/src/libressl/crypto/bn/bn_mod_sqrt.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: bn_mod_sqrt.c,v 1.3 2023/08/03 18:53:55 tb Exp $ */ |
2 | | |
3 | | /* |
4 | | * Copyright (c) 2022 Theo Buehler <tb@openbsd.org> |
5 | | * |
6 | | * Permission to use, copy, modify, and distribute this software for any |
7 | | * purpose with or without fee is hereby granted, provided that the above |
8 | | * copyright notice and this permission notice appear in all copies. |
9 | | * |
10 | | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
11 | | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
12 | | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
13 | | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
14 | | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
15 | | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
16 | | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
17 | | */ |
18 | | |
19 | | #include <openssl/err.h> |
20 | | |
21 | | #include "bn_local.h" |
22 | | |
23 | | /* |
24 | | * Tonelli-Shanks according to H. Cohen "A Course in Computational Algebraic |
25 | | * Number Theory", Section 1.5.1, Springer GTM volume 138, Berlin, 1996. |
26 | | * |
27 | | * Under the assumption that p is prime and a is a quadratic residue, we know: |
28 | | * |
29 | | * a^[(p-1)/2] = 1 (mod p). (*) |
30 | | * |
31 | | * To find a square root of a (mod p), we handle three cases of increasing |
32 | | * complexity. In the first two cases, we can compute a square root using an |
33 | | * explicit formula, thus avoiding the probabilistic nature of Tonelli-Shanks. |
34 | | * |
35 | | * 1. p = 3 (mod 4). |
36 | | * |
37 | | * Set n = (p+1)/4. Then 2n = 1 + (p-1)/2 and (*) shows that x = a^n (mod p) |
38 | | * is a square root of a: x^2 = a^(2n) = a * a^[(p-1)/2] = a (mod p). |
39 | | * |
40 | | * 2. p = 5 (mod 8). |
41 | | * |
42 | | * This uses a simplification due to Atkin. By Theorem 1.4.7 and 1.4.9, the |
43 | | * Kronecker symbol (2/p) evaluates to (-1)^[(p^2-1)/8]. From p = 5 (mod 8) |
44 | | * we get (p^2-1)/8 = 1 (mod 2), so (2/p) = -1, and thus |
45 | | * |
46 | | * 2^[(p-1)/2] = -1 (mod p). (**) |
47 | | * |
48 | | * Set b = (2a)^[(p-5)/8]. With (p-1)/2 = 2 + (p-5)/2, (*) and (**) show |
49 | | * |
50 | | * i = 2 a b^2 is a square root of -1 (mod p). |
51 | | * |
52 | | * Indeed, i^2 = 2^2 a^2 b^4 = 2^[(p-1)/2] a^[(p-1)/2] = -1 (mod p). Because |
53 | | * of (i-1)^2 = -2i (mod p) and i (-i) = 1 (mod p), a square root of a is |
54 | | * |
55 | | * x = a b (i-1) |
56 | | * |
57 | | * as x^2 = a^2 b^2 (-2i) = a (2 a b^2) (-i) = a (mod p). |
58 | | * |
59 | | * 3. p = 1 (mod 8). |
60 | | * |
61 | | * This is the Tonelli-Shanks algorithm. For a prime p, the multiplicative |
62 | | * group of GF(p) is cyclic of order p - 1 = 2^s q, with odd q. Denote its |
63 | | * 2-Sylow subgroup by S. It is cyclic of order 2^s. The squares in S have |
64 | | * order dividing 2^(s-1). They are the even powers of any generator z of S. |
