int sha384Update(register sha384Param* sp, const byte* data, size_t size)
{
register size_t proclength;
#if (MP_WBITS == 64)
mpw add[2];
mpsetw(2, add, size);
mplshift(2, add, 3);
mpadd(2, sp->length, add);
#elif (MP_WBITS == 32)
mpw add[4];
mpsetws(4, add, size);
mplshift(4, add, 3);
mpadd(4, sp->length, add);
#else
# error
#endif
while (size > 0)
{
proclength = ((sp->offset + size) > 128U) ? (128U - sp->offset) : size;
memcpy(((byte *) sp->data) + sp->offset, data, proclength);
size -= proclength;
data += proclength;
sp->offset += proclength;
if (sp->offset == 128U)
{
sha384Process(sp);
sp->offset = 0;
}
}
return 0;
}
ECpoint*
strtoec(ECdomain *dom, char *s, char **rptr, ECpoint *ret)
{
int allocd, o;
mpint *r;
allocd = 0;
if(ret == nil){
allocd = 1;
ret = mallocz(sizeof(*ret), 1);
if(ret == nil)
return nil;
ret->x = mpnew(0);
ret->y = mpnew(0);
}
o = 0;
switch(octet(&s)){
case 0:
ret->inf = 1;
return ret;
case 3:
o = 1;
case 2:
if(halfpt(dom, s, &s, ret->x) == nil)
goto err;
r = mpnew(0);
mpmul(ret->x, ret->x, r);
mpadd(r, dom->a, r);
mpmul(r, ret->x, r);
mpadd(r, dom->b, r);
if(!mpsqrt(r, dom->p, r)){
mpfree(r);
goto err;
}
if((r->p[0] & 1) != o)
mpsub(dom->p, r, r);
mpassign(r, ret->y);
mpfree(r);
if(!ecverify(dom, ret))
goto err;
return ret;
case 4:
if(halfpt(dom, s, &s, ret->x) == nil)
goto err;
if(halfpt(dom, s, &s, ret->y) == nil)
goto err;
if(!ecverify(dom, ret))
goto err;
return ret;
}
err:
if(rptr)
*rptr = s;
if(allocd){
mpfree(ret->x);
mpfree(ret->y);
free(ret);
}
return nil;
}
int sha1Update(sha1Param* sp, const byte* data, size_t size)
{
register uint32_t proclength;
#if (MP_WBITS == 64)
mpw add[1];
mpsetw(1, add, size);
mplshift(1, add, 3);
(void) mpadd(1, sp->length, add);
#elif (MP_WBITS == 32)
mpw add[2];
mpsetw(2, add, size);
mplshift(2, add, 3);
(void) mpadd(2, sp->length, add);
#else
# error
#endif
while (size > 0)
{
proclength = ((sp->offset + size) > 64U) ? (64U - sp->offset) : size;
memcpy(((byte *) sp->data) + sp->offset, data, proclength);
size -= proclength;
data += proclength;
sp->offset += proclength;
if (sp->offset == 64U)
{
sha1Process(sp);
sp->offset = 0;
}
}
return 0;
}
/* return a bound for T_2(P), P | polbase in C[X]
* NB: Mignotte bound: A | S ==>
* |a_i| <= binom(d-1, i-1) || S ||_2 + binom(d-1, i) lc(S)
*
* Apply to sigma(S) for all embeddings sigma, then take the L_2 norm over
* sigma, then take the sup over i.
**/
static GEN
nf_Mignotte_bound(GEN nf, GEN polbase)
{
GEN G = gmael(nf,5,2), lS = leading_term(polbase); /* t_INT */
GEN p1, C, N2, matGS, binlS, bin;
long prec, i, j, d = degpol(polbase), n = degpol(nf[1]), r1 = nf_get_r1(nf);
binlS = bin = vecbinome(d-1);
if (!gcmp1(lS)) binlS = gmul(lS, bin);
N2 = cgetg(n+1, t_VEC);
prec = gprecision(G);
for (;;)
{
nffp_t F;
matGS = cgetg(d+2, t_MAT);
for (j=0; j<=d; j++) gel(matGS,j+1) = arch_for_T2(G, gel(polbase,j+2));
matGS = shallowtrans(matGS);
for (j=1; j <= r1; j++) /* N2[j] = || sigma_j(S) ||_2 */
{
gel(N2,j) = gsqrt( QuickNormL2(gel(matGS,j), DEFAULTPREC), DEFAULTPREC );
if (lg(N2[j]) < DEFAULTPREC) goto PRECPB;
}
for ( ; j <= n; j+=2)
{
GEN q1 = QuickNormL2(gel(matGS,j ), DEFAULTPREC);
GEN q2 = QuickNormL2(gel(matGS,j+1), DEFAULTPREC);
p1 = gmul2n(mpadd(q1, q2), -1);
gel(N2,j) = gel(N2,j+1) = gsqrt( p1, DEFAULTPREC );
if (lg(N2[j]) < DEFAULTPREC) goto PRECPB;
}
if (j > n) break; /* done */
PRECPB:
prec = (prec<<1)-2;
remake_GM(nf, &F, prec); G = F.G;
if (DEBUGLEVEL>1) pari_warn(warnprec, "nf_factor_bound", prec);
}
/* Take sup over 0 <= i <= d of
* sum_sigma | binom(d-1, i-1) ||sigma(S)||_2 + binom(d-1,i) lc(S) |^2 */
