monty::monty( const vlong &M ) { m = M; N = 0; R = 1; while ( R < M ) { R += R; N += 1; } R1 = modinv( R-m, m ); n1 = R - modinv( m, R ); }
int nCr_ferma(int n, int r, unsigned int p) { if (r == 0) return 1; int fac[n + 1]; fac[0] = 1; for (int i = 1; i <= n; ++i) { fac[i] = fac[i-1] * i % p; } return (fac[n] * modinv(fac[r], p) % p * modinv(fac[n-r], p) % p) % p; }
vlong private_key::decrypt( const vlong& cipher ) { // Calculate values for performing decryption // These could be cached, but the calculation is quite fast vlong d = modinv( e, (p-(vlong)1)*(q-(vlong)1) ); vlong u = modinv( p, q ); vlong dp = d % (p-(vlong)1); vlong dq = d % (q-(vlong)1); // Apply chinese remainder theorem vlong a = modexp( cipher % p, dp, p ); vlong b = modexp( cipher % q, dq, q ); if ( b < a ) b += q; return a + p * ( ((b-a)*u) % q ); }
int RSAKey::Generate( int bits ) { Bignum pm1, qm1, phi_n; /* * We don't generate e; we just use a standard one always. */ this->exponent = bignum_from_long(RSA_EXPONENT); /* * Generate p and q: primes with combined length `bits', not * congruent to 1 modulo e. (Strictly speaking, we wanted (p-1) * and e to be coprime, and (q-1) and e to be coprime, but in * general that's slightly more fiddly to arrange. By choosing * a prime e, we can simplify the criterion.) */ this->p = primegen(bits / 2, RSA_EXPONENT, 1, NULL, 1); this->q = primegen(bits - bits / 2, RSA_EXPONENT, 1, NULL, 2); /* * Ensure p > q, by swapping them if not. */ if (bignum_cmp(this->p, this->q) < 0) swap( p, q ); /* * Now we have p, q and e. All we need to do now is work out * the other helpful quantities: n=pq, d=e^-1 mod (p-1)(q-1), * and (q^-1 mod p). */ this->modulus = bigmul(this->p, this->q); pm1 = copybn(this->p); decbn(pm1); qm1 = copybn(this->q); decbn(qm1); phi_n = bigmul(pm1, qm1); freebn(pm1); freebn(qm1); this->private_exponent = modinv(this->exponent, phi_n); this->iqmp = modinv(this->q, this->p); /* * Clean up temporary numbers. */ freebn(phi_n); return 1; }
//创建公私钥 void rsa_create_key(vlong& e, vlong& d , vlong& m ) { unsigned char prand[2][128],tc; UINT i,j, nCount = 64; srand((unsigned)time(NULL)); for(i=0; i<2; i++) { for(j=0; j<nCount; j++) { tc = (char)(0x41+rand()%0xAF); prand[i][j] = tc; } prand[i][j]=0; } // Choose primes prime_factory pf; vlong s1 = from_str((const char*)prand[0]); vlong s2 = from_str((const char*)prand[1]); vlong p = pf.find_prime( s1 ); vlong q = pf.find_prime( s2 ); // Calculate public key m = p*q; e = 65537; while ( gcd(p-1,e) != 1 || gcd(q-1,e) != 1 ) e += 2; // Calculate private key d = modinv( e, (p-1)*(q-1) ); }
//创建公私钥 void rsa_create_key(RSA_KEY& pub, RSA_PRIVATE_KEY& pri) { unsigned char prand[2][128],tc; UINT i,j, nCount = 64; srand((unsigned)time(NULL)); for(i=0; i<2; i++) { for(j=0; j<nCount; j++) { tc = (char)(0x41+rand()%0xAF); prand[i][j] = tc; } prand[i][j]=0; } // Choose primes prime_factory pf; vlong s1 = from_str((const char*)prand[0]); vlong s2 = from_str((const char*)prand[1]); vlong tp = pf.find_prime( s1 ); vlong tq = pf.find_prime( s2 ); if ( tq > tp ) //make sure p > q { vlong tmp = tp; tp = tq; tq = tmp; } // Calculate public key pub.modulus = tp*tq; pub.key = 65537; while ( gcd(tp-1,pub.key) != 1 || gcd(tq-1,pub.key) != 1 ) pub.key += 2; // Calculate private key pri.p=tp; pri.q=tq; pri.dp=modinv(pub.key,tp-1); pri.dq=modinv(pub.key,tq-1); pri.qinv=modinv(tq,tp); }
static unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen) { struct dss_key *dss = (struct dss_key *) key; Bignum k, gkp, hash, kinv, hxr, r, s; unsigned char digest[20]; unsigned char *bytes; int nbytes, i; SHA_Simple(data, datalen, digest); k = dss_gen_k("DSA deterministic k generator", dss->q, dss->x, digest, sizeof(digest)); kinv = modinv(k, dss->q); /* k^-1 mod q */ assert(kinv); /* * Now we have k, so just go ahead and compute the signature. */ gkp = modpow(dss->g, k, dss->p); /* g^k mod p */ r = bigmod(gkp, dss->q); /* r = (g^k mod p) mod q */ freebn(gkp); hash = bignum_from_bytes(digest, 20); hxr = bigmuladd(dss->x, r, hash); /* hash + x*r */ s = modmul(kinv, hxr, dss->q); /* s = k^-1 * (hash + x*r) mod q */ freebn(hxr); freebn(kinv); freebn(k); freebn(hash); /* * Signature blob is * * string "ssh-dss" * string two 20-byte numbers r and s, end to end * * i.e. 4+7 + 4+40 bytes. */ nbytes = 4 + 7 + 4 + 40; bytes = snewn(nbytes, unsigned char); PUT_32BIT(bytes, 7); memcpy(bytes + 4, "ssh-dss", 7); PUT_32BIT(bytes + 4 + 7, 40); for (i = 0; i < 20; i++) { bytes[4 + 7 + 4 + i] = bignum_byte(r, 19 - i); bytes[4 + 7 + 4 + 20 + i] = bignum_byte(s, 19 - i); } freebn(r); freebn(s); *siglen = nbytes; return bytes; }
int main() { for (int m = 1; m < 10000; ++m) { for (int a = 0; a < 2*m; ++a) { if (gcd(a,m) % m == 1) { assert((a * modinv(a,m)) % m == 1); } } } return 0; }
void solve(int n, int m, int k){ long long sum = 0; long long sdi2 = m; for(int i=1;i<=k;i++){ sum+= (sdi2*pnr(n,i))%PRIME;; long long den = i+1; long long num = m-i; sdi2 = (sdi2*num)%PRIME; sdi2 = (sdi2*modinv(den,PRIME))%PRIME; } printf("%ld\n",(sum+PRIME)%PRIME); }
static unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen) { /* * The basic DSS signing algorithm is: * * - invent a random k between 1 and q-1 (exclusive). * - Compute r = (g^k mod p) mod q. * - Compute s = k^-1 * (hash + x*r) mod q. * * This has the dangerous properties that: * * - if an attacker in possession of the public key _and_ the * signature (for example, the host you just authenticated * to) can guess your k, he can reverse the computation of s * and work out x = r^-1 * (s*k - hash) mod q. That is, he * can deduce the private half of your key, and masquerade * as you for as long as the key is still valid. * * - since r is a function purely of k and the public key, if * the attacker only has a _range of possibilities_ for k * it's easy for him to work through them all and check each * one against r; he'll never be unsure of whether he's got * the right one. * * - if you ever sign two different hashes with the same k, it * will be immediately obvious because the two signatures * will have the same r, and moreover an attacker in * possession of both signatures (and the public key of * course) can compute k = (hash1-hash2) * (s1-s2)^-1 mod q, * and from there deduce x as before. * * - the Bleichenbacher attack on DSA makes use of methods of * generating k which are significantly non-uniformly * distributed; in particular, generating a 160-bit random * number and reducing it mod q is right out. * * For this reason we must be pretty careful about how we * generate our k. Since this code runs on Windows, with no * particularly good system