(_nettle_generate_pocklington_prime): New

function. Rely on mpz_probab_prime_p (for lack of a trial division function) for trial division. (nettle_random_prime): Rewritten. Uses the prime table for the smallest sizes, then trial division using a new set of tables, and then Maurer's algorithm, calling the new _nettle_generate_pocklington_prime for the final search. Rev: nettle/ChangeLog:1.80 Rev: nettle/bignum-random-prime.c:1.4 Rev: nettle/bignum.h:1.5
author: Niels Möller <nisse@lysator.liu.se> 2010-05-26 16:03:33 +0200
committer: Niels Möller <nisse@lysator.liu.se> 2010-05-26 16:03:33 +0200
commit: 6ce825c75b43b58febee7c70f45509fde389d9d9 (patch)
tree: 226be5d9b99a7f6da1175f28f35f0ff14a9dc954 /bignum-random-prime.c
parent: 7c49b0dc61ca2af55a0d465dbbfdb165f2105a62 (diff)
download: nettle-6ce825c75b43b58febee7c70f45509fde389d9d9.tar.gz
1 files changed, 212 insertions, 149 deletions
diff --git a/bignum-random-prime.c b/bignum-random-prime.c
index 601590ae..1fa7ee4a 100644
--- a/bignum-random-prime.c
+++ b/bignum-random-prime.c
@@ -45,73 +45,126 @@
 
 #include "macros.h"
 
-/* Use a table of p_2 = 3 to p_{172} = 1021, multiplied to 32-bit or
-   64-bit size. */
-
-struct sieve_element {
-  /* Product of some small primes. */
-  unsigned long prod;
-  /* Square of the smallest one. */
-  unsigned long p2;
+/* Use a table of p_2 = 3 to p_{172} = 1021, used for sieving numbers
+   of up to 20 bits. */
+
+#define NPRIMES 171
+#define TRIAL_DIV_BITS 20
+#define TRIAL_DIV_MASK ((1 << TRIAL_DIV_BITS) - 1)
+
+/* A 20-bit number x is divisible by p iff
+
+     ((x * inverse) & TRIAL_DIV_MASK) <= limit
+*/
+struct trial_div_info {
+  uint32_t inverse; /* p^{-1} (mod 2^20) */
+  uint32_t limit;   /* floor( (2^20 - 1) / p) */
+};
+
+static const uint16_t
+primes[NPRIMES] = {
+  3,5,7,11,13,17,19,23,
+  29,31,37,41,43,47,53,59,
+  61,67,71,73,79,83,89,97,
+  101,103,107,109,113,127,131,137,
+  139,149,151,157,163,167,173,179,
+  181,191,193,197,199,211,223,227,
+  229,233,239,241,251,257,263,269,
+  271,277,281,283,293,307,311,313,
+  317,331,337,347,349,353,359,367,
+  373,379,383,389,397,401,409,419,
+  421,431,433,439,443,449,457,461,
+  463,467,479,487,491,499,503,509,
+  521,523,541,547,557,563,569,571,
+  577,587,593,599,601,607,613,617,
+  619,631,641,643,647,653,659,661,
+  673,677,683,691,701,709,719,727,
+  733,739,743,751,757,761,769,773,
+  787,797,809,811,821,823,827,829,
+  839,853,857,859,863,877,881,883,
+  887,907,911,919,929,937,941,947,
+  953,967,971,977,983,991,997,1009,
+  1013,1019,1021,
+};
+
+static const uint32_t
+prime_square[NPRIMES+1] = {
+  9,25,49,121,169,289,361,529,
+  841,961,1369,1681,1849,2209,2809,3481,
+  3721,4489,5041,5329,6241,6889,7921,9409,
+  10201,10609,11449,11881,12769,16129,17161,18769,
+  19321,22201,22801,24649,26569,27889,29929,32041,
+  32761,36481,37249,38809,39601,44521,49729,51529,
+  52441,54289,57121,58081,63001,66049,69169,72361,
+  73441,76729,78961,80089,85849,94249,96721,97969,
+  100489,109561,113569,120409,121801,124609,128881,134689,
+  139129,143641,146689,151321,157609,160801,167281,175561,
+  177241,185761,187489,192721,196249,201601,208849,212521,
+  214369,218089,229441,237169,241081,249001,253009,259081,
+  271441,273529,292681,299209,310249,316969,323761,326041,
+  332929,344569,351649,358801,361201,368449,375769,380689,
+  383161,398161,410881,413449,418609,426409,434281,436921,
+  452929,458329,466489,477481,491401,502681,516961,528529,
+  537289,546121,552049,564001,573049,579121,591361,597529,
+  619369,635209,654481,657721,674041,677329,683929,687241,
+  703921,727609,734449,737881,744769,769129,776161,779689,
+  786769,822649,829921,844561,863041,877969,885481,896809,
+  908209,935089,942841,954529,966289,982081,994009,1018081,
+  1026169,1038361,1042441,1L<<20
 };
 