/* i = 0: n lc(S)^2 */
C = mulsi(n, sqri(lS));
/* i = d: sum_sigma ||sigma(S)||_2^2 */
p1 = gnorml2(N2); if (gcmp(C, p1) < 0) C = p1;
for (i = 1; i < d; i++)
{
GEN s = gen_0;
for (j = 1; j <= n; j++)
{
p1 = mpadd( mpmul(gel(bin,i), gel(N2,j)), gel(binlS,i+1) );
s = mpadd(s, gsqr(p1));
}
if (gcmp(C, s) < 0) C = s;
}
return C;
}
void
mpmod(mpint *b, mpint *m, mpint *remainder)
{
mpdiv(b, m, nil, remainder);
if(remainder->sign < 0)
mpadd(m, remainder, remainder);
}
// find a prime p of length n and a generator alpha of Z^*_p
// Alg 4.86 Menezes et al () Handbook, p.164
void
gensafeprime(mpint *p, mpint *alpha, int n, int accuracy)
{
mpint *q, *b;
q = mpnew(n-1);
while(1){
genprime(q, n-1, accuracy);
mpleft(q, 1, p);
mpadd(p, mpone, p); // p = 2*q+1
if(probably_prime(p, accuracy))
break;
}
// now find a generator alpha of the multiplicative
// group Z*_p of order p-1=2q
b = mpnew(0);
while(1){
mprand(n, genrandom, alpha);
mpmod(alpha, p, alpha);
mpmul(alpha, alpha, b);
mpmod(b, p, b);
if(mpcmp(b, mpone) == 0)
continue;
mpexp(alpha, q, p, b);
if(mpcmp(b, mpone) != 0)
break;
}
mpfree(b);
mpfree(q);
}
void
ecdsasign(ECdomain *dom, ECpriv *priv, uchar *dig, int len, mpint *r, mpint *s)
{
ECpriv tmp;
mpint *E, *t;
tmp.x = mpnew(0);
tmp.y = mpnew(0);
tmp.d = mpnew(0);
E = betomp(dig, len, nil);
t = mpnew(0);
if(mpsignif(dom->n) < 8*len)
mpright(E, 8*len - mpsignif(dom->n), E);
for(;;){
ecgen(dom, &tmp);
mpmod(tmp.x, dom->n, r);
if(mpcmp(r, mpzero) == 0)
continue;
mpmul(r, priv->d, s);
mpadd(E, s, s);
mpinvert(tmp.d, dom->n, t);
mpmul(s, t, s);
mpmod(s, dom->n, s);
if(mpcmp(s, mpzero) != 0)
break;
}
mpfree(t);
mpfree(E);
mpfree(tmp.x);
mpfree(tmp.y);
mpfree(tmp.d);
}
int
base58dec(char *src, uchar *dst, int len)
{
mpint *n, *b, *r;
char *t;
int l;
n = mpnew(0);
r = mpnew(0);
b = uitomp(58, nil);
for(; *src; src++){
t = strchr(code, *src);
if(t == nil){
mpfree(n);
mpfree(r);
mpfree(b);
werrstr("invalid base58 char");
return -1;
}
uitomp(t - code, r);
mpmul(n, b, n);
mpadd(n, r, n);
}
memset(dst, 0, len);
l = (mpsignif(n) + 7) / 8;
mptobe(n, dst + (len - l), l, nil);
mpfree(n);
mpfree(r);
mpfree(b);
return 0;
}
void
testcrt(mpint **p)
{
CRTpre *crt;
CRTres *res;
mpint *m, *x, *y;
fmtinstall('B', mpfmt);
// get a modulus and a test number
m = mpnew(1024+160);
mpmul(p[0], p[1], m);
x = mpnew(1024+160);
mpadd(m, mpone, x);
// do the precomputation for crt conversion
crt = crtpre(2, p);
// convert x to residues
res = crtin(crt, x);
// convert back
y = mpnew(1024+160);
crtout(crt, res, y);
print("x %B\ny %B\n", x, y);
mpfree(m);
mpfree(x);
mpfree(y);
}
/*
* mpbneg
* computes the negative (modulo b) of x, where x must contain a value between 0 and b-1
*/
void mpbneg(const mpbarrett* b, const mpw* data, mpw* result)
{
register size_t size = b->size;
mpcopy(size, result, data);
mpneg(size, result);
mpadd(size, result, b->modl);
}
int
ecverify(ECdomain *dom, ECpoint *a)
{
mpint *p, *q;
int r;
if(a->inf)
return 1;
p = mpnew(0);
q = mpnew(0);
mpmul(a->y, a->y, p);
mpmod(p, dom->p, p);
mpmul(a->x, a->x, q);
mpadd(q, dom->a, q);
mpmul(a->x, q, q);
mpadd(q, dom->b, q);
mpmod(q, dom->p, q);
r = mpcmp(p, q);
mpfree(p);
mpfree(q);
return r == 0;
}
int ripemd256Update(ripemd256Param* mp, const byte* data, size_t size)
{
register uint32_t proclength;
#if (MP_WBITS == 64)
mpw add[1];
mpsetw(1, add, size);
mplshift(1, add, 3);
mpadd(1, mp->length, add);
#elif (MP_WBITS == 32)
mpw add[2];
mpsetw(2, add, size);
mplshift(2, add, 3);
(void) mpadd(2, mp->length, add);
#else
# error
#endif
while (size > 0)
