/src/botan/src/lib/math/numbertheory/numthry.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Number Theory Functions |
3 | | * (C) 1999-2011,2016,2018,2019 Jack Lloyd |
4 | | * (C) 2007,2008 Falko Strenzke, FlexSecure GmbH |
5 | | * |
6 | | * Botan is released under the Simplified BSD License (see license.txt) |
7 | | */ |
8 | | |
9 | | #include <botan/numthry.h> |
10 | | |
11 | | #include <botan/reducer.h> |
12 | | #include <botan/rng.h> |
13 | | #include <botan/internal/ct_utils.h> |
14 | | #include <botan/internal/divide.h> |
15 | | #include <botan/internal/monty.h> |
16 | | #include <botan/internal/monty_exp.h> |
17 | | #include <botan/internal/mp_core.h> |
18 | | #include <botan/internal/primality.h> |
19 | | #include <algorithm> |
20 | | |
21 | | namespace Botan { |
22 | | |
23 | | /* |
24 | | * Tonelli-Shanks algorithm |
25 | | */ |
26 | 119 | BigInt sqrt_modulo_prime(const BigInt& a, const BigInt& p) { |
27 | 119 | BOTAN_ARG_CHECK(p > 1, "invalid prime"); |
28 | 119 | BOTAN_ARG_CHECK(a < p, "value to solve for must be less than p"); |
29 | 119 | BOTAN_ARG_CHECK(a >= 0, "value to solve for must not be negative"); |
30 | | |
31 | | // some very easy cases |
32 | 119 | if(p == 2 || a <= 1) { |
33 | 15 | return a; |
34 | 15 | } |
35 | | |
36 | 104 | BOTAN_ARG_CHECK(p.is_odd(), "invalid prime"); |
37 | | |
38 | 104 | if(jacobi(a, p) != 1) { // not a quadratic residue |
39 | 11 | return BigInt::from_s32(-1); |
40 | 11 | } |
41 | | |
42 | 93 | auto mod_p = Modular_Reducer::for_public_modulus(p); |
43 | 93 | auto monty_p = std::make_shared<Montgomery_Params>(p, mod_p); |
44 | | |
45 | | // If p == 3 (mod 4) there is a simple solution |
46 | 93 | if(p % 4 == 3) { |
47 | 11 | return monty_exp_vartime(monty_p, a, ((p + 1) >> 2)).value(); |
48 | 11 | } |
49 | | |
50 | | // Otherwise we have to use Shanks-Tonelli |
51 | 82 | size_t s = low_zero_bits(p - 1); |
52 | 82 | BigInt q = p >> s; |
53 | | |
54 | 82 | q -= 1; |
55 | 82 | q >>= 1; |
56 | | |
57 | 82 | BigInt r = monty_exp_vartime(monty_p, a, q).value(); |
58 | 82 | BigInt n = mod_p.multiply(a, mod_p.square(r)); |
59 | 82 | r = mod_p.multiply(r, a); |
60 | | |
61 | 82 | if(n == 1) { |
62 | 15 | return r; |
63 | 15 | } |
64 | | |
65 | | // find random quadratic nonresidue z |
66 | 67 | word z = 2; |
67 | 129 | for(;;) { |
68 | 129 | if(jacobi(BigInt::from_word(z), p) == -1) { // found one |
69 | 30 | break; |
70 | 30 | } |
71 | | |
72 | 99 | z += 1; // try next z |
73 | | |
74 | | /* |
75 | | * The expected number of tests to find a non-residue modulo a |
76 | | * prime is 2. If we have not found one after 256 then almost |
77 | | * certainly we have been given a non-prime p. |
78 | | */ |
79 | 99 | if(z >= 256) { |
80 | 0 | return BigInt::from_s32(-1); |
81 | 0 | } |
82 | 99 | } |
83 | | |
84 | 67 | BigInt c = monty_exp_vartime(monty_p, BigInt::from_word(z), (q << 1) + 1).value(); |
85 | | |
86 | 190 | while(n > 1) { |
87 | 123 | q = n; |
88 | | |
89 | 123 | size_t i = 0; |
90 | 1.17k | while(q != 1) { |
91 | 1.05k | q = mod_p.square(q); |
92 | 1.05k | ++i; |
93 | | |
94 | 1.05k | if(i >= s) { |
95 | 0 | return BigInt::from_s32(-1); |
96 | 0 | } |
97 | 1.05k | } |
98 | | |
99 | 123 | BOTAN_ASSERT_NOMSG(s >= (i + 1)); // No underflow! |
100 | 123 | c = monty_exp_vartime(monty_p, c, BigInt::power_of_2(s - i - 1)).value(); |
101 | 123 | r = mod_p.multiply(r, c); |
