2020-02-23 14:08:57 +00:00
|
|
|
/*
|
|
|
|
|
* sshkeygen.h: routines used internally to key generation.
|
|
|
|
|
*/
|
|
|
|
|
|
2020-02-23 14:30:03 +00:00
|
|
|
/* ----------------------------------------------------------------------
|
2020-02-23 14:08:57 +00:00
|
|
|
* A table of all the primes that fit in a 16-bit integer. Call
|
|
|
|
|
* init_primes_array to make sure it's been initialised.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#define NSMALLPRIMES 6542 /* number of primes < 65536 */
|
|
|
|
|
extern const unsigned short *const smallprimes;
|
|
|
|
|
void init_smallprimes(void);
|
2020-02-23 14:30:03 +00:00
|
|
|
|
|
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* A system for making up random candidate integers during prime
|
|
|
|
|
* generation. This unconditionally ensures that the numbers have the
|
|
|
|
|
* right number of bits and are not divisible by any prime in the
|
|
|
|
|
* smallprimes[] array above. It can also impose further constraints,
|
|
|
|
|
* as documented below.
|
|
|
|
|
*/
|
|
|
|
|
typedef struct PrimeCandidateSource PrimeCandidateSource;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* pcs_new: you say how many bits you want the prime to have (with the
|
|
|
|
|
* usual semantics that an n-bit number is in the range [2^{n-1},2^n))
|
2020-02-24 19:09:08 +00:00
|
|
|
* and also optionally specify what you want its topmost 'nfirst' bits
|
|
|
|
|
* to be.
|
2020-02-23 14:30:03 +00:00
|
|
|
*
|
|
|
|
|
* (The 'first' system is used for RSA keys, where you need to arrange
|
|
|
|
|
* that the product of your two primes is in a more tightly
|
|
|
|
|
* constrained range than the factor of 4 you'd get by just generating
|
2020-02-24 19:09:08 +00:00
|
|
|
* two (n/2)-bit primes and multiplying them.)
|
2020-02-23 14:30:03 +00:00
|
|
|
*/
|
2020-02-24 19:09:08 +00:00
|
|
|
PrimeCandidateSource *pcs_new(unsigned bits);
|
|
|
|
|
PrimeCandidateSource *pcs_new_with_firstbits(unsigned bits,
|
|
|
|
|
unsigned first, unsigned nfirst);
|
2020-02-23 14:30:03 +00:00
|
|
|
|
|
|
|
|
/* Insist that generated numbers must be congruent to 'res' mod 'mod' */
|
|
|
|
|
void pcs_require_residue(PrimeCandidateSource *s, mp_int *mod, mp_int *res);
|
|
|
|
|
|
|
|
|
|
/* Convenience wrapper for the common case where res = 1 */
|
|
|
|
|
void pcs_require_residue_1(PrimeCandidateSource *s, mp_int *mod);
|
|
|
|
|
|
2020-02-29 06:33:26 +00:00
|
|
|
/* Same as pcs_require_residue_1, but also records that the modulus is
|
|
|
|
|
* known to be prime */
|
|
|
|
|
void pcs_require_residue_1_mod_prime(PrimeCandidateSource *s, mp_int *mod);
|
|
|
|
|
|
2020-02-23 14:30:03 +00:00
|
|
|
/* Insist that generated numbers must _not_ be congruent to 'res' mod
|
|
|
|
|
* 'mod'. This is used to avoid being 1 mod the RSA public exponent,
|
|
|
|
|
* which is small, so it only needs ordinary integer parameters. */
|
|
|
|
|
void pcs_avoid_residue_small(PrimeCandidateSource *s,
|
|
|
|
|
unsigned mod, unsigned res);
|
|
|
|
|
|
2020-02-29 06:46:13 +00:00
|
|
|
/* Exclude any prime that has no chance of being a Sophie Germain prime. */
|
|
|
|
|
void pcs_try_sophie_germain(PrimeCandidateSource *s);
|
|
|
|
|
|
PrimeCandidateSource: add one-shot mode.
If you want to generate a Sophie Germain / safe prime pair with this
code, then after you've made p, you need to test the primality of
2p+1.
