Crypto++  8.9
Free C++ class library of cryptographic schemes
nbtheory.cpp
1 // nbtheory.cpp - originally written and placed in the public domain by Wei Dai
2 
3 #include "pch.h"
4 
5 #ifndef CRYPTOPP_IMPORTS
6 
7 #include "nbtheory.h"
8 #include "integer.h"
9 #include "modarith.h"
10 #include "algparam.h"
11 #include "smartptr.h"
12 #include "misc.h"
13 #include "stdcpp.h"
14 #include "trap.h"
15 
16 #ifdef _OPENMP
17 # include <omp.h>
18 #endif
19 
20 NAMESPACE_BEGIN(CryptoPP)
21 
22 // Keep sync'd with primetab.cpp
23 const unsigned int maxPrimeTableSize = 3511;
24 const word s_lastSmallPrime = 32719;
25 
26 const word16 * GetPrimeTable(unsigned int &size)
27 {
28  extern const word16 precomputedPrimeTable[maxPrimeTableSize];
29  size = maxPrimeTableSize;
30  return precomputedPrimeTable;
31 }
32 
33 bool IsSmallPrime(const Integer &p)
34 {
35  unsigned int primeTableSize;
36  const word16 * primeTable = GetPrimeTable(primeTableSize);
37 
38  if (p.IsPositive() && p <= primeTable[primeTableSize-1])
39  return std::binary_search(primeTable, primeTable+primeTableSize, (word16)p.ConvertToLong());
40  else
41  return false;
42 }
43 
44 bool TrialDivision(const Integer &p, unsigned bound)
45 {
46  unsigned int primeTableSize;
47  const word16 * primeTable = GetPrimeTable(primeTableSize);
48 
49  CRYPTOPP_ASSERT(primeTable[primeTableSize-1] >= bound);
50 
51  unsigned int i;
52  for (i = 0; primeTable[i]<bound; i++)
53  if ((p % primeTable[i]) == 0)
54  return true;
55 
56  if (bound == primeTable[i])
57  return (p % bound == 0);
58  else
59  return false;
60 }
61 
62 bool SmallDivisorsTest(const Integer &p)
63 {
64  unsigned int primeTableSize;
65  const word16 * primeTable = GetPrimeTable(primeTableSize);
66  return !TrialDivision(p, primeTable[primeTableSize-1]);
67 }
68 
69 bool IsFermatProbablePrime(const Integer &n, const Integer &b)
70 {
71  if (n <= 3)
72  return n==2 || n==3;
73 
74  CRYPTOPP_ASSERT(n>3 && b>1 && b<n-1);
75  return a_exp_b_mod_c(b, n-1, n)==1;
76 }
77 
78 bool IsStrongProbablePrime(const Integer &n, const Integer &b)
79 {
80  if (n <= 3)
81  return n==2 || n==3;
82 
83  CRYPTOPP_ASSERT(n>3 && b>1 && b<n-1);
84 
85  if ((n.IsEven() && n!=2) || GCD(b, n) != 1)
86  return false;
87 
88  Integer nminus1 = (n-1);
89  unsigned int a;
90 
91  // calculate a = largest power of 2 that divides (n-1)
92  for (a=0; ; a++)
93  if (nminus1.GetBit(a))
94  break;
95  Integer m = nminus1>>a;
96 
97  Integer z = a_exp_b_mod_c(b, m, n);
98  if (z==1 || z==nminus1)
99  return true;
100  for (unsigned j=1; j<a; j++)
101  {
102  z = z.Squared()%n;
103  if (z==nminus1)
104  return true;
105  if (z==1)
106  return false;
107  }
108  return false;
109 }
110 
111 bool RabinMillerTest(RandomNumberGenerator &rng, const Integer &n, unsigned int rounds)
112 {
113  if (n <= 3)
114  return n==2 || n==3;
115 
116  CRYPTOPP_ASSERT(n>3);
117 
118  Integer b;
119  for (unsigned int i=0; i<rounds; i++)
120  {
121  b.Randomize(rng, 2, n-2);
122  if (!IsStrongProbablePrime(n, b))
123  return false;
124  }
125  return true;
126 }
127 
128 bool IsLucasProbablePrime(const Integer &n)
129 {
130  if (n <= 1)
131  return false;
132 
133  if (n.IsEven())
134  return n==2;
135 
136  CRYPTOPP_ASSERT(n>2);
137 
138  Integer b=3;
139  unsigned int i=0;
140  int j;
141 
142  while ((j=Jacobi(b.Squared()-4, n)) == 1)
143  {
144  if (++i==64 && n.IsSquare()) // avoid infinite loop if n is a square
145  return false;
146  ++b; ++b;
147  }
148 
149  if (j==0)
150  return false;
151  else
152  return Lucas(n+1, b, n)==2;
153 }
154 
155 bool IsStrongLucasProbablePrime(const Integer &n)
156 {
157  if (n <= 1)
158  return false;
159 
160  if (n.IsEven())
161  return n==2;
162 
163  CRYPTOPP_ASSERT(n>2);
164 
165  Integer b=3;
166  unsigned int i=0;
167  int j;
168 
169  while ((j=Jacobi(b.Squared()-4, n)) == 1)
170  {
171  if (++i==64 && n.IsSquare()) // avoid infinite loop if n is a square
172  return false;
173  ++b; ++b;
174  }
175 
176  if (j==0)
177  return false;
178 
179  Integer n1 = n+1;
180  unsigned int a;
181 
182  // calculate a = largest power of 2 that divides n1
183  for (a=0; ; a++)
184  if (n1.GetBit(a))
185  break;
186  Integer m = n1>>a;
187 
188  Integer z = Lucas(m, b, n);
189  if (z==2 || z==n-2)
190  return true;
191  for (i=1; i<a; i++)
192  {
193  z = (z.Squared()-2)%n;
194  if (z==n-2)
195  return true;
196  if (z==2)
197  return false;
198  }
199  return false;
200 }
201 
202 struct NewLastSmallPrimeSquared
203 {
204  Integer * operator()() const
205  {
206  return new Integer(Integer(s_lastSmallPrime).Squared());
207  }
208 };
209 
210 bool IsPrime(const Integer &p)
211 {
212  if (p <= s_lastSmallPrime)
213  return IsSmallPrime(p);
214  else if (p <= Singleton<Integer, NewLastSmallPrimeSquared>().Ref())
