Home Explore Help
Sign In
HSD
/
putty
mirror of https://git.tartarus.org/simon/putty.git
Watch 1
Star 0
Fork 0
Files
Tree: 79ff0d086a
Branches Tags
putty
/
keygen
/
millerrabin.c

millerrabin.c 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289 
  1. /*
    2. 

  2.  * millerrabin.c: Miller-Rabin probabilistic primality testing, as
    3. 

  3.  * declared in sshkeygen.h.
    4. 

  4.  */
    5. 

  5. 

  6. #include <assert.h>
    7. 

  7. #include "ssh.h"
    8. 

  8. #include "sshkeygen.h"
    9. 

  9. #include "mpint.h"
    10. 

  10. #include "mpunsafe.h"
    11. 

  11. 

  12. /*
    13. 

  13.  * The Miller-Rabin primality test is an extension to the Fermat
    14. 

  14.  * test. The Fermat test just checks that a^(p-1) == 1 mod p; this
    15. 

  15.  * is vulnerable to Carmichael numbers. Miller-Rabin considers how
    16. 

  16.  * that 1 is derived as well.
    17. 

  17.  *
    18. 

  18.  * Lemma: if a^2 == 1 (mod p), and p is prime, then either a == 1
    19. 

  19.  * or a == -1 (mod p).
    20. 

  20.  *
    21. 

  21.  *   Proof: p divides a^2-1, i.e. p divides (a+1)(a-1). Hence,
    22. 

  22.  *   since p is prime, either p divides (a+1) or p divides (a-1).
    23. 

  23.  *   But this is the same as saying that either a is congruent to
    24. 

  24.  *   -1 mod p or a is congruent to +1 mod p. []
    25. 

  25.  *
    26. 

  26.  *   Comment: This fails when p is not prime. Consider p=mn, so
    27. 

  27.  *   that mn divides (a+1)(a-1). Now we could have m dividing (a+1)
    28. 

  28.  *   and n dividing (a-1), without the whole of mn dividing either.
    29. 

  29.  *   For example, consider a=10 and p=99. 99 = 9 * 11; 9 divides
    30. 

  30.  *   10-1 and 11 divides 10+1, so a^2 is congruent to 1 mod p
    31. 

  31.  *   without a having to be congruent to either 1 or -1.
    32. 

  32.  *
    33. 

  33.  * So the Miller-Rabin test, as well as considering a^(p-1),
    34. 

  34.  * considers a^((p-1)/2), a^((p-1)/4), and so on as far as it can
    35. 

  35.  * go. In other words. we write p-1 as q * 2^k, with k as large as
    36. 

  36.  * possible (i.e. q must be odd), and we consider the powers
    37. 

  37.  *
    38. 

  38.  *       a^(q*2^0)      a^(q*2^1)          ...  a^(q*2^(k-1))  a^(q*2^k)
    39. 

  39.  * i.e.  a^((n-1)/2^k)  a^((n-1)/2^(k-1))  ...  a^((n-1)/2)    a^(n-1)
    40. 

  40.  *
    41. 

  41.  * If p is to be prime, the last of these must be 1. Therefore, by
    42. 

  42.  * the above lemma, the one before it must be either 1 or -1. And
    43. 

  43.  * _if_ it's 1, then the one before that must be either 1 or -1,
    44. 

  44.  * and so on ... In other words, we expect to see a trailing chain
    45. 

  45.  * of 1s preceded by a -1. (If we're unlucky, our trailing chain of
    46. 

  46.  * 1s will be as long as the list so we'll never get to see what
    47. 

  47.  * lies before it. This doesn't count as a test failure because it
    48. 

  48.  * hasn't _proved_ that p is not prime.)
    49. 

  49.  *
    50. 

  50.  * For example, consider a=2 and p=1729. 1729 is a Carmichael
    51. 

  51.  * number: although it's not prime, it satisfies a^(p-1) == 1 mod p
    52. 

  52.  * for any a coprime to it. So the Fermat test wouldn't have a
    53. 

  53.  * problem with it at all, unless we happened to stumble on an a
    54. 

  54.  * which had a common factor.
    55. 

  55.  *
    56. 

  56.  * So. 1729 - 1 equals 27 * 2^6. So we look at
    57. 

  57.  *
    58. 

  58.  *     2^27 mod 1729 == 645
    59. 