65 | | * If a is a quadratic residue, 1 = a^[(p-1)/2] = (a^q)^[2^(s-1)], so b = a^q |
66 | | * is a square in S. Therefore there is an integer k such that b z^(2k) = 1. |
67 | | * Set x = a^[(q+1)/2] z^k, and find x^2 = a (mod p). |
68 | | * |
69 | | * The problem is thus reduced to finding a generator z of the 2-Sylow |
70 | | * subgroup S of GF(p)* and finding k. An iterative constructions avoids |
71 | | * the need for an explicit k, a generator is found by a randomized search. |
72 | | * |
73 | | * While we do not actually know that p is a prime number, we can still apply |
74 | | * the formulas in cases 1 and 2 and verify that we have indeed found a square |
75 | | * root of p. Similarly, in case 3, we can try to find a quadratic non-residue, |
76 | | * which will fail for example if p is a square. The iterative construction |
77 | | * may or may not find a candidate square root which we can then validate. |
78 | | */ |
79 | | |
80 | | /* |
81 | | * Handle the cases where p is 2, p isn't odd or p is one. Since BN_mod_sqrt() |
82 | | * can run on untrusted data, a primality check is too expensive. Also treat |
83 | | * the obvious cases where a is 0 or 1. |
84 | | */ |
85 | | |
86 | | static int |
87 | | bn_mod_sqrt_trivial_cases(int *done, BIGNUM *out_sqrt, const BIGNUM *a, |
88 | | const BIGNUM *p, BN_CTX *ctx) |
89 | 3.83k | { |
90 | 3.83k | *done = 1; |
91 | | |
92 | 3.83k | if (BN_abs_is_word(p, 2)) |
93 | 0 | return BN_set_word(out_sqrt, BN_is_odd(a)); |
94 | | |
95 | 3.83k | if (!BN_is_odd(p) || BN_abs_is_word(p, 1)) { |
96 | 0 | BNerror(BN_R_P_IS_NOT_PRIME); |
97 | 0 | return 0; |
98 | 0 | } |
99 | | |
100 | 3.83k | if (BN_is_zero(a) || BN_is_one(a)) |
101 | 19 | return BN_set_word(out_sqrt, BN_is_one(a)); |
102 | | |
103 | 3.81k | *done = 0; |
104 | | |
105 | 3.81k | return 1; |
106 | 3.83k | } |
107 | | |
108 | | /* |
109 | | * Case 1. We know that (a/p) = 1 and that p = 3 (mod 4). |
110 | | */ |
111 | | |
112 | | static int |
113 | | bn_mod_sqrt_p_is_3_mod_4(BIGNUM *out_sqrt, const BIGNUM *a, const BIGNUM *p, |
114 | | BN_CTX *ctx) |
115 | 1.32k | { |
116 | 1.32k | BIGNUM *n; |
117 | 1.32k | int ret = 0; |
118 | | |
119 | 1.32k | BN_CTX_start(ctx); |
120 | | |
121 | 1.32k | if ((n = BN_CTX_get(ctx)) == NULL) |
122 | 0 | goto err; |
123 | | |
124 | | /* Calculate n = (|p| + 1) / 4. */ |
125 | 1.32k | if (!BN_uadd(n, p, BN_value_one())) |
126 | 0 | goto err; |
127 | 1.32k | if (!BN_rshift(n, n, 2)) |
128 | 0 | goto err; |
129 | | |
130 | | /* By case 1 above, out_sqrt = a^n is a square root of a (mod p). */ |
131 | 1.32k | if (!BN_mod_exp_ct(out_sqrt, a, n, p, ctx)) |
132 | 0 | goto err; |
133 | | |
134 | 1.32k | ret = 1; |
135 | | |
136 | 1.32k | err: |
137 | 1.32k | BN_CTX_end(ctx); |
138 | | |
139 | 1.32k | return ret; |
140 | 1.32k | } |
141 | | |
142 | | /* |
143 | | * Case 2. We know that (a/p) = 1 and that p = 5 (mod 8). |
144 | | */ |
145 | | |
146 | | static int |
147 | | bn_mod_sqrt_p_is_5_mod_8(BIGNUM *out_sqrt, const BIGNUM *a, const BIGNUM *p, |