The easiest way to do that is to make a PrimeCandidateSource that is
so constrained as to only be able to deliver 2p+1 as a candidate, and
then run the ordinary prime generation system. The problem is that the
prime generation loops forever, so if 2p+1 _isn't_ prime, it will just
keep testing the same number over and over again and failing the test.
To solve this, I add a 'one-shot mode' to the PrimeCandidateSource
itself, which will cause it to return NULL if asked to generate a
second candidate. Then the prime-generation loops all detect that and
return NULL in turn. However, for clients that _don't_ set a pcs into
one-shot mode, the API remains unchanged: pcs_generate will not return
until it's found a prime (by its own criteria).
This feels like a bit of a bodge, API-wise. But the other two obvious
approaches turn out more awkward.
One option is to extract the Pockle from the PrimeGenerationContext
and use that to directly test primality of 2p+1 based on p - but that
way you don't get to _probabilistically_ generate safe primes, because
that kind of PGC has no Pockle in the first place. (And you can't make
one separately, because you can't convince it that an only
probabilistically generated p is prime!)
Another option is to add a test() method to PrimeGenerationPolicy,
that sits alongside generate(). Then, having generated p, you just
_test_ 2p+1. But then in the provable case you have to explain to it
that it should use p as part of the proof, so that API would get
awkward in its own way.
So this is actually the least disruptive way to do it!
2020-02-29 06:47:12 +00:00
|
|
|
/* Mark a PrimeCandidateSource as one-shot, so that the prime generation
|
|
|
|
|
* function will return NULL if an attempt fails, rather than looping. */
|
|
|
|
|
void pcs_set_oneshot(PrimeCandidateSource *s);
|
|
|
|
|
|
2020-02-23 14:30:03 +00:00
|
|
|
/* Prepare a PrimeCandidateSource to actually generate numbers. This
|
|
|
|
|
* function does last-minute computation that has to be delayed until
|
|
|
|
|
* all constraints have been input. */
|
|
|
|
|
void pcs_ready(PrimeCandidateSource *s);
|
|
|
|
|
|
|
|
|
|
/* Actually generate a candidate integer. You must free the result, of
|
|
|
|
|
* course. */
|
|
|
|
|
mp_int *pcs_generate(PrimeCandidateSource *s);
|
|
|
|
|
|
|
|
|
|
/* Free a PrimeCandidateSource. */
|
|
|
|
|
void pcs_free(PrimeCandidateSource *s);
|
|
|
|
|
|
|
|
|
|
/* Return some internal fields of the PCS. Used by testcrypt for
|
|
|
|
|
* unit-testing this system. */
|
|
|
|
|
void pcs_inspect(PrimeCandidateSource *pcs, mp_int **limit_out,
|
|
|
|
|
mp_int **factor_out, mp_int **addend_out);
|
2020-02-24 19:09:08 +00:00
|
|
|
|
|
|
|
|
/* Query functions for primegen to use */
|
|
|
|
|
unsigned pcs_get_bits(PrimeCandidateSource *pcs);
|
2020-02-29 06:47:56 +00:00
|
|
|
unsigned pcs_get_bits_remaining(PrimeCandidateSource *pcs);
|
|
|
|
|
mp_int *pcs_get_upper_bound(PrimeCandidateSource *pcs);
|
2020-02-29 06:33:26 +00:00
|
|
|
mp_int **pcs_get_known_prime_factors(PrimeCandidateSource *pcs, size_t *nout);
|
2020-02-24 19:09:08 +00:00
|
|
|
|
2020-02-29 16:44:56 +00:00
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* A system for doing Miller-Rabin probabilistic primality tests.