entropy sources, we can't trust our * RNG itself to produce properly unpredictable data. Hence, we * use a totally different scheme instead. * * What we do is to take a SHA-512 (_big_) hash of the private * key x, and then feed this into another SHA-512 hash that * also includes the message hash being signed. That is: * * proto_k = SHA512 ( SHA512(x) || SHA160(message) ) * * This number is 512 bits long, so reducing it mod q won't be * noticeably non-uniform. So * * k = proto_k mod q * * This has the interesting property that it's _deterministic_: * signing the same hash twice with the same key yields the * same signature. * * Despite this determinism, it's still not predictable to an * attacker, because in order to repeat the SHA-512 * construction that created it, the attacker would have to * know the private key value x - and by assumption he doesn't, * because if he knew that he wouldn't be attacking k! * * (This trick doesn't, _per se_, protect against reuse of k. * Reuse of k is left to chance; all it does is prevent * _excessively high_ chances of reuse of k due to entropy * problems.) * * Thanks to Colin Plumb for the general idea of using x to * ensure k is hard to guess, and to the Cambridge University * Computer Security Group for helping to argue out all the * fine details. */ struct dss_key *dss = (struct dss_key *) key; SHA512_State ss; unsigned char digest[20], digest512[64]; Bignum proto_k, k, gkp, hash, kinv, hxr, r, s; unsigned char *bytes; int nbytes, i; SHA_Simple(data, datalen, digest); /* * Hash some identifying text plus x. */ SHA512_Init(&ss); SHA512_Bytes(&ss, "DSA deterministic k generator", 30); sha512_mpint(&ss, dss->x); SHA512_Final(&ss, digest512); /* * Now hash that digest plus the message hash. */ SHA512_Init(&ss); SHA512_Bytes(&ss, digest512, sizeof(digest512)); SHA512_Bytes(&ss, digest, sizeof(digest)); SHA512_Final(&ss, digest512); memset(&ss, 0, sizeof(ss)); /* * Now convert the result into a bignum, and reduce it mod q. */ proto_k = bignum_from_bytes(digest512, 64); k = bigmod(proto_k, dss->q); freebn(proto_k); memset(digest512, 0, sizeof(digest512)); /* * Now we have k, so just go ahead and compute the signature. */ gkp = modpow(dss->g, k, dss->p); /* g^k mod p */ r = bigmod(gkp, dss->q); /* r = (g^k mod p) mod q */ freebn(gkp); hash = bignum_from_bytes(digest, 20); kinv = modinv(k, dss->q); /* k^-1 mod q */ hxr = bigmuladd(dss->x, r, hash); /* hash + x*r */ s = modmul(kinv, hxr, dss->q); /* s = k^-1 * (hash + x*r) mod q */ freebn(hxr); freebn(kinv); freebn(hash); /* * Signature blob is * * string "ssh-dss" * string two 20-byte numbers r and s, end to end * * i.e. 4+7 + 4+40 bytes. */ nbytes = 4 + 7 + 4 + 40; bytes = snewn(nbytes, unsigned char); PUT_32BIT(bytes, 7); memcpy(bytes + 4, "ssh-dss", 7); PUT_32BIT(bytes + 4 + 7, 40); for (i = 0; i < 20; i++) { bytes[4 + 7 + 4 + i] = bignum_byte(r, 19 - i); bytes[4 + 7 + 4 + 20 + i] = bignum_byte(s, 19 - i); } freebn(r); freebn(s); *siglen = nbytes; return bytes; }
