/src/botan/src/lib/math/numbertheory/make_prm.cpp

Source (jump to first uncovered line)
/*
* Prime Generation
* (C) 1999-2007,2018 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/numthry.h>
#include <botan/rng.h>
#include <botan/internal/bit_ops.h>
#include <botan/loadstor.h>
#include <algorithm>

namespace Botan {

namespace {

class Prime_Sieve final
   {
   public:
      Prime_Sieve(const BigInt& init_value, size_t sieve_size) :
         m_sieve(std::min(sieve_size, PRIME_TABLE_SIZE))
         {
         for(size_t i = 0; i != m_sieve.size(); ++i)
            m_sieve[i] = static_cast<uint16_t>(init_value % PRIMES[i]);
         }

      void step(word increment)
         {
         for(size_t i = 0; i != m_sieve.size(); ++i)
            {
            m_sieve[i] = (m_sieve[i] + increment) % PRIMES[i];
            }
         }

      bool passes(bool check_2p1 = false) const
         {
         for(size_t i = 0; i != m_sieve.size(); ++i)
            {
            /*
            In this case, p is a multiple of PRIMES[i]
            */
            if(m_sieve[i] == 0)
               return false;

            if(check_2p1)
               {
               /*
               In this case, 2*p+1 will be a multiple of PRIMES[i]

               So if potentially generating a safe prime, we want to
               avoid this value because 2*p+1 will certainly not be prime.

               See "Safe Prime Generation with a Combined Sieve" M. Wiener
               https://eprint.iacr.org/2003/186.pdf
               */
               if(m_sieve[i] == (PRIMES[i] - 1) / 2)
                  return false;
               }
            }

         return true;
         }

   private:
      std::vector<uint16_t> m_sieve;
   };

}


/*
* Generate a random prime
*/
BigInt random_prime(RandomNumberGenerator& rng,
                    size_t bits, const BigInt& coprime,
                    size_t equiv, size_t modulo,
                    size_t prob)
   {
   if(coprime.is_negative())
      {
      throw Invalid_Argument("random_prime: coprime must be >= 0");
      }
   if(modulo == 0)
      {
      throw Invalid_Argument("random_prime: Invalid modulo value");
      }

   equiv %= modulo;

   if(equiv == 0)
      throw Invalid_Argument("random_prime Invalid value for equiv/modulo");

   // Handle small values:
   if(bits <= 1)
      {
      throw Invalid_Argument("random_prime: Can't make a prime of " +
                             std::to_string(bits) + " bits");
      }
   else if(bits == 2)
      {
      return ((rng.next_byte() % 2) ? 2 : 3);
      }
   else if(bits == 3)
      {
      return ((rng.next_byte() % 2) ? 5 : 7);
      }
   else if(bits == 4)
      {
      return ((rng.next_byte() % 2) ? 11 : 13);
      }
   else if(bits <= 16)
      {
      for(;;)
         {
         // This is slightly biased, but for small primes it does not seem to matter
         const uint8_t b0 = rng.next_byte();
         const uint8_t b1 = rng.next_byte();
         const size_t idx = make_uint16(b0, b1) % PRIME_TABLE_SIZE;
         const uint16_t small_prime = PRIMES[idx];

         if(high_bit(small_prime) == bits)
            return small_prime;
         }
      }

   const size_t MAX_ATTEMPTS = 32*1024;

   while(true)
      {
      BigInt p(rng, bits);

      // Force lowest and two top bits on
      p.set_bit(bits - 1);
      p.set_bit(bits - 2);
      p.set_bit(0);

      // Force p to be equal to equiv mod modulo
      p += (modulo - (p % modulo)) + equiv;

      Prime_Sieve sieve(p, bits);

      size_t counter = 0;
      while(true)
         {
         ++counter;

         if(counter > MAX_ATTEMPTS)
            {
            break; // don't try forever, choose a new starting point
            }

         p += modulo;

         sieve.step(modulo);

         if(sieve.passes(true) == false)
            continue;

         if(coprime > 1)
            {
            /*
            * Check if gcd(p - 1, coprime) != 1 by computing the inverse. The
            * gcd algorithm is not constant time, but modular inverse is (for
            * odd modulus anyway). This avoids a side channel attack against RSA
            * key generation, though RSA keygen should be using generate_rsa_prime.
            */
            if(inverse_mod(p - 1, coprime).is_zero())
               continue;
            }

         if(p.bits() > bits)
            break;

         if(is_prime(p, rng, prob, true))
            return p;
         }
      }
   }

BigInt generate_rsa_prime(RandomNumberGenerator& keygen_rng,
                          RandomNumberGenerator& prime_test_rng,
                          size_t bits,
                          const BigInt& coprime,
                          size_t prob)
   {
   if(bits < 512)
      throw Invalid_Argument("generate_rsa_prime bits too small");