148 | | BN_CTX *ctx) |
149 | 567 | { |
150 | 567 | BIGNUM *b, *i, *n, *tmp; |
151 | 567 | int ret = 0; |
152 | | |
153 | 567 | BN_CTX_start(ctx); |
154 | | |
155 | 567 | if ((b = BN_CTX_get(ctx)) == NULL) |
156 | 0 | goto err; |
157 | 567 | if ((i = BN_CTX_get(ctx)) == NULL) |
158 | 0 | goto err; |
159 | 567 | if ((n = BN_CTX_get(ctx)) == NULL) |
160 | 0 | goto err; |
161 | 567 | if ((tmp = BN_CTX_get(ctx)) == NULL) |
162 | 0 | goto err; |
163 | | |
164 | | /* Calculate n = (|p| - 5) / 8. Since p = 5 (mod 8), simply shift. */ |
165 | 567 | if (!BN_rshift(n, p, 3)) |
166 | 0 | goto err; |
167 | 567 | BN_set_negative(n, 0); |
168 | | |
169 | | /* Compute tmp = 2a (mod p) for later use. */ |
170 | 567 | if (!BN_mod_lshift1(tmp, a, p, ctx)) |
171 | 0 | goto err; |
172 | | |
173 | | /* Calculate b = (2a)^n (mod p). */ |
174 | 567 | if (!BN_mod_exp_ct(b, tmp, n, p, ctx)) |
175 | 0 | goto err; |
176 | | |
177 | | /* Calculate i = 2 a b^2 (mod p). */ |
178 | 567 | if (!BN_mod_sqr(i, b, p, ctx)) |
179 | 0 | goto err; |
180 | 567 | if (!BN_mod_mul(i, tmp, i, p, ctx)) |
181 | 0 | goto err; |
182 | | |
183 | | /* A square root is out_sqrt = a b (i-1) (mod p). */ |
184 | 567 | if (!BN_sub_word(i, 1)) |
185 | 0 | goto err; |
186 | 567 | if (!BN_mod_mul(out_sqrt, a, b, p, ctx)) |
187 | 0 | goto err; |
188 | 567 | if (!BN_mod_mul(out_sqrt, out_sqrt, i, p, ctx)) |
189 | 0 | goto err; |
190 | | |
191 | 567 | ret = 1; |
192 | | |
193 | 567 | err: |
194 | 567 | BN_CTX_end(ctx); |
195 | | |
196 | 567 | return ret; |
197 | 567 | } |
198 | | |
199 | | /* |
200 | | * Case 3. We know that (a/p) = 1 and that p = 1 (mod 8). |
201 | | */ |
202 | | |
203 | | /* |
204 | | * Simple helper. To find a generator of the 2-Sylow subgroup of GF(p)*, we |
205 | | * need to find a quadratic non-residue of p, i.e., n such that (n/p) = -1. |
206 | | */ |
207 | | |
208 | | static int |
209 | | bn_mod_sqrt_n_is_non_residue(int *is_non_residue, const BIGNUM *n, |
210 | | const BIGNUM *p, BN_CTX *ctx) |
211 | 19.4k | { |
212 | 19.4k | switch (BN_kronecker(n, p, ctx)) { |
213 | 993 | case -1: |
214 | 993 | *is_non_residue = 1; |
215 | 993 | return 1; |
216 | 18.3k | case 1: |
217 | 18.3k | *is_non_residue = 0; |
218 | 18.3k | return 1; |
219 | 30 | case 0: |
220 | | /* n divides p, so ... */ |
221 | 30 | BNerror(BN_R_P_IS_NOT_PRIME); |
222 | 30 | return 0; |
223 | 0 | default: |
224 | 0 | return 0; |
225 | 19.4k | } |
226 | 19.4k | } |
227 | | |
228 | | /* |
229 | | * The following is the only non-deterministic part preparing Tonelli-Shanks. |
230 | | * |
231 | | * If we find n such that (n/p) = -1, then n^q (mod p) is a generator of the |
232 | | * 2-Sylow subgroup of GF(p)*. To find such n, first try some small numbers, |
233 | | * then random ones. |
234 | | */ |
235 | | |
236 | | static int |
237 | | bn_mod_sqrt_find_sylow_generator(BIGNUM *out_generator, const BIGNUM *p, |
238 | | const BIGNUM *q, BN_CTX *ctx) |
239 | 1.04k | { |