static int dss_verifysig(void *key, char *sig, int siglen, char *data, int datalen) { struct dss_key *dss = (struct dss_key *) key; char *p; int slen; char hash[20]; Bignum r, s, w, gu1p, yu2p, gu1yu2p, u1, u2, sha, v; int ret; if (!dss->p) return 0; #ifdef DEBUG_DSS { int i; printf("sig:"); for (i = 0; i < siglen; i++) printf(" %02x", (unsigned char) (sig[i])); printf("\n"); } #endif /* * Commercial SSH (2.0.13) and OpenSSH disagree over the format * of a DSA signature. OpenSSH is in line with the IETF drafts: * it uses a string "ssh-dss", followed by a 40-byte string * containing two 160-bit integers end-to-end. Commercial SSH * can't be bothered with the header bit, and considers a DSA * signature blob to be _just_ the 40-byte string containing * the two 160-bit integers. We tell them apart by measuring * the length: length 40 means the commercial-SSH bug, anything * else is assumed to be IETF-compliant. */ if (siglen != 40) { /* bug not present; read admin fields */ getstring(&sig, &siglen, &p, &slen); if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) { return 0; } sig += 4, siglen -= 4; /* skip yet another length field */ } r = get160(&sig, &siglen); s = get160(&sig, &siglen); if (!r || !s) return 0; /* * Step 1. w <- s^-1 mod q. */ w = modinv(s, dss->q); /* * Step 2. u1 <- SHA(message) * w mod q. */ SHA_Simple(data, datalen, (unsigned char *)hash); p = hash; slen = 20; sha = get160(&p, &slen); u1 = modmul(sha, w, dss->q); /* * Step 3. u2 <- r * w mod q. */ u2 = modmul(r, w, dss->q); /* * Step 4. v <- (g^u1 * y^u2 mod p) mod q. */ gu1p = modpow(dss->g, u1, dss->p); yu2p = modpow(dss->y, u2, dss->p); gu1yu2p = modmul(gu1p, yu2p, dss->p); v = modmul(gu1yu2p, One, dss->q); /* * Step 5. v should now be equal to r. */ ret = !bignum_cmp(v, r); freebn(w); freebn(sha); freebn(gu1p); freebn(yu2p); freebn(gu1yu2p); freebn(v); freebn(r); freebn(s); return ret; }
/* * This function is a wrapper on modpow(). It has the same effect * as modpow(), but employs RSA blinding to protect against timing * attacks. */ static Bignum rsa_privkey_op(Bignum input, struct RSAKey *key) { Bignum random, random_encrypted, random_inverse; Bignum input_blinded, ret_blinded; Bignum ret; SHA512_State ss; unsigned char digest512[64]; int digestused = lenof(digest512); int hashseq = 0; /* * Start by inventing a random number chosen uniformly from the * range 2..modulus-1. (We do this by preparing a random number * of the right length and retrying if it's greater than the * modulus, to prevent any potential Bleichenbacher-like * attacks making use of the uneven distribution within the * range that would arise from just reducing our number mod n. * There are timing implications to the potential retries, of * course, but all they tell you is the modulus, which you * already knew.) * * To preserve determinism and avoid Pageant needing to share * the random number pool, we actually generate this `random' * number by hashing stuff with the private key. */ while (1) { int bits, byte, bitsleft, v; random = copybn(key->modulus); /* * Find the topmost set bit. (This function will return its * index plus one.) Then we'll set all bits from that one * downwards randomly. */ bits = bignum_bitcount(random); byte = 0; bitsleft = 0; while (bits--) { if (bitsleft <= 0) { bitsleft = 8; /* * Conceptually the following few lines are equivalent to * byte = random_byte(); */ if (digestused >= lenof(digest512)) { unsigned char seqbuf[4]; PUT_32BIT(seqbuf, hashseq); pSHA512_Init(&ss); SHA512_Bytes(&ss, "RSA deterministic blinding", 26); SHA512_Bytes(&ss, seqbuf, sizeof(seqbuf)); sha512_mpint(&ss, key->private_exponent); pSHA512_Final(&ss, digest512); hashseq++; /* * Now