void XTR_FindPrimesAndGenerator(RandomNumberGenerator &rng, Integer &p, Integer &q, GFP2Element &g, unsigned int pbits, unsigned int qbits) { CRYPTOPP_ASSERT(qbits > 9); // no primes exist for pbits = 10, qbits = 9 CRYPTOPP_ASSERT(pbits > qbits); const Integer minQ = Integer::Power2(qbits - 1); const Integer maxQ = Integer::Power2(qbits) - 1; const Integer minP = Integer::Power2(pbits - 1); const Integer maxP = Integer::Power2(pbits) - 1; top: Integer r1, r2; do { (void)q.Randomize(rng, minQ, maxQ, Integer::PRIME, 7, 12); // Solution always exists because q === 7 mod 12. (void)SolveModularQuadraticEquation(r1, r2, 1, -1, 1, q); // I believe k_i, r1 and r2 are being used slightly different than the // paper's algorithm. I believe it is leading to the failed asserts. // Just make the assert part of the condition. if(!p.Randomize(rng, minP, maxP, Integer::PRIME, CRT(rng.GenerateBit() ? r1 : r2, q, 2, 3, EuclideanMultiplicativeInverse(p, 3)), 3 * q)) { continue; } } while (((p % 3U) != 2) || (((p.Squared() - p + 1) % q).NotZero())); // CRYPTOPP_ASSERT((p % 3U) == 2); // CRYPTOPP_ASSERT(((p.Squared() - p + 1) % q).IsZero()); GFP2_ONB<ModularArithmetic> gfp2(p); GFP2Element three = gfp2.ConvertIn(3), t; while (true) { g.c1.Randomize(rng, Integer::Zero(), p-1); g.c2.Randomize(rng, Integer::Zero(), p-1); t = XTR_Exponentiate(g, p+1, p); if (t.c1 == t.c2) continue; g = XTR_Exponentiate(g, (p.Squared()-p+1)/q, p); if (g != three) break; } if (XTR_Exponentiate(g, q, p) != three) goto top; // CRYPTOPP_ASSERT(XTR_Exponentiate(g, q, p) == three); }
Integer ModularSquareRoot(const Integer &a, const Integer &p) { if (p%4 == 3) return a_exp_b_mod_c(a, (p+1)/4, p); Integer q=p-1; unsigned int r=0; while (q.IsEven()) { r++; q >>= 1; } Integer n=2; while (Jacobi(n, p) != -1) ++n; Integer y = a_exp_b_mod_c(n, q, p); Integer x = a_exp_b_mod_c(a, (q-1)/2, p); Integer b = (x.Squared()%p)*a%p; x = a*x%p; Integer tempb, t; while (b != 1) { unsigned m=0; tempb = b; do { m++; b = b.Squared()%p; if (m==r) return Integer::Zero(); } while (b != 1); t = y; for (unsigned i=0; i<r-m-1; i++) t = t.Squared()%p; y = t.Squared()%p; r = m; x = x*t%p; b = tempb*y%p; } assert(x.Squared()%p == a); return x; }
bool IsStrongProbablePrime(const Integer &n, const Integer &b) { if (n <= 3) return n==2 || n==3; assert(n>3 && b>1 && b<n-1); if ((n.IsEven() && n!=2) || GCD(b, n) != 1) return false; Integer nminus1 = (n-1); unsigned int a; // calculate a = largest power of 2 that divides (n-1) for (a=0; ; a++) if (nminus1.GetBit(a)) break; Integer m = nminus1>>a; Integer z = a_exp_b_mod_c(b, m, n); if (z==1 || z==nminus1) return true; for (unsigned j=1; j<a; j++) { z = z.Squared()%n; if (z==nminus1) return true; if (z==1) return false; } return false; }
Integer RabinFunction::ApplyFunction(const Integer &in) const { Integer out = in.Squared()%n; if (in.IsOdd()) out = out*r%n; if (Jacobi(in, n)==-1) out = out*s%n; return out; }
Integer RabinFunction::ApplyFunction(const Integer &in) const { DoQuickSanityCheck(); Integer out = in.Squared()%m_n; if (in.IsOdd()) out = out*m_r%m_n; if (Jacobi(in, m_n)==-1) out = out*m_s%m_n; return out; }
void XTR_FindPrimesAndGenerator(RandomNumberGenerator &rng, Integer &p, Integer &q, GFP2Element &g, unsigned int pbits, unsigned int qbits) { assert(qbits > 9); // no primes exist for pbits = 10, qbits = 9 assert(pbits > qbits); const Integer minQ = Integer::Power2(qbits - 1); const Integer maxQ = Integer::Power2(qbits) - 1; const Integer minP = Integer::Power2(pbits - 1); const Integer maxP = Integer::Power2(pbits) - 1; Integer r1, r2; do { bool qFound = q.Randomize(rng, minQ, maxQ, Integer::PRIME, 7, 12); CRYPTOPP_UNUSED(qFound); assert(qFound); bool solutionsExist = SolveModularQuadraticEquation(r1, r2, 1, -1, 1, q); CRYPTOPP_UNUSED(solutionsExist); assert(solutionsExist); } while (!p.Randomize(rng, minP, maxP, Integer::PRIME, CRT(rng.GenerateBit()?r1:r2, q, 2, 3, EuclideanMultiplicativeInverse(p, 3)), 3*q)); assert(((p.Squared() - p + 1) % q).IsZero()); GFP2_ONB<ModularArithmetic> gfp2(p); GFP2Element three = gfp2.ConvertIn(3), t; while (true) { g.c1.Randomize(rng, Integer::Zero(), p-1); g.c2.Randomize(rng, Integer::Zero(), p-1); t = XTR_Exponentiate(g, p+1, p); if (t.c1 == t.c2) continue; g = XTR_Exponentiate(g, (p.Squared()-p+1)/q, p); if (g != three) break; } assert(XTR_Exponentiate(g, q, p) == three); }
