int elgv3sign(const mpbarrett* p, const mpbarrett* n, const mpnumber* g, randomGeneratorContext* rgc, const mpnumber* hm, const mpnumber* x, mpnumber* r, mpnumber* s)
{
register size_t size = p->size;
register mpw* temp = (mpw*) malloc((6*size+2)*sizeof(mpw));
if (temp)
{
/* get a random k */
mpbrnd_w(p, rgc, temp, temp+2*size);
/* compute r = g^k mod p */
mpnfree(r);
mpnsize(r, size);
mpbpowmod_w(p, g->size, g->data, size, temp, r->data, temp+2*size);
/* compute u1 = x*r mod n */
mpbmulmod_w(n, x->size, x->data, size, r->data, temp+size, temp+2*size);
/* compute u2 = k*h(m) mod n */
mpbmulmod_w(n, size, temp, hm->size, hm->data, temp, temp+2*size);
/* compute s = u1+u2 mod n */
mpnfree(s);
mpnsize(s, n->size);
mpbaddmod_w(n, size, temp, size, temp+size, s->data, temp+2*size);
free(temp);
return 0;
}
return -1;
}
int dldp_pgoqGenerator_w(dldp_p* dp, randomGeneratorContext* rgc, mpw* wksp)
{
/*
* Randomly determine a generator over the subgroup with order q
*/
register size_t size = dp->p.size;
mpnfree(&dp->g);
mpnsize(&dp->g, size);
while (1)
{
/* get a random value h (stored into g) */
mpbrnd_w(&dp->p, rgc, dp->g.data, wksp);
/* first compute h^r mod p (stored in g) */
mpbpowmod_w(&dp->p, size, dp->g.data, dp->r.size, dp->r.data, dp->g.data, wksp);
if (mpisone(size, dp->g.data))
continue;
return 0;
}
return -1;
}
void mpbnrnd(const mpbarrett* b, randomGeneratorContext* rc, mpnumber* result)
{
register size_t size = b->size;
register mpw* temp = (mpw*) malloc(size * sizeof(mpw));
mpnfree(result);
mpnsize(result, size);
mpbrnd_w(b, rc, result->data, temp);
free(temp);
}
/*
* mpbrndinv_w
* generates a random invertible (modulo b) in the range 1 < r < b-1
* needs workspace of (6*size+6) words
*/
void mpbrndinv_w(const mpbarrett* b, randomGeneratorContext* rc, mpw* result, mpw* inverse, mpw* wksp)
{
register size_t size = b->size;
do
{
if (mpeven(size, b->modl))
mpbrndodd_w(b, rc, result, wksp);
else
mpbrnd_w(b, rc, result, wksp);
} while (mpextgcd_w(size, b->modl, result, inverse, wksp) == 0);
}
/*
* needs workspace of (8*size+2) words
*/
int mppmilrab_w(const mpbarrett* p, randomGeneratorContext* rc, int t, mpw* wksp)
{
/*
* Miller-Rabin probabilistic primality test, with modification
*
* For more information, see:
* "Handbook of Applied Cryptography"
* Chapter 4.24
*
* Modification to the standard algorithm:
* The first value of a is not obtained randomly, but set to two
*/
/* this routine uses (size*3) storage, and calls mpbpowmod, which needs (size*4+2) */
/* (size) for a, (size) for r, (size) for n-1 */
register size_t size = p->size;
register mpw* ndata = wksp;
register mpw* rdata = ndata+size;
register mpw* adata = rdata+size;
int s;
mpcopy(size, ndata, p->modl);
mpsubw(size, ndata, 1);
mpcopy(size, rdata, ndata);
s = mprshiftlsz(size, rdata); /* we've split p-1 into (2^s)*r */
/* should do an assert that s != 0 */
/* do at least one test, with a = 2 */
if (t == 0)
t++;
if (!mppmilrabtwo_w(p, s, rdata, ndata, wksp+3*size))
return 0;
while (t-- > 0)
{
/* generate a random 'a' into b->data */
mpbrnd_w(p, rc, adata, wksp);
if (!mppmilraba_w(p, adata, s, rdata, ndata, wksp+3*size))
return 0;
}
return 1;
}
int dldp_pgonGenerator_w(dldp_p* dp, randomGeneratorContext* rgc, mpw* wksp)
{
register size_t size = dp->p.size;
mpnfree(&dp->g);
mpnsize(&dp->g, size);
while (1)
{
mpbrnd_w(&dp->p, rgc, dp->g.data, wksp);
if (mpistwo(dp->r.size, dp->r.data))
{
/*
* A little math here: the only element in the group which has order 2 is (p-1);
* the two group elements raised to power two which result in 1 (mod p) are thus (p-1) and 1
*
* mpbrnd_w doesn't return 1 or (p-1), so the test where g^2 mod p = 1 can be safely skipped
*/
/* check g^q mod p*/
mpbpowmod_w(&dp->p, size, dp->g.data, dp->q.size, dp->q.modl, wksp, wksp+size);
if (mpisone(size, wksp))
continue;
}
else
{
/* we can either compute g^r, g^2q and g^(qr/2) or
* we first compute s = r/2, and then compute g^2s, g^2q and g^qs
*
* hence we first compute t = g^s
* then compute t^2 mod p, and test if one
* then compute t^q mod p, and test if one
* then compute (g^q mod p)^2 mod p, and test if one
*/
/* compute s = r/2 */
mpsetx(size, wksp, dp->r.size, dp->r.data);
mpdivtwo(size, wksp);
/* compute t = g^s mod p */
mpbpowmod_w(&dp->p, size, dp->g.data, size, wksp, wksp+size, wksp+2*size);
/* compute t^2 mod p = g^2s mod p = g^r mod p*/
mpbsqrmod_w(&dp->p, size, wksp+size, wksp+size, wksp+2*size);
if (mpisone(size, wksp+size))
continue;
/* compute t^q mod p = g^qs mod p */
mpbpowmod_w(&dp->p, size, wksp, dp->q.size, dp->q.modl, wksp+size, wksp+2*size);
if (mpisone(size, wksp+size))
continue;
/* compute g^2q mod p */
mpbpowmod_w(&dp->p, size, dp->g.data, dp->q.size, dp->q.modl, wksp, wksp+size);
mpbsqrmod_w(&dp->p, size, wksp, wksp+size, wksp+2*size);
if (mpisone(size, wksp+size))
continue;
}
return 0;
}
return -1;
}
