *mont) +static int witness(BIGNUM *w, BIGNUM *a, BIGNUM *a1, BIGNUM *a1_odd, int k, + BN_CTX *ctx, BN_MONT_CTX *mont) { - int k,i,ret= -1,good; - BIGNUM *d,*dd,*tmp,*d1,*d2,*n1; - BIGNUM *mont_one,*mont_n1,*mont_a; - - d1= &(ctx->bn[ctx->tos]); - d2= &(ctx->bn[ctx->tos+1]); - n1= &(ctx->bn[ctx->tos+2]); - ctx->tos+=3; - - mont_one= &(ctx2->bn[ctx2->tos]); - mont_n1= &(ctx2->bn[ctx2->tos+1]); - mont_a= &(ctx2->bn[ctx2->tos+2]); - ctx2->tos+=3; - - d=d1; - dd=d2; - if (!BN_one(d)) goto err; - if (!BN_sub(n1,n,d)) goto err; /* n1=n-1; */ - k=BN_num_bits(n1); - - if (!BN_to_montgomery(mont_one,BN_value_one(),mont,ctx2)) goto err; - if (!BN_to_montgomery(mont_n1,n1,mont,ctx2)) goto err; - if (!BN_to_montgomery(mont_a,a,mont,ctx2)) goto err; - - BN_copy(d,mont_one); - for (i=k-1; i>=0; i--) + if (!BN_mod_exp_mont(w, w, a1_odd, a, ctx, mont)) /* w := w^a1_odd mod a */ + return -1; + if (BN_is_one(w)) + return 0; /* probably prime */ + if (BN_cmp(w, a1) == 0) + return 0; /* w == -1 (mod a), 'a' is probably prime */ + while (--k) { - if ( (BN_cmp(d,mont_one) != 0) && - (BN_cmp(d,mont_n1) != 0)) - good=1; - else - good=0; - - BN_mod_mul_montgomery(dd,d,d,mont,ctx2); - - if (good && (BN_cmp(dd,mont_one) == 0)) - { - ret=1; - goto err; - } - if (BN_is_bit_set(n1,i)) - { - BN_mod_mul_montgomery(d,dd,mont_a,mont,ctx2); - } - else - { - tmp=d; - d=dd; - dd=tmp; - } + if (!BN_mod_mul(w, w, w, a, ctx)) /* w := w^2 mod a */ + return -1; + if (BN_is_one(w)) + return 1; /* 'a' is composite, otherwise a previous 'w' would + * have been == -1 (mod 'a') */ + if (BN_cmp(w, a1) == 0) + return 0; /* w == -1 (mod a), 'a' is probably prime */ } - if (BN_cmp(d,mont_one) == 0) - i=0; - else i=1; - ret=i; -err: - ctx->tos-=3; - ctx2->tos-=3; - return(ret); + /* If we get here, 'w' is the (a-1)/2-th power of the original 'w', + * and it is neither -1 nor +1 -- so 'a' cannot be prime */ + return 1; } static int probable_prime(BIGNUM *rnd, int bits) @@ -411,76 +393,3 @@ err: ctx->tos-=3; return(ret); } - -#if 0 - -#define RECP_MUL_MOD - -static int witness(BIGNUM *a, BIGNUM *n, BN_CTX *ctx, - BN_CTX *unused, BN_MONT_CTX *unused2) - { - int k,i,ret= -1; - BIGNUM *d,*dd,*tmp; - BIGNUM *d1,*d2,*x,*n1; - BN_RECP_CTX recp; - - d1= &(ctx->bn[ctx->tos]); - d2= &(ctx->bn[ctx->tos+1]); - x= &(ctx->bn[ctx->tos+2]); - n1= &(ctx->bn[ctx->tos+3]); - ctx->tos+=4; - - d=d1; - dd=d2; - if (!BN_one(d)) goto err; - if (!BN_sub(n1,n,d)) goto err; /* n1=n-1; */ - k=BN_num_bits(n1); - - /* i=BN_num_bits(n); */ -#ifdef RECP_MUL_MOD - BN_RECP_CTX_init(&recp); - if (BN_RECP_CTX_set(&recp,n,ctx) <= 0) goto err; -#endif - - for (i=k-1; i>=0; i--) - { - if (BN_copy(x,d) == NULL) goto err; -#ifndef RECP_MUL_MOD - if (!BN_mod_mul(dd,d,d,n,ctx)) goto err; -#else - if (!BN_mod_mul_reciprocal(dd,d,d,&recp,ctx)) goto err; -#endif - if ( BN_is_one(dd) && - !BN_is_one(x) && - (BN_cmp(x,n1) != 0)) - { - ret=1; - goto err; - } - if (BN_is_bit_set(n1,i)) - { -#ifndef RECP_MUL_MOD - if (!BN_mod_mul(d,dd,a,n,ctx)) goto