Crypto++ 8.6
Free C++ class library of cryptographic schemes
nbtheory.cpp
1// nbtheory.cpp - originally written and placed in the public domain by Wei Dai
2
3#include "pch.h"
4
5#ifndef CRYPTOPP_IMPORTS
6
7#include "nbtheory.h"
8#include "integer.h"
9#include "modarith.h"
10#include "algparam.h"
11#include "smartptr.h"
12#include "misc.h"
13#include "stdcpp.h"
14#include "trap.h"
15
16#ifdef _OPENMP
17# include <omp.h>
18#endif
19
20NAMESPACE_BEGIN(CryptoPP)
21
22const word s_lastSmallPrime = 32719;
23
24struct NewPrimeTable
25{
26 std::vector<word16> * operator()() const
27 {
28 const unsigned int maxPrimeTableSize = 3511;
29
30 member_ptr<std::vector<word16> > pPrimeTable(new std::vector<word16>);
31 std::vector<word16> &primeTable = *pPrimeTable;
32 primeTable.reserve(maxPrimeTableSize);
33
34 primeTable.push_back(2);
35 unsigned int testEntriesEnd = 1;
36
37 for (unsigned int p=3; p<=s_lastSmallPrime; p+=2)
38 {
39 unsigned int j;
40 for (j=1; j<testEntriesEnd; j++)
41 if (p%primeTable[j] == 0)
42 break;
43 if (j == testEntriesEnd)
44 {
45 primeTable.push_back(word16(p));
46 testEntriesEnd = UnsignedMin(54U, primeTable.size());
47 }
48 }
49
50 return pPrimeTable.release();
51 }
52};
53
54const word16 * GetPrimeTable(unsigned int &size)
55{
56 const std::vector<word16> &primeTable = Singleton<std::vector<word16>, NewPrimeTable>().Ref();
57 size = (unsigned int)primeTable.size();
58 return &primeTable[0];
59}
60
61bool IsSmallPrime(const Integer &p)
62{
63 unsigned int primeTableSize;
64 const word16 * primeTable = GetPrimeTable(primeTableSize);
65
66 if (p.IsPositive() && p <= primeTable[primeTableSize-1])
67 return std::binary_search(primeTable, primeTable+primeTableSize, (word16)p.ConvertToLong());
68 else
69 return false;
70}
71
72bool TrialDivision(const Integer &p, unsigned bound)
73{
74 unsigned int primeTableSize;
75 const word16 * primeTable = GetPrimeTable(primeTableSize);
76
77 CRYPTOPP_ASSERT(primeTable[primeTableSize-1] >= bound);
78
79 unsigned int i;
80 for (i = 0; primeTable[i]<bound; i++)
81 if ((p % primeTable[i]) == 0)
82 return true;
83
84 if (bound == primeTable[i])
85 return (p % bound == 0);
86 else
87 return false;
88}
89
90bool SmallDivisorsTest(const Integer &p)
91{
92 unsigned int primeTableSize;
93 const word16 * primeTable = GetPrimeTable(primeTableSize);
94 return !TrialDivision(p, primeTable[primeTableSize-1]);
95}
96
97bool IsFermatProbablePrime(const Integer &n, const Integer &b)
98{
99 if (n <= 3)
100 return n==2 || n==3;
101
102 CRYPTOPP_ASSERT(n>3 && b>1 && b<n-1);
103 return a_exp_b_mod_c(b, n-1, n)==1;
104}
105
106bool IsStrongProbablePrime(const Integer &n, const Integer &b)
107{
108 if (n <= 3)
109 return n==2 || n==3;
110
111 CRYPTOPP_ASSERT(n>3 && b>1 && b<n-1);
112
113 if ((n.IsEven() && n!=2) || GCD(b, n) != 1)
114 return false;
115
116 Integer nminus1 = (n-1);
117 unsigned int a;
118
119 // calculate a = largest power of 2 that divides (n-1)
120 for (a=0; ; a++)
121 if (nminus1.GetBit(a))
122 break;
123 Integer m = nminus1>>a;
124
125 Integer z = a_exp_b_mod_c(b, m, n);
126 if (z==1 || z==nminus1)
127 return true;
128 for (unsigned j=1; j<a; j++)
129 {
130 z = z.Squared()%n;
131 if (z==nminus1)
132 return true;
133 if (z==1)
134 return false;
135 }
136 return false;
137}
138
139bool RabinMillerTest(RandomNumberGenerator &rng, const Integer &n, unsigned int rounds)
140{
141 if (n <= 3)
142 return n==2 || n==3;
143
144 CRYPTOPP_ASSERT(n>3);
145
146 Integer b;
147 for (unsigned int i=0; i<rounds; i++)
148 {
149 b.Randomize(rng, 2, n-2);
150 if (!IsStrongProbablePrime(n, b))
151 return false;
152 }
153 return true;
154}
155
156bool IsLucasProbablePrime(const Integer &n)
157{
158 if (n <= 1)
159 return false;
160
161 if (n.IsEven())
162 return n==2;
163
164 CRYPTOPP_ASSERT(n>2);
165
166 Integer b=3;
167 unsigned int i=0;
168 int j;
169
170 while ((j=Jacobi(b.Squared()-4, n)) == 1)
171 {
172 if (++i==64 && n.IsSquare()) // avoid infinite loop if n is a square
173 return false;
174 ++b; ++b;
175 }
176
177 if (j==0)
178 return false;
179 else
180 return Lucas(n+1, b, n)==2;
181}
182
183bool IsStrongLucasProbablePrime(const Integer &n)
184{
185 if (n <= 1)
186 return false;
187
188 if (n.IsEven())