   /*
   * The restriction on coprime <= 64 bits is arbitrary but generally speaking
   * very large RSA public exponents are a bad idea both for performance and due
   * to attacks on small d.
   */
   if(coprime <= 1 || coprime.is_even() || coprime.bits() > 64)
      throw Invalid_Argument("generate_rsa_prime coprime must be small odd positive integer");

   const size_t MAX_ATTEMPTS = 32*1024;

   while(true)
      {
      BigInt p(keygen_rng, bits);

      // Force lowest and two top bits on
      p.set_bit(bits - 1);
      p.set_bit(bits - 2);
      p.set_bit(0);

      Prime_Sieve sieve(p, bits);

      const word step = 2;

      size_t counter = 0;
      while(true)
         {
         ++counter;

         if(counter > MAX_ATTEMPTS)
            {
            break; // don't try forever, choose a new starting point
            }

         p += step;

         sieve.step(step);

         if(sieve.passes() == false)
            continue;

         /*
         * Check if p - 1 and coprime are relatively prime by computing the inverse.
         *
         * We avoid gcd here because that algorithm is not constant time.
         * Modular inverse is (for odd modulus anyway).
         *
         * We earlier verified that coprime argument is odd. Thus the factors of 2
         * in (p - 1) cannot possibly be factors in coprime, so remove them from p - 1.
         * Using an odd modulus allows the const time algorithm to be used.
         *
         * This assumes coprime < p - 1 which is always true for RSA.
         */
         BigInt p1 = p - 1;
         p1 >>= low_zero_bits(p1);
         if(inverse_mod(coprime, p1).is_zero())
            {
            BOTAN_DEBUG_ASSERT(gcd(p1, coprime) > 1);
            continue;
            }

         BOTAN_DEBUG_ASSERT(gcd(p1, coprime) == 1);

         if(p.bits() > bits)
            break;

         if(is_prime(p, prime_test_rng, prob, true))
            return p;
         }
      }
   }

/*
* Generate a random safe prime
*/
BigInt random_safe_prime(RandomNumberGenerator& rng, size_t bits)
   {
   if(bits <= 64)
      throw Invalid_Argument("random_safe_prime: Can't make a prime of " +
                             std::to_string(bits) + " bits");

   BigInt q, p;
   for(;;)
      {
      /*
      Generate q == 2 (mod 3)

      Otherwise [q == 1 (mod 3) case], 2*q+1 == 3 (mod 3) and not prime.

      Initially allow a very high error prob (1/2**8) to allow for fast checks,
      then if 2*q+1 turns out to be a prime go back and strongly check q.
      */
      q = random_prime(rng, bits - 1, 0, 2, 3, 8);
      p = (q << 1) + 1;

      if(is_prime(p, rng, 128, true))
         {
         // We did only a weak check before, go back and verify q before returning
         if(is_prime(q, rng, 128, true))
            return p;
         }
      }
   }