|
|
|
|
|
* These benefit from having set up some context beforehand, if you're
|
|
|
|
|
* going to do more than one of them on the same candidate prime, so
|
|
|
|
|
* we declare an object type here to store that context.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
typedef struct MillerRabin MillerRabin;
|
|
|
|
|
|
|
|
|
|
/* Make and free a Miller-Rabin context. */
|
|
|
|
|
MillerRabin *miller_rabin_new(mp_int *p);
|
|
|
|
|
void miller_rabin_free(MillerRabin *mr);
|
|
|
|
|
|
|
|
|
|
/* Perform a single Miller-Rabin test, using a random witness value. */
|
|
|
|
|
bool miller_rabin_test_random(MillerRabin *mr);
|
|
|
|
|
|
|
|
|
|
/* Suggest how many tests are needed to make it sufficiently unlikely
|
|
|
|
|
* that a composite number will pass them all */
|
|
|
|
|
unsigned miller_rabin_checks_needed(unsigned bits);
|
|
|
|
|
|
|
|
|
|
/* An extension to the M-R test, which iterates until it either finds
|
|
|
|
|
* a witness value that is potentially a primitive root, or one
|
|
|
|
|
* that proves the number to be composite. */
|
|
|
|
|
mp_int *miller_rabin_find_potential_primitive_root(MillerRabin *mr);
|
|
|
|
|
|
2020-02-23 15:16:30 +00:00
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* A system for proving numbers to be prime, using the Pocklington
|
|
|
|
|
* test, which requires knowing a partial factorisation of p-1
|
|
|
|
|
* (specifically, factors whose product is at least cbrt(p)) and a
|
|
|
|
|
* primitive root.
|
|
|
|
|
*
|
|
|
|
|
* The API consists of instantiating a 'Pockle' object, which
|
|
|
|
|
* internally stores a list of numbers you've already convinced it is
|
|
|
|
|
* prime, and can accept further primes if you give a satisfactory
|
|
|
|
|
* certificate of their primality based on primes it already knows
|
|
|
|
|
* about.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
typedef struct Pockle Pockle;
|
|
|
|
|
|
|
|
|
|
/* In real use, you only really need to know whether the Pockle
|
|
|
|
|
* successfully accepted your prime. But for testcrypt, it's useful to
|
|
|
|
|
* expose many different failure modes so we can try to provoke them
|
|
|
|
|
* all in unit tests and check they're working. */
|
|
|
|
|
#define POCKLE_STATUSES(X) \
|
|
|
|
|
X(POCKLE_OK) \
|
|
|
|
|
X(POCKLE_SMALL_PRIME_NOT_SMALL) \
|
|
|
|
|
X(POCKLE_SMALL_PRIME_NOT_PRIME) \
|
|
|
|
|
X(POCKLE_PRIME_SMALLER_THAN_2) \
|
|
|
|
|
X(POCKLE_FACTOR_NOT_KNOWN_PRIME) \
|
|
|
|
|
X(POCKLE_FACTOR_NOT_A_FACTOR) \
|
|
|
|
|
X(POCKLE_PRODUCT_OF_FACTORS_TOO_SMALL) \
|
|
|
|
|
X(POCKLE_FERMAT_TEST_FAILED) \
|
|
|
|
|
X(POCKLE_DISCRIMINANT_IS_SQUARE) \
|
|
|
|
|
X(POCKLE_WITNESS_POWER_IS_1) \
|
|
|
|
|
X(POCKLE_WITNESS_POWER_NOT_COPRIME) \
|
|
|
|
|
/* end of list */
|
|
|
|
|
|
|
|
|
|
#define DEFINE_ENUM(id) id,
|
|
|
|
|
typedef enum PockleStatus { POCKLE_STATUSES(DEFINE_ENUM) } PockleStatus;
|
|
|
|
|
#undef DEFINE_ENUM
|
|
|
|
|
|
|
|
|
|
/* Make a new empty Pockle, containing no primes. */
|
|
|
|
|
Pockle *pockle_new(void);
|
|
|
|
|
|
|
|
|
|
/* Insert a prime below 2^32 into the Pockle. No evidence is required:
|
|
|
|
|
* Pockle will check it itself. */
|
|
|
|
|
PockleStatus pockle_add_small_prime(Pockle *pockle, mp_int *p);
|
|
|
|
|
|
|
|
|
|
/* Insert a general prime into the Pockle. You must provide a list of
|
|
|
|
|
* prime factors of p-1, whose product exceeds the cube root of p, and
|
|
|
|
|
* also a primitive root mod p. */
|
|
|
|
|
PockleStatus pockle_add_prime(Pockle *pockle, mp_int *p,
|
|
|
|
|
mp_int **factors, size_t nfactors,
|
|
|
|
|
mp_int *primitive_root);
|
|
|
|
|
|
|
|
|
|
/* If you call pockle_mark, and later pass the returned value to
|
|
|
|
|
* pockle_release, it will free all the primes that were added to the
|
|
|
|
|
* Pockle between those two calls. Useful in recursive algorithms, to
|
|
|
|
|
* stop the Pockle growing unboundedly if the recursion keeps having
|
|
|
|
|
* to backtrack. */
|
|
|
|
|
size_t pockle_mark(Pockle *pockle);
|
|
|
|
|
void pockle_release(Pockle *pockle, size_t mark);
|
|
|
|
|
|
|
|
|
|
/* Free a Pockle. */
|
|
|
|
|
void pockle_free(Pockle *pockle);
|
|
|
|
|
|
Generate MPU certificates for proven primes.