240 | 1.04k | BIGNUM *n, *p_abs; |
241 | 1.04k | int i, is_non_residue; |
242 | 1.04k | int ret = 0; |
243 | | |
244 | 1.04k | BN_CTX_start(ctx); |
245 | | |
246 | 1.04k | if ((n = BN_CTX_get(ctx)) == NULL) |
247 | 0 | goto err; |
248 | 1.04k | if ((p_abs = BN_CTX_get(ctx)) == NULL) |
249 | 0 | goto err; |
250 | | |
251 | 16.1k | for (i = 2; i < 32; i++) { |
252 | 15.8k | if (!BN_set_word(n, i)) |
253 | 0 | goto err; |
254 | 15.8k | if (!bn_mod_sqrt_n_is_non_residue(&is_non_residue, n, p, ctx)) |
255 | 19 | goto err; |
256 | 15.8k | if (is_non_residue) |
257 | 665 | goto found; |
258 | 15.8k | } |
259 | | |
260 | 358 | if (!bn_copy(p_abs, p)) |
261 | 0 | goto err; |
262 | 358 | BN_set_negative(p_abs, 0); |
263 | | |
264 | 3.60k | for (i = 0; i < 128; i++) { |
265 | 3.58k | if (!bn_rand_interval(n, 32, p_abs)) |
266 | 0 | goto err; |
267 | 3.58k | if (!bn_mod_sqrt_n_is_non_residue(&is_non_residue, n, p, ctx)) |
268 | 11 | goto err; |
269 | 3.57k | if (is_non_residue) |
270 | 328 | goto found; |
271 | 3.57k | } |
272 | | |
273 | | /* |
274 | | * The probability to get here is < 2^(-128) for prime p. For squares |
275 | | * it is easy: for p = 1369 = 37^2 this happens in ~3% of runs. |
276 | | */ |
277 | | |
278 | 19 | BNerror(BN_R_TOO_MANY_ITERATIONS); |
279 | 19 | goto err; |
280 | | |
281 | 993 | found: |
282 | | /* |
283 | | * If p is prime, n^q generates the 2-Sylow subgroup S of GF(p)*. |
284 | | */ |
285 | | |
286 | 993 | if (!BN_mod_exp_ct(out_generator, n, q, p, ctx)) |
287 | 0 | goto err; |
288 | | |
289 | | /* Sanity: p is not necessarily prime, so we could have found 0 or 1. */ |
290 | 993 | if (BN_is_zero(out_generator) || BN_is_one(out_generator)) { |
291 | 0 | BNerror(BN_R_P_IS_NOT_PRIME); |
292 | 0 | goto err; |
293 | 0 | } |
294 | | |
295 | 993 | ret = 1; |
296 | | |
297 | 1.04k | err: |
298 | 1.04k | BN_CTX_end(ctx); |
299 | | |
300 | 1.04k | return ret; |
301 | 993 | } |
302 | | |
303 | | /* |
304 | | * Initialization step for Tonelli-Shanks. |
305 | | * |
306 | | * In the end, b = a^q (mod p) and x = a^[(q+1)/2] (mod p). Cohen optimizes this |
307 | | * to minimize taking powers of a. This is a bit confusing and distracting, so |
308 | | * factor this into a separate function. |
309 | | */ |
310 | | |
311 | | static int |
312 | | bn_mod_sqrt_tonelli_shanks_initialize(BIGNUM *b, BIGNUM *x, const BIGNUM *a, |
313 | | const BIGNUM *p, const BIGNUM *q, BN_CTX *ctx) |
314 | 993 | { |
315 | 993 | BIGNUM *k; |
316 | 993 | int ret = 0; |
317 | | |
318 | 993 | BN_CTX_start(ctx); |
319 | | |
320 | 993 | if ((k = BN_CTX_get(ctx)) == NULL) |
321 | 0 | goto err; |
322 | | |
323 | | /* k = (q-1)/2. Since q is odd, we can shift. */ |
324 | 993 | if (!BN_rshift1(k, q)) |
325 | 0 | goto err; |
326 | | |
327 | | /* x = a^[(q-1)/2] (mod p). */ |
328 | 993 | if (!BN_mod_exp_ct(x, a, k, p, ctx)) |
329 | 0 | goto err; |
330 | | |
331 | | /* b = ax^2 = a^q (mod p). */ |
332 | 993 | if (!BN_mod_sqr(b, x, p, ctx)) |
333 | 0 | goto err; |