{
proclength = ((mp->offset + size) > 64U) ? (64U - mp->offset) : size;
/*@-mayaliasunique@*/
memcpy(((byte *) mp->data) + mp->offset, data, proclength);
/*@=mayaliasunique@*/
size -= proclength;
data += proclength;
mp->offset += proclength;
if (mp->offset == 64U)
{
ripemd256Process(mp);
mp->offset = 0;
}
}
return 0;
}
int md2Update(md2Param *mp, const byte *data, size_t size)
{
uint32_t proclength;
#if (MP_WBITS == 64)
mpw add[1];
mpsetw(1, add, size);
mplshift(1, add, 3);
mpadd(1, mp->length, add);
#elif (MP_WBITS == 32)
mpw add[2];
mpsetw(2, add, size);
mplshift(2, add, 3);
(void) mpadd(2, mp->length, add);
#else
# error
#endif
while (size > 0) {
proclength = ((mp->offset + size) > 16U) ? (16U - mp->offset) : size;
/*@-mayaliasunique@*/
memcpy(((byte *)mp->buf) + mp->offset, data, proclength);
/*@=mayaliasunique@*/
size -= proclength;
data += proclength;
mp->offset += proclength;
/* is 16 bytes full? */
if (mp->offset == 16U) {
md2_compress(mp);
md2_update_chksum(mp);
mp->offset = 0;
}
}
return 0;
}
DSAsig*
dsasign(DSApriv *priv, mpint *m)
{
DSApub *pub = &priv->pub;
DSAsig *sig;
mpint *qm1, *k, *kinv, *r, *s;
mpint *q = pub->q, *p = pub->p, *alpha = pub->alpha;
int qlen = mpsignif(q);
qm1 = mpnew(0);
kinv = mpnew(0);
r = mpnew(0);
s = mpnew(0);
k = mpnew(0);
mpsub(pub->q, mpone, qm1);
// find a k that has an inverse mod q
while(1){
mprand(qlen, genrandom, k);
if((mpcmp(mpone, k) > 0) || (mpcmp(k, qm1) >= 0))
continue;
mpextendedgcd(k, q, r, kinv, s);
if(mpcmp(r, mpone) != 0)
continue;
break;
}
// make kinv positive
mpmod(kinv, qm1, kinv);
// r = ((alpha**k) mod p) mod q
mpexp(alpha, k, p, r);
mpmod(r, q, r);
// s = (kinv*(m + ar)) mod q
mpmul(r, priv->secret, s);
mpadd(s, m, s);
mpmul(s, kinv, s);
mpmod(s, q, s);
sig = dsasigalloc();
sig->r = r;
sig->s = s;
mpfree(qm1);
mpfree(k);
mpfree(kinv);
return sig;
}
/* garners algorithm for converting residue form to linear */
void
crtout(CRTpre *crt, CRTres *res, mpint *x)
{
mpint *u;
int i;
u = mpnew(0);
mpassign(res->r[0], x);
for(i = 1; i < crt->n; i++){
mpsub(res->r[i], x, u);
mpmul(u, crt->c[i], u);
mpmod(u, crt->m[i], u);
mpmul(u, crt->p[i-1], u);
mpadd(x, u, x);
}
mpfree(u);
}
/*
* needs workspace of (size*2) words
*/
static void mpprndbits(mpbarrett* p, size_t bits, size_t lsbset, const mpnumber* min, const mpnumber* max, randomGeneratorContext* rc, mpw* wksp)
{
register size_t size = p->size;
register size_t msbclr = MP_WORDS_TO_BITS(size) - bits;
/* assume that mpbits(max) == bits */
/* calculate k=max-min; generate q such that 0 <= q <= k; then set p = q + min */
/* for the second step, set the appropriate number of bits */
if (max)
{
mpsetx(size, wksp, max->size, max->data);
}
else
{
mpfill(size, wksp, MP_ALLMASK);
wksp[0] &= (MP_ALLMASK >> msbclr);
}
if (min)
{
mpsetx(size, wksp+size, min->size, min->data);
}
else
{
mpzero(size, wksp+size);
wksp[size] |= (MP_MSBMASK >> msbclr);
}
mpsub(size, wksp, wksp+size);
rc->rng->next(rc->param, (byte*) p->modl, MP_WORDS_TO_BYTES(size));
p->modl[0] &= (MP_ALLMASK >> msbclr);
while (mpgt(size, p->modl, wksp))
mpsub(size, p->modl, wksp);
mpadd(size, p->modl, wksp+size);
if (lsbset)
p->modl[size-1] |= (MP_ALLMASK >> (MP_WBITS - lsbset));
}
// generate a probable prime. accuracy is the miller-rabin interations
void
genprime(mpint *p, int n, int accuracy)
{
mpdigit x;
// generate n random bits with high and low bits set
mpbits(p, n);
genrandom((uint8_t*)p->p, (n+7)/8);
p->top = (n+Dbits-1)/Dbits;
x = 1;
x <<= ((n-1)%Dbits);
p->p[p->top-1] &= (x-1);
p->p[p->top-1] |= x;
p->p[0] |= 1;