Conveniently checkable certificates of primality aren't a new concept.
I didn't invent them, and I wasn't the first to implement them. Given
that, I thought it might be useful to be able to independently verify
a prime generated by PuTTY's provable prime system. Then, even if you
don't trust _this_ code, you might still trust someone else's
verifier, or at least be less willing to believe that both were
colluding.
The Perl module Math::Prime::Util is the only free software I've found
that defines a specific text-file format for certificates of
primality. The MPU format (as it calls it) supports various different
methods of certifying the primality of a number (most of which, like
Pockle's, depend on having previously proved some smaller number(s) to
be prime). The system implemented by Pockle is on its list: MPU calls
it by the name "BLS5".
So this commit introduces extra stored data inside Pockle so that it
remembers not just _that_ it believes certain numbers to be prime, but
also _why_ it believed each one to be prime. Then there's an extra
method in the Pockle API to translate its internal data structures
into the text of an MPU certificate for any number it knows about.
Math::Prime::Util doesn't come with a command-line verification tool,
unfortunately; only a Perl function which you feed a string argument.
So also in this commit I add test/mpu-check.pl, which is a trivial
command-line client of that function.
At the moment, this new piece of API is only exposed via testcrypt. I
could easily put some user interface into the key generation tools
that would save a few primality certificates alongside the private
key, but I have yet to think of any good reason to do it. Mostly this
facility is intended for debugging and cross-checking of the
_algorithm_, not of any particular prime.
2020-02-29 06:44:13 +00:00
|
|
|
/* Generate a certificate of primality for a prime already known to
|
|
|
|
|
* the Pockle, in a format acceptable to Math::Prime::Util. */
|
|
|
|
|
strbuf *pockle_mpu(Pockle *pockle, mp_int *p);
|
|
|
|
|
|
2020-02-23 15:29:40 +00:00
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* Callback API that allows key generation to report progress to its
|
|
|
|
|
* caller.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
typedef struct ProgressReceiverVtable ProgressReceiverVtable;
|
|
|
|
|
typedef struct ProgressReceiver ProgressReceiver;
|
|
|
|
|
typedef union ProgressPhase ProgressPhase;
|
|
|
|
|
|
|
|
|
|
union ProgressPhase {
|
|
|
|
|
int n;
|
|
|
|
|
void *p;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct ProgressReceiver {
|
|
|
|
|
const ProgressReceiverVtable *vt;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct ProgressReceiverVtable {
|
2020-02-29 17:11:01 +00:00
|
|
|
ProgressPhase (*add_linear)(ProgressReceiver *prog, double overall_cost);
|
2020-02-23 15:29:40 +00:00
|
|
|
ProgressPhase (*add_probabilistic)(ProgressReceiver *prog,
|
|
|
|
|
double cost_per_attempt,
|
|
|
|
|
double attempt_probability);
|
|
|
|
|
void (*ready)(ProgressReceiver *prog);
|
|
|
|
|
void (*start_phase)(ProgressReceiver *prog, ProgressPhase phase);
|
2020-02-29 17:11:01 +00:00
|
|
|
void (*report)(ProgressReceiver *prog, double progress);
