int elgv3sign(const mpbarrett* p, const mpbarrett* n, const mpnumber* g, randomGeneratorContext* rgc, const mpnumber* hm, const mpnumber* x, mpnumber* r, mpnumber* s) { register size_t size = p->size; register mpw* temp = (mpw*) malloc((6*size+2)*sizeof(mpw)); if (temp) { /* get a random k */ mpbrnd_w(p, rgc, temp, temp+2*size); /* compute r = g^k mod p */ mpnfree(r); mpnsize(r, size); mpbpowmod_w(p, g->size, g->data, size, temp, r->data, temp+2*size); /* compute u1 = x*r mod n */ mpbmulmod_w(n, x->size, x->data, size, r->data, temp+size, temp+2*size); /* compute u2 = k*h(m) mod n */ mpbmulmod_w(n, size, temp, hm->size, hm->data, temp, temp+2*size); /* compute s = u1+u2 mod n */ mpnfree(s); mpnsize(s, n->size); mpbaddmod_w(n, size, temp, size, temp+size, s->data, temp+2*size); free(temp); return 0; } return -1; }
int dldp_pgoqGenerator_w(dldp_p* dp, randomGeneratorContext* rgc, mpw* wksp) { /* * Randomly determine a generator over the subgroup with order q */ register size_t size = dp->p.size; mpnfree(&dp->g); mpnsize(&dp->g, size); while (1) { /* get a random value h (stored into g) */ mpbrnd_w(&dp->p, rgc, dp->g.data, wksp); /* first compute h^r mod p (stored in g) */ mpbpowmod_w(&dp->p, size, dp->g.data, dp->r.size, dp->r.data, dp->g.data, wksp); if (mpisone(size, dp->g.data)) continue; return 0; } return -1; }
void mpbnrnd(const mpbarrett* b, randomGeneratorContext* rc, mpnumber* result) { register size_t size = b->size; register mpw* temp = (mpw*) malloc(size * sizeof(mpw)); mpnfree(result); mpnsize(result, size); mpbrnd_w(b, rc, result->data, temp); free(temp); }
/* * mpbrndinv_w * generates a random invertible (modulo b) in the range 1 < r < b-1 * needs workspace of (6*size+6) words */ void mpbrndinv_w(const mpbarrett* b, randomGeneratorContext* rc, mpw* result, mpw* inverse, mpw* wksp) { register size_t size = b->size; do { if (mpeven(size, b->modl)) mpbrndodd_w(b, rc, result, wksp); else mpbrnd_w(b, rc, result, wksp); } while (mpextgcd_w(size, b->modl, result, inverse, wksp) == 0); }
/* * needs workspace of (8*size+2) words */ int mppmilrab_w(const mpbarrett* p, randomGeneratorContext* rc, int t, mpw* wksp) { /* * Miller-Rabin probabilistic primality test, with modification * * For more information, see: * "Handbook of Applied Cryptography" * Chapter 4.24 * * Modification to the standard algorithm: * The first value of a is not obtained randomly, but set to two */ /* this routine uses (size*3) storage, and calls mpbpowmod, which needs (size*4+2) */ /* (size) for a, (size) for r, (size) for n-1 */ register size_t size = p->size; register mpw* ndata = wksp; register mpw* rdata = ndata+size; register mpw* adata = rdata+size; int s; mpcopy(size, ndata, p->modl); mpsubw(size, ndata, 1); mpcopy(size, rdata, ndata); s = mprshiftlsz(size, rdata); /* we've split p-1 into (2^s)*r */ /* should do an assert that s != 0 */ /* do at least one test, with a = 2 */ if (t == 0) t++; if (!mppmilrabtwo_w(p, s, rdata, ndata, wksp+3*size)) return 0; while (t-- > 0) { /* generate a random 'a' into b->data */ mpbrnd_w(p, rc, adata, wksp); if (!mppmilraba_w(p, adata, s, rdata, ndata, wksp+3*size)) return 0; } return 1; }
int dldp_pgonGenerator_w(dldp_p* dp, randomGeneratorContext* rgc, mpw* wksp) { register size_t size = dp->p.size; mpnfree(&dp->g); mpnsize(&dp->g, size); while (1) { mpbrnd_w(&dp->p, rgc, dp->g.data, wksp); if (mpistwo(dp->r.size, dp->r.data)) { /* * A little math here: the only element in the group which has order 2 is (p-1); * the two group elements raised to power two which result in 1 (mod p) are thus (p-1) and 1 * * mpbrnd_w doesn't return 1 or (p-1), so the test where g^2 mod p = 1 can be safely skipped */ /* check g^q mod p*/ mpbpowmod_w(&dp->p, size, dp->g.data, dp->q.size, dp->q.modl, wksp, wksp+size); if (mpisone(size, wksp)) continue; } else { /* we can either compute g^r, g^2q and g^(qr/2) or * we first compute s = r/2, and then compute g^2s, g^2q and g^qs * * hence we first compute t = g^s * then compute t^2 mod p, and test if one * then compute t^q mod p, and test if one * then compute (g^q mod p)^2 mod p, and test if one */ /* compute s = r/2 */ mpsetx(size, wksp, dp->r.size, dp->r.data); mpdivtwo(size, wksp); /* compute t = g^s mod p */ mpbpowmod_w(&dp->p, size, dp->g.data, size, wksp, wksp+size, wksp+2*size); /* compute t^2 mod p = g^2s mod p = g^r mod p*/ mpbsqrmod_w(&dp->p, size, wksp+size, wksp+size, wksp+2*size); if (mpisone(size, wksp+size)) continue; /* compute t^q mod p = g^qs mod p */ mpbpowmod_w(&dp->p, size, wksp, dp->q.size, dp->q.modl, wksp+size, wksp+2*size); if (mpisone(size, wksp+size)) continue; /* compute g^2q mod p */ mpbpowmod_w(&dp->p, size, dp->g.data, dp->q.size, dp->q.modl, wksp, wksp+size); mpbsqrmod_w(&dp->p, size, wksp, wksp+size, wksp+2*size); if (mpisone(size, wksp+size)) continue; } return 0; } return -1; }