--- /dev/null
+/* -*-c-*-
+ *
+ * Blum-Blum-Shub secure random number generator
+ *
+ * (c) 1999 Straylight/Edgeware
+ */
+
+/*----- Licensing notice --------------------------------------------------*
+ *
+ * This file is part of Catacomb.
+ *
+ * Catacomb is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Library General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * Catacomb is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public
+ * License along with Catacomb; if not, write to the Free
+ * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+/*----- Header files ------------------------------------------------------*/
+
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <mLib/bits.h>
+#include <mLib/sub.h>
+
+#include "arena.h"
+#include "bbs.h"
+#include "grand.h"
+#include "mp.h"
+#include "mpbarrett.h"
+#include "mpint.h"
+#include "mprand.h"
+#include "paranoia.h"
+
+/*----- Main code ---------------------------------------------------------*/
+
+/* --- @bbs_create@ --- *
+ *
+ * Arguments: @bbs *b@ = pointer to BBS generator state to initialize
+ * @mp *m@ = modulus (must be a Blum integer)
+ * @mp *x@ = initial seed for generator
+ *
+ * Returns: ---
+ *
+ * Use: Initializes a BBS generator. The generator is stepped once
+ * after initialization, as for @bbs_seed@.
+ */
+
+void bbs_create(bbs *b, mp *m, mp *x)
+{
+ mpw kw;
+ mp k;
+
+ mpbarrett_create(&b->mb, m);
+ kw = mp_bits(m) - 1;
+ mp_build(&k, &kw, &kw + 1);
+ b->k = mp_bits(&k) - 1;
+ b->x = 0;
+ bbs_seed(b, x);
+}
+
+/* --- @bbs_destroy@ --- *
+ *
+ * Arguments: @bbs *b@ = pointer to BBS generator state
+ *
+ * Returns: ---
+ *
+ * Use: Destroys a generator state when it's no longer wanted.
+ */
+
+void bbs_destroy(bbs *b)
+{
+ mp_drop(b->x);
+ mpbarrett_destroy(&b->mb);
+}
+
+/* --- @bbs_step@ --- *
+ *
+ * Arguments: @bbs *b@ = pointer to BBS generator state
+ *
+ * Returns: ---
+ *
+ * Use: Steps the generator once. This isn't too useful in client
+ * code.
+ */
+
+void bbs_step(bbs *b)
+{
+ mp *x = b->x;
+ x = mp_sqr(x, x);
+ x = mpbarrett_reduce(&b->mb, x, x);
+ b->x = x;
+ b->b = b->k;
+ b->r = b->x->v[0];
+}
+
+/* --- @bbs_set@ --- *
+ *
+ * Arguments: @bbs *b@ = pointer to BBS generator state
+ * @mp *x@ = new residue to set
+ *
+ * Returns: ---
+ *
+ * Use: Sets a new quadratic residue. The generator is stepped once.
+ */
+
+void bbs_set(bbs *b, mp *x)
+{
+ mp_drop(b->x);
+ b->x = MP_COPY(x);
+ bbs_step(b);
+}
+
+/* --- @bbs_seed@ --- *
+ *
+ * Arguments: @bbs *b@ = pointer to BBS generator state
+ * @mp *x@ = new seed to set
+ *
+ * Returns ---
+ *
+ * Use: Sets a new seed. The generator is stepped until the residue
+ * has clearly wrapped around.
+ */
+
+void bbs_seed(bbs *b, mp *x)
+{
+ mp *y;
+ x = MP_COPY(x);
+ for (;;) {
+ y = mp_sqr(MP_NEW, x);
+ y = mpbarrett_reduce(&b->mb, y, y);
+ if (MP_CMP(y, <, x))
+ break;
+ mp_drop(x);
+ x = y;
+ }
+ mp_drop(x);
+ bbs_set(b, y);
+ mp_drop(y);
+}
+
+/* --- @bbs_bits@ --- *
+ *
+ * Arguments: @bbs *b@ = pointer to BBS generator state
+ * @unsigned bits@ = number of bits wanted
+ *
+ * Returns: Bits extracted from the BBS generator.
+ *
+ * Use: Extracts a requested number of bits from the BBS generator.