215  return SmallDivisorsTest(p);
216  else
217  return SmallDivisorsTest(p) && IsStrongProbablePrime(p, 3) && IsStrongLucasProbablePrime(p);
218 }
219 
220 bool VerifyPrime(RandomNumberGenerator &rng, const Integer &p, unsigned int level)
221 {
222  bool pass = IsPrime(p) && RabinMillerTest(rng, p, 1);
223  if (level >= 1)
224  pass = pass && RabinMillerTest(rng, p, 10);
225  return pass;
226 }
227 
228 unsigned int PrimeSearchInterval(const Integer &max)
229 {
230  return max.BitCount();
231 }
232 
233 static inline bool FastProbablePrimeTest(const Integer &n)
234 {
235  return IsStrongProbablePrime(n,2);
236 }
237 
238 AlgorithmParameters MakeParametersForTwoPrimesOfEqualSize(unsigned int productBitLength)
239 {
240  if (productBitLength < 16)
241  throw InvalidArgument("invalid bit length");
242 
243  Integer minP, maxP;
244 
245  if (productBitLength%2==0)
246  {
247  minP = Integer(182) << (productBitLength/2-8);
248  maxP = Integer::Power2(productBitLength/2)-1;
249  }
250  else
251  {
252  minP = Integer::Power2((productBitLength-1)/2);
253  maxP = Integer(181) << ((productBitLength+1)/2-8);
254  }
255 
256  return MakeParameters("RandomNumberType", Integer::PRIME)("Min", minP)("Max", maxP);
257 }
258 
259 class PrimeSieve
260 {
261 public:
262  // delta == 1 or -1 means double sieve with p = 2*q + delta
263  PrimeSieve(const Integer &first, const Integer &last, const Integer &step, signed int delta=0);
264  bool NextCandidate(Integer &c);
265 
266  void DoSieve();
267  static void SieveSingle(std::vector<bool> &sieve, word16 p, const Integer &first, const Integer &step, word16 stepInv);
268 
269  Integer m_first, m_last, m_step;
270  signed int m_delta;
271  word m_next;
272  std::vector<bool> m_sieve;
273 };
274 
275 PrimeSieve::PrimeSieve(const Integer &first, const Integer &last, const Integer &step, signed int delta)
276  : m_first(first), m_last(last), m_step(step), m_delta(delta), m_next(0)
277 {
278  DoSieve();
279 }
280 
281 bool PrimeSieve::NextCandidate(Integer &c)
282 {
283  bool safe = SafeConvert(std::find(m_sieve.begin()+m_next, m_sieve.end(), false) - m_sieve.begin(), m_next);
284  CRYPTOPP_UNUSED(safe); CRYPTOPP_ASSERT(safe);
285  if (m_next == m_sieve.size())
286  {
287  m_first += long(m_sieve.size())*m_step;
288  if (m_first > m_last)
289  return false;
290  else
291  {
292  m_next = 0;
293  DoSieve();
294  return NextCandidate(c);
295  }
296  }
297  else
298  {
299  c = m_first + long(m_next)*m_step;
300  ++m_next;
301  return true;
302  }
303 }
304 
305 void PrimeSieve::SieveSingle(std::vector<bool> &sieve, word16 p, const Integer &first, const Integer &step, word16 stepInv)
306 {
307  if (stepInv)
308  {
309  size_t sieveSize = sieve.size();
310  size_t j = (word32(p-(first%p))*stepInv) % p;
311  // if the first multiple of p is p, skip it
312  if (first.WordCount() <= 1 && first + step*long(j) == p)
313  j += p;
314  for (; j < sieveSize; j += p)
315  sieve[j] = true;
316  }
317 }
318 
319 void PrimeSieve::DoSieve()
320 {
321  unsigned int primeTableSize;
322  const word16 * primeTable = GetPrimeTable(primeTableSize);
323 
324  const unsigned int maxSieveSize = 32768;
325  unsigned int sieveSize = STDMIN(Integer(maxSieveSize), (m_last-m_first)/m_step+1).ConvertToLong();
326 
327  m_sieve.clear();
328  m_sieve.resize(sieveSize, false);
329 
330  if (m_delta == 0)
331  {
332  for (unsigned int i = 0; i < primeTableSize; ++i)
333  SieveSingle(m_sieve, primeTable[i], m_first, m_step, (word16)m_step.InverseMod(primeTable[i]));
334  }
335  else
336  {
337  CRYPTOPP_ASSERT(m_step%2==0);
338  Integer qFirst = (m_first-m_delta) >> 1;
339  Integer halfStep = m_step >> 1;
340  for (unsigned int i = 0; i < primeTableSize; ++i)
341  {
342  word16 p = primeTable[i];
343  word16 stepInv = (word16)m_step.InverseMod(p);
344  SieveSingle(m_sieve, p, m_first, m_step, stepInv);
345 
346  word16 halfStepInv = 2*stepInv < p ? 2*stepInv : 2*stepInv-p;
347  SieveSingle(m_sieve, p, qFirst, halfStep, halfStepInv);
348  }
349  }
350 }
351 
352 bool FirstPrime(Integer &p, const Integer &max, const Integer &equiv, const Integer &mod, const PrimeSelector *pSelector)
353 {
354  CRYPTOPP_ASSERT(!equiv.IsNegative() && equiv < mod);
355 
356  Integer gcd = GCD(equiv, mod);
357  if (gcd != Integer::One())
358  {
359  // the only possible prime p such that p%mod==equiv where GCD(mod,equiv)!=1 is GCD(mod,equiv)
360  if (p <= gcd && gcd <= max && IsPrime(gcd) && (!pSelector || pSelector->IsAcceptable(gcd)))
361  {
362  p = gcd;
363  return true;
364  }
365  else
366  return false;
367  }
368 
369  unsigned int primeTableSize;
370  const word16 * primeTable = GetPrimeTable(primeTableSize);
371 
372  if (p <= primeTable[primeTableSize-1])
373  {
374  const word16 *pItr;