// keep icrementing till it looks prime
for(;;){
if(probably_prime(p, accuracy))
break;
mpadd(p, mptwo, p);
}
}
int elgv1sign(const mpbarrett* p, const mpbarrett* n, const mpnumber* g, randomGeneratorContext* rgc, const mpnumber* hm, const mpnumber* x, mpnumber* r, mpnumber* s)
{
register size_t size = p->size;
register mpw* temp = (mpw*) malloc((8*size+6)*sizeof(mpw));
if (temp)
{
/* get a random k, invertible modulo (p-1) */
mpbrndinv_w(n, rgc, temp, temp+size, temp+2*size);
/* compute r = g^k mod p */
mpnfree(r);
mpnsize(r, size);
mpbpowmod_w(p, g->size, g->data, size, temp, r->data, temp+2*size);
/* compute x*r mod n */
mpbmulmod_w(n, x->size, x->data, r->size, r->data, temp, temp+2*size);
/* compute -(x*r) mod n */
mpneg(size, temp);
mpadd(size, temp, n->modl);
/* compute h(m) - x*r mod n */
mpbaddmod_w(n, hm->size, hm->data, size, temp, temp, temp+2*size);
/* compute s = inv(k)*(h(m) - x*r) mod n */
mpnfree(s);
mpnsize(s, size);
mpbmulmod_w(n, size, temp, size, temp+size, s->data, temp+2*size);
free(temp);
return 0;
}
return -1;
}
/*
* mpbtwopowmod_w
* needs workspace of (4*size+2) words
*/
void mpbtwopowmod_w(const mpbarrett* b, size_t psize, const mpw* pdata, mpw* result, mpw* wksp)
{
/*
* Modular exponention, 2^p mod modulus, special optimization
*
* Uses left-to-right exponentiation; needs no extra storage
*
*/
/* this routine calls mpbmod, which needs (size*2+2), this routine needs (size*2) for sdata */
register size_t size = b->size;
register mpw temp = 0;
mpsetw(size, result, 1);
while (psize)
{
if ((temp = *(pdata++))) /* break when first non-zero word found */
break;
psize--;
}
/* if temp is still zero, then we're trying to raise x to power zero, and result stays one */
if (temp)
{
register int count = MP_WBITS;
/* first skip bits until we reach a one */
while (count)
{
if (temp & MP_MSBMASK)
break;
temp <<= 1;
count--;
}
while (psize--)
{
while (count)
{
/* always square */
mpbsqrmod_w(b, size, result, result, wksp);
/* multiply by two if bit is 1 */
if (temp & MP_MSBMASK)
{
if (mpadd(size, result, result) || mpge(size, result, b->modl))
{
/* there was carry, or the result is greater than the modulus, so we need to adjust */
mpsub(size, result, b->modl);
}
}
temp <<= 1;
count--;
}
count = MP_WBITS;
temp = *(pdata++);
}
}
}
static int Ympbinv_w(const mpbarrett* b, size_t xsize, const mpw* xdata, mpw* result, mpw* wksp)
{
size_t ysize = b->size+1;
int k;
mpw* u1 = wksp;
mpw* u2 = u1+ysize;
mpw* u3 = u2+ysize;
mpw* v1 = u3+ysize;
mpw* v2 = v1+ysize;
mpw* v3 = v2+ysize;
mpw* t1 = v3+ysize;
mpw* t2 = t1+ysize;
mpw* t3 = t2+ysize;
mpw* u = t3+ysize;
mpw* v = u+ysize;
mpsetx(ysize, u, xsize, xdata);
mpsetx(ysize, v, b->size, b->modl);
/* Y1. Find power of 2. */
for (k = 0; mpeven(ysize, u) && mpeven(ysize, v); k++) {
mpdivtwo(ysize, u);
mpdivtwo(ysize, v);
}
if (_debug < 0)
fprintf(stderr, " u: "), mpfprintln(stderr, ysize, u);
if (_debug < 0)
fprintf(stderr, " v: "), mpfprintln(stderr, ysize, v);
/* Y2. Initialize. */
mpsetw(ysize, u1, 1);
if (_debug < 0)
fprintf(stderr, " u1: "), mpfprintln(stderr, ysize, u1);
mpzero(ysize, u2);
if (_debug < 0)
fprintf(stderr, " u2: "), mpfprintln(stderr, ysize, u2);
mpsetx(ysize, u3, ysize, u);
if (_debug < 0)
fprintf(stderr, " u3: "), mpfprintln(stderr, ysize, u3);
mpsetx(ysize, v1, ysize, v);
if (_debug < 0)
fprintf(stderr, " v1: "), mpfprintln(stderr, ysize, v1);
mpsetw(ysize, v2, 1);
(void) mpsub(ysize, v2, u);
if (_debug < 0)
fprintf(stderr, " v2: "), mpfprintln(stderr, ysize, v2);
mpsetx(ysize, v3, ysize, v);
if (_debug < 0)