  59.  *    2^108 mod 1729 == 1065
    60. 

  60.  *    2^216 mod 1729 == 1
    61. 

  61.  *    2^432 mod 1729 == 1
    62. 

  62.  *    2^864 mod 1729 == 1
    63. 

  63.  *   2^1728 mod 1729 == 1
    64. 

  64.  *
    65. 

  65.  * We do have a trailing string of 1s, so the Fermat test would
    66. 

  66.  * have been happy. But this trailing string of 1s is preceded by
    67. 

  67.  * 1065; whereas if 1729 were prime, we'd expect to see it preceded
    68. 

  68.  * by -1 (i.e. 1728.). Guards! Seize this impostor.
    69. 

  69.  *
    70. 

  70.  * (If we were unlucky, we might have tried a=16 instead of a=2;
    71. 

  71.  * now 16^27 mod 1729 == 1, so we would have seen a long string of
    72. 

  72.  * 1s and wouldn't have seen the thing _before_ the 1s. So, just
    73. 

  73.  * like the Fermat test, for a given p there may well exist values
    74. 

  74.  * of a which fail to show up its compositeness. So we try several,
    75. 

  75.  * just like the Fermat test. The difference is that Miller-Rabin
    76. 

  76.  * is not _in general_ fooled by Carmichael numbers.)
    77. 

  77.  *
    78. 

  78.  * Put simply, then, the Miller-Rabin test requires us to:
    79. 

  79.  *
    80. 

  80.  *  1. write p-1 as q * 2^k, with q odd
    81. 

  81.  *  2. compute z = (a^q) mod p.
    82. 

  82.  *  3. report success if z == 1 or z == -1.
    83. 

  83.  *  4. square z at most k-1 times, and report success if it becomes
    84. 

  84.  *     -1 at any point.
    85. 

  85.  *  5. report failure otherwise.
    86. 

  86.  *
    87. 

  87.  * (We expect z to become -1 after at most k-1 squarings, because
    88. 

  88.  * if it became -1 after k squarings then a^(p-1) would fail to be
    89. 

  89.  * 1. And we don't need to investigate what happens after we see a
    90. 

  90.  * -1, because we _know_ that -1 squared is 1 modulo anything at
    91. 

  91.  * all, so after we've seen a -1 we can be sure of seeing nothing
    92. 

  92.  * but 1s.)
    93. 

  93.  */
    94. 

  94. 

  95. struct MillerRabin {
    96. 

  96.     MontyContext *mc;
    97. 

  97. 

  98.     mp_int *pm1, *m_pm1;
    99. 

  99.     mp_int *lowbit, *two;
    100. 

  100. };
    101. 

  101. 

  102. MillerRabin *miller_rabin_new(mp_int *p)
    103. 

  103. {
    104. 

  104.     MillerRabin *mr = snew(MillerRabin);
    105. 

  105. 

  106.     assert(mp_hs_integer(p, 2));
    107. 

  107.     assert(mp_get_bit(p, 0) == 1);
    108. 

  108. 

  109.     mr->pm1 = mp_copy(p);
    110. 

  110.     mp_sub_integer_into(mr->pm1, mr->pm1, 1);
    111. 

  111. 

  112.     /*
    113. 

  113.      * Standard bit-twiddling trick for isolating the lowest set bit
    114. 

  114.      * of a number: x & (-x)
    115. 

  115.      */
    116. 

  116.     mr->lowbit = mp_new(mp_max_bits(mr->pm1));
    117. 

  117.     mp_sub_into(mr->lowbit, mr->lowbit, mr->pm1);
    118. 

  118.     mp_and_into(mr->lowbit, mr->lowbit, mr->pm1);
    119. 

  119. 

  120.     mr->two = mp_from_integer(2);
    121. 

  121. 

  122.     mr->mc = monty_new(p);
    123. 

  123.     mr->m_pm1 = monty_import(mr->mc, mr->pm1);
    124. 

  124. 

  125.     return mr;
    126. 

  126. }
    127. 

  127. 

  128. void miller_rabin_free(MillerRabin *mr)
    129. 

  129. {
    130. 

  130.     mp_free(mr->pm1);
    131. 

  131.     mp_free(mr->m_pm1);
    132. 

  132.     mp_free(mr->lowbit);
    133. 

  133.     mp_free(mr->two);
    134. 

