/*
 * ECDSA signature of a digest.
 *
 * dom:   curve domain; only dom->n (the group order) is read here
 * priv:  signer's key; only priv->d is read
 * dig:   big-endian digest of len bytes
 * r, s:  the two signature halves, written into caller-owned mpints
 *
 * When the digest is longer than n, only its leftmost bitlen(n) bits
 * are used.  Each attempt draws a fresh ephemeral key pair from ecgen()
 * and the loop retries until neither r nor s is zero.
 *
 * NOTE(review): the ephemeral scalar (eph.d) must be unpredictable and
 * never reused between signatures, or priv->d is recoverable; that
 * property has to come from ecgen(), which is not visible here.
 */
void
ecdsasign(ECdomain *dom, ECpriv *priv, uchar *dig, int len, mpint *r, mpint *s)
{
	ECpriv eph;
	mpint *e, *kinv;
	int nbits;

	/* e = leftmost bitlen(n) bits of the digest */
	e = betomp(dig, len, nil);
	nbits = mpsignif(dom->n);
	if(nbits < 8*len)
		mpright(e, 8*len - nbits, e);

	kinv = mpnew(0);
	eph.x = mpnew(0);
	eph.y = mpnew(0);
	eph.d = mpnew(0);

	for(;;){
		ecgen(dom, &eph);

		/* r = x(kG) mod n; a zero r is rejected outright */
		mpmod(eph.x, dom->n, r);
		if(mpcmp(r, mpzero) != 0){
			/* s = (e + r*d) * k^-1 mod n */
			mpmul(r, priv->d, s);
			mpadd(e, s, s);
			mpinvert(eph.d, dom->n, kinv);
			mpmul(s, kinv, s);
			mpmod(s, dom->n, s);
			if(mpcmp(s, mpzero) != 0)
				break;
		}
	}

	mpfree(kinv);
	mpfree(e);
	mpfree(eph.x);
	mpfree(eph.y);
	mpfree(eph.d);
}
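/*
 * Scalar multiplication s = k*a by right-to-left double-and-add.
 *
 * dom: curve domain; dom->p is used to reduce the negated y coordinate
 * a:   input point (a->inf set means the identity)
 * k:   scalar; a negative k yields -(|k|*a)
 * s:   output point, caller-owned; written only after all reads of a,
 *      so a and s may alias
 *
 * Fix: the working copy of the scalar was never freed, leaking one
 * mpint per call.
 *
 * NOTE(review): the addition on the accumulator runs only for set
 * scalar bits, so the running time depends on k.  With a secret k
 * (ECDSA nonce, private key) that is a timing side channel; a
 * constant-time ladder would be needed to close it.
 */
void
ecmul(ECdomain *dom, ECpoint *a, mpint *k, ECpoint *s)
{
	ECpoint acc, dbl;
	mpint *scalar;

	/* identity in, or zero scalar: the result is the identity */
	if(a->inf || mpcmp(k, mpzero) == 0){
		s->inf = 1;
		return;
	}

	acc.inf = 1;
	acc.x = mpnew(0);
	acc.y = mpnew(0);
	dbl.x = mpnew(0);
	dbl.y = mpnew(0);
	ecassign(dom, a, &dbl);

	/* walk |k| from the low bit up; dbl holds 2^i * a at step i */
	scalar = mpcopy(k);
	scalar->sign = 1;
	while(mpcmp(scalar, mpzero) != 0){
		if(scalar->p[0] & 1)
			ecadd(dom, &dbl, &acc, &acc);
		ecadd(dom, &dbl, &dbl, &dbl);
		mpright(scalar, 1, scalar);
	}
	mpfree(scalar);

	/* negative scalar: negate the point, i.e. y = p - y */
	if(k->sign < 0){
		acc.y->sign = -1;
		mpmod(acc.y, dom->p, acc.y);
	}

	ecassign(dom, &acc, s);
	mpfree(acc.x);
	mpfree(acc.y);
	mpfree(dbl.x);
	mpfree(dbl.y);
}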
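/*
 * Verify an ECDSA signature (r, s) over a digest.
 *
 * dom: curve domain (dom->n group order, dom->G base point)
 * pub: signer's public point
 * dig: big-endian digest of len bytes, truncated to bitlen(n) bits
 *      when longer — the same rule ecdsasign applies
 * Returns 1 when the signature verifies, 0 otherwise.
 *
 * Fix: the range check tested r against n twice and never tested s,
 * so an s >= n was accepted into mpinvert().
 *
 * NOTE(review): nothing here checks that pub lies on the curve or is
 * not the identity; that validation is assumed to happen where the key
 * is loaded — confirm with the caller.
 */
int
ecdsaverify(ECdomain *dom, ECpub *pub, uchar *dig, int len, mpint *r, mpint *s)
{
	mpint *E, *t, *u1, *u2;
	ECpoint R, S;
	int ret;

	/* both halves must lie in [1, n-1] */
	if(mpcmp(r, mpone) < 0 || mpcmp(s, mpone) < 0
	|| mpcmp(r, dom->n) >= 0 || mpcmp(s, dom->n) >= 0)
		return 0;

	/* E = leftmost bitlen(n) bits of the digest */
	E = betomp(dig, len, nil);
	if(mpsignif(dom->n) < 8*len)
		mpright(E, 8*len - mpsignif(dom->n), E);

	t = mpnew(0);
	u1 = mpnew(0);
	u2 = mpnew(0);
	R.x = mpnew(0);
	R.y = mpnew(0);
	S.x = mpnew(0);
	S.y = mpnew(0);

	/* u1 = E * s^-1 mod n, u2 = r * s^-1 mod n */
	mpinvert(s, dom->n, t);
	mpmul(E, t, u1);
	mpmod(u1, dom->n, u1);
	mpmul(r, t, u2);
	mpmod(u2, dom->n, u2);

	/* R = u1*G + u2*pub; valid iff R is finite and x(R) mod n == r */
	ecmul(dom, dom->G, u1, &R);
	ecmul(dom, pub, u2, &S);
	ecadd(dom, &R, &S, &R);
	ret = 0;
	if(!R.inf){
		mpmod(R.x, dom->n, t);
		ret = mpcmp(r, t) == 0;
	}

	mpfree(t);
	mpfree(u1);
	mpfree(u2);
	mpfree(R.x);
	mpfree(R.y);
	mpfree(S.x);
	mpfree(S.y);
	mpfree(E);
	return ret;
}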
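/*
 * Jacobi symbol (a/b) by the binary algorithm.
 * Returns 1, -1, or 0 (the last when the reduction reaches 0, i.e.
 * a ≡ 0 mod b).  b is expected to be odd and > 1; mpsqrt() passes its
 * modulus p.
 *
 * The two sign rules below are the standard ones:
 *   (2/n) = -1       iff n ≡ 3 or 5 (mod 8)  -> the switch on n mod 16
 *   (m/n)(n/m) = -1  iff m ≡ n ≡ 3 (mod 4)   -> the test on the low 2 bits
 *
 * Fix: with m == n > 1 at entry the old loop never reduced m (the test
 * was strictly ">"), neither the zero nor the one exit fired, and the
 * swap restored the same state — an infinite loop.  That case is now
 * answered directly with 0.
 */
static int
mpleg(mpint *a, mpint *b)
{
	int r, k, c;
	mpint *m, *n, *t;

	r = 1;
	m = mpcopy(a);
	n = mpcopy(b);
	for(;;){
		/* keep m < n */
		c = mpcmp(m, n);
		if(c > 0)
			mpmod(m, n, m);
		else if(c == 0 && mpcmp(n, mpone) != 0){
			r = 0;
			break;
		}
		if(mpcmp(m, mpzero) == 0){
			r = 0;
			break;
		}
		if(mpcmp(m, mpone) == 0)
			break;

		/* strip factors of two; pairs cancel, an odd count contributes (2/n) */
		k = mplowbits0(m);
		if(k > 0){
			if(k & 1)
				switch(n->p[0] & 15){
				case 3:
				case 5:
				case 11:
				case 13:
					r = -r;
				}
			mpright(m, k, m);
		}

		/* quadratic reciprocity, then swap the arguments */
		if((n->p[0] & 3) == 3 && (m->p[0] & 3) == 3)
			r = -r;
		t = m;
		m = n;
		n = t;
	}
	mpfree(m);
	mpfree(n);
	return r;
}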
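/*
 * Modular square root r = sqrt(n) mod p (Cipolla's algorithm).
 * p is assumed to be an odd prime.
 * Returns 0 when n is a non-residue, 1 when r was written.
 *
 * Method: pick a random a with a^2 - n a non-residue, then compute
 * (a + w)^((p+1)/2) in F_p[w], w^2 = a^2 - n.  Elements are kept as
 * pairs (coefficient of 1, coefficient of w): (xp, xq) is the running
 * power, (yp, yq) the accumulated result.  For a residue n the final
 * w-coefficient must be 0, which the abort() asserts.
 *
 * Fix: n ≡ 0 (mod p) is now answered with r = 0.  Previously that
 * input never returned: a^2 - n ≡ a^2 is a residue for every a, so the
 * search for a non-residue looped forever.
 */
static int
mpsqrt(mpint *n, mpint *p, mpint *r)
{
	mpint *a, *t, *s, *xp, *xq, *yp, *yq, *zp, *zq, *N;

	switch(mpleg(n, p)){
	case -1:
		return 0;	/* no square root exists */
	case 0:
		mpassign(mpzero, r);	/* n ≡ 0 (mod p): the root is 0 */
		return 1;
	}

	a = mpnew(0);
	t = mpnew(0);
	s = mpnew(0);
	N = mpnew(0);
	xp = mpnew(0);
	xq = mpnew(0);
	yp = mpnew(0);
	yq = mpnew(0);
	zp = mpnew(0);
	zq = mpnew(0);

	/* find a in (0, p) with t = a^2 - n mod p a non-residue; a is not secret */
	for(;;){
		for(;;){
			mprand(mpsignif(p), genrandom, a);
			if(mpcmp(a, mpzero) > 0 && mpcmp(a, p) < 0)
				break;
		}
		mpmul(a, a, t);
		mpsub(t, n, t);
		mpmod(t, p, t);
		if(mpleg(t, p) == -1)
			break;
	}

	/* N = (p+1)/2 */
	mpadd(p, mpone, N);
	mpright(N, 1, N);

	/* t = a^2 - n, unreduced; every product below is reduced mod p */
	mpmul(a, a, t);
	mpsub(t, n, t);

	/* x = a + w, y = 1 */
	mpassign(a, xp);
	uitomp(1, xq);
	uitomp(1, yp);
	uitomp(0, yq);

	/* square-and-multiply: y = x^N in F_p[w] */
	while(mpcmp(N, mpzero) != 0){
		if(N->p[0] & 1){
			/* y = y*x: (yp*xp + yq*xq*t, xp*yq + xq*yp) */
			mpmul(xp, yp, zp);
			mpmul(xq, yq, zq);
			mpmul(zq, t, zq);
			mpadd(zp, zq, zp);
			mpmod(zp, p, zp);
			mpmul(xp, yq, zq);
			mpmul(xq, yp, s);
			mpadd(zq, s, zq);
			mpmod(zq, p, yq);
			mpassign(zp, yp);
		}
		/* x = x*x: (xp^2 + xq^2*t, 2*xp*xq) */
		mpmul(xp, xp, zp);
		mpmul(xq, xq, zq);
		mpmul(zq, t, zq);
		mpadd(zp, zq, zp);
		mpmod(zp, p, zp);
		mpmul(xp, xq, zq);
		mpadd(zq, zq, zq);
		mpmod(zq, p, xq);
		mpassign(zp, xp);
		mpright(N, 1, N);
	}

	/* the w part must vanish for a residue n */
	if(mpcmp(yq, mpzero) != 0)
		abort();
	mpassign(yp, r);

	mpfree(a);
	mpfree(t);
	mpfree(s);
	mpfree(N);
	mpfree(xp);
	mpfree(xq);
	mpfree(yp);
	mpfree(yq);
	mpfree(zp);
	mpfree(zq);
	return 1;
}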
// extended binary gcd
//
// For a and b it solves, v = gcd(a,b) and finds x and y s.t.
// ax + by = v
//
// Handbook of Applied Cryptography, Menezes et al, 1997, pg 608.
//
// v, x and y are caller-owned outputs.  The zero cases are answered
// directly; otherwise common factors of two are pulled out first (g of
// them) and restored into v at the end.  The loop maintains
// A*a + B*b = u and C*a + D*b = v over the reduced a, b; when u reaches
// zero, (C, D) are the coefficients.
// NOTE(review): x and y can come out negative (the updates use mpsub
// freely); callers wanting a reduced inverse need to normalise — verify.
void
mpextendedgcd(mpint *a, mpint *b, mpint *v, mpint *x, mpint *y)
{
	mpint *u, *A, *B, *C, *D;
	int g;

	// gcd(0, b) = b with x = 0, y = 1
	if(a->top == 0){
		mpassign(b, v);
		mpassign(mpone, y);
		mpassign(mpzero, x);
		return;
	}
	// gcd(a, 0) = a with x = 1, y = 0
	if(b->top == 0){
		mpassign(a, v);
		mpassign(mpone, x);
		mpassign(mpzero, y);
		return;
	}

	// work on private copies; the parameters are re-pointed at them below
	g = 0;
	a = mpcopy(a);
	b = mpcopy(b);
	while(iseven(a) && iseven(b)){
		mpright(a, 1, a);
		mpright(b, 1, b);
		g++;
	}

	u = mpcopy(a);
	mpassign(b, v);
	A = mpcopy(mpone);
	B = mpcopy(mpzero);
	C = mpcopy(mpzero);
	D = mpcopy(mpone);

	for(;;) {
		// halve u while even, keeping A*a + B*b = u (adjust by (b, -a) when A or B is odd)
		while(iseven(u)){
			mpright(u, 1, u);
			if(!iseven(A) || !iseven(B)) {
				mpadd(A, b, A);
				mpsub(B, a, B);
			}
			mpright(A, 1, A);
			mpright(B, 1, B);
		}

		// same for v with C*a + D*b = v
		while(iseven(v)){
			mpright(v, 1, v);
			if(!iseven(C) || !iseven(D)) {
				mpadd(C, b, C);
				mpsub(D, a, D);
			}
			mpright(C, 1, C);
			mpright(D, 1, D);
		}

		// subtract the smaller from the larger, carrying the coefficients along
		if(mpcmp(u, v) >= 0){
			mpsub(u, v, u);
			mpsub(A, C, A);
			mpsub(B, D, B);
		} else {
			mpsub(v, u, v);
			mpsub(C, A, C);
			mpsub(D, B, D);
		}

		if(u->top == 0)
			break;
	}
	mpassign(C, x);
	mpassign(D, y);
	// put the stripped factors of two back into the gcd
	mpleft(v, g, v);
	mpfree(A);
	mpfree(B);
	mpfree(C);
	mpfree(D);
	mpfree(u);
	mpfree(a);
	mpfree(b);
}
/*
 * Miller-Rabin probabilistic primality testing
 * Knuth (1981) Seminumerical Algorithms, p.379
 * Menezes et al () Handbook, p.39
 * 0 if composite; 1 if almost surely prime, Pr(err)<1/4**nrep
 *
 * nrep <= 0 selects the default of 18 rounds; a negative n is fatal.
 * Cheap filters run first (n == 2, n < 2, even, small-prime table,
 * Fermat test to base 2), then nrep rounds each with a fresh random
 * base in [2, n-2].
 *
 * NOTE(review): the bases come from prng.  If candidates can be
 * attacker-chosen, predictable bases let a crafted composite pass every
 * round; prng's properties are not visible here — confirm.
 */
int
probably_prime(mpint *n, int nrep)
{
	int j, k, rep, nbits, isprime;
	mpint *nm1, *q, *x, *y, *r;

	if(n->sign < 0)
		sysfatal("negative prime candidate");

	if(nrep <= 0)
		nrep = 18;

	/* k is only meaningful for small n; the comparisons below rely on that */
	k = mptoi(n);
	if(k == 2)		/* 2 is prime */
		return 1;
	if(k < 2)		/* 1 is not prime */
		return 0;
	if((n->p[0] & 1) == 0)	/* even is not prime */
		return 0;

	/* test against small prime numbers */
	if(smallprimetest(n) < 0)
		return 0;

	/* fermat test, 2^n mod n == 2 if p is prime */
	x = uitomp(2, nil);
	y = mpnew(0);
	mpexp(x, n, n, y);
	k = mptoi(y);
	if(k != 2){
		mpfree(x);
		mpfree(y);
		return 0;
	}

	/* write n-1 = q * 2^k with q odd */
	nbits = mpsignif(n);
	nm1 = mpnew(nbits);
	mpsub(n, mpone, nm1);	/* nm1 = n - 1 */
	k = mplowbits0(nm1);
	q = mpnew(0);
	mpright(nm1, k, q);	/* q = (n-1)/2**k */

	for(rep = 0; rep < nrep; rep++){
		for(;;){
			/* find x = random in [2, n-2]; r mod (n-1) lands in [0, n-2] */
			r = mprand(nbits, prng, nil);
			mpmod(r, nm1, x);
			mpfree(r);
			if(mpcmp(x, mpone) > 0)
				break;
		}

		/* y = x**q mod n */
		mpexp(x, q, n, y);

		/* y == 1 or y == -1: this base passes, try the next round */
		if(mpcmp(y, mpone) == 0 || mpcmp(y, nm1) == 0)
			continue;

		/* square up to k-1 times looking for -1; hitting 1 first, or never hitting -1, proves composite */
		for(j = 1;; j++){
			if(j >= k) {
				isprime = 0;
				goto done;
			}
			mpmul(y, y, x);	/* x is only scratch from here; it is redrawn next round */
			mpmod(x, n, y);	/* y = y*y mod n */
			if(mpcmp(y, nm1) == 0)
				break;
			if(mpcmp(y, mpone) == 0){
				isprime = 0;
				goto done;
			}
		}
	}
	isprime = 1;
done:
	mpfree(y);
	mpfree(x);
	mpfree(q);
	mpfree(nm1);
	return isprime;
}
// Miller-Rabin probabilistic primality testing // Knuth (1981) Seminumerical Algorithms, p.379 // Menezes et al () Handbook, p.39 // 0 if composite; 1 if almost surely prime, Pr(err)<1/4**nrep int probably_prime(mpint *n, int nrep) { int j, k, rep, nbits, isprime = 1; mpint *nm1, *q, *x, *y, *r; if(n->sign < 0) sysfatal("negative prime candidate"); if(nrep <= 0) nrep = 18; k = mptoi(n); if(k == 2) // 2 is prime return 1; if(k < 2) // 1 is not prime return 0; if((n->p[0] & 1) == 0) // even is not prime return 0; // test against small prime numbers if(smallprimetest(n) < 0) return 0; // fermat test, 2^n mod n == 2 if p is prime x = uitomp(2, nil); y = mpnew(0); mpexp(x, n, n, y); k = mptoi(y); if(k != 2){ mpfree(x); mpfree(y); return 0; } nbits = mpsignif(n); nm1 = mpnew(nbits); mpsub(n, mpone, nm1); // nm1 = n - 1 */ k = mplowbits0(nm1); q = mpnew(0); mpright(nm1, k, q); // q = (n-1)/2**k for(rep = 0; rep < nrep; rep++){ // x = random in [2, n-2] r = mprand(nbits, prng, nil); mpmod(r, nm1, x); mpfree(r); if(mpcmp(x, mpone) <= 0) continue; // y = x**q mod n mpexp(x, q, n, y); if(mpcmp(y, mpone) == 0 || mpcmp(y, nm1) == 0) goto done; for(j = 1; j < k; j++){ mpmul(y, y, x); mpmod(x, n, y); // y = y*y mod n if(mpcmp(y, nm1) == 0) goto done; if(mpcmp(y, mpone) == 0){ isprime = 0; goto done; } } isprime = 0; } done: mpfree(y); mpfree(x); mpfree(q); mpfree(nm1); return isprime; }
/*
 * Long division: quotient = dividend / divisor, remainder = dividend % divisor.
 * Knuth, Seminumerical Algorithms, Algorithm D; the step labels D1..D7
 * in the comments refer to it.
 *
 * Either quotient or remainder may be nil to skip that result.  The
 * quotient is negative iff the operand signs differ and the remainder
 * takes the dividend's sign (truncating division).  A zero divisor is
 * fatal.  The divisor may alias quotient or remainder (it is copied in
 * that case); the dividend is copied into u before either output is
 * written.
 */
void
mpdiv(mpint *dividend, mpint *divisor, mpint *quotient, mpint *remainder)
{
	int j, s, vn, sign;
	mpdigit qd, *up, *vp, *qp;
	mpint *u, *v, *t;

	// divide by zero
	if(divisor->top == 0)
		sysfatal("mpdiv: divide by zero");

	// quick check: |dividend| < |divisor| means quotient 0, remainder dividend
	if(mpmagcmp(dividend, divisor) < 0){
		if(remainder != nil)
			mpassign(dividend, remainder);
		if(quotient != nil)
			mpassign(mpzero, quotient);
		return;
	}

	// D1: shift until divisor, v, has hi bit set (needed to make trial
	// divisor accurate)
	qd = divisor->p[divisor->top-1];
	for(s = 0; (qd & mpdighi) == 0; s++)
		qd <<= 1;

	// u gets the (shifted) dividend with room for the extra top digit added below
	u = mpnew((dividend->top+2)*Dbits + s);
	if(s == 0 && divisor != quotient && divisor != remainder) {
		// no shift needed and the divisor is not an output: use it in place
		mpassign(dividend, u);
		v = divisor;
	} else {
		mpleft(dividend, s, u);
		v = mpnew(divisor->top*Dbits);
		mpleft(divisor, s, v);
	}
	up = u->p+u->top-1;
	vp = v->p+v->top-1;
	vn = v->top;

	// D1a: make sure high digit of dividend is less than high digit of divisor
	if(*up >= *vp){
		*++up = 0;
		u->top++;
	}

	// storage for multiplies
	t = mpnew(4*Dbits);
	qp = nil;
	if(quotient != nil){
		mpbits(quotient, (u->top - v->top)*Dbits);
		quotient->top = u->top - v->top;
		qp = quotient->p+quotient->top-1;
	}

	// D2, D7: loop on length of dividend
	for(j = u->top; j > vn; j--){

		// D3: calculate trial divisor
		mpdigdiv(up-1, *vp, &qd);

		// D3a: rule out trial divisors 2 greater than real divisor
		if(vn > 1) for(;;){
			memset(t->p, 0, 3*Dbytes);	// mpvecdigmuladd adds to what's there
			mpvecdigmuladd(vp-1, 2, qd, t->p);
			if(mpveccmp(t->p, 3, up-2, 3) > 0)
				qd--;
			else
				break;
		}

		// D4: u -= v*qd << j*Dbits
		sign = mpvecdigmulsub(v->p, vn, qd, up-vn);
		if(sign < 0){

			// D6: trial divisor was too high, add back borrowed
			//	value and decrease divisor
			mpvecadd(up-vn, vn+1, v->p, vn, up-vn);
			qd--;
		}

		// D5: save quotient digit
		if(qp != nil)
			*qp-- = qd;

		// push top of u down one
		u->top--;
		*up-- = 0;
	}
	if(qp != nil){
		mpnorm(quotient);
		if(dividend->sign != divisor->sign)
			quotient->sign = -1;
	}

	if(remainder != nil){
		mpright(u, s, remainder);	// u is the remainder shifted
		remainder->sign = dividend->sign;
	}

	mpfree(t);
	mpfree(u);
	if(v != divisor)
		mpfree(v);
}