fprintf(stderr, " v3: "), mpfprintln(stderr, ysize, v3);
if (mpodd(ysize, u)) {
mpzero(ysize, t1);
if (_debug < 0)
fprintf(stderr, " t1: "), mpfprintln(stderr, ysize, t1);
mpzero(ysize, t2);
mpsubw(ysize, t2, 1);
if (_debug < 0)
fprintf(stderr, " t2: "), mpfprintln(stderr, ysize, t2);
mpzero(ysize, t3);
mpsub(ysize, t3, v);
if (_debug < 0)
fprintf(stderr, " t3: "), mpfprintln(stderr, ysize, t3);
goto Y4;
} else {
mpsetw(ysize, t1, 1);
if (_debug < 0)
fprintf(stderr, " t1: "), mpfprintln(stderr, ysize, t1);
mpzero(ysize, t2);
if (_debug < 0)
fprintf(stderr, " t2: "), mpfprintln(stderr, ysize, t2);
mpsetx(ysize, t3, ysize, u);
if (_debug < 0)
fprintf(stderr, " t3: "), mpfprintln(stderr, ysize, t3);
}
do {
do {
if (mpodd(ysize, t1) || mpodd(ysize, t2)) {
mpadd(ysize, t1, v);
mpsub(ysize, t2, u);
}
mpsdivtwo(ysize, t1);
mpsdivtwo(ysize, t2);
mpsdivtwo(ysize, t3);
Y4:
if (_debug < 0)
fprintf(stderr, " Y4 t3: "), mpfprintln(stderr, ysize, t3);
} while (mpeven(ysize, t3));
/* Y5. Reset max(u3,v3). */
if (!(*t3 & 0x80000000)) {
if (_debug < 0)
fprintf(stderr, "--> Y5 (t3 > 0)\n");
mpsetx(ysize, u1, ysize, t1);
if (_debug < 0)
fprintf(stderr, " u1: "), mpfprintln(stderr, ysize, u1);
mpsetx(ysize, u2, ysize, t2);
if (_debug < 0)
fprintf(stderr, " u2: "), mpfprintln(stderr, ysize, u2);
mpsetx(ysize, u3, ysize, t3);
if (_debug < 0)
fprintf(stderr, " u3: "), mpfprintln(stderr, ysize, u3);
} else {
if (_debug < 0)
fprintf(stderr, "--> Y5 (t3 <= 0)\n");
mpsetx(ysize, v1, ysize, v);
mpsub(ysize, v1, t1);
if (_debug < 0)
fprintf(stderr, " v1: "), mpfprintln(stderr, ysize, v1);
mpsetx(ysize, v2, ysize, u);
mpneg(ysize, v2);
mpsub(ysize, v2, t2);
if (_debug < 0)
fprintf(stderr, " v2: "), mpfprintln(stderr, ysize, v2);
mpzero(ysize, v3);
mpsub(ysize, v3, t3);
if (_debug < 0)
fprintf(stderr, " v3: "), mpfprintln(stderr, ysize, v3);
}
/* Y6. Subtract. */
mpsetx(ysize, t1, ysize, u1);
mpsub(ysize, t1, v1);
mpsetx(ysize, t2, ysize, u2);
mpsub(ysize, t2, v2);
mpsetx(ysize, t3, ysize, u3);
mpsub(ysize, t3, v3);
if (*t1 & 0x80000000) {
mpadd(ysize, t1, v);
mpsub(ysize, t2, u);
}
if (_debug < 0)
fprintf(stderr, "-->Y6 t1: "), mpfprintln(stderr, ysize, t1);
if (_debug < 0)
fprintf(stderr, " t2: "), mpfprintln(stderr, ysize, t2);
if (_debug < 0)
fprintf(stderr, " t3: "), mpfprintln(stderr, ysize, t3);
} while (mpnz(ysize, t3));
if (!(mpisone(ysize, u3) && mpisone(ysize, v3)))
return 0;
if (result) {
while (--k > 0)
mpadd(ysize, u1, u1);
mpsetx(b->size, result, ysize, u1);
}
fprintf(stderr, "=== EXIT: "), mpfprintln(stderr, b->size, result);
fprintf(stderr, " u1: "), mpfprintln(stderr, ysize, u1);
fprintf(stderr, " u2: "), mpfprintln(stderr, ysize, u2);
fprintf(stderr, " u3: "), mpfprintln(stderr, ysize, u3);
fprintf(stderr, " v1: "), mpfprintln(stderr, ysize, v1);
fprintf(stderr, " v2: "), mpfprintln(stderr, ysize, v2);
fprintf(stderr, " v3: "), mpfprintln(stderr, ysize, v3);
fprintf(stderr, " t1: "), mpfprintln(stderr, ysize, t1);
fprintf(stderr, " t2: "), mpfprintln(stderr, ysize, t2);
fprintf(stderr, " t3: "), mpfprintln(stderr, ysize, t3);
return 1;
}
/**
* Computes the inverse (modulo b) of x, and returns 1 if x was invertible.
* needs workspace of (6*size+6) words
* @note xdata and result cannot point to the same area
*/
static int Xmpbinv_w(const mpbarrett* b, size_t xsize, const mpw* xdata, mpw* result, mpw* wksp)
{
/*
* Fact: if a element of Zn, then a is invertible if and only if gcd(a,n) = 1
* Hence: if b->modl is even, then x must be odd, otherwise the gcd(x,n) >= 2
*
* The calling routine must guarantee this condition.