|
2020-02-23 15:29:40 +00:00
|
|
|
void (*report_attempt)(ProgressReceiver *prog);
|
|
|
|
|
void (*report_phase_complete)(ProgressReceiver *prog);
|
|
|
|
|
};
|
|
|
|
|
|
2020-02-29 17:11:01 +00:00
|
|
|
static inline ProgressPhase progress_add_linear(ProgressReceiver *prog,
|
|
|
|
|
double c)
|
|
|
|
|
{ return prog->vt->add_linear(prog, c); }
|
2020-02-23 15:29:40 +00:00
|
|
|
static inline ProgressPhase progress_add_probabilistic(ProgressReceiver *prog,
|
|
|
|
|
double c, double p)
|
|
|
|
|
{ return prog->vt->add_probabilistic(prog, c, p); }
|
|
|
|
|
static inline void progress_ready(ProgressReceiver *prog)
|
|
|
|
|
{ prog->vt->ready(prog); }
|
|
|
|
|
static inline void progress_start_phase(
|
|
|
|
|
ProgressReceiver *prog, ProgressPhase phase)
|
|
|
|
|
{ prog->vt->start_phase(prog, phase); }
|
2020-02-29 17:11:01 +00:00
|
|
|
static inline void progress_report(ProgressReceiver *prog, double progress)
|
|
|
|
|
{ prog->vt->report(prog, progress); }
|
2020-02-23 15:29:40 +00:00
|
|
|
static inline void progress_report_attempt(ProgressReceiver *prog)
|
|
|
|
|
{ prog->vt->report_attempt(prog); }
|
|
|
|
|
static inline void progress_report_phase_complete(ProgressReceiver *prog)
|
|
|
|
|
{ prog->vt->report_phase_complete(prog); }
|
|
|
|
|
|
2020-02-29 17:11:01 +00:00
|
|
|
ProgressPhase null_progress_add_linear(
|
|
|
|
|
ProgressReceiver *prog, double c);
|
2020-02-23 15:29:40 +00:00
|
|
|
ProgressPhase null_progress_add_probabilistic(
|
|
|
|
|
ProgressReceiver *prog, double c, double p);
|
|
|
|
|
void null_progress_ready(ProgressReceiver *prog);
|
|
|
|
|
void null_progress_start_phase(ProgressReceiver *prog, ProgressPhase phase);
|
2020-02-29 17:11:01 +00:00
|
|
|
void null_progress_report(ProgressReceiver *prog, double progress);
|
2020-02-23 15:29:40 +00:00
|
|
|
void null_progress_report_attempt(ProgressReceiver *prog);
|
|
|
|
|
void null_progress_report_phase_complete(ProgressReceiver *prog);
|
|
|
|
|
extern const ProgressReceiverVtable null_progress_vt;
|
|
|
|
|
|
|
|
|
|
/* A helper function for dreaming up progress cost estimates. */
|
|
|
|
|
double estimate_modexp_cost(unsigned bits);
|
|
|
|
|
|
2020-02-24 19:09:08 +00:00
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* The top-level API for generating primes.
|
|
|
|
|
*/
|
|
|
|
|
|
2020-02-29 09:10:47 +00:00
|
|
|
typedef struct PrimeGenerationPolicy PrimeGenerationPolicy;
|
|
|
|
|
typedef struct PrimeGenerationContext PrimeGenerationContext;
|
2020-02-23 15:29:40 +00:00
|
|
|
|
2020-02-29 09:10:47 +00:00
|
|
|
struct PrimeGenerationContext {
|
|
|
|
|
const PrimeGenerationPolicy *vt;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct PrimeGenerationPolicy {
|
|
|
|
|
ProgressPhase (*add_progress_phase)(const PrimeGenerationPolicy *policy,
|
|
|
|
|
ProgressReceiver *prog, unsigned bits);
|
|
|
|
|
PrimeGenerationContext *(*new_context)(
|
|
|
|
|
const PrimeGenerationPolicy *policy);
|
|
|
|
|
void (*free_context)(PrimeGenerationContext *ctx);
|
|
|
|
|
mp_int *(*generate)(
|
|
|
|
|
PrimeGenerationContext *ctx,
|
|
|
|
|
PrimeCandidateSource *pcs, ProgressReceiver *prog);
|
Generate MPU certificates for proven primes.
