Merge pull request #230 from libtom/math/miller-rabin

sjaeckel · web-flow · commit 5e71ac27e239 · 2017-06-22T12:44:33.000+02:00
Fix number of Miller-Rabin rounds
diff --git a/src/headers/tomcrypt_math.h b/src/headers/tomcrypt_math.h
@@ -24,6 +24,12 @@
    typedef void rsa_key;
 #endif
 
+#ifndef LTC_MILLER_RABIN_REPS
+   /* Number of rounds of the Miller-Rabin test
+    * "Reasonable values of reps are between 15 and 50." c.f. gmp doc of mpz_probab_prime_p() */
+   #define LTC_MILLER_RABIN_REPS    35
+#endif
+
 /** math descriptor */
 typedef struct {
    /** Name of the math provider */
@@ -345,7 +351,7 @@ typedef struct {
 
    /** Primality testing
        @param a     The integer to test
-       @param b     The number of tests that shall be executed
+       @param b     The number of Miller-Rabin tests that shall be executed
        @param c     The destination of the result (FP_YES if prime)
        @return CRYPT_OK on success
    */
@@ -472,13 +478,13 @@ typedef struct {
    int (*submod)(void *a, void *b, void *c, void *d);
 
 /* ---- misc stuff ---- */
+
    /** Make a pseudo-random mpi
       @param  a     The mpi to make random
       @param  size  The desired length
       @return CRYPT_OK on success
    */
    int (*rand)(void *a, int size);
-
 } ltc_math_descriptor;
 
 extern ltc_math_descriptor ltc_mp;
diff --git a/src/math/gmp_desc.c b/src/math/gmp_desc.c
@@ -446,7 +446,7 @@ static int isprime(void *a, int b, int *c)
    LTC_ARGCHK(a != NULL);
    LTC_ARGCHK(c != NULL);
    if (b == 0) {
-       b = 8;
+       b = LTC_MILLER_RABIN_REPS;
    } /* if */
    *c = mpz_probab_prime_p(a, b) > 0 ? LTC_MP_YES : LTC_MP_NO;
    return CRYPT_OK;
diff --git a/src/math/ltm_desc.c b/src/math/ltm_desc.c
@@ -404,7 +404,7 @@ static int isprime(void *a, int b, int *c)
    LTC_ARGCHK(a != NULL);
    LTC_ARGCHK(c != NULL);
    if (b == 0) {
-       b = 8;
+       b = LTC_MILLER_RABIN_REPS;
    } /* if */
    err = mpi_to_ltc_error(mp_prime_is_prime(a, b, c));
    *c = (*c == MP_YES) ? LTC_MP_YES : LTC_MP_NO;
diff --git a/src/math/rand_prime.c b/src/math/rand_prime.c
@@ -66,7 +66,7 @@ int rand_prime(void *N, long len, prng_state *prng, int wprng)
       }
 
       /* test */
-      if ((err = mp_prime_is_prime(N, 8, &res)) != CRYPT_OK) {
+      if ((err = mp_prime_is_prime(N, LTC_MILLER_RABIN_REPS, &res)) != CRYPT_OK) {
          XFREE(buf);
          return err;
       }
diff --git a/src/math/tfm_desc.c b/src/math/tfm_desc.c
@@ -415,8 +415,10 @@ static int isprime(void *a, int b, int *c)
 {
    LTC_ARGCHK(a != NULL);
    LTC_ARGCHK(c != NULL);
-   (void)b;
-   *c = (fp_isprime(a) == FP_YES) ? LTC_MP_YES : LTC_MP_NO;
+   if (b == 0) {
+       b = LTC_MILLER_RABIN_REPS;
+   } /* if */
+   *c = (fp_isprime_ex(a, b) == FP_YES) ? LTC_MP_YES : LTC_MP_NO;
    return CRYPT_OK;
 }
 
diff --git a/src/pk/dsa/dsa_make_key.c b/src/pk/dsa/dsa_make_key.c
@@ -75,11 +75,23 @@ static int dsa_make_params(prng_state *prng, int wprng, int group_size, int modu
   L = modulus_size * 8;
   N = group_size * 8;
 