*/
size_t ysize = b->size+1;
mpw* u = wksp;
mpw* v = u+ysize;
mpw* A = v+ysize;
mpw* B = A+ysize;
mpw* C = B+ysize;
mpw* D = C+ysize;
mpsetx(ysize, u, b->size, b->modl);
mpsetx(ysize, v, xsize, xdata);
mpsetw(ysize, A, 1);
mpzero(ysize, B);
mpzero(ysize, C);
mpsetw(ysize, D, 1);
if (_debug < 0)
fprintf(stderr, " u: "), mpfprintln(stderr, ysize, u);
if (_debug < 0)
fprintf(stderr, " v: "), mpfprintln(stderr, ysize, v);
if (_debug < 0)
fprintf(stderr, " A: "), mpfprintln(stderr, ysize, A);
if (_debug < 0)
fprintf(stderr, " B: "), mpfprintln(stderr, ysize, B);
if (_debug < 0)
fprintf(stderr, " C: "), mpfprintln(stderr, ysize, C);
if (_debug < 0)
fprintf(stderr, " D: "), mpfprintln(stderr, ysize, D);
do {
while (mpeven(ysize, u))
{
mpdivtwo(ysize, u);
if (mpodd(ysize, A) || mpodd(ysize, B))
{
(void) mpaddx(ysize, A, xsize, xdata);
(void) mpsubx(ysize, B, b->size, b->modl);
}
mpsdivtwo(ysize, A);
mpsdivtwo(ysize, B);
}
while (mpeven(ysize, v))
{
mpdivtwo(ysize, v);
if (mpodd(ysize, C) || mpodd(ysize, D))
{
(void) mpaddx(ysize, C, xsize, xdata);
(void) mpsubx(ysize, D, b->size, b->modl);
}
mpsdivtwo(ysize, C);
mpsdivtwo(ysize, D);
}
if (mpge(ysize, u, v))
{
if (_debug < 0)
fprintf(stderr, "--> 5 (u >= v)\n");
(void) mpsub(ysize, u, v);
(void) mpsub(ysize, A, C);
(void) mpsub(ysize, B, D);
if (_debug < 0)
fprintf(stderr, " u: "), mpfprintln(stderr, ysize, u);
if (_debug < 0)
fprintf(stderr, " A: "), mpfprintln(stderr, ysize, A);
if (_debug < 0)
fprintf(stderr, " B: "), mpfprintln(stderr, ysize, B);
}
else
{
if (_debug < 0)
fprintf(stderr, "--> 5 (u < v)\n");
(void) mpsub(ysize, v, u);
(void) mpsub(ysize, C, A);
(void) mpsub(ysize, D, B);
if (_debug < 0)
fprintf(stderr, " v: "), mpfprintln(stderr, ysize, v);
if (_debug < 0)
fprintf(stderr, " C: "), mpfprintln(stderr, ysize, C);
if (_debug < 0)
fprintf(stderr, " D: "), mpfprintln(stderr, ysize, D);
}
} while (mpnz(ysize, u));
if (!mpisone(ysize, v))
return 0;
if (result)
{
mpsetx(b->size, result, ysize, D);
/*@-usedef@*/
if (*D & 0x80000000)
(void) mpadd(b->size, result, b->modl);
/*@=usedef@*/
}
fprintf(stderr, "=== EXIT: "), mpfprintln(stderr, b->size, result);
fprintf(stderr, " u: "), mpfprintln(stderr, ysize, u);
fprintf(stderr, " v: "), mpfprintln(stderr, ysize, v);
fprintf(stderr, " A: "), mpfprintln(stderr, ysize, A);
fprintf(stderr, " B: "), mpfprintln(stderr, ysize, B);
fprintf(stderr, " C: "), mpfprintln(stderr, ysize, C);
fprintf(stderr, " D: "), mpfprintln(stderr, ysize, D);
return 1;
}
static int
mpsqrt(mpint *n, mpint *p, mpint *r)
{
mpint *a, *t, *s, *xp, *xq, *yp, *yq, *zp, *zq, *N;
if(mpleg(n, p) == -1)
return 0;
a = mpnew(0);
t = mpnew(0);
s = mpnew(0);
N = mpnew(0);
xp = mpnew(0);
xq = mpnew(0);
yp = mpnew(0);
yq = mpnew(0);
zp = mpnew(0);
zq = mpnew(0);
for(;;){
for(;;){
mprand(mpsignif(p), genrandom, a);
if(mpcmp(a, mpzero) > 0 && mpcmp(a, p) < 0)
break;
}
mpmul(a, a, t);
mpsub(t, n, t);
mpmod(t, p, t);
if(mpleg(t, p) == -1)
break;
}
mpadd(p, mpone, N);
mpright(N, 1, N);
mpmul(a, a, t);
mpsub(t, n, t);
mpassign(a, xp);
uitomp(1, xq);
uitomp(1, yp);
uitomp(0, yq);
while(mpcmp(N, mpzero) != 0){
if(N->p[0] & 1){
mpmul(xp, yp, zp);
mpmul(xq, yq, zq);
mpmul(zq, t, zq);
mpadd(zp, zq, zp);
mpmod(zp, p, zp);
mpmul(xp, yq, zq);
mpmul(xq, yp, s);
mpadd(zq, s, zq);
mpmod(zq, p, yq);
mpassign(zp, yp);
}
mpmul(xp, xp, zp);
mpmul(xq, xq, zq);
mpmul(zq, t, zq);
mpadd(zp, zq, zp);
mpmod(zp, p, zp);
mpmul(xp, xq, zq);
mpadd(zq, zq, zq);
mpmod(zq, p, xq);