102 | 123 | c = mod_p.square(c); |
103 | 123 | n = mod_p.multiply(n, c); |
104 | | |
105 | | // s decreases as the algorithm proceeds |
106 | 123 | BOTAN_ASSERT_NOMSG(s >= i); |
107 | 123 | s = i; |
108 | 123 | } |
109 | | |
110 | 67 | return r; |
111 | 67 | } |
112 | | |
113 | | /* |
114 | | * Calculate the Jacobi symbol |
115 | | */ |
116 | 4.16k | int32_t jacobi(const BigInt& a, const BigInt& n) { |
117 | 4.16k | if(n.is_even() || n < 2) { |
118 | 396 | throw Invalid_Argument("jacobi: second argument must be odd and > 1"); |
119 | 396 | } |
120 | | |
121 | 3.76k | BigInt x = a % n; |
122 | 3.76k | BigInt y = n; |
123 | 3.76k | int32_t J = 1; |
124 | | |
125 | 165k | while(y > 1) { |
126 | 162k | x %= y; |
127 | 162k | if(x > y / 2) { |
128 | 74.6k | x = y - x; |
129 | 74.6k | if(y % 4 == 3) { |
130 | 37.3k | J = -J; |
131 | 37.3k | } |
132 | 74.6k | } |
133 | 162k | if(x.is_zero()) { |
134 | 122 | return 0; |
135 | 122 | } |
136 | | |
137 | 162k | size_t shifts = low_zero_bits(x); |
138 | 162k | x >>= shifts; |
139 | 162k | if(shifts % 2) { |
140 | 51.0k | word y_mod_8 = y % 8; |
141 | 51.0k | if(y_mod_8 == 3 || y_mod_8 == 5) { |
142 | 25.6k | J = -J; |
143 | 25.6k | } |
144 | 51.0k | } |
145 | | |
146 | 162k | if(x % 4 == 3 && y % 4 == 3) { |
147 | 39.8k | J = -J; |
148 | 39.8k | } |
149 | 162k | std::swap(x, y); |
150 | 162k | } |
151 | 3.64k | return J; |
152 | 3.76k | } |
153 | | |
154 | | /* |
155 | | * Square a BigInt |
156 | | */ |
157 | 84 | BigInt square(const BigInt& x) { |
158 | 84 | BigInt z = x; |
159 | 84 | secure_vector<word> ws; |
160 | 84 | z.square(ws); |
161 | 84 | return z; |
162 | 84 | } |
163 | | |
164 | | /* |
165 | | * Return the number of 0 bits at the end of n |
166 | | */ |
167 | 223k | size_t low_zero_bits(const BigInt& n) { |
168 | 223k | size_t low_zero = 0; |
169 | | |
170 | 223k | auto seen_nonempty_word = CT::Mask<word>::cleared(); |
171 | | |
172 | 11.6M | for(size_t i = 0; i != n.size(); ++i) { |
173 | 11.4M | const word x = n.word_at(i); |
174 | | |
175 | | // ctz(0) will return sizeof(word) |
176 | 11.4M | const size_t tz_x = ctz(x); |
177 | | |
178 | | // if x > 0 we want to count tz_x in total but not any |
179 | | // further words, so set the mask after the addition |
180 | 11.4M | low_zero += seen_nonempty_word.if_not_set_return(tz_x); |
181 | | |
182 | 11.4M | seen_nonempty_word |= CT::Mask<word>::expand(x); |
183 | 11.4M | } |
184 | | |
185 | | // if we saw no words with x > 0 then n == 0 and the value we have |
186 | | // computed is meaningless. Instead return BigInt::zero() in that case. |
187 | 223k | return static_cast<size_t>(seen_nonempty_word.if_set_return(low_zero)); |
188 | 223k | } |
189 | | |
190 | | /* |
191 | | * Calculate the GCD in constant time |
192 | | */ |
193 | 529 | BigInt gcd(const BigInt& a, const BigInt& b) { |
194 | 529 | if(a.is_zero()) { |
195 | 20 | return abs(b); |
196 | 20 | } |
197 | 509 | if(b.is_zero()) { |
198 | 53 | return abs(a); |
199 | 53 | } |
200 | | |
201 | 456 | const size_t sz = std::max(a.sig_words(), b.sig_words()); |
202 | 456 | auto u = BigInt::with_capacity(sz); |
203 | 456 | auto v = BigInt::with_capacity(sz); |
204 | 456 | u += a; |
205 | 456 | v += b; |
206 | | |
207 | 456 | CT::poison_all(u, v); |
208 | | |
209 | 456 | u.set_sign(BigInt::Positive); |
210 | 456 | v.set_sign(BigInt::Positive); |
211 | | |