-static const struct sieve_element
-sieve_table[] = {
-  {111546435, 9}, /* 3 -- 23 */
-  {58642669, 841}, /* 29 -- 43 */
-  {600662303, 2209}, /* 47 -- 67 */
-  {33984931, 5041}, /* 71 -- 83 */
-  {89809099, 7921}, /* 89 -- 103 */
-  {167375713, 11449}, /* 107 -- 127 */
-  {371700317, 17161}, /* 131 -- 149 */
-  {645328247, 22801}, /* 151 -- 167 */
-  {1070560157, 29929}, /* 173 -- 191 */
-  {1596463769, 37249}, /* 193 -- 211 */
-  {11592209, 49729}, /* 223 -- 229 */
-  {13420567, 54289}, /* 233 -- 241 */
-  {16965341, 63001}, /* 251 -- 263 */
-  {20193023, 72361}, /* 269 -- 277 */
-  {23300239, 78961}, /* 281 -- 293 */
-  {29884301, 94249}, /* 307 -- 313 */
-  {35360399, 100489}, /* 317 -- 337 */
-  {42749359, 120409}, /* 347 -- 353 */
-  {49143869, 128881}, /* 359 -- 373 */
-  {56466073, 143641}, /* 379 -- 389 */
-  {65111573, 157609}, /* 397 -- 409 */
-  {76027969, 175561}, /* 419 -- 431 */
-  {84208541, 187489}, /* 433 -- 443 */
-  {94593973, 201601}, /* 449 -- 461 */
-  {103569859, 214369}, /* 463 -- 479 */
-  {119319383, 237169}, /* 487 -- 499 */
-  {133390067, 253009}, /* 503 -- 521 */
-  {154769821, 273529}, /* 523 -- 547 */
-  {178433279, 310249}, /* 557 -- 569 */
-  {193397129, 326041}, /* 571 -- 587 */
-  {213479407, 351649}, /* 593 -- 601 */
-  {229580147, 368449}, /* 607 -- 617 */
-  {250367549, 383161}, /* 619 -- 641 */
-  {271661713, 413449}, /* 643 -- 653 */
-  {293158127, 434281}, /* 659 -- 673 */
-  {319512181, 458329}, /* 677 -- 691 */
-  {357349471, 491401}, /* 701 -- 719 */
-  {393806449, 528529}, /* 727 -- 739 */
-  {422400701, 552049}, /* 743 -- 757 */
-  {452366557, 579121}, /* 761 -- 773 */
-  {507436351, 619369}, /* 787 -- 809 */
-  {547978913, 657721}, /* 811 -- 823 */
-  {575204137, 683929}, /* 827 -- 839 */
-  {627947039, 727609}, /* 853 -- 859 */
-  {666785731, 744769}, /* 863 -- 881 */
-  {710381447, 779689}, /* 883 -- 907 */
-  {777767161, 829921}, /* 911 -- 929 */
-  {834985999, 877969}, /* 937 -- 947 */
-  {894826021, 908209}, /* 953 -- 971 */
-  {951747481, 954529}, /* 977 -- 991 */
-  {1019050649, 994009}, /* 997 -- 1013 */
-  {1040399, 1038361}, /* 1019 -- 1021 */
+static const struct trial_div_info
+trial_div_table[NPRIMES] = {
+  {699051,349525},{838861,209715},{748983,149796},{953251,95325},
+  {806597,80659},{61681,61680},{772635,55188},{866215,45590},
+  {180789,36157},{1014751,33825},{793517,28339},{1023001,25575},
+  {48771,24385},{870095,22310},{217629,19784},{710899,17772},
+  {825109,17189},{281707,15650},{502135,14768},{258553,14364},
+  {464559,13273},{934875,12633},{1001449,11781},{172961,10810},
+  {176493,10381},{203607,10180},{568387,9799},{788837,9619},
+  {770193,9279},{1032063,8256},{544299,8004},{619961,7653},
+  {550691,7543},{182973,7037},{229159,6944},{427445,6678},
+  {701195,6432},{370455,6278},{90917,6061},{175739,5857},
+  {585117,5793},{225087,5489},{298817,5433},{228877,5322},
+  {442615,5269},{546651,4969},{244511,4702},{83147,4619},
+  {769261,4578},{841561,4500},{732687,4387},{978961,4350},
+  {133683,4177},{65281,4080},{629943,3986},{374213,3898},
+  {708079,3869},{280125,3785},{641833,3731},{618771,3705},
+  {930477,3578},{778747,3415},{623751,3371},{40201,3350},
+  {122389,3307},{950371,3167},{1042353,3111},{18131,3021},
+  {285429,3004},{549537,2970},{166487,2920},{294287,2857},
+  {919261,2811},{636339,2766},{900735,2737},{118605,2695},
+  {10565,2641},{188273,2614},{115369,2563},{735755,2502},
+  {458285,2490},{914767,2432},{370513,2421},{1027079,2388},
+  {629619,2366},{462401,2335},{649337,2294},{316165,2274},
+  {484655,2264},{65115,2245},{326175,2189},{1016279,2153},
+  {990915,2135},{556859,2101},{462791,2084},{844629,2060},
+  {404537,2012},{457123,2004},{577589,1938},{638347,1916},
+  {892325,1882},{182523,1862},{1002505,1842},{624371,1836},
+  {69057,1817},{210787,1786},{558769,1768},{395623,1750},
+  {992745,1744},{317855,1727},{384877,1710},{372185,1699},
+  {105027,1693},{423751,1661},{408961,1635},{908331,1630},
+  {74551,1620},{36933,1605},{617371,1591},{506045,1586},
+  {24929,1558},{529709,1548},{1042435,1535},{31867,1517},
+  {166037,1495},{928781,1478},{508975,1458},{4327,1442},
+  {779637,1430},{742091,1418},{258263,1411},{879631,1396},
+  {72029,1385},{728905,1377},{589057,1363},{348621,1356},
+  {671515,1332},{710453,1315},{84249,1296},{959363,1292},
+  {685853,1277},{467591,1274},{646643,1267},{683029,1264},
+  {439927,1249},{254461,1229},{660713,1223},{554195,1220},
+  {202911,1215},{753253,1195},{941457,1190},{776635,1187},
+  {509511,1182},{986147,1156},{768879,1151},{699431,1140},
+  {696417,1128},{86169,1119},{808997,1114},{25467,1107},
+  {201353,1100},{708087,1084},{1018339,1079},{341297,1073},
+  {434151,1066},{96287,1058},{950765,1051},{298257,1039},
+  {675933,1035},{167731,1029},{815445,1027},
 };
 