mpassign(zp, xp);
mpright(N, 1, N);
}
if(mpcmp(yq, mpzero) != 0)
abort();
mpassign(yp, r);
mpfree(a);
mpfree(t);
mpfree(s);
mpfree(N);
mpfree(xp);
mpfree(xq);
mpfree(yp);
mpfree(yq);
mpfree(zp);
mpfree(zq);
return 1;
}
void
ecadd(ECdomain *dom, ECpoint *a, ECpoint *b, ECpoint *s)
{
mpint *l, *k, *sx, *sy;
if(a->inf && b->inf){
s->inf = 1;
return;
}
if(a->inf){
ecassign(dom, b, s);
return;
}
if(b->inf){
ecassign(dom, a, s);
return;
}
if(mpcmp(a->x, b->x) == 0 && (mpcmp(a->y, mpzero) == 0 || mpcmp(a->y, b->y) != 0)){
s->inf = 1;
return;
}
l = mpnew(0);
k = mpnew(0);
sx = mpnew(0);
sy = mpnew(0);
if(mpcmp(a->x, b->x) == 0 && mpcmp(a->y, b->y) == 0){
mpadd(mpone, mptwo, k);
mpmul(a->x, a->x, l);
mpmul(l, k, l);
mpadd(l, dom->a, l);
mpleft(a->y, 1, k);
mpmod(k, dom->p, k);
mpinvert(k, dom->p, k);
mpmul(k, l, l);
mpmod(l, dom->p, l);
mpleft(a->x, 1, k);
mpmul(l, l, sx);
mpsub(sx, k, sx);
mpmod(sx, dom->p, sx);
mpsub(a->x, sx, sy);
mpmul(l, sy, sy);
mpsub(sy, a->y, sy);
mpmod(sy, dom->p, sy);
mpassign(sx, s->x);
mpassign(sy, s->y);
mpfree(sx);
mpfree(sy);
mpfree(l);
mpfree(k);
return;
}
mpsub(b->y, a->y, l);
mpmod(l, dom->p, l);
mpsub(b->x, a->x, k);
mpmod(k, dom->p, k);
mpinvert(k, dom->p, k);
mpmul(k, l, l);
mpmod(l, dom->p, l);
mpmul(l, l, sx);
mpsub(sx, a->x, sx);
mpsub(sx, b->x, sx);
mpmod(sx, dom->p, sx);
mpsub(a->x, sx, sy);
mpmul(sy, l, sy);
mpsub(sy, a->y, sy);
mpmod(sy, dom->p, sy);
mpassign(sx, s->x);
mpassign(sy, s->y);
mpfree(sx);
mpfree(sy);
mpfree(l);
mpfree(k);
}
static int Zmpbinv_w(const mpbarrett* b, size_t xsize, const mpw* xdata, mpw* result, mpw* wksp)
{
size_t ysize = b->size+1;
size_t ubits, vbits;
int k = 0;
mpw* u = wksp;
mpw* v = u+ysize;
mpw* A = v+ysize;
mpw* B = A+ysize;
mpw* C = B+ysize;
mpw* D = C+ysize;
mpsetx(ysize, u, xsize, xdata);
mpsetx(ysize, v, b->size, b->modl);
mpsetw(ysize, A, 1);
mpzero(ysize, B);
mpzero(ysize, C);
mpsetw(ysize, D, 1);
for (k = 0; mpeven(ysize, u) && mpeven(ysize, v); k++) {
mpdivtwo(ysize, u);
mpdivtwo(ysize, v);
}
if (mpeven(ysize, u))
(void) mpadd(ysize, u, v);
if (_debug < 0)
fprintf(stderr, " u: "), mpfprintln(stderr, ysize, u);
if (_debug < 0)
fprintf(stderr, " v: "), mpfprintln(stderr, ysize, v);
if (_debug < 0)
fprintf(stderr, " A: "), mpfprintln(stderr, ysize, A);
if (_debug < 0)
fprintf(stderr, " B: "), mpfprintln(stderr, ysize, B);
if (_debug < 0)
fprintf(stderr, " C: "), mpfprintln(stderr, ysize, C);
if (_debug < 0)
fprintf(stderr, " D: "), mpfprintln(stderr, ysize, D);
ubits = vbits = MP_WORDS_TO_BITS(ysize);
do {
while (mpeven(ysize, v)) {
mpsdivtwo(ysize, v);
vbits -= 1;
if (mpodd(ysize, C)) {
(void) mpaddx(ysize, C, b->size, b->modl);
(void) mpsubx(ysize, D, xsize, xdata);
}
mpsdivtwo(ysize, C);
mpsdivtwo(ysize, D);
if (_debug < 0)
fprintf(stderr, "-->> v: "), mpfprintln(stderr, ysize, v);
}
if (ubits >= vbits) {
mpw* swapu;
size_t swapi;
if (_debug < 0)
fprintf(stderr, "--> (swap u <-> v)\n");
swapu = u; u = v; v = swapu;
swapi = ubits; ubits = vbits; vbits = swapi;
swapu = A; A = C; C = swapu;
swapu = B; B = D; D = swapu;
}
if (!((u[ysize-1] + v[ysize-1]) & 0x3)) {
if (_debug < 0)
fprintf(stderr, "--> (even parity)\n");
mpadd(ysize, v, u);
mpadd(ysize, C, A);
mpadd(ysize, D, B);
} else {
if (_debug < 0)
fprintf(stderr, "--> (odd parity)\n");
mpsub(ysize, v, u);
mpsub(ysize, C, A);
mpsub(ysize, D, B);
}
if (_debug < 0)
fprintf(stderr, " v: "), mpfprintln(stderr, ysize, v);
if (_debug < 0)
fprintf(stderr, " C: "), mpfprintln(stderr, ysize, C);