375 
376  --p;
377  if (p.IsPositive())
378  pItr = std::upper_bound(primeTable, primeTable+primeTableSize, (word)p.ConvertToLong());
379  else
380  pItr = primeTable;
381 
382  while (pItr < primeTable+primeTableSize && !(*pItr%mod == equiv && (!pSelector || pSelector->IsAcceptable(*pItr))))
383  ++pItr;
384 
385  if (pItr < primeTable+primeTableSize)
386  {
387  p = *pItr;
388  return p <= max;
389  }
390 
391  p = primeTable[primeTableSize-1]+1;
392  }
393 
394  CRYPTOPP_ASSERT(p > primeTable[primeTableSize-1]);
395 
396  if (mod.IsOdd())
397  return FirstPrime(p, max, CRT(equiv, mod, 1, 2, 1), mod<<1, pSelector);
398 
399  p += (equiv-p)%mod;
400 
401  if (p>max)
402  return false;
403 
404  PrimeSieve sieve(p, max, mod);
405 
406  while (sieve.NextCandidate(p))
407  {
408  if ((!pSelector || pSelector->IsAcceptable(p)) && FastProbablePrimeTest(p) && IsPrime(p))
409  return true;
410  }
411 
412  return false;
413 }
414 
415 // the following two functions are based on code and comments provided by Preda Mihailescu
416 static bool ProvePrime(const Integer &p, const Integer &q)
417 {
418  CRYPTOPP_ASSERT(p < q*q*q);
419  CRYPTOPP_ASSERT(p % q == 1);
420 
421 // this is the Quisquater test. Numbers p having passed the Lucas - Lehmer test
422 // for q and verifying p < q^3 can only be built up of two factors, both = 1 mod q,
423 // or be prime. The next two lines build the discriminant of a quadratic equation
424 // which holds iff p is built up of two factors (exercise ... )
425 
426  Integer r = (p-1)/q;
427  if (((r%q).Squared()-4*(r/q)).IsSquare())
428  return false;
429 
430  unsigned int primeTableSize;
431  const word16 * primeTable = GetPrimeTable(primeTableSize);
432 
433  CRYPTOPP_ASSERT(primeTableSize >= 50);
434  for (int i=0; i<50; i++)
435  {
436  Integer b = a_exp_b_mod_c(primeTable[i], r, p);
437  if (b != 1)
438  return a_exp_b_mod_c(b, q, p) == 1;
439  }
440  return false;
441 }
442 
443 Integer MihailescuProvablePrime(RandomNumberGenerator &rng, unsigned int pbits)
444 {
445  Integer p;
446  Integer minP = Integer::Power2(pbits-1);
447  Integer maxP = Integer::Power2(pbits) - 1;
448 
449  if (maxP <= Integer(s_lastSmallPrime).Squared())
450  {
451  // Randomize() will generate a prime provable by trial division
452  p.Randomize(rng, minP, maxP, Integer::PRIME);
453  return p;
454  }
455 
456  unsigned int qbits = (pbits+2)/3 + 1 + rng.GenerateWord32(0, pbits/36);
457  Integer q = MihailescuProvablePrime(rng, qbits);
458  Integer q2 = q<<1;
459 
460  while (true)
461  {
462  // this initializes the sieve to search in the arithmetic
463  // progression p = p_0 + \lambda * q2 = p_0 + 2 * \lambda * q,
464  // with q the recursively generated prime above. We will be able
465  // to use Lucas tets for proving primality. A trick of Quisquater
466  // allows taking q > cubic_root(p) rather than square_root: this
467  // decreases the recursion.
468 
469  p.Randomize(rng, minP, maxP, Integer::ANY, 1, q2);
470  PrimeSieve sieve(p, STDMIN(p+PrimeSearchInterval(maxP)*q2, maxP), q2);
471 
472  while (sieve.NextCandidate(p))
473  {
474  if (FastProbablePrimeTest(p) && ProvePrime(p, q))
475  return p;
476  }
477  }
478 
479  // not reached
480  return p;
481 }
482 
483 Integer MaurerProvablePrime(RandomNumberGenerator &rng, unsigned int bits)
484 {
485  const unsigned smallPrimeBound = 29, c_opt=10;
486  Integer p;
487 
488  unsigned int primeTableSize;
489  const word16 * primeTable = GetPrimeTable(primeTableSize);
490 
491  if (bits < smallPrimeBound)
492  {
493  do
494  p.Randomize(rng, Integer::Power2(bits-1), Integer::Power2(bits)-1, Integer::ANY, 1, 2);
495  while (TrialDivision(p, 1 << ((bits+1)/2)));
496  }
497  else
498  {
499  const unsigned margin = bits > 50 ? 20 : (bits-10)/2;
500  double relativeSize;
501  do
502  relativeSize = std::pow(2.0, double(rng.GenerateWord32())/0xffffffff - 1);
503  while (bits * relativeSize >= bits - margin);
504 
505  Integer a,b;
506  Integer q = MaurerProvablePrime(rng, unsigned(bits*relativeSize));
507  Integer I = Integer::Power2(bits-2)/q;
508  Integer I2 = I << 1;
509  unsigned int trialDivisorBound = (unsigned int)STDMIN((unsigned long)primeTable[primeTableSize-1], (unsigned long)bits*bits/c_opt);
510  bool success = false;
511  while (!success)
512  {
513  p.Randomize(rng, I, I2, Integer::ANY);
514  p *= q; p <<= 1; ++p;
515  if (!TrialDivision(p, trialDivisorBound))
516  {
517  a.Randomize(rng, 2, p-1, Integer::ANY);
518  b = a_exp_b_mod_c(a, (p-1)/q, p);
519  success = (GCD(b-1, p) == 1) && (a_exp_b_mod_c(b, q, p) == 1);
520  }
521  }
522  }
523  return p;
524 }
525 
526 Integer CRT(const Integer &xp, const Integer &p, const Integer &xq, const Integer &q, const Integer &u)
527 {
528  // isn't operator overloading great?