hash that digest plus the signature * input. */ pSHA512_Init(&ss); SHA512_Bytes(&ss, digest512, sizeof(digest512)); sha512_mpint(&ss, input); pSHA512_Final(&ss, digest512); digestused = 0; } byte = digest512[digestused++]; } v = byte & 1; byte >>= 1; bitsleft--; bignum_set_bit(random, bits, v); } /* * Now check that this number is strictly greater than * zero, and strictly less than modulus. */ if (bignum_cmp(random, Zero) <= 0 || bignum_cmp(random, key->modulus) >= 0) { freebn(random); continue; } else { break; } } /* * RSA blinding relies on the fact that (xy)^d mod n is equal * to (x^d mod n) * (y^d mod n) mod n. We invent a random pair * y and y^d; then we multiply x by y, raise to the power d mod * n as usual, and divide by y^d to recover x^d. Thus an * attacker can't correlate the timing of the modpow with the * input, because they don't know anything about the number * that was input to the actual modpow. * * The clever bit is that we don't have to do a huge modpow to * get y and y^d; we will use the number we just invented as * _y^d_, and use the _public_ exponent to compute (y^d)^e = y * from it, which is much faster to do. */ random_encrypted = modpow(random, key->exponent, key->modulus); random_inverse = modinv(random, key->modulus); input_blinded = modmul(input, random_encrypted, key->modulus); ret_blinded = modpow(input_blinded, key->private_exponent, key->modulus); ret = modmul(ret_blinded, random_inverse, key->modulus); freebn(ret_blinded); freebn(input_blinded); freebn(random_inverse); freebn(random_encrypted); freebn(random); return ret; }
int main(int argc, char *argv[]) { KryState state = STATE_BADARG; long mod_bits; if (argc == 3 && !strcmp(argv[1], "-g")) { // Key generation state = STATE_KEYGEN; mod_bits = strtol(argv[2], NULL, 10); if (mod_bits < 16) { state = STATE_BADARG; fprintf(stderr, "Too small key length\n"); } } else if (argc == 5 && !strcmp(argv[1], "-e")) { // Encryption state = STATE_ENCRYPTION; } else if (argc == 5 && !strcmp(argv[1], "-d")) { // Decryption state = STATE_DECRYPTION; } else if (argc == 5 && !strcmp(argv[1], "-b")) { // RSA cracking state = STATE_CRACKING; } if (state == STATE_BADARG) { // Someting is messed up print_help(argv[0]); return EXIT_FAILURE; } // Prepare pseudo number generator stuff gmp_randstate_t randstate; gmp_randinit_default(randstate); //gmp_randseed_ui(randstate, 1); gmp_randseed_ui(randstate, time(NULL)); int rc = EXIT_SUCCESS; mpz_t res; mpz_init(res); switch (state) { case STATE_KEYGEN: { mpz_t p, q, n, e; // For d use res var mpz_init(p); mpz_init(q); mpz_init(n); mpz_init(e); rc = keygen(p, q, n, e, res, mod_bits, randstate); gmp_printf("0x%Zx 0x%Zx 0x%Zx 0x%Zx 0x%Zx\n", p, q, n, e, res); mpz_clear(p); mpz_clear(q); mpz_clear(n); mpz_clear(e); break; } case STATE_ENCRYPTION: // Argv: [2]=e; [3]=n; [4]=m; rc = encrypt(res, argv[2], argv[3], argv[4]); gmp_printf("0x%Zx\n", res); break; case STATE_DECRYPTION: // Argv: [2]=d; [3]=n; [4]=c; rc = decrypt(res, argv[2], argv[3], argv[4]); gmp_printf("0x%Zx\n", res); break; case STATE_CRACKING: { // Argv: [2]=e; [3]=n; [4]=c; mpz_t p, q, p_, q_, e, d; mpz_init(p); mpz_init(q); mpz_init(p_); mpz_init(q_); mpz_init(e); mpz_init(d); rc = factorization(p, q, argv[3]); if (rc != 0) goto cracking_cleanup; // phi = (p-1) * (q-1) mpz_sub_ui(p_, p, 1L); mpz_sub_ui(q_, q, 1L); mpz_mul(res, p_, q_); // d = e^1 mod phi mpz_set_str(e, argv[2], 0); modinv(d, e, res); rc = decrypt_mpz_d(res, d, argv[3], argv[4]); gmp_printf("0x%Zx 0x%Zx 0x%Zx\n", p, q, res); cracking_cleanup: mpz_clear(p); mpz_clear(q); mpz_clear(p_); mpz_clear(q_); mpz_clear(e); mpz_clear(d); break; } case STATE_BADARG: break; } mpz_clear(res); gmp_randclear(randstate); return rc; }