212 | | // In the worst case we have two fully populated big ints. After right |
213 | | // shifting so many times, we'll have reached the result for sure. |
214 | 456 | const size_t loop_cnt = u.bits() + v.bits(); |
215 | | |
216 | 456 | using WordMask = CT::Mask<word>; |
217 | | |
218 | | // This temporary is big enough to hold all intermediate results of the |
219 | | // algorithm. No reallocation will happen during the loop. |
220 | | // Note however, that `ct_cond_assign()` will invalidate the 'sig_words' |
221 | | // cache, which _does not_ shrink the capacity of the underlying buffer. |
222 | 456 | auto tmp = BigInt::with_capacity(sz); |
223 | 456 | size_t factors_of_two = 0; |
224 | 1.36M | for(size_t i = 0; i != loop_cnt; ++i) { |
225 | 1.36M | auto both_odd = WordMask::expand(u.is_odd()) & WordMask::expand(v.is_odd()); |
226 | | |
227 | | // Subtract the smaller from the larger if both are odd |
228 | 1.36M | auto u_gt_v = WordMask::expand(bigint_cmp(u._data(), u.size(), v._data(), v.size()) > 0); |
229 | 1.36M | bigint_sub_abs(tmp.mutable_data(), u._data(), sz, v._data(), sz); |
230 | 1.36M | u.ct_cond_assign((u_gt_v & both_odd).as_bool(), tmp); |
231 | 1.36M | v.ct_cond_assign((~u_gt_v & both_odd).as_bool(), tmp); |
232 | | |
233 | 1.36M | const auto u_is_even = WordMask::expand(u.is_even()); |
234 | 1.36M | const auto v_is_even = WordMask::expand(v.is_even()); |
235 | 1.36M | BOTAN_DEBUG_ASSERT((u_is_even | v_is_even).as_bool()); |
236 | | |
237 | | // When both are even, we're going to eliminate a factor of 2. |
238 | | // We have to reapply this factor to the final result. |
239 | 1.36M | factors_of_two += (u_is_even & v_is_even).if_set_return(1); |
240 | | |
241 | | // remove one factor of 2, if u is even |
242 | 1.36M | bigint_shr2(tmp.mutable_data(), u._data(), sz, 1); |
243 | 1.36M | u.ct_cond_assign(u_is_even.as_bool(), tmp); |
244 | | |
245 | | // remove one factor of 2, if v is even |
246 | 1.36M | bigint_shr2(tmp.mutable_data(), v._data(), sz, 1); |
247 | 1.36M | v.ct_cond_assign(v_is_even.as_bool(), tmp); |
248 | 1.36M | } |
249 | | |
250 | | // The GCD (without factors of two) is either in u or v, the other one is |
251 | | // zero. The non-zero variable _must_ be odd, because all factors of two were |
252 | | // removed in the loop iterations above. |
253 | 456 | BOTAN_DEBUG_ASSERT(u.is_zero() || v.is_zero()); |
254 | 456 | BOTAN_DEBUG_ASSERT(u.is_odd() || v.is_odd()); |
255 | | |
256 | | // make sure that the GCD (without factors of two) is in u |
257 | 456 | u.ct_cond_assign(u.is_even() /* .is_zero() would not be constant time */, v); |
258 | | |
259 | | // re-apply the factors of two |
260 | 456 | u.ct_shift_left(factors_of_two); |
261 | | |
262 | 456 | CT::unpoison_all(u, v); |
263 | | |
264 | 456 | return u; |
265 | 509 | } |
266 | | |
267 | | /* |
268 | | * Calculate the LCM |
269 | | */ |
270 | 191 | BigInt lcm(const BigInt& a, const BigInt& b) { |
271 | 191 | if(a == b) { |
272 | 7 | return a; |
273 | 7 | } |
274 | | |
275 | 184 | auto ab = a * b; |
276 | 184 | ab.set_sign(BigInt::Positive); // ignore the signs of a & b |
277 | 184 | const auto g = gcd(a, b); |
278 | 184 | return ct_divide(ab, g); |
279 | 191 | } |
280 | | |
281 | | /* |
282 | | * Modular Exponentiation |
283 | | */ |
284 | 582 | BigInt power_mod(const BigInt& base, const BigInt& exp, const BigInt& mod) { |
285 | 582 | if(mod.is_negative() || mod == 1) { |