529  return p * (u * (xq-xp) % q) + xp;
530 /*
531  Integer t1 = xq-xp;
532  cout << hex << t1 << endl;
533  Integer t2 = u * t1;
534  cout << hex << t2 << endl;
535  Integer t3 = t2 % q;
536  cout << hex << t3 << endl;
537  Integer t4 = p * t3;
538  cout << hex << t4 << endl;
539  Integer t5 = t4 + xp;
540  cout << hex << t5 << endl;
541  return t5;
542 */
543 }
544 
545 Integer ModularSquareRoot(const Integer &a, const Integer &p)
546 {
547  // Callers must ensure p is prime, GH #1249
548  CRYPTOPP_ASSERT(IsPrime(p));
549 
550  if (p%4 == 3)
551  return a_exp_b_mod_c(a, (p+1)/4, p);
552 
553  Integer q=p-1;
554  unsigned int r=0;
555  while (q.IsEven())
556  {
557  r++;
558  q >>= 1;
559  }
560 
561  Integer n=2;
562  while (Jacobi(n, p) != -1)
563  ++n;
564 
565  Integer y = a_exp_b_mod_c(n, q, p);
566  Integer x = a_exp_b_mod_c(a, (q-1)/2, p);
567  Integer b = (x.Squared()%p)*a%p;
568  x = a*x%p;
569  Integer tempb, t;
570 
571  while (b != 1)
572  {
573  unsigned m=0;
574  tempb = b;
575  do
576  {
577  m++;
578  b = b.Squared()%p;
579  if (m==r)
580  return Integer::Zero();
581  }
582  while (b != 1);
583 
584  t = y;
585  for (unsigned i=0; i<r-m-1; i++)
586  t = t.Squared()%p;
587  y = t.Squared()%p;
588  r = m;
589  x = x*t%p;
590  b = tempb*y%p;
591  }
592 
593  CRYPTOPP_ASSERT(x.Squared()%p == a);
594  return x;
595 }
596 
597 bool SolveModularQuadraticEquation(Integer &r1, Integer &r2, const Integer &a, const Integer &b, const Integer &c, const Integer &p)
598 {
599  // Callers must ensure p is prime, GH #1249
600  CRYPTOPP_ASSERT(IsPrime(p));
601 
602  Integer D = (b.Squared() - 4*a*c) % p;
603  switch (Jacobi(D, p))
604  {
605  default:
606  CRYPTOPP_ASSERT(false); // not reached
607  return false;
608  case -1:
609  return false;
610  case 0:
611  r1 = r2 = (-b*(a+a).InverseMod(p)) % p;
612  CRYPTOPP_ASSERT(((r1.Squared()*a + r1*b + c) % p).IsZero());
613  return true;
614  case 1:
615  Integer s = ModularSquareRoot(D, p);
616  Integer t = (a+a).InverseMod(p);
617  r1 = (s-b)*t % p;
618  r2 = (-s-b)*t % p;
619  CRYPTOPP_ASSERT(((r1.Squared()*a + r1*b + c) % p).IsZero());
620  CRYPTOPP_ASSERT(((r2.Squared()*a + r2*b + c) % p).IsZero());
621  return true;
622  }
623 }
624 
625 Integer ModularRoot(const Integer &a, const Integer &dp, const Integer &dq,
626  const Integer &p, const Integer &q, const Integer &u)
627 {
628  // Callers must ensure p and q are prime, GH #1249
629  CRYPTOPP_ASSERT(IsPrime(p) && IsPrime(q));
630 
631  // GCC warning bug, https://stackoverflow.com/q/12842306/608639
632 #ifdef _OPENMP
633  Integer p2, q2;
634  #pragma omp parallel
635  #pragma omp sections
636  {
637  #pragma omp section
638  p2 = ModularExponentiation((a % p), dp, p);
639  #pragma omp section
640  q2 = ModularExponentiation((a % q), dq, q);
641  }
642 #else
643  const Integer p2 = ModularExponentiation((a % p), dp, p);
644  const Integer q2 = ModularExponentiation((a % q), dq, q);
645 #endif
646 
647  return CRT(p2, p, q2, q, u);
648 }
649 
650 Integer ModularRoot(const Integer &a, const Integer &e,
651  const Integer &p, const Integer &q)
652 {
653  // Callers must ensure p and q are prime, GH #1249
654  CRYPTOPP_ASSERT(IsPrime(p) && IsPrime(q));
655 
656  Integer dp = EuclideanMultiplicativeInverse(e, p-1);
657  Integer dq = EuclideanMultiplicativeInverse(e, q-1);
658  Integer u = EuclideanMultiplicativeInverse(p, q);