  134.     monty_free(mr->mc);
    135. 

  135.     smemclr(mr, sizeof(*mr));
    136. 

  136.     sfree(mr);
    137. 

  137. }
    138. 

  138. 

  139. /*
    140. 

  140.  * The main internal function that implements a single M-R test.
    141. 

  141.  *
    142. 

  142.  * Expects the witness integer to be in Montgomery representation.
    143. 

  143.  * (Since in live use witnesses are invented at random, this imposes
    144. 

  144.  * no extra cost on the callers, and saves effort in here.)
    145. 

  145.  */
    146. 

  146. static struct mr_result miller_rabin_test_inner(MillerRabin *mr, mp_int *mw)
    147. 

  147. {
    148. 

  148.     mp_int *acc = mp_copy(monty_identity(mr->mc));
    149. 

  149.     mp_int *spare = mp_new(mp_max_bits(mr->pm1));
    150. 

  150.     size_t bit = mp_max_bits(mr->pm1);
    151. 

  151. 

  152.     /*
    153. 

  153.      * The obvious approach to Miller-Rabin would be to start by
    154. 

  154.      * calling monty_pow to raise w to the power q, and then square it
    155. 

  155.      * k times ourselves. But that introduces a timing leak that gives
    156. 

  156.      * away the value of k, i.e., how many factors of 2 there are in
    157. 

  157.      * p-1.
    158. 

  158.      *
    159. 

  159.      * Instead, we don't call monty_pow at all. We do a modular
    160. 

  160.      * exponentiation ourselves to compute w^((p-1)/2), using the
    161. 

  161.      * technique that works from the top bit of the exponent
    162. 

  162.      * downwards. That is, in each iteration we compute
    163. 

  163.      * w^floor(exponent/2^i) for i one less than the previous
    164. 

  164.      * iteration, by squaring the value we previously had and then
    165. 

  165.      * optionally multiplying in w if the next exponent bit is 1.
    166. 

  166.      *
    167. 

  167.      * At the end of that process, once i <= k, the division
    168. 

  168.      * (exponent/2^i) yields an integer, so the values we're computing
    169. 

  169.      * are not just w^(floor of that), but w^(exactly that). In other
    170. 

  170.      * words, the last k intermediate values of this modexp are
    171. 

  171.      * precisely the values M-R wants to check against +1 or -1.
    172. 

  172.      *
    173. 

  173.      * So we interleave those checks with the modexp loop itself, and
    174. 

  174.      * to avoid a timing leak, we check _every_ intermediate result
    175. 

  175.      * against (the Montgomery representations of) both +1 and -1. And
    176. 

  176.      * then we do bitwise masking to arrange that only the sensible
    177. 

  177.      * ones of those checks find their way into our final answer.
    178. 

  178.      */
    179. 

  179. 

  180.     unsigned active = 0;
    181. 

  181. 

  182.     struct mr_result result;
    183. 

  183.     result.passed = result.potential_primitive_root = 0;
    184. 

  184. 

  185.     while (bit-- > 1) {
    186. 

  186.         /*
    187. 

  187.          * In this iteration, we're computing w^(2e) or w^(2e+1),
    188. 

  188.          * where we have w^e from the previous iteration. So we square
    189. 

  189.          * the value we had already, and then optionally multiply in
    190. 

  190.          * another copy of w depending on the next bit of the exponent.
    191. 

  191.          */
    192. 

  192.         monty_mul_into(mr->mc, acc, acc, acc);
    193. 

  193.         monty_mul_into(mr->mc, spare, acc, mw);
    194. 

  194.         mp_select_into(acc, acc, spare, mp_get_bit(mr->pm1, bit));
    195. 

  195. 

  196.         /*
    197. 

  197.          * mr->lowbit is a number with only one bit set, corresponding
    198. 

  198.          * to the lowest set bit in p-1. So when that's the bit of the
    199. 

  199.          * exponent we've just processed, we'll detect it by setting
    200. 

  200.          * first_iter to true. That's our indication that we're now
    201. 

  201.          * generating intermediate results useful to M-R, so we also
    202. 

  202.          * set 'active', which stays set from then on.
    203. 

  203.          */
    204. 

  204.         unsigned first_iter = mp_get_bit(mr->lowbit, bit);
    205. 

  205.         active |= first_iter;
    206. 

  206. 

  207.         /*
    208. 