+ */
+
+uint32 bbs_bits(bbs *b, unsigned bits)
+{
+ uint32 x = 0;
+ mpw m;
+
+ /* --- Keep turning the handle until there's enough in the reservoir --- */
+
+ while (bits >= b->b) {
+ bits -= b->b;
+ m = (1 << b->b) - 1;
+ x |= (b->r & m) << bits;
+ bbs_step(b);
+ }
+
+ /* --- Extract the last few bits needed --- */
+
+ if (bits) {
+ m = (1 << bits) - 1;
+ b->b -= bits;
+ x |= (b->r >> b->b) & m;
+ }
+
+ /* --- Done --- */
+
+ return (x);
+}
+
+/* --- @bbs_wrap@ --- *
+ *
+ * Arguments: @bbs *b@ = pointer to BBS generator state
+ *
+ * Returns: ---
+ *
+ * Use: Steps the generator if any of the reservoir bits are used.
+ * This can be used to `wrap up' after a Blum-Goldwasser
+ * encryption, for example, producing the final value to be sent
+ * along with the ciphertext.
+ *
+ * If a generator is seeded, %$b$% bits are extracted, and then
+ * @bbs_wrap@ is called, the generator will have been stepped
+ * %$\lceil b/k \rceil$% times.
+ */
+
+void bbs_wrap(bbs *b)
+{
+ if (b->b < b->k)
+ bbs_step(b);
+}
+
+/*----- Generic random number generator interface -------------------------*/
+
+typedef struct gctx {
+ grand r;
+ bbs b;
+} gctx;
+
+static void gdestroy(grand *r)
+{
+ gctx *g = (gctx *)r;
+ bbs_destroy(&g->b);
+ BURN(*g);
+ S_DESTROY(g);
+}
+
+static int gmisc(grand *r, unsigned op, ...)
+{
+ gctx *g = (gctx *)r;
+ va_list ap;
+ int rc = 0;
+ va_start(ap, op);
+
+ switch (op) {
+ case GRAND_CHECK:
+ switch (va_arg(ap, unsigned)) {
+ case GRAND_CHECK:
+ case GRAND_SEEDINT:
+ case GRAND_SEEDUINT32:
+ case GRAND_SEEDMP:
+ case GRAND_SEEDRAND:
+ case BBS_SET:
+ case BBS_STEP:
+ case BBS_STEPSZ:
+ case BBS_BITS:
+ case BBS_WRAP:
+ case BBS_FF:
+ case BBS_FFN:
+ case BBS_REW:
+ case BBS_REWN:
+ case BBS_MOD:
+ case BBS_STATE:
+ rc = 1;
+ break;
+ default:
+ rc = 0;
+ break;
+ }
+ break;
+ case GRAND_SEEDINT: {
+ mp *x = mp_fromuint(MP_NEW, va_arg(ap, unsigned));
+ bbs_seed(&g->b, x);
+ mp_drop(x);
+ } break;
+ case GRAND_SEEDUINT32: {
+ mp *x = mp_fromuint32(MP_NEW, va_arg(ap, uint32));
+ bbs_seed(&g->b, x);
+ mp_drop(x);
+ } break;
+ case GRAND_SEEDMP:
+ bbs_seed(&g->b, va_arg(ap, mp *));
+ break;
+ case GRAND_SEEDRAND: {
+ grand *rr = va_arg(ap, grand *);
+ mp *m = mprand(MP_NEW, mp_bits(g->b.mb.m) - 1, rr, 0);
+ bbs_seed(&g->b, m);
+ mp_drop(m);
+ } break;
+ case BBS_SET:
+ bbs_set(&g->b, va_arg(ap, mp *));
+ break;
+ case BBS_STEP:
+ bbs_step(&g->b);
+ break;
+ case BBS_STEPSZ:
+ rc = g->b.k;
+ break;
+ case BBS_BITS: {
+ unsigned nb = va_arg(ap, unsigned);
+ uint32 *w = va_arg(ap, uint32 *);
+ *w = bbs_bits(&g->b, nb);
+ } break;
+ case BBS_WRAP:
+ bbs_wrap(&g->b);
+ break;
+ case BBS_FF: {
+ const bbs_priv *bp = va_arg(ap, const bbs_priv *);
+ mp *n = va_arg(ap, mp *);
+ bbs_ff(&g->b, bp, n);