659  CRYPTOPP_ASSERT(!!dp && !!dq && !!u);
660  return ModularRoot(a, dp, dq, p, q, u);
661 }
662 
663 /*
664 Integer GCDI(const Integer &x, const Integer &y)
665 {
666  Integer a=x, b=y;
667  unsigned k=0;
668 
669  CRYPTOPP_ASSERT(!!a && !!b);
670 
671  while (a[0]==0 && b[0]==0)
672  {
673  a >>= 1;
674  b >>= 1;
675  k++;
676  }
677 
678  while (a[0]==0)
679  a >>= 1;
680 
681  while (b[0]==0)
682  b >>= 1;
683 
684  while (1)
685  {
686  switch (a.Compare(b))
687  {
688  case -1:
689  b -= a;
690  while (b[0]==0)
691  b >>= 1;
692  break;
693 
694  case 0:
695  return (a <<= k);
696 
697  case 1:
698  a -= b;
699  while (a[0]==0)
700  a >>= 1;
701  break;
702 
703  default:
704  CRYPTOPP_ASSERT(false);
705  }
706  }
707 }
708 
709 Integer EuclideanMultiplicativeInverse(const Integer &a, const Integer &b)
710 {
711  CRYPTOPP_ASSERT(b.Positive());
712 
713  if (a.Negative())
714  return EuclideanMultiplicativeInverse(a%b, b);
715 
716  if (b[0]==0)
717  {
718  if (!b || a[0]==0)
719  return Integer::Zero(); // no inverse
720  if (a==1)
721  return 1;
722  Integer u = EuclideanMultiplicativeInverse(b, a);
723  if (!u)
724  return Integer::Zero(); // no inverse
725  else
726  return (b*(a-u)+1)/a;
727  }
728 
729  Integer u=1, d=a, v1=b, v3=b, t1, t3, b2=(b+1)>>1;
730 
731  if (a[0])
732  {
733  t1 = Integer::Zero();
734  t3 = -b;
735  }
736  else
737  {
738  t1 = b2;
739  t3 = a>>1;
740  }
741 
742  while (!!t3)
743  {
744  while (t3[0]==0)
745  {
746  t3 >>= 1;
747  if (t1[0]==0)
748  t1 >>= 1;
749  else
750  {
751  t1 >>= 1;
752  t1 += b2;
753  }
754  }
755  if (t3.Positive())
756  {
757  u = t1;
758  d = t3;
759  }
760  else
761  {
762  v1 = b-t1;
763  v3 = -t3;
764  }
765  t1 = u-v1;
766  t3 = d-v3;
767  if (t1.Negative())
768  t1 += b;
769  }
770  if (d==1)
771  return u;
772  else
773  return Integer::Zero(); // no inverse
774 }
775 */
776 
777 int Jacobi(const Integer &aIn, const Integer &bIn)
778 {
779  CRYPTOPP_ASSERT(bIn.IsOdd());
780 
781  Integer b = bIn, a = aIn%bIn;
782  int result = 1;
783 
784  while (!!a)
785  {
786  unsigned i=0;
787  while (a.GetBit(i)==0)
788  i++;
789  a>>=i;
790 
791  if (i%2==1 && (b%8==3 || b%8==5))
792  result = -result;
793 
794  if (a%4==3 && b%4==3)
795  result = -result;
796 
797  std::swap(a, b);
798  a %= b;
799  }
800 
801  return (b==1) ? result : 0;
802 }
803 
804 Integer Lucas(const Integer &e, const Integer &pIn, const Integer &n)
805 {
806  unsigned i = e.BitCount();
807  if (i==0)
808  return Integer::Two();
809 
810  MontgomeryRepresentation m(n);
811  Integer p=m.ConvertIn(pIn%n), two=m.ConvertIn(Integer::Two());
812  Integer v=p, v1=m.Subtract(m.Square(p), two);
813 
814  i--;
815  while (i--)
816  {
817  if (e.GetBit(i))
818  {
819  // v = (v*v1 - p) % m;
820  v = m.Subtract(m.Multiply(v,v1), p);
821  // v1 = (v1*v1 - 2) % m;
822  v1 = m.Subtract(m.Square(v1), two);
823  }
824  else
825  {
826  // v1 = (v*v1 - p) % m;
827  v1 = m.Subtract(m.Multiply(v,v1), p);
828  // v = (v*v - 2) % m;
829  v = m.Subtract(m.Square(v), two);
830  }
831  }
832  return m.ConvertOut(v);
833 }
834 
835 // This is Peter Montgomery's unpublished Lucas sequence evaluation algorithm.
836 // The total number of multiplies and squares used is less than the binary
837 // algorithm (see above). Unfortunately I can't get it to run as fast as
838 // the binary algorithm because of the extra overhead.
