3
* Generation of RSA keypairs
6
/* nettle, low-level cryptographics library
8
* Copyright (C) 2002 Niels M�ller
10
* The nettle library is free software; you can redistribute it and/or modify
11
* it under the terms of the GNU Lesser General Public License as published by
12
* the Free Software Foundation; either version 2.1 of the License, or (at your
13
* option) any later version.
15
* The nettle library is distributed in the hope that it will be useful, but
16
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
18
* License for more details.
20
* You should have received a copy of the GNU Lesser General Public License
21
* along with the nettle library; see the file COPYING.LIB. If not, write to
22
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
38
#include "nettle-internal.h"
49
#define NUMBER_OF_PRIMES 167
51
static const unsigned long primes[NUMBER_OF_PRIMES] = {
52
3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
53
71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
54
149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211,
55
223, 227, 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281,
56
283, 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367,
57
373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433, 439, 443,
58
449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509, 521, 523,
59
541, 547, 557, 563, 569, 571, 577, 587, 593, 599, 601, 607, 613,
60
617, 619, 631, 641, 643, 647, 653, 659, 661, 673, 677, 683, 691,
61
701, 709, 719, 727, 733, 739, 743, 751, 757, 761, 769, 773, 787,
62
797, 809, 811, 821, 823, 827, 829, 839, 853, 857, 859, 863, 877,
63
881, 883, 887, 907, 911, 919, 929, 937, 941, 947, 953, 967, 971,
67
/* NOTE: The mpz_nextprime in current GMP is unoptimized. */
69
bignum_next_prime(mpz_t p, mpz_t n, int count,
70
void *progress_ctx, nettle_progress_func progress)
73
TMP_DECL(moduli, unsigned long, NUMBER_OF_PRIMES);
75
unsigned long difference;
76
unsigned prime_limit = NUMBER_OF_PRIMES;
78
/* First handle tiny numbers */
79
if (mpz_cmp_ui(n, 2) <= 0)
87
if (mpz_cmp_ui(p, 8) < 0)
92
if (mpz_cmp_ui(p, primes[prime_limit-1]) <= 0)
93
/* Use only 3, 5 and 7 */
96
/* Compute residues modulo small odd primes */
97
TMP_ALLOC(moduli, prime_limit);
100
for (i = 0; i < prime_limit; i++)
101
moduli[i] = mpz_fdiv_ui(p, primes[i]);
104
for (difference = 0; ; difference += 2)
109
if (difference >= ULONG_MAX - 10)
110
{ /* Should not happen, at least not very often... */
111
mpz_add_ui(p, p, difference);
115
/* First check residues */
116
for (i = 0; i < prime_limit; i++)
120
moduli[i] = (moduli[i] + 2) % primes[i];
125
mpz_add_ui(p, p, difference);
129
progress(progress_ctx, '.');
131
/* Fermat test, with respect to 2 */
133
mpz_powm(tmp, tmp, p, p);
134
if (mpz_cmp_ui(tmp, 2) != 0)
138
progress(progress_ctx, '+');
140
/* Miller-Rabin test */
141
if (mpz_probab_prime_p(p, count))
147
/* Returns a random prime of size BITS */
149
bignum_random_prime(mpz_t x, unsigned bits,
150
void *random_ctx, nettle_random_func random,
151
void *progress_ctx, nettle_progress_func progress)
157
nettle_mpz_random_size(x, random_ctx, random, bits);
158
mpz_setbit(x, bits - 1);
160
/* Miller-rabin count of 25 is probably much overkill. */
161
bignum_next_prime(x, x, 25, progress_ctx, progress);
163
if (mpz_sizeinbase(x, 2) == bits)
169
rsa_generate_keypair(struct rsa_public_key *pub,
170
struct rsa_private_key *key,
171
void *random_ctx, nettle_random_func random,
172
void *progress_ctx, nettle_progress_func progress,
183
/* We should choose e randomly. Is the size reasonable? */
184
if ((e_size < 16) || (e_size > n_size) )
189
/* We have a fixed e. Check that it makes sense */
192
if (!mpz_tstbit(pub->e, 0))
195
/* And 3 or larger */
196
if (mpz_cmp_ui(pub->e, 3) < 0)
200
if (n_size < RSA_MINIMUM_N_BITS)
203
mpz_init(p1); mpz_init(q1); mpz_init(phi); mpz_init(tmp);
205
/* Generate primes */
208
/* Generate p, such that gcd(p-1, e) = 1 */
211
bignum_random_prime(key->p, (n_size+1)/2,
213
progress_ctx, progress);
214
mpz_sub_ui(p1, key->p, 1);
216
/* If e was given, we must chose p such that p-1 has no factors in
221
mpz_gcd(tmp, pub->e, p1);
223
if (mpz_cmp_ui(tmp, 1) == 0)
225
else if (progress) progress(progress_ctx, 'c');
229
progress(progress_ctx, '\n');
231
/* Generate q, such that gcd(q-1, e) = 1 */
234
bignum_random_prime(key->q, n_size/2,
236
progress_ctx, progress);
237
mpz_sub_ui(q1, key->q, 1);
239
/* If e was given, we must chose q such that q-1 has no factors in
244
mpz_gcd(tmp, pub->e, q1);
246
if (mpz_cmp_ui(tmp, 1) == 0)
248
else if (progress) progress(progress_ctx, 'c');
251
/* Now we have the primes. Is the product of the right size? */
252
mpz_mul(pub->n, key->p, key->q);
254
if (mpz_sizeinbase(pub->n, 2) != n_size)
255
/* We might get an n of size n_size-1. Then just try again. */
259
"\nWanted size: %d, p-size: %d, q-size: %d, n-size: %d\n",
261
mpz_sizeinbase(key->p,2),
262
mpz_sizeinbase(key->q,2),
263
mpz_sizeinbase(pub->n,2));
267
progress(progress_ctx, 'b');
268
progress(progress_ctx, '\n');
274
progress(progress_ctx, '\n');
276
/* c = q^{-1} (mod p) */
277
if (mpz_invert(key->c, key->q, key->p))
278
/* This should succeed everytime. But if it doesn't,
281
else if (progress) progress(progress_ctx, '?');
284
mpz_mul(phi, p1, q1);
286
/* If we didn't have a given e, generate one now. */
292
nettle_mpz_random_size(pub->e,
296
/* Make sure it's odd and that the most significant bit is
298
mpz_setbit(pub->e, 0);
299
mpz_setbit(pub->e, e_size - 1);
301
/* Needs gmp-3, or inverse might be negative. */
302
if (mpz_invert(key->d, pub->e, phi))
305
if (progress) progress(progress_ctx, 'e');
308
if (retried && progress)
309
progress(progress_ctx, '\n');
313
/* Must always succeed, as we already that e
314
* doesn't have any common factor with p-1 or q-1. */
315
int res = mpz_invert(key->d, pub->e, phi);
319
/* Done! Almost, we must compute the auxillary private values. */
321
mpz_fdiv_r(key->a, key->d, p1);
324
mpz_fdiv_r(key->b, key->d, q1);
326
/* c was computed earlier */
328
pub->size = key->size = (mpz_sizeinbase(pub->n, 2) + 7) / 8;
329
assert(pub->size >= RSA_MINIMUM_N_OCTETS);
331
mpz_clear(p1); mpz_clear(q1); mpz_clear(phi); mpz_clear(tmp);
336
#endif /* WITH_PUBLIC_KEY */