334 | 993 | if (!BN_mod_mul(b, a, b, p, ctx)) |
335 | 0 | goto err; |
336 | | |
337 | | /* x = ax = a^[(q+1)/2] (mod p). */ |
338 | 993 | if (!BN_mod_mul(x, a, x, p, ctx)) |
339 | 0 | goto err; |
340 | | |
341 | 993 | ret = 1; |
342 | | |
343 | 993 | err: |
344 | 993 | BN_CTX_end(ctx); |
345 | | |
346 | 993 | return ret; |
347 | 993 | } |
348 | | |
349 | | /* |
350 | | * Find smallest exponent m such that b^(2^m) = 1 (mod p). Assuming that a |
351 | | * is a quadratic residue and p is a prime, we know that 1 <= m < r. |
352 | | */ |
353 | | |
354 | | static int |
355 | | bn_mod_sqrt_tonelli_shanks_find_exponent(int *out_exponent, const BIGNUM *b, |
356 | | const BIGNUM *p, int r, BN_CTX *ctx) |
357 | 22.6k | { |
358 | 22.6k | BIGNUM *x; |
359 | 22.6k | int m; |
360 | 22.6k | int ret = 0; |
361 | | |
362 | 22.6k | BN_CTX_start(ctx); |
363 | | |
364 | 22.6k | if ((x = BN_CTX_get(ctx)) == NULL) |
365 | 0 | goto err; |
366 | | |
367 | | /* |
368 | | * If r <= 1, the Tonelli-Shanks iteration should have terminated as |
369 | | * r == 1 implies b == 1. |
370 | | */ |
371 | 22.6k | if (r <= 1) { |
372 | 2 | BNerror(BN_R_P_IS_NOT_PRIME); |
373 | 2 | goto err; |
374 | 2 | } |
375 | | |
376 | | /* |
377 | | * Sanity check to ensure taking squares actually does something: |
378 | | * If b is 1, the Tonelli-Shanks iteration should have terminated. |
379 | | * If b is 0, something's very wrong, in particular p can't be prime. |
380 | | */ |
381 | 22.6k | if (BN_is_zero(b) || BN_is_one(b)) { |
382 | 0 | BNerror(BN_R_P_IS_NOT_PRIME); |
383 | 0 | goto err; |
384 | 0 | } |
385 | | |
386 | 22.6k | if (!bn_copy(x, b)) |
387 | 0 | goto err; |
388 | | |
389 | 1.03M | for (m = 1; m < r; m++) { |
390 | 1.03M | if (!BN_mod_sqr(x, x, p, ctx)) |
391 | 0 | goto err; |
392 | 1.03M | if (BN_is_one(x)) |
393 | 22.5k | break; |
394 | 1.03M | } |
395 | | |
396 | 22.6k | if (m >= r) { |
397 | | /* This means a is not a quadratic residue. As (a/p) = 1, ... */ |
398 | 152 | BNerror(BN_R_P_IS_NOT_PRIME); |
399 | 152 | goto err; |
400 | 152 | } |
401 | | |
402 | 22.5k | *out_exponent = m; |
403 | | |
404 | 22.5k | ret = 1; |
405 | | |
406 | 22.6k | err: |
407 | 22.6k | BN_CTX_end(ctx); |
408 | | |
409 | 22.6k | return ret; |
410 | 22.5k | } |
411 | | |
412 | | /* |
413 | | * The update step. With the minimal m such that b^(2^m) = 1 (mod m), |
414 | | * set t = y^[2^(r-m-1)] (mod p) and update x = xt, y = t^2, b = by. |
415 | | * This preserves the loop invariants a b = x^2, y^[2^(r-1)] = -1 and |
416 | | * b^[2^(r-1)] = 1. |
417 | | */ |
418 | | |
419 | | static int |
420 | | bn_mod_sqrt_tonelli_shanks_update(BIGNUM *b, BIGNUM *x, BIGNUM *y, |
421 | | const BIGNUM *p, int m, int r, BN_CTX *ctx) |
422 | 22.5k | { |
423 | 22.5k | BIGNUM *t; |
424 | 22.5k | int ret = 0; |
425 | | |
426 | 22.5k | BN_CTX_start(ctx); |
427 | | |
428 | 22.5k | if ((t = BN_CTX_get(ctx)) == NULL) |
429 | 0 | goto err; |
430 | | |
431 | | /* t = y^[2^(r-m-1)] (mod p). */ |
432 | 22.5k | if (!BN_set_bit(t, r - m - 1)) |