839 /*
840 Integer Lucas(const Integer &n, const Integer &P, const Integer &modulus)
841 {
842  if (!n)
843  return 2;
844 
845 #define f(A, B, C) m.Subtract(m.Multiply(A, B), C)
846 #define X2(A) m.Subtract(m.Square(A), two)
847 #define X3(A) m.Multiply(A, m.Subtract(m.Square(A), three))
848 
849  MontgomeryRepresentation m(modulus);
850  Integer two=m.ConvertIn(2), three=m.ConvertIn(3);
851  Integer A=m.ConvertIn(P), B, C, p, d=n, e, r, t, T, U;
852 
853  while (d!=1)
854  {
855  p = d;
856  unsigned int b = WORD_BITS * p.WordCount();
857  Integer alpha = (Integer(5)<<(2*b-2)).SquareRoot() - Integer::Power2(b-1);
858  r = (p*alpha)>>b;
859  e = d-r;
860  B = A;
861  C = two;
862  d = r;
863 
864  while (d!=e)
865  {
866  if (d<e)
867  {
868  swap(d, e);
869  swap(A, B);
870  }
871 
872  unsigned int dm2 = d[0], em2 = e[0];
873  unsigned int dm3 = d%3, em3 = e%3;
874 
875 // if ((dm6+em6)%3 == 0 && d <= e + (e>>2))
876  if ((dm3+em3==0 || dm3+em3==3) && (t = e, t >>= 2, t += e, d <= t))
877  {
878  // #1
879 // t = (d+d-e)/3;
880 // t = d; t += d; t -= e; t /= 3;
881 // e = (e+e-d)/3;
882 // e += e; e -= d; e /= 3;
883 // d = t;
884 
885 // t = (d+e)/3
886  t = d; t += e; t /= 3;
887  e -= t;
888  d -= t;
889 
890  T = f(A, B, C);
891  U = f(T, A, B);
892  B = f(T, B, A);
893  A = U;
894  continue;
895  }
896 
897 // if (dm6 == em6 && d <= e + (e>>2))
898  if (dm3 == em3 && dm2 == em2 && (t = e, t >>= 2, t += e, d <= t))
899  {
900  // #2
901 // d = (d-e)>>1;
902  d -= e; d >>= 1;
903  B = f(A, B, C);
904  A = X2(A);
905  continue;
906  }
907 
908 // if (d <= (e<<2))
909  if (d <= (t = e, t <<= 2))
910  {
911  // #3
912  d -= e;
913  C = f(A, B, C);
914  swap(B, C);
915  continue;
916  }
917 
918  if (dm2 == em2)
919  {
920  // #4
921 // d = (d-e)>>1;
922  d -= e; d >>= 1;
923  B = f(A, B, C);
924  A = X2(A);
925  continue;
926  }
927 
928  if (dm2 == 0)
929  {
930  // #5
931  d >>= 1;
932  C = f(A, C, B);
933  A = X2(A);
934  continue;
935  }
936 
937  if (dm3 == 0)
938  {
939  // #6
940 // d = d/3 - e;
941  d /= 3; d -= e;
942  T = X2(A);
943  C = f(T, f(A, B, C), C);
944  swap(B, C);
945  A = f(T, A, A);
946  continue;
947  }
948 
949  if (dm3+em3==0 || dm3+em3==3)
950  {
951  // #7
952 // d = (d-e-e)/3;
953  d -= e; d -= e; d /= 3;
954  T = f(A, B, C);
955  B = f(T, A, B);
956  A = X3(A);
957  continue;
958  }
959 
960  if (dm3 == em3)
961  {
962  // #8
963 // d = (d-e)/3;
964  d -= e; d /= 3;
965  T = f(A, B, C);
966  C = f(A, C, B);
967  B = T;
968  A = X3(A);
969  continue;
970  }
971 
972  CRYPTOPP_ASSERT(em2 == 0);
973  // #9
974  e >>= 1;
975  C = f(C, B, A);
976  B = X2(B);
977  }
978 
979  A = f(A, B, C);
980  }
981 
982 #undef f
983 #undef X2
984 #undef X3
985 
986  return m.ConvertOut(A);
987 }
988 */
989 
990 Integer InverseLucas(const Integer &e, const Integer &m, const Integer &p, const Integer &q, const Integer &u)
991 {
992  // Callers must ensure p and q are prime, GH #1249
993  CRYPTOPP_ASSERT(IsPrime(p) && IsPrime(q));
994 
995  // GCC warning bug, https://stackoverflow.com/q/12842306/608639
996 #ifdef _OPENMP
997  Integer d = (m*m-4), p2, q2;
998  #pragma omp parallel
999  #pragma omp sections
1000  {
1001  #pragma omp section
1002  {
1003  p2 = p-Jacobi(d,p);
1004  p2 = Lucas(EuclideanMultiplicativeInverse(e,p2), m, p);
1005  }
1006  #pragma omp section
1007  {
1008  q2 = q-Jacobi(d,q);
1009  q2 = Lucas(EuclideanMultiplicativeInverse(e,q2), m, q);
1010  }
1011  }
1012 #else
1013  const Integer d = (m*m-4);
1014  const Integer t1 = p-Jacobi(d,p);
1015  const Integer p2 = Lucas(EuclideanMultiplicativeInverse(e,t1), m, p);
1016 
1017  const Integer t2 = q-Jacobi(d,q);
1018  const Integer q2 = Lucas(EuclideanMultiplicativeInverse(e,t2), m, q);
1019 #endif
1020 
1021  return CRT(p2, p, q2, q, u);
1022 }
1023 
1024 unsigned int FactoringWorkFactor(unsigned int n)
1025 {
1026  // extrapolated from the table in Odlyzko's "The Future of Integer Factorization"
1027  // updated to reflect the factoring of RSA-130
1028  if (n<5) return 0;
1029  else return (unsigned int)(2.4 * std::pow((double)n, 1.0/3.0) * std::pow(log(double(n)), 2.0/3.0) - 5);
1030 }
1031 
1032 unsigned int DiscreteLogWorkFactor(unsigned int n)
1033 {
1034  // assuming discrete log takes about the same time as factoring
1035  if (n<5) return 0;
1036  else return (unsigned int)(2.4 * std::pow((double)n, 1.0/3.0) * std::pow(log(double(n)), 2.0/3.0) - 5);
1037 }
1038 
1039 // ********************************************************
1040 
1041 void PrimeAndGenerator::Generate(signed int delta, RandomNumberGenerator &rng, unsigned int pbits, unsigned int qbits)
1042 {
1043  // no prime exists for delta = -1, qbits = 4, and pbits = 5
1044  CRYPTOPP_ASSERT(qbits > 4);
1045  CRYPTOPP_ASSERT(pbits > qbits);
1046 
1047  if (qbits+1 == pbits)
1048  {
1049  Integer minP = Integer::Power2(pbits-1);
1050  Integer maxP = Integer::Power2(pbits) - 1;
1051  bool success = false;
1052 
1053  while (!success)
1054  {