+ } break;
+ case BBS_FFN: {
+ const bbs_priv *bp = va_arg(ap, const bbs_priv *);
+ unsigned long n = va_arg(ap, unsigned long);
+ bbs_ffn(&g->b, bp, n);
+ } break;
+ case BBS_REW: {
+ const bbs_priv *bp = va_arg(ap, const bbs_priv *);
+ mp *n = va_arg(ap, mp *);
+ bbs_rew(&g->b, bp, n);
+ } break;
+ case BBS_REWN: {
+ const bbs_priv *bp = va_arg(ap, const bbs_priv *);
+ unsigned long n = va_arg(ap, unsigned long);
+ bbs_rewn(&g->b, bp, n);
+ } break;
+ case BBS_MOD: {
+ mp **n = va_arg(ap, mp **);
+ if (*n) MP_DROP(*n);
+ *n = MP_COPY(g->b.mb.m);
+ } break;
+ case BBS_STATE: {
+ mp **n = va_arg(ap, mp **);
+ if (*n) MP_DROP(*n);
+ *n = MP_COPY(g->b.x);
+ } break;
+ default:
+ GRAND_BADOP;
+ break;
+ }
+
+ va_end(ap);
+ return (rc);
+}
+
+static octet gbyte(grand *r)
+{
+ gctx *g = (gctx *)r;
+ return (bbs_bits(&g->b, 8));
+}
+
+static uint32 gword(grand *r)
+{
+ gctx *g = (gctx *)r;
+ return (bbs_bits(&g->b, 32));
+}
+
+static const grand_ops gops = {
+ "bbs",
+ GRAND_CRYPTO, 0,
+ gmisc, gdestroy,
+ gword, gbyte, gword, grand_range, grand_fill
+};
+
+/* --- @bbs_rand@ --- *
+ *
+ * Arguments: @mp *m@ = modulus
+ * @mp *x@ = initial seed
+ *
+ * Returns: Pointer to a generic generator.
+ *
+ * Use: Constructs a generic generator interface over a
+ * Blum-Blum-Shub generator.
+ */
+
+grand *bbs_rand(mp *m, mp *x)
+{
+ gctx *g = S_CREATE(gctx);
+ g->r.ops = &gops;
+ bbs_create(&g->b, m, x);
+ return (&g->r);
+}
+
+/*----- Test rig ----------------------------------------------------------*/
+
+#ifdef TEST_RIG
+
+static int verify(dstr *v)
+{
+ mp *n = *(mp **)v[0].buf;
+ mp *x = *(mp **)v[1].buf;
+ grand *b = bbs_rand(n, x);
+ dstr d = DSTR_INIT;
+ int ok = 1;
+
+ dstr_ensure(&d, v[2].len);
+ b->ops->fill(b, d.buf, v[2].len);
+ d.len = v[2].len;
+ if (memcmp(d.buf, v[2].buf, v[2].len) != 0) {
+ fputs("\n*** bbs failure\n", stderr);
+ fputs("n = ", stderr); mp_writefile(n, stderr, 10); fputc('\n', stderr);
+ fputs("x = ", stderr); mp_writefile(x, stderr, 10); fputc('\n', stderr);
+ fputs("expected = ", stderr); type_hex.dump(&v[2], stderr);
+ fputc('\n', stderr);
+ fputs(" found = ", stderr); type_hex.dump(&d, stderr);
+ fputc('\n', stderr);
+ fprintf(stderr, "k = %u\n", ((gctx *)b)->b.k);
+ ok = 0;
+ }
+ b->ops->destroy(b);
+ mp_drop(x);
+ mp_drop(n);
+ dstr_destroy(&d);
+ assert(mparena_count(MPARENA_GLOBAL) == 0);
+ return (ok);
+}
+
+static test_chunk tests[] = {
+ { "bbs", verify, { &type_mp, &type_mp, &type_hex, 0 } },
+ { 0, 0, { 0 } }
+};
+
+int main(int argc, char *argv[])
+{
+ sub_init();
+ test_run(argc, argv, tests, SRCDIR "/t/bbs");
+ return (0);
+}
+
+#endif
+
+/*----- That's all, folks -------------------------------------------------*/
projects / u / mdw / catacomb / blobdiff