-#define SIEVE_SIZE (sizeof(sieve_table) / sizeof(sieve_table[0]))
+/* Element j gives the index of the first prime of size 3+j bits */
+static uint8_t
+prime_by_size[9] = {
+  1,3,5,10,17,30,53,96,171
+};
 
 /* Combined Miller-Rabin test to the base a, and checking the
    conditions from Pocklington's theorem. */
@@ -176,19 +229,14 @@ miller_rabin_pocklington(mpz_t n, mpz_t nm1, mpz_t nm1dq, mpz_t a)
   return is_prime;
 }
 
-/* Generate random prime of a given size. Maurer's algorithm (Alg.
-   6.42 Handbook of applied cryptography), but with ratio = 1/2 (like
-   the variant in fips186-3). FIXME: Force primes to start with two
-   one bits? */
-
 /* The algorithm is based on the following special case of
    Pocklington's theorem:
 
-   Assume that n = 1 + r q, where q is a prime, q > sqrt(n) - 1. If we
+   Assume that n = 1 + f q, where q is a prime, q > sqrt(n) - 1. If we
    can find an a such that
 
      a^{n-1} = 1 (mod n)
-     gcd(a^r - 1, n) = 1
+     gcd(a^f - 1, n) = 1
 
    then n is prime.
 