1055  p.Randomize(rng, minP, maxP, Integer::ANY, 6+5*delta, 12);
1056  PrimeSieve sieve(p, STDMIN(p+PrimeSearchInterval(maxP)*12, maxP), 12, delta);
1057 
1058  while (sieve.NextCandidate(p))
1059  {
1060  CRYPTOPP_ASSERT(IsSmallPrime(p) || SmallDivisorsTest(p));
1061  q = (p-delta) >> 1;
1062  CRYPTOPP_ASSERT(IsSmallPrime(q) || SmallDivisorsTest(q));
1063  if (FastProbablePrimeTest(q) && FastProbablePrimeTest(p) && IsPrime(q) && IsPrime(p))
1064  {
1065  success = true;
1066  break;
1067  }
1068  }
1069  }
1070 
1071  if (delta == 1)
1072  {
1073  // find g such that g is a quadratic residue mod p, then g has order q
1074  // g=4 always works, but this way we get the smallest quadratic residue (other than 1)
1075  for (g=2; Jacobi(g, p) != 1; ++g) {}
1076  // contributed by Walt Tuvell: g should be the following according to the Law of Quadratic Reciprocity
1077  CRYPTOPP_ASSERT((p%8==1 || p%8==7) ? g==2 : (p%12==1 || p%12==11) ? g==3 : g==4);
1078  }
1079  else
1080  {
1081  CRYPTOPP_ASSERT(delta == -1);
1082  // find g such that g*g-4 is a quadratic non-residue,
1083  // and such that g has order q
1084  for (g=3; ; ++g)
1085  if (Jacobi(g*g-4, p)==-1 && Lucas(q, g, p)==2)
1086  break;
1087  }
1088  }
1089  else
1090  {
1091  Integer minQ = Integer::Power2(qbits-1);
1092  Integer maxQ = Integer::Power2(qbits) - 1;
1093  Integer minP = Integer::Power2(pbits-1);
1094  Integer maxP = Integer::Power2(pbits) - 1;
1095 
1096  do
1097  {
1098  q.Randomize(rng, minQ, maxQ, Integer::PRIME);
1099  } while (!p.Randomize(rng, minP, maxP, Integer::PRIME, delta%q, q));
1100 
1101  // find a random g of order q
1102  if (delta==1)
1103  {
1104  do
1105  {
1106  Integer h(rng, 2, p-2, Integer::ANY);
1107  g = a_exp_b_mod_c(h, (p-1)/q, p);
1108  } while (g <= 1);
1109  CRYPTOPP_ASSERT(a_exp_b_mod_c(g, q, p)==1);
1110  }
1111  else
1112  {
1113  CRYPTOPP_ASSERT(delta==-1);
1114  do
1115  {
1116  Integer h(rng, 3, p-1, Integer::ANY);
1117  if (Jacobi(h*h-4, p)==1)
1118  continue;
1119  g = Lucas((p+1)/q, h, p);
1120  } while (g <= 2);
1121  CRYPTOPP_ASSERT(Lucas(q, g, p) == 2);
1122  }
1123  }
1124 }
1125 
1126 NAMESPACE_END
1127 
1128 #endif
algparam.h
Classes for working with NameValuePairs.
MakeParameters
AlgorithmParameters MakeParameters(const char *name, const T &value, bool throwIfNotUsed=true)
Create an object that implements NameValuePairs.
Definition: algparam.h:508
AlgorithmParameters
An object that implements NameValuePairs.
Definition: algparam.h:426
Integer
Multiple precision integer with arithmetic operations.
Definition: integer.h:50
Integer::GetBit
bool GetBit(size_t i) const
Provides the i-th bit of the Integer.
Integer::IsPositive
bool IsPositive() const
Determines if the Integer is positive.
Definition: integer.h:347
Integer::ConvertToLong
signed long ConvertToLong() const
Convert the Integer to Long.
Integer::IsSquare
bool IsSquare() const
Determine whether this integer is a perfect square.
Integer::Randomize
void Randomize(RandomNumberGenerator &rng, size_t bitCount)
Set this Integer to random integer.
Integer::Power2
static Integer Power2(size_t e)
Exponentiates to a power of 2.
Integer::Squared
Integer Squared() const
Multiply this integer by itself.
Definition: integer.h:634
Integer::One
static const Integer & One()
Integer representing 1.
Integer::BitCount
unsigned int BitCount() const
Determines the number of bits required to represent the Integer.
Integer::WordCount
unsigned int WordCount() const
Determines the number of words required to represent the Integer.
Integer::ANY
@ ANY
a number with no special properties
Definition: integer.h:93
Integer::PRIME
@ PRIME
a number which is probabilistically prime
Definition: integer.h:95
Integer::Zero
static const Integer & Zero()
Integer representing 0.
Integer::IsNegative
bool IsNegative() const
Determines if the Integer is negative.
Definition: integer.h:341
Integer::Two
static const Integer & Two()
Integer representing 2.
Integer::IsOdd
bool IsOdd() const
Determines if the Integer is odd parity.
Definition: integer.h:356
Integer::InverseMod
Integer InverseMod(const Integer &n) const
Calculate multiplicative inverse.
Integer::IsEven
bool IsEven() const
Determines if the Integer is even parity.
Definition: integer.h:353
InvalidArgument
An invalid argument was detected.
Definition: cryptlib.h:208
MontgomeryRepresentation
Performs modular arithmetic in Montgomery representation for increased speed.
Definition: modarith.h:296
PrimeAndGenerator::Generate
void Generate(signed int delta, RandomNumberGenerator &rng, unsigned int pbits, unsigned qbits)
Generate a Prime and Generator.
PrimeSelector
Application callback to signal suitability of a candidate prime.
Definition: nbtheory.h:117
RandomNumberGenerator
Interface for random number generators.
Definition: cryptlib.h:1440
RandomNumberGenerator::GenerateWord32
virtual word32 GenerateWord32(word32 min=0, word32 max=0xffffffffUL)
Generate a random 32 bit word in the range min to max, inclusive.