+  /* XXX-TODO no Lucas test */
+#ifdef LTC_MPI_HAS_LUCAS_TEST
   /* M-R tests (when followed by one Lucas test) according FIPS-186-4 - Appendix C.3 - table C.1 */
   mr_tests_p = (L <= 2048) ? 3 : 2;
   if      (N <= 160)  { mr_tests_q = 19; }
   else if (N <= 224)  { mr_tests_q = 24; }
   else                { mr_tests_q = 27; }
+#else
+  /* M-R tests (without Lucas test) according FIPS-186-4 - Appendix C.3 - table C.1 */
+  if      (L <= 1024) { mr_tests_p = 40; }
+  else if (L <= 2048) { mr_tests_p = 56; }
+  else                { mr_tests_p = 64; }
+
+  if      (N <= 160)  { mr_tests_q = 40; }
+  else if (N <= 224)  { mr_tests_q = 56; }
+  else                { mr_tests_q = 64; }
+#endif
 
   if (N <= 256) {
     hash = register_hash(&sha256_desc);
@@ -122,7 +134,7 @@ static int dsa_make_params(prng_state *prng, int wprng, int group_size, int modu
       if ((err = mp_mod(U, t2N1, U)) != CRYPT_OK)                                { goto cleanup; }
       if ((err = mp_add(t2N1, U, q)) != CRYPT_OK)                                { goto cleanup; }
       if (!mp_isodd(q)) mp_add_d(q, 1, q);
-      if ((err = mp_prime_is_prime(q, mr_tests_q, &res)) != CRYPT_OK)            { goto cleanup; }       /* XXX-TODO rounds are ignored; no Lucas test */
+      if ((err = mp_prime_is_prime(q, mr_tests_q, &res)) != CRYPT_OK)            { goto cleanup; }
       if (res == LTC_MP_YES) found_q = 1;
     }
 
@@ -149,7 +161,7 @@ static int dsa_make_params(prng_state *prng, int wprng, int group_size, int modu
       if ((err = mp_sub(X, p, p))    != CRYPT_OK)                                { goto cleanup; }
       if (mp_cmp(p, t2L1) != LTC_MP_LT) {
         /* p >= 2^(L-1) */
-        if ((err = mp_prime_is_prime(p, mr_tests_p, &res)) != CRYPT_OK)          { goto cleanup; }       /* XXX-TODO rounds are ignored; no Lucas test */
+        if ((err = mp_prime_is_prime(p, mr_tests_p, &res)) != CRYPT_OK)          { goto cleanup; }
         if (res == LTC_MP_YES) {
           found_p = 1;
         }

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ int rand_prime(void N, long len, prng_state prng, int wprng)`
`66`	`66`	`}`
`67`	`67`
`68`	`68`	`/* test */`
`69`		`- if ((err = mp_prime_is_prime(N, 8, &res)) != CRYPT_OK) {`
	`69`	`+ if ((err = mp_prime_is_prime(N, LTC_MILLER_RABIN_REPS, &res)) != CRYPT_OK) {`
`70`	`70`	`XFREE(buf);`
`71`	`71`	`return err;`
`72`	`72`	`}`
Original file line number	Diff line number	Diff line change
`@@ -415,8 +415,10 @@ static int isprime(void a, int b, int c)`
`415`	`415`	`{`
`416`	`416`	`LTC_ARGCHK(a != NULL);`
`417`	`417`	`LTC_ARGCHK(c != NULL);`
`418`		`- (void)b;`
`419`		`- *c = (fp_isprime(a) == FP_YES) ? LTC_MP_YES : LTC_MP_NO;`
	`418`	`+ if (b == 0) {`
	`419`	`+ b = LTC_MILLER_RABIN_REPS;`
	`420`	`+ } /* if */`
	`421`	`+ *c = (fp_isprime_ex(a, b) == FP_YES) ? LTC_MP_YES : LTC_MP_NO;`
`420`	`422`	`return CRYPT_OK;`
`421`	`423`	`}`
`422`	`424`