}

Coverage Report

Created: 2019-09-11 14:12

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Prime Generation
3		* (C) 1999-2007,2018 Jack Lloyd
4		*
5		* Botan is released under the Simplified BSD License (see license.txt)
6		*/
7
8		#include <botan/numthry.h>
9		#include <botan/rng.h>
10		#include <botan/internal/bit_ops.h>
11		#include <botan/loadstor.h>
12		#include <algorithm>
13
14		namespace Botan {
15
16		namespace {
17
18		class Prime_Sieve final
19		{
20		public:
21		Prime_Sieve(const BigInt& init_value, size_t sieve_size) :
22		m_sieve(std::min(sieve_size, PRIME_TABLE_SIZE))
23	1	{
24	257	for(size_t i = 0; i != m_sieve.size(); ++i)
25	256	m_sieve[i] = static_cast<uint16_t>(init_value % PRIMES[i]);
26	1	}
27
28		void step(word increment)
29	999	{
30	256k	for(size_t i = 0; i != m_sieve.size(); ++i)
31	255k	{
32	255k	m_sieve[i] = (m_sieve[i] + increment) % PRIMES[i];
33	255k	}
34	999	}
35
36		bool passes(bool check_2p1 = false) const
37	999	{
38	7.25k	for(size_t i = 0; i != m_sieve.size(); ++i)
39	7.23k	{
40	7.23k	/*
41	7.23k	In this case, p is a multiple of PRIMES[i]
42	7.23k	*/
43	7.23k	if(m_sieve[i] == 0)
44	495	return false;
45	6.74k
46	6.74k	if(check_2p1)
47	6.74k	{
48	6.74k	/*
49	6.74k	In this case, 2*p+1 will be a multiple of PRIMES[i]
50	6.74k
51	6.74k	So if potentially generating a safe prime, we want to
52	6.74k	avoid this value because 2*p+1 will certainly not be prime.
53	6.74k
54	6.74k	See "Safe Prime Generation with a Combined Sieve" M. Wiener
55	6.74k	https://eprint.iacr.org/2003/186.pdf
56	6.74k	*/
57	6.74k	if(m_sieve[i] == (PRIMES[i] - 1) / 2)
58	489	return false;
59	6.74k	}
60	6.74k	}
61	999
62	999	return true;
63	999	}
64
65		private:
66		std::vector<uint16_t> m_sieve;
67		};
68
69		}
70
71
72		/*
73		* Generate a random prime
74		*/
75		BigInt random_prime(RandomNumberGenerator& rng,
76		size_t bits, const BigInt& coprime,
77		size_t equiv, size_t modulo,
78		size_t prob)
79	1	{
80	1	if(coprime.is_negative())
81	0	{
82	0	throw Invalid_Argument("random_prime: coprime must be >= 0");
83	0	}
84	1	if(modulo == 0)
85	0	{
86	0	throw Invalid_Argument("random_prime: Invalid modulo value");
87	0	}
88	1
89	1	equiv %= modulo;
90	1
91	1	if(equiv == 0)
92	0	throw Invalid_Argument("random_prime Invalid value for equiv/modulo");
93	1
94	1	// Handle small values:
95	1	if(bits <= 1)
96	0	{
97	0	throw Invalid_Argument("random_prime: Can't make a prime of " +
98	0	std::to_string(bits) + " bits");
99	0	}
100	1	else if(bits == 2)
101	0	{
102	0	return ((rng.next_byte() % 2) ? 2 : 3);
103	0	}
104	1	else if(bits == 3)
105	0	{
106	0	return ((rng.next_byte() % 2) ? 5 : 7);
107	0	}
108	1	else if(bits == 4)
109	0	{
110	0	return ((rng.next_byte() % 2) ? 11 : 13);
111	0	}
112	1	else if(bits <= 16)
113	0	{
114	0	for(;;)
115	0	{
116	0	// This is slightly biased, but for small primes it does not seem to matter
117	0	const uint8_t b0 = rng.next_byte();
118	0	const uint8_t b1 = rng.next_byte();
119	0	const size_t idx = make_uint16(b0, b1) % PRIME_TABLE_SIZE;
120	0	const uint16_t small_prime = PRIMES[idx];
121	0
122	0	if(high_bit(small_prime) == bits)
123	0	return small_prime;
124	0	}
125	0	}
126	1
127	1	const size_t MAX_ATTEMPTS = 32*1024;
128	1
129	1	while(true)
130	1	{
131	1	BigInt p(rng, bits);
132	1
133	1	// Force lowest and two top bits on
134	1	p.set_bit(bits - 1);
135	1	p.set_bit(bits - 2);
136	1	p.set_bit(0);
137	1
138	1	// Force p to be equal to equiv mod modulo
139	1	p += (modulo - (p % modulo)) + equiv;
140	1
141	1	Prime_Sieve sieve(p, bits);
142	1
143	1	size_t counter = 0;
144	999	while(true)
145	999	{
146	999	++counter;
147	999
148	999	if(counter > MAX_ATTEMPTS)
149	0	{
150	0	break; // don't try forever, choose a new starting point
151	0	}
152	999
153	999	p += modulo;
154	999