189 return n==2;
190
191 CRYPTOPP_ASSERT(n>2);
192
193 Integer b=3;
194 unsigned int i=0;
195 int j;
196
197 while ((j=Jacobi(b.Squared()-4, n)) == 1)
198 {
199 if (++i==64 && n.IsSquare()) // avoid infinite loop if n is a square
200 return false;
201 ++b; ++b;
202 }
203
204 if (j==0)
205 return false;
206
207 Integer n1 = n+1;
208 unsigned int a;
209
210 // calculate a = largest power of 2 that divides n1
211 for (a=0; ; a++)
212 if (n1.GetBit(a))
213 break;
214 Integer m = n1>>a;
215
216 Integer z = Lucas(m, b, n);
217 if (z==2 || z==n-2)
218 return true;
219 for (i=1; i<a; i++)
220 {
221 z = (z.Squared()-2)%n;
222 if (z==n-2)
223 return true;
224 if (z==2)
225 return false;
226 }
227 return false;
228}
229
230struct NewLastSmallPrimeSquared
231{
232 Integer * operator()() const
233 {
234 return new Integer(Integer(s_lastSmallPrime).Squared());
235 }
236};
237
238bool IsPrime(const Integer &p)
239{
240 if (p <= s_lastSmallPrime)
241 return IsSmallPrime(p);
242 else if (p <= Singleton<Integer, NewLastSmallPrimeSquared>().Ref())
243 return SmallDivisorsTest(p);
244 else
245 return SmallDivisorsTest(p) && IsStrongProbablePrime(p, 3) && IsStrongLucasProbablePrime(p);
246}
247
248bool VerifyPrime(RandomNumberGenerator &rng, const Integer &p, unsigned int level)
249{
250 bool pass = IsPrime(p) && RabinMillerTest(rng, p, 1);
251 if (level >= 1)
252 pass = pass && RabinMillerTest(rng, p, 10);
253 return pass;
254}
255
256unsigned int PrimeSearchInterval(const Integer &max)
257{
258 return max.BitCount();
259}
260
261static inline bool FastProbablePrimeTest(const Integer &n)
262{
263 return IsStrongProbablePrime(n,2);
264}
265
266AlgorithmParameters MakeParametersForTwoPrimesOfEqualSize(unsigned int productBitLength)
267{
268 if (productBitLength < 16)
269 throw InvalidArgument("invalid bit length");
270
271 Integer minP, maxP;
272
273 if (productBitLength%2==0)
274 {
275 minP = Integer(182) << (productBitLength/2-8);
276 maxP = Integer::Power2(productBitLength/2)-1;
277 }
278 else
279 {
280 minP = Integer::Power2((productBitLength-1)/2);
281 maxP = Integer(181) << ((productBitLength+1)/2-8);
282 }
283
284 return MakeParameters("RandomNumberType", Integer::PRIME)("Min", minP)("Max", maxP);
285}
286
287class PrimeSieve
288{
289public:
290 // delta == 1 or -1 means double sieve with p = 2*q + delta
291 PrimeSieve(const Integer &first, const Integer &last, const Integer &step, signed int delta=0);
292 bool NextCandidate(Integer &c);
293
294 void DoSieve();
295 static void SieveSingle(std::vector<bool> &sieve, word16 p, const Integer &first, const Integer &step, word16 stepInv);
296
297 Integer m_first, m_last, m_step;
298 signed int m_delta;
299 word m_next;
300 std::vector<bool> m_sieve;
301};
302
303PrimeSieve::PrimeSieve(const Integer &first, const Integer &last, const Integer &step, signed int delta)
304 : m_first(first), m_last(last), m_step(step), m_delta(delta), m_next(0)
305{
306 DoSieve();
307}
308
309bool PrimeSieve::NextCandidate(Integer &c)
310{
311 bool safe = SafeConvert(std::find(m_sieve.begin()+m_next, m_sieve.end(), false) - m_sieve.begin(), m_next);
312 CRYPTOPP_UNUSED(safe); CRYPTOPP_ASSERT(safe);
313 if (m_next == m_sieve.size())
314 {
315 m_first += long(m_sieve.size())*m_step;
316 if (m_first > m_last)
317 return false;
318 else
319 {
320 m_next = 0;
321 DoSieve();
322 return NextCandidate(c);
323 }
324 }
325 else
326 {
327 c = m_first + long(m_next)*m_step;
328 ++m_next;
329 return true;
330 }
331}
332
333void PrimeSieve::SieveSingle(std::vector<bool> &sieve, word16 p, const Integer &first, const Integer &step, word16 stepInv)
334{
335 if (stepInv)
336 {
337 size_t sieveSize = sieve.size();
338 size_t j = (word32(p-(first%p))*stepInv) % p;
339 // if the first multiple of p is p, skip it
340 if (first.WordCount() <= 1 && first + step*long(j) == p)
341 j += p;
342 for (; j < sieveSize; j += p)
343 sieve[j] = true;
344 }
345}
346
347void PrimeSieve::DoSieve()
348{
349 unsigned int primeTableSize;
350 const word16 * primeTable = GetPrimeTable(primeTableSize);
351
352 const unsigned int maxSieveSize = 32768;
353 unsigned int sieveSize = STDMIN(Integer(maxSieveSize), (m_last-m_first)/m_step+1).ConvertToLong();
354
355 m_sieve.clear();