@@ -203,42 +251,98 @@ miller_rabin_pocklington(mpz_t n, mpz_t nm1, mpz_t nm1dq, mpz_t a)
 
    If n is specified as k bits, we need q of size ceil(k/2) + 1 bits
    (or more) to make the theorem apply.
- */
+*/
+
+/* Generate a prime number p of size bits with 2 p0q dividing (p-1).
+   p0 must be of size >= ceil(bits/2) + 1. The extra factor q can be
+   omitted. */
 void
-nettle_random_prime(mpz_t p, unsigned bits,
-		    void *ctx, nettle_random_func random)
+_nettle_generate_pocklington_prime (mpz_t p, unsigned bits,
+				    void *ctx, nettle_random_func random, 
+				    const mpz_t p0,
+				    const mpz_t q,
+				    const mpz_t p0q)
 {
-  assert (bits >= 6);
-  if (bits < 20)
+  mpz_t i, r, pm1,a;
+  
+  assert (2*mpz_sizeinbase (p0, 2) > bits + 1);
+
+  mpz_init (i);
+  mpz_init (r);
+  mpz_init (pm1);
+  mpz_init (a);
+
+  /* i = floor (2^{bits-2} / p0q) */
+  mpz_init_set_ui (i, 1);
+  mpz_mul_2exp (i, i, bits-2);
+  mpz_fdiv_q (i, i, p0q);
+
+  for (;;)
     {
-      unsigned long highbit;
-      uint8_t buf[3];
-      unsigned long x;
-      unsigned j;
+      uint8_t buf[1];
 
-      /* Small cases:
+      /* Generate r in the range i + 1 <= r <= 2*i */
+      nettle_mpz_random (r, ctx, random, i);
+      mpz_add (r, r, i);
+      mpz_add_ui (r, r, 1);
 
-	 3 bits: 5 or 7
-	 4 bits: 11, 13, 15
-	 5 bits: 17, 19, 23, 29, 31
+      /* Set p = 2*r*p0q + 1 */
+      mpz_mul_2exp(r, r, 1);
+      mpz_mul (pm1, r, p0q);
+      mpz_add_ui (p, pm1, 1);
 
-	 With 3 bits, no sieving is done, since candidates are smaller
-	 than 3^2 = 9 (and this is ok; all odd 3-bit numbers are
-	 prime).
+      assert(mpz_sizeinbase(p, 2) == bits);
+
+      /* Should use GMP trial division interface when that
+	 materializes, we don't need any testing beyond trial
+	 division. */
+      if (!mpz_probab_prime_p (p, 1))
+	continue;
+
+      random(ctx, sizeof(buf), buf);
+	  
+      mpz_set_ui (a, buf[0] + 2);
+
+      if (q)
+	mpz_mul (r, r, q);
+      
+      if (miller_rabin_pocklington(p, pm1, r, a))
+	break;
+    }
+  mpz_clear (i);
+  mpz_clear (r);
+  mpz_clear (pm1);
+  mpz_clear (a);
+}
 
-	 With 4 bits, sieving with the first value, 3*5*...*23 doesn't
-	 work, since this includes the primes 11 and 13 in the
-	 interval. Of the odd numbers in the interval, 9, 11, 13, 15,
-	 only the factors of three need be discarded.
+/* Generate random prime of a given size. Maurer's algorithm (Alg.
+   6.42 Handbook of applied cryptography), but with ratio = 1/2 (like
+   the variant in fips186-3). FIXME: Force primes to start with two
+   one bits? */
+void
+nettle_random_prime(mpz_t p, unsigned bits,
+		    void *ctx, nettle_random_func random)
+{
+  assert (bits >= 3);
+  if (bits <= 10)
+    {
+      unsigned first;
+      unsigned choices;
+      uint8_t buf;
 