433 | 0 | goto err; |
434 | 22.5k | if (!BN_mod_exp_ct(t, y, t, p, ctx)) |
435 | 0 | goto err; |
436 | | |
437 | | /* x = xt (mod p). */ |
438 | 22.5k | if (!BN_mod_mul(x, x, t, p, ctx)) |
439 | 0 | goto err; |
440 | | |
441 | | /* y = t^2 = y^[2^(r-m)] (mod p). */ |
442 | 22.5k | if (!BN_mod_sqr(y, t, p, ctx)) |
443 | 0 | goto err; |
444 | | |
445 | | /* b = by (mod p). */ |
446 | 22.5k | if (!BN_mod_mul(b, b, y, p, ctx)) |
447 | 0 | goto err; |
448 | | |
449 | 22.5k | ret = 1; |
450 | | |
451 | 22.5k | err: |
452 | 22.5k | BN_CTX_end(ctx); |
453 | | |
454 | 22.5k | return ret; |
455 | 22.5k | } |
456 | | |
457 | | static int |
458 | | bn_mod_sqrt_p_is_1_mod_8(BIGNUM *out_sqrt, const BIGNUM *a, const BIGNUM *p, |
459 | | BN_CTX *ctx) |
460 | 1.04k | { |
461 | 1.04k | BIGNUM *b, *q, *x, *y; |
462 | 1.04k | int e, m, r; |
463 | 1.04k | int ret = 0; |
464 | | |
465 | 1.04k | BN_CTX_start(ctx); |
466 | | |
467 | 1.04k | if ((b = BN_CTX_get(ctx)) == NULL) |
468 | 0 | goto err; |
469 | 1.04k | if ((q = BN_CTX_get(ctx)) == NULL) |
470 | 0 | goto err; |
471 | 1.04k | if ((x = BN_CTX_get(ctx)) == NULL) |
472 | 0 | goto err; |
473 | 1.04k | if ((y = BN_CTX_get(ctx)) == NULL) |
474 | 0 | goto err; |
475 | | |
476 | | /* |
477 | | * Factor p - 1 = 2^e q with odd q. Since p = 1 (mod 8), we know e >= 3. |
478 | | */ |
479 | | |
480 | 1.04k | e = 1; |
481 | 57.6k | while (!BN_is_bit_set(p, e)) |
482 | 56.6k | e++; |
483 | 1.04k | if (!BN_rshift(q, p, e)) |
484 | 0 | goto err; |
485 | | |
486 | 1.04k | if (!bn_mod_sqrt_find_sylow_generator(y, p, q, ctx)) |
487 | 49 | goto err; |
488 | | |
489 | | /* |
490 | | * Set b = a^q (mod p) and x = a^[(q+1)/2] (mod p). |
491 | | */ |
492 | 993 | if (!bn_mod_sqrt_tonelli_shanks_initialize(b, x, a, p, q, ctx)) |
493 | 0 | goto err; |
494 | | |
495 | | /* |
496 | | * The Tonelli-Shanks iteration. Starting with r = e, the following loop |
497 | | * invariants hold at the start of the loop. |
498 | | * |
499 | | * a b = x^2 (mod p) |
500 | | * y^[2^(r-1)] = -1 (mod p) |
501 | | * b^[2^(r-1)] = 1 (mod p) |
502 | | * |
503 | | * In particular, if b = 1 (mod p), x is a square root of a. |
504 | | * |
505 | | * Since p - 1 = 2^e q, we have 2^(e-1) q = (p - 1) / 2, so in the first |
506 | | * iteration this follows from (a/p) = 1, (n/p) = -1, y = n^q, b = a^q. |
507 | | * |
508 | | * In subsequent iterations, t = y^[2^(r-m-1)], where m is the smallest |
509 | | * m such that b^(2^m) = 1. With x = xt (mod p) and b = bt^2 (mod p) the |
510 | | * first invariant is preserved, the second and third follow from |
511 | | * y = t^2 (mod p) and r = m as well as the choice of m. |
512 | | * |
513 | | * Finally, r is strictly decreasing in each iteration. If p is prime, |
514 | | * let S be the 2-Sylow subgroup of GF(p)*. We can prove the algorithm |
515 | | * stops: Let S_r be the subgroup of S consisting of elements of order |
516 | | * dividing 2^r. Then S_r = <y> and b is in S_(r-1). The S_r form a |