uint64_t moddiv(uint64_t a, uint64_t b, uint64_t m) { uint64_t i = modinv(b, m); return a*i%m; }
int main() { printf("%d\n", modinv(3, 4)); return 0; }
int rsa_generate(struct RSAKey *key, struct RSAAux *aux, int bits, progfn_t pfn, void *pfnparam) { Bignum pm1, qm1, phi_n; /* * Set up the phase limits for the progress report. We do this * by passing minus the phase number. * * For prime generation: our initial filter finds things * coprime to everything below 2^16. Computing the product of * (p-1)/p for all prime p below 2^16 gives about 20.33; so * among B-bit integers, one in every 20.33 will get through * the initial filter to be a candidate prime. * * Meanwhile, we are searching for primes in the region of 2^B; * since pi(x) ~ x/log(x), when x is in the region of 2^B, the * prime density will be d/dx pi(x) ~ 1/log(B), i.e. about * 1/0.6931B. So the chance of any given candidate being prime * is 20.33/0.6931B, which is roughly 29.34 divided by B. * * So now we have this probability P, we're looking at an * exponential distribution with parameter P: we will manage in * one attempt with probability P, in two with probability * P(1-P), in three with probability P(1-P)^2, etc. The * probability that we have still not managed to find a prime * after N attempts is (1-P)^N. * * We therefore inform the progress indicator of the number B * (29.34/B), so that it knows how much to increment by each * time. We do this in 16-bit fixed point, so 29.34 becomes * 0x1D.57C4. */ pfn(pfnparam, -1, -0x1D57C4/(bits/2)); pfn(pfnparam, -2, -0x1D57C4/(bits-bits/2)); pfn(pfnparam, -3, 5); /* * We don't generate e; we just use a standard one always. */ key->exponent = bignum_from_short(RSA_EXPONENT); /* * Generate p and q: primes with combined length `bits', not * congruent to 1 modulo e. (Strictly speaking, we wanted (p-1) * and e to be coprime, and (q-1) and e to be coprime, but in * general that's slightly more fiddly to arrange. By choosing * a prime e, we can simplify the criterion.) */ aux->p = primegen(bits/2, RSA_EXPONENT, 1, 1, pfn, pfnparam); aux->q = primegen(bits - bits/2, RSA_EXPONENT, 1, 2, pfn, pfnparam); /* * Ensure p > q, by swapping them if not. */ if (bignum_cmp(aux->p, aux->q) < 0) { Bignum t = aux->p; aux->p = aux->q; aux->q = t; } /* * Now we have p, q and e. All we need to do now is work out * the other helpful quantities: n=pq, d=e^-1 mod (p-1)(q-1), * and (q^-1 mod p). */ pfn(pfnparam, 3, 1); key->modulus = bigmul(aux->p, aux->q); pfn(pfnparam, 3, 2); pm1 = copybn(aux->p); decbn(pm1); qm1 = copybn(aux->q); decbn(qm1); phi_n = bigmul(pm1, qm1); pfn(pfnparam, 3, 3); freebn(pm1); freebn(qm1); key->private_exponent = modinv(key->exponent, phi_n); pfn(pfnparam, 3, 4); aux->iqmp = modinv(aux->q, aux->p); pfn(pfnparam, 3, 5); /* * Clean up temporary numbers. */ freebn(phi_n); return 1; }