-	 With 5 bits, we still sieve with only the first value, which
-	 includes three of the primes in the interval. Of the odd
-	 numbers in the interval, 17, 19, (21), 23, (25), (27), 29,
-	 31, we need to discard multiples of 3 and 5 only.
+      random (ctx, sizeof(buf), &buf);
 
-	 With 6 bits, we sieve with only the first value (since 63 <
-	 29^2), and there's no problem.
-       */
+      first = prime_by_size[bits-3];
+      choices = prime_by_size[bits-2] - first;
+      
+      mpz_set_ui (p, primes[first + buf % choices]);
+    }
+  else if (bits <= 20)
+    {
+      unsigned long highbit;
+      uint8_t buf[3];
+      unsigned long x;
+      unsigned j;
       
       highbit = 1L << (bits - 1);
 
@@ -248,69 +352,28 @@ nettle_random_prime(mpz_t p, unsigned bits,
       x &= (highbit - 1);
       x |= highbit | 1;
 
-      mpz_set_ui (p, x);      
-      for (j = 0; j < SIEVE_SIZE && x >= sieve_table[j].p2; j++)
-	if (mpz_gcd_ui (NULL, p, sieve_table[j].prod) != 1)
-	  goto again;
+      for (j = 0; prime_square[j] <= x; j++)
+	{
+	  unsigned q = x * trial_div_table[j].inverse & TRIAL_DIV_MASK;
+	  if (q <= trial_div_table[j].limit)
+	    goto again;
+	}
+      mpz_set_ui (p, x);
     }
   else
     {
-      mpz_t q, r, nm1, t, a, i;
-      unsigned j;
+      mpz_t q;
 
       mpz_init (q);
-      mpz_init (r);
-      mpz_init (nm1);
-      mpz_init (t);
-      mpz_init (a);
-      mpz_init (i);
 
      /* Bit size ceil(k/2) + 1, slightly larger than used in Alg. 4.62
 	in Handbook of Applied Cryptography (which seems to be
 	incorrect for odd k). */
       nettle_random_prime (q, (bits+3)/2, ctx, random);
 
-      /* i = floor (2^{bits-2} / q) */
-      mpz_init_set_ui (i, 1);
-      mpz_mul_2exp (i, i, bits-2);
-      mpz_fdiv_q (i, i, q);
-
-      for (;;)
-	{
-	  uint8_t buf[1];
-
-	  /* Generate r in the range i + 1 <= r <= 2*i */
-	  nettle_mpz_random (r, ctx, random, i);
-	  mpz_add (r, r, i);
-	  mpz_add_ui (r, r, 1);
-
-	  /* Set p = 2*r*q + 1 */
-	  mpz_mul_2exp(r, r, 1);
-	  mpz_mul (nm1, r, q);
-	  mpz_add_ui (p, nm1, 1);
-
-	  assert(mpz_sizeinbase(p, 2) == bits);
-
-	  for (j = 0; j < SIEVE_SIZE; j++)
-	    {
-	      if (mpz_gcd_ui (NULL, p, sieve_table[j].prod) != 1)
-		goto composite;
-	    }
-
-	  random(ctx, sizeof(buf), buf);
-	  
-	  mpz_set_ui (a, buf[0] + 2);
-
-	  if (miller_rabin_pocklington(p, nm1, r, a))
-	    break;
-	composite:
-	  ;
-	}
+      _nettle_generate_pocklington_prime (p, bits, ctx, random,
+					  q, NULL, q);
+      
       mpz_clear (q);
-      mpz_clear (r);
-      mpz_clear (nm1);
-      mpz_clear (t);
-      mpz_clear (a);
-      mpz_clear (i);
     }
 }
author	Niels Möller <nisse@lysator.liu.se>	2010-05-26 16:03:33 +0200
committer	Niels Möller <nisse@lysator.liu.se>	2010-05-26 16:03:33 +0200
commit	6ce825c75b43b58febee7c70f45509fde389d9d9 (patch)
tree	226be5d9b99a7f6da1175f28f35f0ff14a9dc954 /bignum-random-prime.c
parent	7c49b0dc61ca2af55a0d465dbbfdb165f2105a62 (diff)
download	nettle-6ce825c75b43b58febee7c70f45509fde389d9d9.tar.gz