Conveniently checkable certificates of primality aren't a new concept.
I didn't invent them, and I wasn't the first to implement them. Given
that, I thought it might be useful to be able to independently verify
a prime generated by PuTTY's provable prime system. Then, even if you
don't trust _this_ code, you might still trust someone else's
verifier, or at least be less willing to believe that both were
colluding.
The Perl module Math::Prime::Util is the only free software I've found
that defines a specific text-file format for certificates of
primality. The MPU format (as it calls it) supports various different
methods of certifying the primality of a number (most of which, like
Pockle's, depend on having previously proved some smaller number(s) to
be prime). The system implemented by Pockle is on its list: MPU calls
it by the name "BLS5".
So this commit introduces extra stored data inside Pockle so that it
remembers not just _that_ it believes certain numbers to be prime, but
also _why_ it believed each one to be prime. Then there's an extra
method in the Pockle API to translate its internal data structures
into the text of an MPU certificate for any number it knows about.
Math::Prime::Util doesn't come with a command-line verification tool,
unfortunately; only a Perl function which you feed a string argument.
So also in this commit I add test/mpu-check.pl, which is a trivial
command-line client of that function.
At the moment, this new piece of API is only exposed via testcrypt. I
could easily put some user interface into the key generation tools
that would save a few primality certificates alongside the private
key, but I have yet to think of any good reason to do it. Mostly this
facility is intended for debugging and cross-checking of the
_algorithm_, not of any particular prime.
2020-02-29 06:44:13 +00:00
|
|
|
strbuf *(*mpu_certificate)(PrimeGenerationContext *ctx, mp_int *p);
|
2020-02-29 09:10:47 +00:00
|
|
|
|
|
|
|
|
const void *extra; /* additional data a particular impl might need */
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static inline ProgressPhase primegen_add_progress_phase(
|
|
|
|
|
PrimeGenerationContext *ctx, ProgressReceiver *prog, unsigned bits)
|
|
|
|
|
{ return ctx->vt->add_progress_phase(ctx->vt, prog, bits); }
|
|
|
|
|
static inline PrimeGenerationContext *primegen_new_context(
|
|
|
|
|
const PrimeGenerationPolicy *policy)
|
|
|
|
|
{ return policy->new_context(policy); }
|
|
|
|
|
static inline void primegen_free_context(PrimeGenerationContext *ctx)
|
|
|
|
|
{ ctx->vt->free_context(ctx); }
|
|
|
|
|
static inline mp_int *primegen_generate(
|
|
|
|
|
PrimeGenerationContext *ctx,
|
|
|
|
|
PrimeCandidateSource *pcs, ProgressReceiver *prog)
|
|
|
|
|
{ return ctx->vt->generate(ctx, pcs, prog); }
|
Generate MPU certificates for proven primes.
Conveniently checkable certificates of primality aren't a new concept.
I didn't invent them, and I wasn't the first to implement them. Given
that, I thought it might be useful to be able to independently verify
a prime generated by PuTTY's provable prime system. Then, even if you
don't trust _this_ code, you might still trust someone else's
verifier, or at least be less willing to believe that both were
colluding.
The Perl module Math::Prime::Util is the only free software I've found
that defines a specific text-file format for certificates of
primality. The MPU format (as it calls it) supports various different
methods of certifying the primality of a number (most of which, like
Pockle's, depend on having previously proved some smaller number(s) to
be prime). The system implemented by Pockle is on its list: MPU calls
it by the name "BLS5".
So this commit introduces extra stored data inside Pockle so that it
remembers not just _that_ it believes certain numbers to be prime, but
also _why_ it believed each one to be prime. Then there's an extra
method in the Pockle API to translate its internal data structures
into the text of an MPU certificate for any number it knows about.
Math::Prime::Util doesn't come with a command-line verification tool,
unfortunately; only a Perl function which you feed a string argument.
So also in this commit I add test/mpu-check.pl, which is a trivial
command-line client of that function.
At the moment, this new piece of API is only exposed via testcrypt. I
could easily put some user interface into the key generation tools
that would save a few primality certificates alongside the private
key, but I have yet to think of any good reason to do it. Mostly this
facility is intended for debugging and cross-checking of the
_algorithm_, not of any particular prime.