Singleton
Restricts the instantiation of a class to one static object without locks.
Definition: misc.h:309
word
word64 word
Full word used for multiprecision integer arithmetic.
Definition: config_int.h:192
word32
unsigned int word32
32-bit unsigned datatype
Definition: config_int.h:72
word16
unsigned short word16
16-bit unsigned datatype
Definition: config_int.h:69
integer.h
Multiple precision integer with arithmetic operations.
misc.h
Utility functions for the Crypto++ library.
SafeConvert
bool SafeConvert(T1 from, T2 &to)
Perform a conversion from from to to.
Definition: misc.h:718
STDMIN
const T & STDMIN(const T &a, const T &b)
Replacement function for std::min.
Definition: misc.h:657
modarith.h
Class file for performing modular arithmetic.
CryptoPP
Crypto++ library namespace.
nbtheory.h
Classes and functions for number theoretic operations.
Jacobi
CRYPTOPP_DLL int Jacobi(const Integer &a, const Integer &b)
Calculate the Jacobi symbol.
IsPrime
CRYPTOPP_DLL bool IsPrime(const Integer &p)
Verifies a number is probably prime.
MihailescuProvablePrime
CRYPTOPP_DLL Integer MihailescuProvablePrime(RandomNumberGenerator &rng, unsigned int bits)
Generates a provable prime.
IsStrongLucasProbablePrime
CRYPTOPP_DLL bool IsStrongLucasProbablePrime(const Integer &n)
Determine if a number is probably prime.
DiscreteLogWorkFactor
CRYPTOPP_DLL unsigned int DiscreteLogWorkFactor(unsigned int bitlength)
Estimate work factor.
ModularExponentiation
Integer ModularExponentiation(const Integer &x, const Integer &e, const Integer &m)
Modular exponentiation.
Definition: nbtheory.h:219
ModularSquareRoot
CRYPTOPP_DLL Integer ModularSquareRoot(const Integer &a, const Integer &p)
Extract a modular square root.
GetPrimeTable
CRYPTOPP_DLL const word16 * GetPrimeTable(unsigned int &size)
The Small Prime table.
IsSmallPrime
CRYPTOPP_DLL bool IsSmallPrime(const Integer &p)
Tests whether a number is a small prime.
SolveModularQuadraticEquation
CRYPTOPP_DLL bool SolveModularQuadraticEquation(Integer &r1, Integer &r2, const Integer &a, const Integer &b, const Integer &c, const Integer &p)
Solve a Modular Quadratic Equation.
RabinMillerTest
CRYPTOPP_DLL bool RabinMillerTest(RandomNumberGenerator &rng, const Integer &n, unsigned int rounds)
Determine if a number is probably prime.
MaurerProvablePrime
CRYPTOPP_DLL Integer MaurerProvablePrime(RandomNumberGenerator &rng, unsigned int bits)
Generates a provable prime.
Lucas
CRYPTOPP_DLL Integer Lucas(const Integer &e, const Integer &p, const Integer &n)
Calculate the Lucas value.
InverseLucas
CRYPTOPP_DLL Integer InverseLucas(const Integer &e, const Integer &m, const Integer &p, const Integer &q, const Integer &u)
Calculate the inverse Lucas value.
VerifyPrime
CRYPTOPP_DLL bool VerifyPrime(RandomNumberGenerator &rng, const Integer &p, unsigned int level=1)
Verifies a number is probably prime.
ModularRoot
CRYPTOPP_DLL Integer ModularRoot(const Integer &a, const Integer &dp, const Integer &dq, const Integer &p, const Integer &q, const Integer &u)
Extract a modular root.
EuclideanMultiplicativeInverse
Integer EuclideanMultiplicativeInverse(const Integer &a, const Integer &b)
Calculate multiplicative inverse.
Definition: nbtheory.h:169
SmallDivisorsTest
CRYPTOPP_DLL bool SmallDivisorsTest(const Integer &p)
Tests whether a number is divisible by a small prime.
IsLucasProbablePrime
CRYPTOPP_DLL bool IsLucasProbablePrime(const Integer &n)
Determine if a number is probably prime.
GCD
Integer GCD(const Integer &a, const Integer &b)
Calculate the greatest common divisor.
Definition: nbtheory.h:146
TrialDivision
CRYPTOPP_DLL bool TrialDivision(const Integer &p, unsigned bound)
Tests whether a number is divisible by a small prime.
FactoringWorkFactor
CRYPTOPP_DLL unsigned int FactoringWorkFactor(unsigned int bitlength)
Estimate work factor.
IsFermatProbablePrime
CRYPTOPP_DLL bool IsFermatProbablePrime(const Integer &n, const Integer &b)
Determine if a number is probably prime.
CRT
CRYPTOPP_DLL Integer CRT(const Integer &xp, const Integer &p, const Integer &xq, const Integer &q, const Integer &u)
Chinese Remainder Theorem.
IsStrongProbablePrime
CRYPTOPP_DLL bool IsStrongProbablePrime(const Integer &n, const Integer &b)
Determine if a number is probably prime.
FirstPrime
CRYPTOPP_DLL bool FirstPrime(Integer &p, const Integer &max, const Integer &equiv, const Integer &mod, const PrimeSelector *pSelector)
Finds a random prime of special form.
pch.h
Precompiled header file.
swap
void swap(::SecBlock< T, A > &a, ::SecBlock< T, A > &b)
Swap two SecBlocks.
Definition: secblock.h:1289
smartptr.h
Classes for automatic resource management.
stdcpp.h
Common C++ header files.
trap.h
Debugging and diagnostic assertions.
CRYPTOPP_ASSERT
#define CRYPTOPP_ASSERT(exp)
Debugging and diagnostic assertion.
Definition: trap.h:68
Generated on Thu Feb 6 2025 01:23:13 for Crypto++ by doxygen 1.9.1