356 m_sieve.resize(sieveSize, false);
357
358 if (m_delta == 0)
359 {
360 for (unsigned int i = 0; i < primeTableSize; ++i)
361 SieveSingle(m_sieve, primeTable[i], m_first, m_step, (word16)m_step.InverseMod(primeTable[i]));
362 }
363 else
364 {
365 CRYPTOPP_ASSERT(m_step%2==0);
366 Integer qFirst = (m_first-m_delta) >> 1;
367 Integer halfStep = m_step >> 1;
368 for (unsigned int i = 0; i < primeTableSize; ++i)
369 {
370 word16 p = primeTable[i];
371 word16 stepInv = (word16)m_step.InverseMod(p);
372 SieveSingle(m_sieve, p, m_first, m_step, stepInv);
373
374 word16 halfStepInv = 2*stepInv < p ? 2*stepInv : 2*stepInv-p;
375 SieveSingle(m_sieve, p, qFirst, halfStep, halfStepInv);
376 }
377 }
378}
379
380bool FirstPrime(Integer &p, const Integer &max, const Integer &equiv, const Integer &mod, const PrimeSelector *pSelector)
381{
382 CRYPTOPP_ASSERT(!equiv.IsNegative() && equiv < mod);
383
384 Integer gcd = GCD(equiv, mod);
385 if (gcd != Integer::One())
386 {
387 // the only possible prime p such that p%mod==equiv where GCD(mod,equiv)!=1 is GCD(mod,equiv)
388 if (p <= gcd && gcd <= max && IsPrime(gcd) && (!pSelector || pSelector->IsAcceptable(gcd)))
389 {
390 p = gcd;
391 return true;
392 }
393 else
394 return false;
395 }
396
397 unsigned int primeTableSize;
398 const word16 * primeTable = GetPrimeTable(primeTableSize);
399
400 if (p <= primeTable[primeTableSize-1])
401 {
402 const word16 *pItr;
403
404 --p;
405 if (p.IsPositive())
406 pItr = std::upper_bound(primeTable, primeTable+primeTableSize, (word)p.ConvertToLong());
407 else
408 pItr = primeTable;
409
410 while (pItr < primeTable+primeTableSize && !(*pItr%mod == equiv && (!pSelector || pSelector->IsAcceptable(*pItr))))
411 ++pItr;
412
413 if (pItr < primeTable+primeTableSize)
414 {
415 p = *pItr;
416 return p <= max;
417 }
418
419 p = primeTable[primeTableSize-1]+1;
420 }
421
422 CRYPTOPP_ASSERT(p > primeTable[primeTableSize-1]);
423
424 if (mod.IsOdd())
425 return FirstPrime(p, max, CRT(equiv, mod, 1, 2, 1), mod<<1, pSelector);
426
427 p += (equiv-p)%mod;
428
429 if (p>max)
430 return false;
431
432 PrimeSieve sieve(p, max, mod);
433
434 while (sieve.NextCandidate(p))
435 {
436 if ((!pSelector || pSelector->IsAcceptable(p)) && FastProbablePrimeTest(p) && IsPrime(p))
437 return true;
438 }
439
440 return false;
441}
442
443// the following two functions are based on code and comments provided by Preda Mihailescu
444static bool ProvePrime(const Integer &p, const Integer &q)
445{
446 CRYPTOPP_ASSERT(p < q*q*q);
447 CRYPTOPP_ASSERT(p % q == 1);
448
449// this is the Quisquater test. Numbers p having passed the Lucas - Lehmer test
450// for q and verifying p < q^3 can only be built up of two factors, both = 1 mod q,
451// or be prime. The next two lines build the discriminant of a quadratic equation
452// which holds iff p is built up of two factors (exercise ... )
453
454 Integer r = (p-1)/q;
455 if (((r%q).Squared()-4*(r/q)).IsSquare())
456 return false;
457
458 unsigned int primeTableSize;
459 const word16 * primeTable = GetPrimeTable(primeTableSize);
460
461 CRYPTOPP_ASSERT(primeTableSize >= 50);
462 for (int i=0; i<50; i++)
463 {
464 Integer b = a_exp_b_mod_c(primeTable[i], r, p);
465 if (b != 1)
466 return a_exp_b_mod_c(b, q, p) == 1;
467 }
468 return false;
469}
470
471Integer MihailescuProvablePrime(RandomNumberGenerator &rng, unsigned int pbits)
472{
473 Integer p;
474 Integer minP = Integer::Power2(pbits-1);
475 Integer maxP = Integer::Power2(pbits) - 1;
476
477 if (maxP <= Integer(s_lastSmallPrime).Squared())
478 {
479 // Randomize() will generate a prime provable by trial division
480 p.Randomize(rng, minP, maxP, Integer::PRIME);
481 return p;
482 }
483
484 unsigned int qbits = (pbits+2)/3 + 1 + rng.GenerateWord32(0, pbits/36);
485 Integer q = MihailescuProvablePrime(rng, qbits);
486 Integer q2 = q<<1;
487
488 while (true)
489 {
490 // this initializes the sieve to search in the arithmetic
491 // progression p = p_0 + \lambda * q2 = p_0 + 2 * \lambda * q,
492 // with q the recursively generated prime above. We will be able
493 // to use Lucas tets for proving primality. A trick of Quisquater
494 // allows taking q > cubic_root(p) rather than square_root: this
495 // decreases the recursion.