2020-02-29 06:44:13 +00:00
|
|
|
static inline strbuf *primegen_mpu_certificate(
|
|
|
|
|
PrimeGenerationContext *ctx, mp_int *p)
|
|
|
|
|
{ return ctx->vt->mpu_certificate(ctx, p); }
|
2020-02-29 09:10:47 +00:00
|
|
|
|
|
|
|
|
extern const PrimeGenerationPolicy primegen_probabilistic;
|
New system for generating provable prime numbers.
This uses all the facilities I've been adding in previous commits. It
implements Maurer's algorithm for generating a prime together with a
Pocklington certificate of its primality, by means of recursing to
generate smaller primes to be factors of p-1 for the Pocklington
check, then doing a test Miller-Rabin iteration to quickly exclude
obvious composites, and then doing the full Pocklington check.
In my case, this means I add each prime I generate to a Pockle. So the
algorithm says: recursively generate some primes and add them to the
PrimeCandidateSource, then repeatedly get a candidate value back from
the pcs, check it with M-R, and feed it to the Pockle. If the Pockle
accepts it, then we're done (and the Pockle will then know that value
is prime when our recursive caller uses it in turn, if we have one).
A small refinement to that algorithm is that I iterate M-R until the
witness value I tried is such that it at least _might_ be a primitive
root - which is to say that M-R didn't get 1 by evaluating any power
of it smaller than n-1. That way, there's less chance of the Pockle
rejecting the witness value. And sooner or later M-R must _either_
tell me I've got a potential primitive-root witness _or_ tell me it's
shown the number to be composite.
2020-02-23 15:37:42 +00:00
|
|
|
extern const PrimeGenerationPolicy primegen_provable_fast;
|
|
|
|
|
extern const PrimeGenerationPolicy primegen_provable_maurer_simple;
|
|
|
|
|
extern const PrimeGenerationPolicy primegen_provable_maurer_complex;
|
2020-02-23 15:29:40 +00:00
|
|
|
|
|
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* The overall top-level API for generating entire key pairs.
|
|
|
|
|
*/
|
|
|
|
|
|
RSA generation: option to generate strong primes.
A 'strong' prime, as defined by the Handbook of Applied Cryptography,
is a prime p such that each of p-1 and p+1 has a large prime factor,
and that the large factor q of p-1 is such that q-1 in turn _also_ has
a large prime factor.
HoAC says that making your RSA key using primes of this form defeats
some factoring algorithms - but there are other faster algorithms to
which it makes no difference. So this is probably not a useful
precaution in practice. However, it has been recommended in the past
by some official standards, and it's easy to implement given the new
general facility in PrimeCandidateSource that lets you ask for your
prime to satisfy an arbitrary modular congruence. (And HoAC also says
there's no particular reason _not_ to use strong primes.) So I provide
it as an option, just in case anyone wants to select it.
The change to the key generation algorithm is entirely in sshrsag.c,
and is neatly independent of the prime-generation system in use. If
you're using Maurer provable prime generation, then the known factor q
of p-1 can be used to help certify p, and the one for q-1 to help with
q in turn; if you switch to probabilistic prime generation then you
still get an RSA key with the right structure, except that every time
the definition says 'prime factor' you just append '(probably)'.
(The probabilistic version of this procedure is described as 'Gordon's
algorithm' in HoAC section 4.4.2.)
2020-03-02 06:52:09 +00:00
|
|
|
int rsa_generate(RSAKey *key, int bits, bool strong,
|
|
|
|
|
PrimeGenerationContext *pgc, ProgressReceiver *prog);
|
2021-04-22 17:28:35 +00:00
|
|
|
int dsa_generate(struct dsa_key *key, int bits, PrimeGenerationContext *pgc,
|
2020-02-29 09:10:47 +00:00
|
|
|
ProgressReceiver *prog);
|
2020-02-23 15:29:40 +00:00
|
|
|
int ecdsa_generate(struct ecdsa_key *key, int bits);
|
|
|
|
|
int eddsa_generate(struct eddsa_key *key, int bits);
|