517 | | * descending filtration of S and when r = 1, then b = 1. |
518 | | */ |
519 | | |
520 | 23.5k | for (r = e; r >= 1; r = m) { |
521 | | /* |
522 | | * Termination condition. If b == 1 then x is a square root. |
523 | | */ |
524 | 23.5k | if (BN_is_one(b)) |
525 | 839 | goto done; |
526 | | |
527 | | /* Find smallest exponent 1 <= m < r such that b^(2^m) == 1. */ |
528 | 22.6k | if (!bn_mod_sqrt_tonelli_shanks_find_exponent(&m, b, p, r, ctx)) |
529 | 154 | goto err; |
530 | | |
531 | | /* |
532 | | * With t = y^[2^(r-m-1)], update x = xt, y = t^2, b = by. |
533 | | */ |
534 | 22.5k | if (!bn_mod_sqrt_tonelli_shanks_update(b, x, y, p, m, r, ctx)) |
535 | 0 | goto err; |
536 | | |
537 | | /* |
538 | | * Sanity check to make sure we don't loop indefinitely. |
539 | | * bn_mod_sqrt_tonelli_shanks_find_exponent() ensures m < r. |
540 | | */ |
541 | 22.5k | if (r <= m) |
542 | 0 | goto err; |
543 | 22.5k | } |
544 | | |
545 | | /* |
546 | | * If p is prime, we should not get here. |
547 | | */ |
548 | | |
549 | 0 | BNerror(BN_R_NOT_A_SQUARE); |
550 | 0 | goto err; |
551 | | |
552 | 839 | done: |
553 | 839 | if (!bn_copy(out_sqrt, x)) |
554 | 0 | goto err; |
555 | | |
556 | 839 | ret = 1; |
557 | | |
558 | 1.04k | err: |
559 | 1.04k | BN_CTX_end(ctx); |
560 | | |
561 | 1.04k | return ret; |
562 | 839 | } |
563 | | |
564 | | /* |
565 | | * Choose the smaller of sqrt and |p| - sqrt. |
566 | | */ |
567 | | |
568 | | static int |
569 | | bn_mod_sqrt_normalize(BIGNUM *sqrt, const BIGNUM *p, BN_CTX *ctx) |
570 | 2.72k | { |
571 | 2.72k | BIGNUM *x; |
572 | 2.72k | int ret = 0; |
573 | | |
574 | 2.72k | BN_CTX_start(ctx); |
575 | | |
576 | 2.72k | if ((x = BN_CTX_get(ctx)) == NULL) |
577 | 0 | goto err; |
578 | | |
579 | 2.72k | if (!BN_lshift1(x, sqrt)) |
580 | 0 | goto err; |
581 | | |
582 | 2.72k | if (BN_ucmp(x, p) > 0) { |
583 | 1.46k | if (!BN_usub(sqrt, p, sqrt)) |
584 | 0 | goto err; |
585 | 1.46k | } |
586 | | |
587 | 2.72k | ret = 1; |
588 | | |
589 | 2.72k | err: |
590 | 2.72k | BN_CTX_end(ctx); |
591 | | |
592 | 2.72k | return ret; |
593 | 2.72k | } |
594 | | |
595 | | /* |
596 | | * Verify that a = (sqrt_a)^2 (mod p). Requires that a is reduced (mod p). |
597 | | */ |
598 | | |
599 | | static int |
600 | | bn_mod_sqrt_verify(const BIGNUM *a, const BIGNUM *sqrt_a, const BIGNUM *p, |
601 | | BN_CTX *ctx) |
602 | 2.74k | { |
603 | 2.74k | BIGNUM *x; |
604 | 2.74k | int ret = 0; |
605 | | |
606 | 2.74k | BN_CTX_start(ctx); |
607 | | |
608 | 2.74k | if ((x = BN_CTX_get(ctx)) == NULL) |
609 | 0 | goto err; |
610 | | |
611 | 2.74k | if (!BN_mod_sqr(x, sqrt_a, p, ctx)) |
612 | 0 | goto err; |
613 | | |
614 | 2.74k | if (BN_cmp(x, a) != 0) { |
615 | 381 | BNerror(BN_R_NOT_A_SQUARE); |
616 | 381 | goto err; |
617 | 381 | } |
618 | | |
619 | 2.36k | ret = 1; |
620 | | |
621 | 2.74k | err: |
622 | 2.74k | BN_CTX_end(ctx); |
623 | | |
624 | 2.74k | return ret; |
625 | 2.36k | } |
626 | | |
627 | | static int |
628 | | bn_mod_sqrt_internal(BIGNUM *out_sqrt, const BIGNUM *a, const BIGNUM *p, |