496
497 p.Randomize(rng, minP, maxP, Integer::ANY, 1, q2);
498 PrimeSieve sieve(p, STDMIN(p+PrimeSearchInterval(maxP)*q2, maxP), q2);
499
500 while (sieve.NextCandidate(p))
501 {
502 if (FastProbablePrimeTest(p) && ProvePrime(p, q))
503 return p;
504 }
505 }
506
507 // not reached
508 return p;
509}
510
511Integer MaurerProvablePrime(RandomNumberGenerator &rng, unsigned int bits)
512{
513 const unsigned smallPrimeBound = 29, c_opt=10;
514 Integer p;
515
516 unsigned int primeTableSize;
517 const word16 * primeTable = GetPrimeTable(primeTableSize);
518
519 if (bits < smallPrimeBound)
520 {
521 do
522 p.Randomize(rng, Integer::Power2(bits-1), Integer::Power2(bits)-1, Integer::ANY, 1, 2);
523 while (TrialDivision(p, 1 << ((bits+1)/2)));
524 }
525 else
526 {
527 const unsigned margin = bits > 50 ? 20 : (bits-10)/2;
528 double relativeSize;
529 do
530 relativeSize = std::pow(2.0, double(rng.GenerateWord32())/0xffffffff - 1);
531 while (bits * relativeSize >= bits - margin);
532
533 Integer a,b;
534 Integer q = MaurerProvablePrime(rng, unsigned(bits*relativeSize));
535 Integer I = Integer::Power2(bits-2)/q;
536 Integer I2 = I << 1;
537 unsigned int trialDivisorBound = (unsigned int)STDMIN((unsigned long)primeTable[primeTableSize-1], (unsigned long)bits*bits/c_opt);
538 bool success = false;
539 while (!success)
540 {
541 p.Randomize(rng, I, I2, Integer::ANY);
542 p *= q; p <<= 1; ++p;
543 if (!TrialDivision(p, trialDivisorBound))
544 {
545 a.Randomize(rng, 2, p-1, Integer::ANY);
546 b = a_exp_b_mod_c(a, (p-1)/q, p);
547 success = (GCD(b-1, p) == 1) && (a_exp_b_mod_c(b, q, p) == 1);
548 }
549 }
550 }
551 return p;
552}
553
554Integer CRT(const Integer &xp, const Integer &p, const Integer &xq, const Integer &q, const Integer &u)
555{
556 // Callers must ensure p and q are prime, GH #1249
557 CRYPTOPP_ASSERT(IsPrime(p) && IsPrime(q));
558
559 // isn't operator overloading great?
560 return p * (u * (xq-xp) % q) + xp;
561/*
562 Integer t1 = xq-xp;
563 cout << hex << t1 << endl;
564 Integer t2 = u * t1;
565 cout << hex << t2 << endl;
566 Integer t3 = t2 % q;
567 cout << hex << t3 << endl;
568 Integer t4 = p * t3;
569 cout << hex << t4 << endl;
570 Integer t5 = t4 + xp;
571 cout << hex << t5 << endl;
572 return t5;
573*/
574}
575
576Integer ModularSquareRoot(const Integer &a, const Integer &p)
577{
578 // Callers must ensure p is prime, GH #1249
579 CRYPTOPP_ASSERT(IsPrime(p));
580
581 if (p%4 == 3)
582 return a_exp_b_mod_c(a, (p+1)/4, p);
583
584 Integer q=p-1;
585 unsigned int r=0;
586 while (q.IsEven())
587 {
588 r++;
589 q >>= 1;
590 }
591
592 Integer n=2;
593 while (Jacobi(n, p) != -1)
594 ++n;
595
596 Integer y = a_exp_b_mod_c(n, q, p);
597 Integer x = a_exp_b_mod_c(a, (q-1)/2, p);
598 Integer b = (x.Squared()%p)*a%p;
599 x = a*x%p;
600 Integer tempb, t;
601
602 while (b != 1)
603 {
604 unsigned m=0;
605 tempb = b;
606 do
607 {
608 m++;
609 b = b.Squared()%p;
610 if (m==r)
611 return Integer::Zero();
612 }
613 while (b != 1);
614
615 t = y;
616 for (unsigned i=0; i<r-m-1; i++)
617 t = t.Squared()%p;
618 y = t.Squared()%p;
619 r = m;
620 x = x*t%p;
621 b = tempb*y%p;
622 }
623
624 CRYPTOPP_ASSERT(x.Squared()%p == a);
625 return x;
626}
627
628bool SolveModularQuadraticEquation(Integer &r1, Integer &r2, const Integer &a, const Integer &b, const Integer &c, const Integer &p)
629{
630 // Callers must ensure p is prime, GH #1249
631 CRYPTOPP_ASSERT(IsPrime(p));
632
633 Integer D = (b.Squared() - 4*a*c) % p;
634 switch (Jacobi(D, p))
635 {
636 default:
637 CRYPTOPP_ASSERT(false); // not reached
638 return false;
639 case -1:
640 return false;
641 case 0:
642 r1 = r2 = (-b*(a+a).InverseMod(p)) % p;
643 CRYPTOPP_ASSERT(((r1.Squared()*a + r1*b + c) % p).IsZero());
644 return true;
645 case 1:
646 Integer s = ModularSquareRoot(D, p);
647 Integer t = (a+a).InverseMod(p);
648 r1 = (s-b)*t % p;
649 r2 = (-s-b)*t % p;
650 CRYPTOPP_ASSERT(((r1.Squared()*a + r1*b + c) % p).IsZero());
651 CRYPTOPP_ASSERT(((r2.Squared()*a + r2*b + c) % p).IsZero());
652 return true;
653 }
654}
655
656Integer ModularRoot(const Integer &a, const Integer &dp, const Integer &dq,
657 const Integer &p, const Integer &q, const Integer &u)
658{
