Integer MaurerProvablePrime(RandomNumberGenerator &rng, unsigned int bits)
{
const unsigned smallPrimeBound = 29, c_opt=10;
Integer p;
unsigned int primeTableSize;
const word16 * primeTable = GetPrimeTable(primeTableSize);
if (bits < smallPrimeBound)
{
do
p.Randomize(rng, Integer::Power2(bits-1), Integer::Power2(bits)-1, Integer::ANY, 1, 2);
while (TrialDivision(p, 1 << ((bits+1)/2)));
}
else
{
const unsigned margin = bits > 50 ? 20 : (bits-10)/2;
double relativeSize;
do
relativeSize = pow(2.0, double(rng.GenerateWord32())/0xffffffff - 1);
while (bits * relativeSize >= bits - margin);
Integer a,b;
Integer q = MaurerProvablePrime(rng, unsigned(bits*relativeSize));
Integer I = Integer::Power2(bits-2)/q;
Integer I2 = I << 1;
unsigned int trialDivisorBound = (unsigned int)STDMIN((unsigned long)primeTable[primeTableSize-1], (unsigned long)bits*bits/c_opt);
bool success = false;
while (!success)
{
p.Randomize(rng, I, I2, Integer::ANY);
p *= q; p <<= 1; ++p;
if (!TrialDivision(p, trialDivisorBound))
{
a.Randomize(rng, 2, p-1, Integer::ANY);
b = a_exp_b_mod_c(a, (p-1)/q, p);
success = (GCD(b-1, p) == 1) && (a_exp_b_mod_c(b, q, p) == 1);
}
}
}
return p;
}
void PKCS_EncryptionPaddingScheme::Pad(RandomNumberGenerator &rng, const byte *input, unsigned int inputLen, byte *pkcsBlock, unsigned int pkcsBlockLen, const NameValuePairs ¶meters) const
{
assert (inputLen <= MaxUnpaddedLength(pkcsBlockLen)); // this should be checked by caller
// convert from bit length to byte length
if (pkcsBlockLen % 8 != 0)
{
pkcsBlock[0] = 0;
pkcsBlock++;
}
pkcsBlockLen /= 8;
pkcsBlock[0] = 2; // block type 2
// pad with non-zero random bytes
for (unsigned i = 1; i < pkcsBlockLen-inputLen-1; i++)
pkcsBlock[i] = (byte)rng.GenerateWord32(1, 0xff);
pkcsBlock[pkcsBlockLen-inputLen-1] = 0; // separator
memcpy(pkcsBlock+pkcsBlockLen-inputLen, input, inputLen);
}
Integer MihailescuProvablePrime(RandomNumberGenerator &rng, unsigned int pbits)
{
Integer p;
Integer minP = Integer::Power2(pbits-1);
Integer maxP = Integer::Power2(pbits) - 1;
if (maxP <= Integer(s_lastSmallPrime).Squared())
{
// Randomize() will generate a prime provable by trial division
p.Randomize(rng, minP, maxP, Integer::PRIME);
return p;
}
unsigned int qbits = (pbits+2)/3 + 1 + rng.GenerateWord32(0, pbits/36);
Integer q = MihailescuProvablePrime(rng, qbits);
Integer q2 = q<<1;
while (true)
{
// this initializes the sieve to search in the arithmetic
// progression p = p_0 + \lambda * q2 = p_0 + 2 * \lambda * q,
// with q the recursively generated prime above. We will be able
// to use Lucas tets for proving primality. A trick of Quisquater
// allows taking q > cubic_root(p) rather then square_root: this
// decreases the recursion.
p.Randomize(rng, minP, maxP, Integer::ANY, 1, q2);
PrimeSieve sieve(p, STDMIN(p+PrimeSearchInterval(maxP)*q2, maxP), q2);
while (sieve.NextCandidate(p))
{
if (FastProbablePrimeTest(p) && ProvePrime(p, q))
return p;
}
}
// not reached
return p;
}