err; -#else - if (!BN_mod_mul_reciprocal(d,dd,a,&recp,ctx)) goto err; -#endif - } - else - { - tmp=d; - d=dd; - dd=tmp; - } - } - if (BN_is_one(d)) - i=0; - else i=1; - ret=i; -err: - ctx->tos-=4; -#ifdef RECP_MUL_MOD - BN_RECP_CTX_free(&recp); -#endif - return(ret); - } -#endif diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c index 710a4faa66bd996d0d559d48246607b5337644dd..b3248401804c2cd07e25317146c990441400f658 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -93,7 +93,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, int k,n=0,i,b,m=0; int counter=0; int r=0; - BN_CTX *ctx=NULL,*ctx2=NULL,*ctx3=NULL,*ctx4=NULL; + BN_CTX *ctx=NULL,*ctx2=NULL,*ctx3=NULL; unsigned int h=2; DSA *ret=NULL; @@ -111,7 +111,6 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, if ((ctx=BN_CTX_new()) == NULL) goto err; if ((ctx2=BN_CTX_new()) == NULL) goto err; if ((ctx3=BN_CTX_new()) == NULL) goto err; - if ((ctx4=BN_CTX_new()) == NULL) goto err; if ((ret=DSA_new()) == NULL) goto err; if ((mont=BN_MONT_CTX_new()) == NULL) goto err; @@ -167,7 +166,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) goto err; /* step 4 */ - r = BN_is_prime_fasttest(q, DSS_prime_checks, callback, ctx3, ctx4, cb_arg, seed_is_random); + r = BN_is_prime_fasttest(q, DSS_prime_checks, callback, ctx3, cb_arg, seed_is_random); if (r > 0) break; if (r != 0) @@ -228,7 +227,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, if (BN_cmp(p,test) >= 0) { /* step 11 */ - r = BN_is_prime_fasttest(p, DSS_prime_checks, callback, ctx3, ctx4, cb_arg, 1); + r = BN_is_prime_fasttest(p, DSS_prime_checks, callback, ctx3, cb_arg, 1); if (r > 0) goto end; /* found it */ if (r != 0) @@ -283,7 +282,6 @@ err: if (ctx != NULL) BN_CTX_free(ctx); if (ctx2 != NULL) BN_CTX_free(ctx2); if (ctx3 != NULL) BN_CTX_free(ctx3); - if (ctx4 != NULL) BN_CTX_free(ctx4); if (mont != NULL) BN_MONT_CTX_free(mont); return(ok?ret:NULL); } diff --git a/doc/crypto/BN_generate_prime.pod b/doc/crypto/BN_generate_prime.pod index c2cc151cf6f8cc4aea5327af76fd879942c80371..ab84d3fcfccddea754174db77a2e87d0d379a4e8 100644 --- a/doc/crypto/BN_generate_prime.pod +++ b/doc/crypto/BN_generate_prime.pod @@ -15,8 +15,7 @@ BN_generate_prime, BN_is_prime, BN_is_prime_fasttest - Generate primes and test void *), BN_CTX *ctx, void *cb_arg); int BN_is_prime_fasttest(BIGNUM *a, int checks, void (*callback)(int, - int, void *), BN_CTX *ctx, BN_CTX *ctx2, void *cb_arg, - int do_trial_division); + int, void *), BN_CTX *ctx, void *cb_arg, int do_trial_division); =head1 DESCRIPTION @@ -76,10 +75,7 @@ yields a false positive rate of at most 2^-80 for random input. If B is not B, B is called after the j-th iteration (j = 0, 1, ...). B is a pre-allocated B (to save the overhead of allocating and -freeing the structure in a loop), or B. For -BN_is_prime_fasttest(), B is a second pre-allocated B or -B (lacking this parameter, BN_is_prime() always has to allocate -an additional B). +freeing the structure in a loop), or B. =head1 RETURN VALUES