if (_debug < 0)
fprintf(stderr, " D: "), mpfprintln(stderr, ysize, D);
vbits++;
} while (mpnz(ysize, v));
#ifdef NOTYET
if (!mpisone(ysize, u))
return 0;
#endif
if (result) {
mpsetx(b->size, result, ysize, A);
/*@-usedef@*/
if (*A & 0x80000000)
(void) mpneg(b->size, result);
/*@=usedef@*/
while (--k > 0)
mpadd(b->size, result, result);
}
fprintf(stderr, "=== EXIT: "), mpfprintln(stderr, b->size, result);
fprintf(stderr, " u: "), mpfprintln(stderr, ysize, u);
fprintf(stderr, " v: "), mpfprintln(stderr, ysize, v);
fprintf(stderr, " A: "), mpfprintln(stderr, ysize, A);
fprintf(stderr, " B: "), mpfprintln(stderr, ysize, B);
fprintf(stderr, " C: "), mpfprintln(stderr, ysize, C);
fprintf(stderr, " D: "), mpfprintln(stderr, ysize, D);
return 1;
}
RSApriv*
rsagen(int nlen, int elen, int rounds)
{
mpint *p, *q, *e, *d, *phi, *n, *t1, *t2, *kp, *kq, *c2;
RSApriv *rsa;
p = mpnew(nlen/2);
q = mpnew(nlen/2);
n = mpnew(nlen);
e = mpnew(elen);
d = mpnew(0);
phi = mpnew(nlen);
// create the prime factors and euclid's function
genprime(p, nlen/2, rounds);
genprime(q, nlen - mpsignif(p) + 1, rounds);
mpmul(p, q, n);
mpsub(p, mpone, e);
mpsub(q, mpone, d);
mpmul(e, d, phi);
// find an e relatively prime to phi
t1 = mpnew(0);
t2 = mpnew(0);
mprand(elen, genrandom, e);
if(mpcmp(e,mptwo) <= 0)
itomp(3, e);
// See Menezes et al. p.291 "8.8 Note (selecting primes)" for discussion
// of the merits of various choices of primes and exponents. e=3 is a
// common and recommended exponent, but doesn't necessarily work here
// because we chose strong rather than safe primes.
for(;;){
mpextendedgcd(e, phi, t1, d, t2);
if(mpcmp(t1, mpone) == 0)
break;
mpadd(mpone, e, e);
}
mpfree(t1);
mpfree(t2);
// compute chinese remainder coefficient
c2 = mpnew(0);
mpinvert(p, q, c2);
// for crt a**k mod p == (a**(k mod p-1)) mod p
kq = mpnew(0);
kp = mpnew(0);
mpsub(p, mpone, phi);
mpmod(d, phi, kp);
mpsub(q, mpone, phi);
mpmod(d, phi, kq);
rsa = rsaprivalloc();
rsa->pub.ek = e;
rsa->pub.n = n;
rsa->dk = d;
rsa->kp = kp;
rsa->kq = kq;
rsa->p = p;
rsa->q = q;
rsa->c2 = c2;
mpfree(phi);
return rsa;
}
// extended binary gcd
//
// For a anv b it solves, v = gcd(a,b) and finds x and y s.t.
// ax + by = v
//
// Handbook of Applied Cryptography, Menezes et al, 1997, pg 608.
void
mpextendedgcd(mpint *a, mpint *b, mpint *v, mpint *x, mpint *y)
{
mpint *u, *A, *B, *C, *D;
int g;
if(a->top == 0){
mpassign(b, v);
mpassign(mpone, y);
mpassign(mpzero, x);
return;
}
if(b->top == 0){
mpassign(a, v);
mpassign(mpone, x);
mpassign(mpzero, y);
return;
}
g = 0;
a = mpcopy(a);
b = mpcopy(b);
while(iseven(a) && iseven(b)){
mpright(a, 1, a);
mpright(b, 1, b);
g++;
}
u = mpcopy(a);
mpassign(b, v);
A = mpcopy(mpone);
B = mpcopy(mpzero);
C = mpcopy(mpzero);
D = mpcopy(mpone);
for(;;) {
// print("%B %B %B %B %B %B\n", u, v, A, B, C, D);
while(iseven(u)){
mpright(u, 1, u);
if(!iseven(A) || !iseven(B)) {
mpadd(A, b, A);
mpsub(B, a, B);
}
mpright(A, 1, A);
mpright(B, 1, B);
}
// print("%B %B %B %B %B %B\n", u, v, A, B, C, D);
while(iseven(v)){
mpright(v, 1, v);
if(!iseven(C) || !iseven(D)) {
mpadd(C, b, C);
mpsub(D, a, D);
}
mpright(C, 1, C);
mpright(D, 1, D);
}
// print("%B %B %B %B %B %B\n", u, v, A, B, C, D);
if(mpcmp(u, v) >= 0){
mpsub(u, v, u);
mpsub(A, C, A);
mpsub(B, D, B);
} else {
mpsub(v, u, v);
mpsub(C, A, C);
mpsub(D, B, D);
}
if(u->top == 0)
break;
}
mpassign(C, x);
mpassign(D, y);
mpleft(v, g, v);
mpfree(A);
mpfree(B);
mpfree(C);
mpfree(D);
mpfree(u);
mpfree(a);
mpfree(b);
}