bool SolveModularQuadraticEquation(Integer &r1, Integer &r2, const Integer &a, const Integer &b, const Integer &c, const Integer &p) { Integer D = (b.Squared() - 4*a*c) % p; switch (Jacobi(D, p)) { default: assert(false); // not reached return false; case -1: return false; case 0: r1 = r2 = (-b*(a+a).InverseMod(p)) % p; assert(((r1.Squared()*a + r1*b + c) % p).IsZero()); return true; case 1: Integer s = ModularSquareRoot(D, p); Integer t = (a+a).InverseMod(p); r1 = (s-b)*t % p; r2 = (-s-b)*t % p; assert(((r1.Squared()*a + r1*b + c) % p).IsZero()); assert(((r2.Squared()*a + r2*b + c) % p).IsZero()); return true; } }
bool IsStrongLucasProbablePrime(const Integer &n) { if (n <= 1) return false; if (n.IsEven()) return n==2; assert(n>2); Integer b=3; unsigned int i=0; int j; while ((j=Jacobi(b.Squared()-4, n)) == 1) { if (++i==64 && n.IsSquare()) // avoid infinite loop if n is a square return false; ++b; ++b; } if (j==0) return false; Integer n1 = n+1; unsigned int a; // calculate a = largest power of 2 that divides n1 for (a=0; ; a++) if (n1.GetBit(a)) break; Integer m = n1>>a; Integer z = Lucas(m, b, n); if (z==2 || z==n-2) return true; for (i=1; i<a; i++) { z = (z.Squared()-2)%n; if (z==n-2) return true; if (z==2) return false; } return false; }
/* * function computeRabin : This function compute the Rabin function on the accepted element * param tpPtr : The pointer to the Rabin object * param element : The element for the computation */ JNIEXPORT jlong JNICALL Java_edu_biu_scapi_primitives_trapdoorPermutation_cryptopp_CryptoPpRabinPermutation_computeRabin (JNIEnv *env, jobject, jlong tpPtr, jlong element) { Utils utils; //get the Integer value for the computation Integer x = *(Integer*) element; Integer mod = ((RabinFunction *) tpPtr) -> GetModulus(); ((RabinFunction *) tpPtr) -> DoQuickSanityCheck(); //compute Integer result = x.Squared()%mod; //return the result as jbyteArray return (jlong) utils.getPointerToInteger(result); }
Integer RWFunction::ApplyFunction(const Integer &in) const { DoQuickSanityCheck(); Integer out = in.Squared()%m_n; const word r = 12; // this code was written to handle both r = 6 and r = 12, // but now only r = 12 is used in P1363 const word r2 = r/2; const word r3a = (16 + 5 - r) % 16; // n%16 could be 5 or 13 const word r3b = (16 + 13 - r) % 16; const word r4 = (8 + 5 - r/2) % 8; // n%8 == 5 switch (out % 16) { case r: break; case r2: case r2+8: out <<= 1; break; case r3a: case r3b: out.Negate(); out += m_n; break; case r4: case r4+8: out.Negate(); out += m_n; out <<= 1; break; default: out = Integer::Zero(); } return out; }
// DJB's "RSA signatures and Rabin-Williams signatures..." (http://cr.yp.to/sigs/rwsota-20080131.pdf). Integer InvertibleRWFunction::CalculateInverse(RandomNumberGenerator &rng, const Integer &x) const { DoQuickSanityCheck(); if(!m_precompute) Precompute(); ModularArithmetic modn(m_n), modp(m_p), modq(m_q); Integer r, rInv; do { // Do this in a loop for people using small numbers for testing r.Randomize(rng, Integer::One(), m_n - Integer::One()); // Fix for CVE-2015-2141. Thanks to Evgeny Sidorov for reporting. // Squaring to satisfy Jacobi requirements suggested by Jean-Pierre Muench. r = modn.Square(r); rInv = modn.MultiplicativeInverse(r); } while (rInv.IsZero()); Integer re = modn.Square(r); re = modn.Multiply(re, x); // blind const Integer &h = re, &p = m_p, &q = m_q; Integer e, f; const Integer U = modq.Exponentiate(h, (q+1)/8); if(((modq.Exponentiate(U, 4) - h) % q).IsZero()) e = Integer::One(); else e = -1; const Integer eh = e*h, V = modp.Exponentiate(eh, (p-3)/8); if(((modp.Multiply(modp.Exponentiate(V, 4), modp.Exponentiate(eh, 2)) - eh) % p).IsZero()) f = Integer::One(); else f = 2; Integer W, X; #pragma omp parallel sections if(CRYPTOPP_RW_USE_OMP) { #pragma omp section { W = (f.IsUnit() ? U : modq.Multiply(m_pre_2_3q, U)); } #pragma omp section { const Integer t = modp.Multiply(modp.Exponentiate(V, 3), eh); X = (f.IsUnit() ? t : modp.Multiply(m_pre_2_9p, t)); } } const Integer Y = W + q * modp.Multiply(m_pre_q_p, (X - W)); // Signature Integer s = modn.Multiply(modn.Square(Y), rInv); CRYPTOPP_ASSERT((e * f * s.Squared()) % m_n == x); // IEEE P1363, Section 8.2.8 IFSP-RW, p.44 s = STDMIN(s, m_n - s); if (ApplyFunction(s) != x) // check throw Exception(Exception::OTHER_ERROR, "InvertibleRWFunction: computational error during private key operation"); return s; }