659 // Callers must ensure p and q are prime, GH #1249
660 CRYPTOPP_ASSERT(IsPrime(p) && IsPrime(q));
661
662 // GCC warning bug, https://stackoverflow.com/q/12842306/608639
663#ifdef _OPENMP
664 Integer p2, q2;
665 #pragma omp parallel
666 #pragma omp sections
667 {
668 #pragma omp section
669 p2 = ModularExponentiation((a % p), dp, p);
670 #pragma omp section
671 q2 = ModularExponentiation((a % q), dq, q);
672 }
673#else
674 const Integer p2 = ModularExponentiation((a % p), dp, p);
675 const Integer q2 = ModularExponentiation((a % q), dq, q);
676#endif
677
678 return CRT(p2, p, q2, q, u);
679}
680
681Integer ModularRoot(const Integer &a, const Integer &e,
682 const Integer &p, const Integer &q)
683{
684 // Callers must ensure p and q are prime, GH #1249
685 CRYPTOPP_ASSERT(IsPrime(p) && IsPrime(q));
686
687 Integer dp = EuclideanMultiplicativeInverse(e, p-1);
688 Integer dq = EuclideanMultiplicativeInverse(e, q-1);
689 Integer u = EuclideanMultiplicativeInverse(p, q);
690 CRYPTOPP_ASSERT(!!dp && !!dq && !!u);
691 return ModularRoot(a, dp, dq, p, q, u);
692}
693
694/*
695Integer GCDI(const Integer &x, const Integer &y)
696{
697 Integer a=x, b=y;
698 unsigned k=0;
699
700 CRYPTOPP_ASSERT(!!a && !!b);
701
702 while (a[0]==0 && b[0]==0)
703 {
704 a >>= 1;
705 b >>= 1;
706 k++;
707 }
708
709 while (a[0]==0)
710 a >>= 1;
711
712 while (b[0]==0)
713 b >>= 1;
714
715 while (1)
716 {
717 switch (a.Compare(b))
718 {
719 case -1:
720 b -= a;
721 while (b[0]==0)
722 b >>= 1;
723 break;
724
725 case 0:
726 return (a <<= k);
727
728 case 1:
729 a -= b;
730 while (a[0]==0)
731 a >>= 1;
732 break;
733
734 default:
735 CRYPTOPP_ASSERT(false);
736 }
737 }
738}
739
740Integer EuclideanMultiplicativeInverse(const Integer &a, const Integer &b)
741{
742 CRYPTOPP_ASSERT(b.Positive());
743
744 if (a.Negative())
745 return EuclideanMultiplicativeInverse(a%b, b);
746
747 if (b[0]==0)
748 {
749 if (!b || a[0]==0)
750 return Integer::Zero(); // no inverse
751 if (a==1)
752 return 1;
753 Integer u = EuclideanMultiplicativeInverse(b, a);
754 if (!u)
755 return Integer::Zero(); // no inverse
756 else
757 return (b*(a-u)+1)/a;
758 }
759
760 Integer u=1, d=a, v1=b, v3=b, t1, t3, b2=(b+1)>>1;
761
762 if (a[0])
763 {
764 t1 = Integer::Zero();
765 t3 = -b;
766 }
767 else
768 {
769 t1 = b2;
770 t3 = a>>1;
771 }
772
773 while (!!t3)
774 {
775 while (t3[0]==0)
776 {
777 t3 >>= 1;
778 if (t1[0]==0)
779 t1 >>= 1;
780 else
781 {
782 t1 >>= 1;
783 t1 += b2;
784 }
785 }
786 if (t3.Positive())
787 {
788 u = t1;
789 d = t3;
790 }
791 else
792 {
793 v1 = b-t1;
794 v3 = -t3;
795 }
796 t1 = u-v1;
797 t3 = d-v3;
798 if (t1.Negative())
799 t1 += b;
800 }
801 if (d==1)
802 return u;
803 else
804 return Integer::Zero(); // no inverse
805}
806*/
807
808int Jacobi(const Integer &aIn, const Integer &bIn)
809{
810 CRYPTOPP_ASSERT(bIn.IsOdd());
811
812 Integer b = bIn, a = aIn%bIn;
813 int result = 1;
814
815 while (!!a)
816 {
817 unsigned i=0;
818 while (a.GetBit(i)==0)
819 i++;
820 a>>=i;
821
822 if (i%2==1 && (b%8==3 || b%8==5))
823 result = -result;
824
825 if (a%4==3 && b%4==3)
826 result = -result;
827
828 std::swap(a, b);
829 a %= b;
830 }
831
832 return (b==1) ? result : 0;
833}
834
835Integer Lucas(const Integer &e, const Integer &pIn, const Integer &n)
836{
837 unsigned i = e.BitCount();
838 if (i==0)
839 return Integer::Two();
840
841 MontgomeryRepresentation m(n);
842 Integer p=m.ConvertIn(pIn%n), two=m.ConvertIn(Integer::Two());
843 Integer v=p, v1=m.Subtract(m.Square(p), two);
844
845 i--;
846 while (i--)
847 {
848 if (e.GetBit(i))
849 {
850 // v = (v*v1 - p) % m;
851 v = m.Subtract(m.Multiply(v,v1), p);
852 // v1 = (v1*v1 - 2) % m;
853 v1 = m.Subtract(m.Square(v1), two);
854 }
855 else
856 {
857 // v1 = (v*v1 - p) % m;
858 v1 = m.Subtract(m.Multiply(v,v1), p);
859 // v = (v*v - 2) % m;
860 v = m.Subtract(m.Square(v), two);
861 }
862 }
863 return m.ConvertOut(v);
864}
865
866// This is Peter Montgomery's unpublished Lucas sequence evalutation algorithm.
867// The total number of multiplies and squares used is less than the binary
868// algorithm (see above). Unfortunately I can't get it to run as fast as
869// the binary algorithm because of the extra overhead.