286 | 33 | return BigInt::zero(); |
287 | 33 | } |
288 | | |
289 | 549 | if(base.is_zero() || mod.is_zero()) { |
290 | 30 | if(exp.is_zero()) { |
291 | 11 | return BigInt::one(); |
292 | 11 | } |
293 | 19 | return BigInt::zero(); |
294 | 30 | } |
295 | | |
296 | 519 | auto reduce_mod = Modular_Reducer::for_secret_modulus(mod); |
297 | | |
298 | 519 | const size_t exp_bits = exp.bits(); |
299 | | |
300 | 519 | if(mod.is_odd()) { |
301 | 233 | auto monty_params = std::make_shared<Montgomery_Params>(mod, reduce_mod); |
302 | 233 | return monty_exp(monty_params, reduce_mod.reduce(base), exp, exp_bits).value(); |
303 | 233 | } |
304 | | |
305 | | /* |
306 | | Support for even modulus is just a convenience and not considered |
307 | | cryptographically important, so this implementation is slow ... |
308 | | */ |
309 | 286 | BigInt accum = BigInt::one(); |
310 | 286 | BigInt g = reduce_mod.reduce(base); |
311 | 286 | BigInt t; |
312 | | |
313 | 16.5k | for(size_t i = 0; i != exp_bits; ++i) { |
314 | 16.2k | t = reduce_mod.multiply(g, accum); |
315 | 16.2k | g = reduce_mod.square(g); |
316 | 16.2k | accum.ct_cond_assign(exp.get_bit(i), t); |
317 | 16.2k | } |
318 | 286 | return accum; |
319 | 519 | } |
320 | | |
321 | 173 | BigInt is_perfect_square(const BigInt& C) { |
322 | 173 | if(C < 1) { |
323 | 13 | throw Invalid_Argument("is_perfect_square requires C >= 1"); |
324 | 13 | } |
325 | 160 | if(C == 1) { |
326 | 0 | return BigInt::one(); |
327 | 0 | } |
328 | | |
329 | 160 | const size_t n = C.bits(); |
330 | 160 | const size_t m = (n + 1) / 2; |
331 | 160 | const BigInt B = C + BigInt::power_of_2(m); |
332 | | |
333 | 160 | BigInt X = BigInt::power_of_2(m) - 1; |
334 | 160 | BigInt X2 = (X * X); |
335 | | |
336 | 1.08k | for(;;) { |
337 | 1.08k | X = (X2 + C) / (2 * X); |
338 | 1.08k | X2 = (X * X); |
339 | | |
340 | 1.08k | if(X2 < B) { |
341 | 160 | break; |
342 | 160 | } |
343 | 1.08k | } |
344 | | |
345 | 160 | if(X2 == C) { |
346 | 5 | return X; |
347 | 155 | } else { |
348 | 155 | return BigInt::zero(); |
349 | 155 | } |
350 | 160 | } |
351 | | |
352 | | /* |
353 | | * Test for primality using Miller-Rabin |
354 | | */ |
355 | 274 | bool is_prime(const BigInt& n, RandomNumberGenerator& rng, size_t prob, bool is_random) { |
356 | 274 | if(n == 2) { |
357 | 0 | return true; |
358 | 0 | } |
359 | 274 | if(n <= 1 || n.is_even()) { |
360 | 12 | return false; |
361 | 12 | } |
362 | | |
363 | 262 | const size_t n_bits = n.bits(); |
364 | | |
365 | | // Fast path testing for small numbers (<= 65521) |
366 | 262 | if(n_bits <= 16) { |
367 | 181 | const uint16_t num = static_cast<uint16_t>(n.word_at(0)); |
368 | | |
369 | 181 | return std::binary_search(PRIMES, PRIMES + PRIME_TABLE_SIZE, num); |
370 | 181 | } |
371 | | |
372 | 81 | auto mod_n = Modular_Reducer::for_secret_modulus(n); |
373 | | |
374 | 81 | if(rng.is_seeded()) { |
375 | 81 | const size_t t = miller_rabin_test_iterations(n_bits, prob, is_random); |
376 | | |
377 | 81 | if(is_miller_rabin_probable_prime(n, mod_n, rng, t) == false) { |
378 | 3 | return false; |
379 | 3 | } |
380 | | |
381 | 78 | if(is_random) { |
382 | 0 | return true; |
383 | 78 | } else { |
384 | 78 | return is_lucas_probable_prime(n, mod_n); |
385 | 78 | } |
386 | 78 | } else { |
387 | 0 | return is_bailie_psw_probable_prime(n, mod_n); |
388 | 0 | } |
389 | 81 | } |
390 | | |
391 | | } // namespace Botan |