Merge pull request #230 from libtom/math/miller-rabin

Fix number of Miller-Rabin rounds
2017-06-22 12:44:33 +02:00 · 2017-06-22 12:44:33 +02:00 · 5e71ac27e2
commit 5e71ac27e2
parent 6f85293672 26b57032e7
6 changed files with 29 additions and 9 deletions
--- a/src/headers/tomcrypt_math.h
+++ b/src/headers/tomcrypt_math.h
@ -24,6 +24,12 @@
   typedef void rsa_key;
 #endif

+#ifndef LTC_MILLER_RABIN_REPS
+   /* Number of rounds of the Miller-Rabin test
+    * "Reasonable values of reps are between 15 and 50." c.f. gmp doc of mpz_probab_prime_p() */
+   #define LTC_MILLER_RABIN_REPS    35
+#endif
+
 /** math descriptor */
 typedef struct {
   /** Name of the math provider */
@ -345,7 +351,7 @@ typedef struct {

   /** Primality testing
       @param a     The integer to test
-       @param b     The number of tests that shall be executed
+       @param b     The number of Miller-Rabin tests that shall be executed
       @param c     The destination of the result (FP_YES if prime)
       @return CRYPT_OK on success
   */
@ -472,13 +478,13 @@ typedef struct {
   int (*submod)(void *a, void *b, void *c, void *d);

 /* ---- misc stuff ---- */
+
   /** Make a pseudo-random mpi
      @param  a     The mpi to make random
      @param  size  The desired length
      @return CRYPT_OK on success
   */
   int (*rand)(void *a, int size);
-
 } ltc_math_descriptor;

 extern ltc_math_descriptor ltc_mp;
--- a/src/math/gmp_desc.c
+++ b/src/math/gmp_desc.c
@ -446,7 +446,7 @@ static int isprime(void *a, int b, int *c)
   LTC_ARGCHK(a != NULL);
   LTC_ARGCHK(c != NULL);
   if (b == 0) {
-       b = 8;
+       b = LTC_MILLER_RABIN_REPS;
   } /* if */
   *c = mpz_probab_prime_p(a, b) > 0 ? LTC_MP_YES : LTC_MP_NO;
   return CRYPT_OK;
--- a/src/math/ltm_desc.c
+++ b/src/math/ltm_desc.c
@ -404,7 +404,7 @@ static int isprime(void *a, int b, int *c)
   LTC_ARGCHK(a != NULL);
   LTC_ARGCHK(c != NULL);
   if (b == 0) {
-       b = 8;
+       b = LTC_MILLER_RABIN_REPS;
   } /* if */
   err = mpi_to_ltc_error(mp_prime_is_prime(a, b, c));
   *c = (*c == MP_YES) ? LTC_MP_YES : LTC_MP_NO;
--- a/src/math/rand_prime.c
+++ b/src/math/rand_prime.c
@ -66,7 +66,7 @@ int rand_prime(void *N, long len, prng_state *prng, int wprng)
      }

      /* test */
-      if ((err = mp_prime_is_prime(N, 8, &res)) != CRYPT_OK) {
+      if ((err = mp_prime_is_prime(N, LTC_MILLER_RABIN_REPS, &res)) != CRYPT_OK) {
         XFREE(buf);
         return err;
      }
--- a/src/math/tfm_desc.c
+++ b/src/math/tfm_desc.c
@ -415,8 +415,10 @@ static int isprime(void *a, int b, int *c)
 {
   LTC_ARGCHK(a != NULL);
   LTC_ARGCHK(c != NULL);
-   (void)b;
-   *c = (fp_isprime(a) == FP_YES) ? LTC_MP_YES : LTC_MP_NO;
+   if (b == 0) {
+       b = LTC_MILLER_RABIN_REPS;
+   } /* if */
+   *c = (fp_isprime_ex(a, b) == FP_YES) ? LTC_MP_YES : LTC_MP_NO;
   return CRYPT_OK;
 }

--- a/src/pk/dsa/dsa_make_key.c
+++ b/src/pk/dsa/dsa_make_key.c
@ -75,11 +75,23 @@ static int dsa_make_params(prng_state *prng, int wprng, int group_size, int modu
  L = modulus_size * 8;
  N = group_size * 8;

+  /* XXX-TODO no Lucas test */
+#ifdef LTC_MPI_HAS_LUCAS_TEST
  /* M-R tests (when followed by one Lucas test) according FIPS-186-4 - Appendix C.3 - table C.1 */
  mr_tests_p = (L <= 2048) ? 3 : 2;
  if      (N <= 160)  { mr_tests_q = 19; }
  else if (N <= 224)  { mr_tests_q = 24; }
  else                { mr_tests_q = 27; }
+#else
+  /* M-R tests (without Lucas test) according FIPS-186-4 - Appendix C.3 - table C.1 */
+  if      (L <= 1024) { mr_tests_p = 40; }
+  else if (L <= 2048) { mr_tests_p = 56; }
+  else                { mr_tests_p = 64; }
+
+  if      (N <= 160)  { mr_tests_q = 40; }
+  else if (N <= 224)  { mr_tests_q = 56; }
+  else                { mr_tests_q = 64; }
+#endif

  if (N <= 256) {
    hash = register_hash(&sha256_desc);
@ -122,7 +134,7 @@ static int dsa_make_params(prng_state *prng, int wprng, int group_size, int modu
      if ((err = mp_mod(U, t2N1, U)) != CRYPT_OK)                                { goto cleanup; }
      if ((err = mp_add(t2N1, U, q)) != CRYPT_OK)                                { goto cleanup; }
      if (!mp_isodd(q)) mp_add_d(q, 1, q);
-      if ((err = mp_prime_is_prime(q, mr_tests_q, &res)) != CRYPT_OK)            { goto cleanup; }       /* XXX-TODO rounds are ignored; no Lucas test */
+      if ((err = mp_prime_is_prime(q, mr_tests_q, &res)) != CRYPT_OK)            { goto cleanup; }
      if (res == LTC_MP_YES) found_q = 1;
    }

@ -149,7 +161,7 @@ static int dsa_make_params(prng_state *prng, int wprng, int group_size, int modu
      if ((err = mp_sub(X, p, p))    != CRYPT_OK)                                { goto cleanup; }
      if (mp_cmp(p, t2L1) != LTC_MP_LT) {
        /* p >= 2^(L-1) */
-        if ((err = mp_prime_is_prime(p, mr_tests_p, &res)) != CRYPT_OK)          { goto cleanup; }       /* XXX-TODO rounds are ignored; no Lucas test */
+        if ((err = mp_prime_is_prime(p, mr_tests_p, &res)) != CRYPT_OK)          { goto cleanup; }
        if (res == LTC_MP_YES) {
          found_p = 1;
        }