870/*
871Integer Lucas(const Integer &n, const Integer &P, const Integer &modulus)
872{
873 if (!n)
874 return 2;
875
876#define f(A, B, C) m.Subtract(m.Multiply(A, B), C)
877#define X2(A) m.Subtract(m.Square(A), two)
878#define X3(A) m.Multiply(A, m.Subtract(m.Square(A), three))
879
880 MontgomeryRepresentation m(modulus);
881 Integer two=m.ConvertIn(2), three=m.ConvertIn(3);
882 Integer A=m.ConvertIn(P), B, C, p, d=n, e, r, t, T, U;
883
884 while (d!=1)
885 {
886 p = d;
887 unsigned int b = WORD_BITS * p.WordCount();
888 Integer alpha = (Integer(5)<<(2*b-2)).SquareRoot() - Integer::Power2(b-1);
889 r = (p*alpha)>>b;
890 e = d-r;
891 B = A;
892 C = two;
893 d = r;
894
895 while (d!=e)
896 {
897 if (d<e)
898 {
899 swap(d, e);
900 swap(A, B);
901 }
902
903 unsigned int dm2 = d[0], em2 = e[0];
904 unsigned int dm3 = d%3, em3 = e%3;
905
906// if ((dm6+em6)%3 == 0 && d <= e + (e>>2))
907 if ((dm3+em3==0 || dm3+em3==3) && (t = e, t >>= 2, t += e, d <= t))
908 {
909 // #1
910// t = (d+d-e)/3;
911// t = d; t += d; t -= e; t /= 3;
912// e = (e+e-d)/3;
913// e += e; e -= d; e /= 3;
914// d = t;
915
916// t = (d+e)/3
917 t = d; t += e; t /= 3;
918 e -= t;
919 d -= t;
920
921 T = f(A, B, C);
922 U = f(T, A, B);
923 B = f(T, B, A);
924 A = U;
925 continue;
926 }
927
928// if (dm6 == em6 && d <= e + (e>>2))
929 if (dm3 == em3 && dm2 == em2 && (t = e, t >>= 2, t += e, d <= t))
930 {
931 // #2
932// d = (d-e)>>1;
933 d -= e; d >>= 1;
934 B = f(A, B, C);
935 A = X2(A);
936 continue;
937 }
938
939// if (d <= (e<<2))
940 if (d <= (t = e, t <<= 2))
941 {
942 // #3
943 d -= e;
944 C = f(A, B, C);
945 swap(B, C);
946 continue;
947 }
948
949 if (dm2 == em2)
950 {
951 // #4
952// d = (d-e)>>1;
953 d -= e; d >>= 1;
954 B = f(A, B, C);
955 A = X2(A);
956 continue;
957 }
958
959 if (dm2 == 0)
960 {
961 // #5
962 d >>= 1;
963 C = f(A, C, B);
964 A = X2(A);
965 continue;
966 }
967
968 if (dm3 == 0)
969 {
970 // #6
971// d = d/3 - e;
972 d /= 3; d -= e;
973 T = X2(A);
974 C = f(T, f(A, B, C), C);
975 swap(B, C);
976 A = f(T, A, A);
977 continue;
978 }
979
980 if (dm3+em3==0 || dm3+em3==3)
981 {
982 // #7
983// d = (d-e-e)/3;
984 d -= e; d -= e; d /= 3;
985 T = f(A, B, C);
986 B = f(T, A, B);
987 A = X3(A);
988 continue;
989 }
990
991 if (dm3 == em3)
992 {
993 // #8
994// d = (d-e)/3;
995 d -= e; d /= 3;
996 T = f(A, B, C);
997 C = f(A, C, B);
998 B = T;
999 A = X3(A);
1000 continue;
1001 }
1002
1003 CRYPTOPP_ASSERT(em2 == 0);
1004 // #9
1005 e >>= 1;
1006 C = f(C, B, A);
1007 B = X2(B);
1008 }
1009
1010 A = f(A, B, C);
1011 }
1012
1013#undef f
1014#undef X2
1015#undef X3
1016
1017 return m.ConvertOut(A);
1018}
1019*/
1020
1021Integer InverseLucas(const Integer &e, const Integer &m, const Integer &p, const Integer &q, const Integer &u)
1022{
1023 // Callers must ensure p and q are prime, GH #1249
1024 CRYPTOPP_ASSERT(IsPrime(p) && IsPrime(q));
1025
1026 // GCC warning bug, https://stackoverflow.com/q/12842306/608639
1027#ifdef _OPENMP
1028 Integer d = (m*m-4), p2, q2;
1029 #pragma omp parallel
1030 #pragma omp sections
1031 {
1032 #pragma omp section
1033 {
1034 p2 = p-Jacobi(d,p);
1035 p2 = Lucas(EuclideanMultiplicativeInverse(e,p2), m, p);
1036 }
1037 #pragma omp section
1038 {
1039 q2 = q-Jacobi(d,q);
1040 q2 = Lucas(EuclideanMultiplicativeInverse(e,q2), m, q);
1041 }
1042 }
1043#else
1044 const Integer d = (m*m-4);
1045 const Integer t1 = p-Jacobi(d,p);
1046 const Integer p2 = Lucas(EuclideanMultiplicativeInverse(e,t1), m, p);
1047
1048 const Integer t2 = q-Jacobi(d,q);
1049 const Integer q2 = Lucas(EuclideanMultiplicativeInverse(e,t2), m, q);
1050#endif
1051
1052 return CRT(p2, p, q2, q, u);
1053}
1054
1055unsigned int FactoringWorkFactor(unsigned int n)
1056{
1057 // extrapolated from the table in Odlyzko's "The Future of Integer Factorization"
1058 // updated to reflect the factoring of RSA-130
1059 if (n<5) return 0;
1060 else return (unsigned int)(2.4 * std::pow((double)n, 1.0/3.0) * std::pow(log(double(n)), 2.0/3.0) - 5);
1061}
1062
1063unsigned int DiscreteLogWorkFactor(unsigned int n)
1064{
1065 // assuming discrete log takes about the same time as factoring
1066 if (n<5) return 0;
1067 else return (unsigned int)(2.4 * std::pow((double)n, 1.0/3.0) * std::pow(log(double(n)), 2.0/3.0) - 5);
1068}
1069
1070// ********************************************************
1071
1072void PrimeAndGenerator::Generate(signed int delta, RandomNumberGenerator &rng, unsigned int pbits, unsigned int qbits)
1073{
1074 // no prime exists for delta = -1, qbits = 4, and pbits = 5
1075 CRYPTOPP_ASSERT(qbits > 4);
1076 CRYPTOPP_ASSERT(pbits > qbits);
1077
1078 if (qbits+1 == pbits)
1079 {
1080 Integer minP = Integer::Power2(pbits-1);
1081 Integer maxP = Integer::Power2(pbits) - 1;
1082 bool success = false;
1083
1084 while (!success)
1085 {
1086 p.Randomize(rng, minP, maxP, Integer::ANY, 6+5*delta, 12);