155	999	sieve.step(modulo);
156	999
157	999	if(sieve.passes(true) == false)
158	984	continue;
159	15
160	15	if(coprime > 1)
161	0	{
162	0	/*
163	0	* Check if gcd(p - 1, coprime) != 1 by computing the inverse. The
164	0	* gcd algorithm is not constant time, but modular inverse is (for
165	0	* odd modulus anyway). This avoids a side channel attack against RSA
166	0	* key generation, though RSA keygen should be using generate_rsa_prime.
167	0	*/
168	0	if(inverse_mod(p - 1, coprime).is_zero())
169	0	continue;
170	15	}
171	15
172	15	if(p.bits() > bits)
173	0	break;
174	15
175	15	if(is_prime(p, rng, prob, true))
176	1	return p;
177	15	}
178	1	}
179	1	}
180
181		BigInt generate_rsa_prime(RandomNumberGenerator& keygen_rng,
182		RandomNumberGenerator& prime_test_rng,
183		size_t bits,
184		const BigInt& coprime,
185		size_t prob)
186	0	{
187	0	if(bits < 512)
188	0	throw Invalid_Argument("generate_rsa_prime bits too small");
189	0
190	0	/*
191	0	* The restriction on coprime <= 64 bits is arbitrary but generally speaking
192	0	* very large RSA public exponents are a bad idea both for performance and due
193	0	* to attacks on small d.
194	0	*/
195	0	if(coprime <= 1 \|\| coprime.is_even() \|\| coprime.bits() > 64)
196	0	throw Invalid_Argument("generate_rsa_prime coprime must be small odd positive integer");
197	0
198	0	const size_t MAX_ATTEMPTS = 32*1024;
199	0
200	0	while(true)
201	0	{
202	0	BigInt p(keygen_rng, bits);
203	0
204	0	// Force lowest and two top bits on
205	0	p.set_bit(bits - 1);
206	0	p.set_bit(bits - 2);
207	0	p.set_bit(0);
208	0
209	0	Prime_Sieve sieve(p, bits);
210	0
211	0	const word step = 2;
212	0
213	0	size_t counter = 0;
214	0	while(true)
215	0	{
216	0	++counter;
217	0
218	0	if(counter > MAX_ATTEMPTS)
219	0	{
220	0	break; // don't try forever, choose a new starting point
221	0	}
222	0
223	0	p += step;
224	0
225	0	sieve.step(step);
226	0
227	0	if(sieve.passes() == false)
228	0	continue;
229	0
230	0	/*
231	0	* Check if p - 1 and coprime are relatively prime by computing the inverse.
232	0	*
233	0	* We avoid gcd here because that algorithm is not constant time.
234	0	* Modular inverse is (for odd modulus anyway).
235	0	*
236	0	* We earlier verified that coprime argument is odd. Thus the factors of 2
237	0	* in (p - 1) cannot possibly be factors in coprime, so remove them from p - 1.
238	0	* Using an odd modulus allows the const time algorithm to be used.
239	0	*
240	0	* This assumes coprime < p - 1 which is always true for RSA.
241	0	*/
242	0	BigInt p1 = p - 1;
243	0	p1 >>= low_zero_bits(p1);
244	0	if(inverse_mod(coprime, p1).is_zero())
245	0	{
246	0	BOTAN_DEBUG_ASSERT(gcd(p1, coprime) > 1);
247	0	continue;
248	0	}
249	0
250	0	BOTAN_DEBUG_ASSERT(gcd(p1, coprime) == 1);
251	0
252	0	if(p.bits() > bits)
253	0	break;
254	0
255	0	if(is_prime(p, prime_test_rng, prob, true))
256	0	return p;
257	0	}
258	0	}
259	0	}
260
261		/*
262		* Generate a random safe prime
263		*/
264		BigInt random_safe_prime(RandomNumberGenerator& rng, size_t bits)
265	0	{
266	0	if(bits <= 64)
267	0	throw Invalid_Argument("random_safe_prime: Can't make a prime of " +
268	0	std::to_string(bits) + " bits");
269	0
270	0	BigInt q, p;
271	0	for(;;)
272	0	{
273	0	/*
274	0	Generate q == 2 (mod 3)
275	0
276	0	Otherwise [q == 1 (mod 3) case], 2*q+1 == 3 (mod 3) and not prime.
277	0
278	0	Initially allow a very high error prob (1/2**8) to allow for fast checks,
279	0	then if 2*q+1 turns out to be a prime go back and strongly check q.
280	0	*/
281	0	q = random_prime(rng, bits - 1, 0, 2, 3, 8);
282	0	p = (q << 1) + 1;
283	0
284	0	if(is_prime(p, rng, 128, true))
285	0	{
286	0	// We did only a weak check before, go back and verify q before returning
287	0	if(is_prime(q, rng, 128, true))
288	0	return p;
289	0	}
290	0	}
291	0	}
292
293		}