  208.          * Check the intermediate result against both +1 and -1.
    209. 

  209.          */
    210. 

  210.         unsigned is_plus_1 = mp_cmp_eq(acc, monty_identity(mr->mc));
    211. 

  211.         unsigned is_minus_1 = mp_cmp_eq(acc, mr->m_pm1);
    212. 

  212. 

  213.         /*
    214. 

  214.          * M-R must report success iff either: the first of the useful
    215. 

  215.          * intermediate results (which is w^q) is 1, or _any_ of them
    216. 

  216.          * (from w^q all the way up to w^((p-1)/2)) is -1.
    217. 

  217.          *
    218. 

  218.          * So we want to pass the test if is_plus_1 is set on the
    219. 

  219.          * first iteration, or if is_minus_1 is set on any iteration.
    220. 

  220.          */
    221. 

  221.         result.passed |= (first_iter & is_plus_1);
    222. 

  222.         result.passed |= (active & is_minus_1);
    223. 

  223. 

  224.         /*
    225. 

  225.          * In the final iteration, is_minus_1 is also used to set the
    226. 

  226.          * 'potential primitive root' flag, because we haven't found
    227. 

  227.          * any exponent smaller than p-1 for which w^(that) == 1.
    228. 

  228.          */
    229. 

  229.         if (bit == 1)
    230. 

  230.             result.potential_primitive_root = is_minus_1;
    231. 

  231.     }
    232. 

  232. 

  233.     mp_free(acc);
    234. 

  234.     mp_free(spare);
    235. 

  235. 

  236.     return result;
    237. 

  237. }
    238. 

  238. 

  239. /*
    240. 

  240.  * Wrapper on miller_rabin_test_inner for the convenience of
    241. 

  241.  * testcrypt. Expects the witness integer to be literal, so we
    242. 

  242.  * monty_import it before running the real test.
    243. 

  243.  */
    244. 

  244. struct mr_result miller_rabin_test(MillerRabin *mr, mp_int *w)
    245. 

  245. {
    246. 

  246.     mp_int *mw = monty_import(mr->mc, w);
    247. 

  247.     struct mr_result result = miller_rabin_test_inner(mr, mw);
    248. 

  248.     mp_free(mw);
    249. 

  249.     return result;
    250. 

  250. }
    251. 

  251. 

  252. bool miller_rabin_test_random(MillerRabin *mr)
    253. 

  253. {
    254. 

  254.     mp_int *mw = mp_random_in_range(mr->two, mr->pm1);
    255. 

  255.     struct mr_result result = miller_rabin_test_inner(mr, mw);
    256. 

  256.     mp_free(mw);
    257. 

  257.     return result.passed;
    258. 

  258. }
    259. 

  259. 

  260. mp_int *miller_rabin_find_potential_primitive_root(MillerRabin *mr)
    261. 

  261. {
    262. 

  262.     while (true) {
    263. 

  263.         mp_int *mw = mp_unsafe_shrink(mp_random_in_range(mr->two, mr->pm1));
    264. 

  264.         struct mr_result result = miller_rabin_test_inner(mr, mw);
    265. 

  265. 

  266.         if (result.passed && result.potential_primitive_root) {
    267. 

  267.             mp_int *pr = monty_export(mr->mc, mw);
    268. 

  268.             mp_free(mw);
    269. 

  269.             return pr;
    270. 

  270.         }
    271. 

  271. 

  272.         mp_free(mw);
    273. 

  273. 

  274.         if (!result.passed) {
    275. 

  275.             return NULL;
    276. 

  276.         }
    277. 

  277.     }
    278. 

  278. }
    279. 

  279. 

  280. unsigned miller_rabin_checks_needed(unsigned bits)
    281. 

  281. {
    282. 

  282.     /* Table 4.4 from Handbook of Applied Cryptography */
    283. 

  283.     return (bits >= 1300 ?  2 : bits >= 850 ?  3 : bits >= 650 ?  4 :
    284. 

  284.             bits >=  550 ?  5 : bits >= 450 ?  6 : bits >= 400 ?  7 :
    285. 

  285.             bits >=  350 ?  8 : bits >= 300 ?  9 : bits >= 250 ? 12 :
    286. 

  286.             bits >=  200 ? 15 : bits >= 150 ? 18 : 27);
    287. 

  287. }
    288. 

  288. 

  289.