1087 PrimeSieve sieve(p, STDMIN(p+PrimeSearchInterval(maxP)*12, maxP), 12, delta);
1088
1089 while (sieve.NextCandidate(p))
1090 {
1091 CRYPTOPP_ASSERT(IsSmallPrime(p) || SmallDivisorsTest(p));
1092 q = (p-delta) >> 1;
1093 CRYPTOPP_ASSERT(IsSmallPrime(q) || SmallDivisorsTest(q));
1094 if (FastProbablePrimeTest(q) && FastProbablePrimeTest(p) && IsPrime(q) && IsPrime(p))
1095 {
1096 success = true;
1097 break;
1098 }
1099 }
1100 }
1101
1102 if (delta == 1)
1103 {
1104 // find g such that g is a quadratic residue mod p, then g has order q
1105 // g=4 always works, but this way we get the smallest quadratic residue (other than 1)
1106 for (g=2; Jacobi(g, p) != 1; ++g) {}
1107 // contributed by Walt Tuvell: g should be the following according to the Law of Quadratic Reciprocity
1108 CRYPTOPP_ASSERT((p%8==1 || p%8==7) ? g==2 : (p%12==1 || p%12==11) ? g==3 : g==4);
1109 }
1110 else
1111 {
1112 CRYPTOPP_ASSERT(delta == -1);
1113 // find g such that g*g-4 is a quadratic non-residue,
1114 // and such that g has order q
1115 for (g=3; ; ++g)
1116 if (Jacobi(g*g-4, p)==-1 && Lucas(q, g, p)==2)
1117 break;
1118 }
1119 }
1120 else
1121 {
1122 Integer minQ = Integer::Power2(qbits-1);
1123 Integer maxQ = Integer::Power2(qbits) - 1;
1124 Integer minP = Integer::Power2(pbits-1);
1125 Integer maxP = Integer::Power2(pbits) - 1;
1126
1127 do
1128 {
1129 q.Randomize(rng, minQ, maxQ, Integer::PRIME);
1130 } while (!p.Randomize(rng, minP, maxP, Integer::PRIME, delta%q, q));
1131
1132 // find a random g of order q
1133 if (delta==1)
1134 {
1135 do
1136 {
1137 Integer h(rng, 2, p-2, Integer::ANY);
1138 g = a_exp_b_mod_c(h, (p-1)/q, p);
1139 } while (g <= 1);
1140 CRYPTOPP_ASSERT(a_exp_b_mod_c(g, q, p)==1);
1141 }
1142 else
1143 {
1144 CRYPTOPP_ASSERT(delta==-1);
1145 do
1146 {
1147 Integer h(rng, 3, p-1, Integer::ANY);
1148 if (Jacobi(h*h-4, p)==1)
1149 continue;
1150 g = Lucas((p+1)/q, h, p);
1151 } while (g <= 2);
1152 CRYPTOPP_ASSERT(Lucas(q, g, p) == 2);
1153 }
1154 }
1155}
1156
1157NAMESPACE_END
1158
1159#endif
algparam.h
Classes for working with NameValuePairs.
MakeParameters
AlgorithmParameters MakeParameters(const char *name, const T &value, bool throwIfNotUsed=true)
Create an object that implements NameValuePairs.
Definition: algparam.h:508
AlgorithmParameters
An object that implements NameValuePairs.
Definition: algparam.h:426
Integer
Multiple precision integer with arithmetic operations.
Definition: integer.h:50
Integer::GetBit
bool GetBit(size_t i) const
Provides the i-th bit of the Integer.
Integer::IsPositive
bool IsPositive() const
Determines if the Integer is positive.
Definition: integer.h:345
Integer::ConvertToLong
signed long ConvertToLong() const
Convert the Integer to Long.
Integer::IsSquare
bool IsSquare() const
Determine whether this integer is a perfect square.
Integer::Zero
static const Integer & Zero()
Integer representing 0.
Integer::Randomize
void Randomize(RandomNumberGenerator &rng, size_t bitCount)
Set this Integer to random integer.
Integer::Power2
static Integer Power2(size_t e)
Exponentiates to a power of 2.
Integer::Squared
Integer Squared() const
Multiply this integer by itself.
Definition: integer.h:631
Integer::BitCount
unsigned int BitCount() const
Determines the number of bits required to represent the Integer.
Integer::WordCount
unsigned int WordCount() const
Determines the number of words required to represent the Integer.
Integer::ANY
@ ANY
a number with no special properties
Definition: integer.h:93
Integer::PRIME
@ PRIME
a number which is probabilistically prime
Definition: integer.h:95
Integer::Two
static const Integer & Two()
Integer representing 2.
Integer::IsNegative
bool IsNegative() const
Determines if the Integer is negative.
Definition: integer.h:339
Integer::IsOdd
bool IsOdd() const
Determines if the Integer is odd parity.
Definition: integer.h:354
Integer::InverseMod
Integer InverseMod(const Integer &n) const
Calculate multiplicative inverse.
Integer::One
static const Integer & One()
Integer representing 1.
Integer::IsEven
bool IsEven() const
Determines if the Integer is even parity.
Definition: integer.h:351
InvalidArgument
An invalid argument was detected.
Definition: cryptlib.h:203
MontgomeryRepresentation
Performs modular arithmetic in Montgomery representation for increased speed.
Definition: modarith.h:296
PrimeAndGenerator::Generate
void Generate(signed int delta, RandomNumberGenerator &rng, unsigned int pbits, unsigned qbits)
Generate a Prime and Generator.
PrimeSelector
Application callback to signal suitability of a cabdidate prime.
Definition: nbtheory.h:114
RandomNumberGenerator
Interface for random number generators.
Definition: cryptlib.h:1435
RandomNumberGenerator::GenerateWord32
virtual word32 GenerateWord32(word32 min=0, word32 max=0xffffffffUL)
Generate a random 32 bit word in the range min to max, inclusive.
Singleton
Restricts the instantiation of a class to one static object without locks.