629 | | BN_CTX *ctx) |
630 | 3.83k | { |
631 | 3.83k | BIGNUM *a_mod_p, *sqrt; |
632 | 3.83k | BN_ULONG lsw; |
633 | 3.83k | int done; |
634 | 3.83k | int kronecker; |
635 | 3.83k | int ret = 0; |
636 | | |
637 | 3.83k | BN_CTX_start(ctx); |
638 | | |
639 | 3.83k | if ((a_mod_p = BN_CTX_get(ctx)) == NULL) |
640 | 0 | goto err; |
641 | 3.83k | if ((sqrt = BN_CTX_get(ctx)) == NULL) |
642 | 0 | goto err; |
643 | | |
644 | 3.83k | if (!BN_nnmod(a_mod_p, a, p, ctx)) |
645 | 0 | goto err; |
646 | | |
647 | 3.83k | if (!bn_mod_sqrt_trivial_cases(&done, sqrt, a_mod_p, p, ctx)) |
648 | 0 | goto err; |
649 | 3.83k | if (done) |
650 | 19 | goto verify; |
651 | | |
652 | | /* |
653 | | * Make sure that the Kronecker symbol (a/p) == 1. In case p is prime |
654 | | * this is equivalent to a having a square root (mod p). The cost of |
655 | | * BN_kronecker() is O(log^2(n)). This is small compared to the cost |
656 | | * O(log^4(n)) of Tonelli-Shanks. |
657 | | */ |
658 | | |
659 | 3.81k | if ((kronecker = BN_kronecker(a_mod_p, p, ctx)) == -2) |
660 | 0 | goto err; |
661 | 3.81k | if (kronecker <= 0) { |
662 | | /* This error is only accurate if p is known to be a prime. */ |
663 | 882 | BNerror(BN_R_NOT_A_SQUARE); |
664 | 882 | goto err; |
665 | 882 | } |
666 | | |
667 | 2.93k | lsw = BN_lsw(p); |
668 | | |
669 | 2.93k | if (lsw % 4 == 3) { |
670 | 1.32k | if (!bn_mod_sqrt_p_is_3_mod_4(sqrt, a_mod_p, p, ctx)) |
671 | 0 | goto err; |
672 | 1.60k | } else if (lsw % 8 == 5) { |
673 | 567 | if (!bn_mod_sqrt_p_is_5_mod_8(sqrt, a_mod_p, p, ctx)) |
674 | 0 | goto err; |
675 | 1.04k | } else if (lsw % 8 == 1) { |
676 | 1.04k | if (!bn_mod_sqrt_p_is_1_mod_8(sqrt, a_mod_p, p, ctx)) |
677 | 203 | goto err; |
678 | 1.04k | } else { |
679 | | /* Impossible to hit since the trivial cases ensure p is odd. */ |
680 | 0 | BNerror(BN_R_P_IS_NOT_PRIME); |
681 | 0 | goto err; |
682 | 0 | } |
683 | | |
684 | 2.72k | if (!bn_mod_sqrt_normalize(sqrt, p, ctx)) |
685 | 0 | goto err; |
686 | | |
687 | 2.74k | verify: |
688 | 2.74k | if (!bn_mod_sqrt_verify(a_mod_p, sqrt, p, ctx)) |
689 | 381 | goto err; |
690 | | |
691 | 2.36k | if (!bn_copy(out_sqrt, sqrt)) |
692 | 0 | goto err; |
693 | | |
694 | 2.36k | ret = 1; |
695 | | |
696 | 3.83k | err: |
697 | 3.83k | BN_CTX_end(ctx); |
698 | | |
699 | 3.83k | return ret; |
700 | 2.36k | } |
701 | | |
702 | | BIGNUM * |
703 | | BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) |
704 | 3.83k | { |
705 | 3.83k | BIGNUM *out_sqrt; |
706 | | |
707 | 3.83k | if ((out_sqrt = in) == NULL) |
708 | 0 | out_sqrt = BN_new(); |
709 | 3.83k | if (out_sqrt == NULL) |
710 | 0 | goto err; |
711 | | |
712 | 3.83k | if (!bn_mod_sqrt_internal(out_sqrt, a, p, ctx)) |
713 | 1.46k | goto err; |
714 | | |
715 | 2.36k | return out_sqrt; |
716 | | |
717 | 1.46k | err: |
718 | 1.46k | if (out_sqrt != in) |
719 | 0 | BN_free(out_sqrt); |
720 | | |
721 | 1.46k | return NULL; |
722 | 3.83k | } |
723 | | LCRYPTO_ALIAS(BN_mod_sqrt); |