Definition: misc.h:307
member_ptr
Pointer that overloads operator ->
Definition: smartptr.h:38
word
word64 word
Full word used for multiprecision integer arithmetic.
Definition: config_int.h:182
word32
unsigned int word32
32-bit unsigned datatype
Definition: config_int.h:62
word16
unsigned short word16
16-bit unsigned datatype
Definition: config_int.h:59
integer.h
Multiple precision integer with arithmetic operations.
misc.h
Utility functions for the Crypto++ library.
STDMIN
const T & STDMIN(const T &a, const T &b)
Replacement function for std::min.
Definition: misc.h:655
SafeConvert
bool SafeConvert(T1 from, T2 &to)
Tests whether a conversion from -> to is safe to perform.
Definition: misc.h:710
UnsignedMin
const T1 UnsignedMin(const T1 &a, const T2 &b)
Safe comparison of values that could be negative and incorrectly promoted.
Definition: misc.h:694
modarith.h
Class file for performing modular arithmetic.
CryptoPP
Crypto++ library namespace.
nbtheory.h
Classes and functions for number theoretic operations.
Jacobi
CRYPTOPP_DLL int Jacobi(const Integer &a, const Integer &b)
Calculate the Jacobi symbol.
IsPrime
CRYPTOPP_DLL bool IsPrime(const Integer &p)
Verifies a number is probably prime.
GetPrimeTable
CRYPTOPP_DLL const word16 * GetPrimeTable(unsigned int &size)
The Small Prime table.
MihailescuProvablePrime
CRYPTOPP_DLL Integer MihailescuProvablePrime(RandomNumberGenerator &rng, unsigned int bits)
Generates a provable prime.
IsStrongLucasProbablePrime
CRYPTOPP_DLL bool IsStrongLucasProbablePrime(const Integer &n)
Determine if a number is probably prime.
DiscreteLogWorkFactor
CRYPTOPP_DLL unsigned int DiscreteLogWorkFactor(unsigned int bitlength)
Estimate work factor.
ModularExponentiation
Integer ModularExponentiation(const Integer &x, const Integer &e, const Integer &m)
Modular exponentiation.
Definition: nbtheory.h:216
ModularSquareRoot
CRYPTOPP_DLL Integer ModularSquareRoot(const Integer &a, const Integer &p)
Extract a modular square root.
IsSmallPrime
CRYPTOPP_DLL bool IsSmallPrime(const Integer &p)
Tests whether a number is a small prime.
SolveModularQuadraticEquation
CRYPTOPP_DLL bool SolveModularQuadraticEquation(Integer &r1, Integer &r2, const Integer &a, const Integer &b, const Integer &c, const Integer &p)
Solve a Modular Quadratic Equation.
RabinMillerTest
CRYPTOPP_DLL bool RabinMillerTest(RandomNumberGenerator &rng, const Integer &n, unsigned int rounds)
Determine if a number is probably prime.
MaurerProvablePrime
CRYPTOPP_DLL Integer MaurerProvablePrime(RandomNumberGenerator &rng, unsigned int bits)
Generates a provable prime.
Lucas
CRYPTOPP_DLL Integer Lucas(const Integer &e, const Integer &p, const Integer &n)
Calculate the Lucas value.
InverseLucas
CRYPTOPP_DLL Integer InverseLucas(const Integer &e, const Integer &m, const Integer &p, const Integer &q, const Integer &u)
Calculate the inverse Lucas value.
VerifyPrime
CRYPTOPP_DLL bool VerifyPrime(RandomNumberGenerator &rng, const Integer &p, unsigned int level=1)
Verifies a number is probably prime.
ModularRoot
CRYPTOPP_DLL Integer ModularRoot(const Integer &a, const Integer &dp, const Integer &dq, const Integer &p, const Integer &q, const Integer &u)
Extract a modular root.
EuclideanMultiplicativeInverse
Integer EuclideanMultiplicativeInverse(const Integer &a, const Integer &b)
Calculate multiplicative inverse.
Definition: nbtheory.h:166
SmallDivisorsTest
CRYPTOPP_DLL bool SmallDivisorsTest(const Integer &p)
Tests whether a number is divisible by a small prime.
IsLucasProbablePrime
CRYPTOPP_DLL bool IsLucasProbablePrime(const Integer &n)
Determine if a number is probably prime.
GCD
Integer GCD(const Integer &a, const Integer &b)
Calculate the greatest common divisor.
Definition: nbtheory.h:143
TrialDivision
CRYPTOPP_DLL bool TrialDivision(const Integer &p, unsigned bound)
Tests whether a number is divisible by a small prime.
FactoringWorkFactor
CRYPTOPP_DLL unsigned int FactoringWorkFactor(unsigned int bitlength)
Estimate work factor.
IsFermatProbablePrime
CRYPTOPP_DLL bool IsFermatProbablePrime(const Integer &n, const Integer &b)
Determine if a number is probably prime.
CRT
CRYPTOPP_DLL Integer CRT(const Integer &xp, const Integer &p, const Integer &xq, const Integer &q, const Integer &u)
Chinese Remainder Theorem.
IsStrongProbablePrime
CRYPTOPP_DLL bool IsStrongProbablePrime(const Integer &n, const Integer &b)
Determine if a number is probably prime.
FirstPrime
CRYPTOPP_DLL bool FirstPrime(Integer &p, const Integer &max, const Integer &equiv, const Integer &mod, const PrimeSelector *pSelector)
Finds a random prime of special form.
pch.h
Precompiled header file.
smartptr.h
Classes for automatic resource management.
stdcpp.h
Common C++ header files.
trap.h
Debugging and diagnostic assertions.
CRYPTOPP_ASSERT
#define CRYPTOPP_ASSERT(exp)
Debugging and diagnostic assertion.
Definition: trap.h:68
Generated on Thu Dec 25 2025 00:00:00 for Crypto++ by doxygen 1.9.6