--- /dev/null
+/* -*-c-*-
+ *
+ * $Id: rsa-decrypt.c,v 1.1 1999/12/22 15:50:45 mdw Exp $
+ *
+ * RSA decryption
+ *
+ * (c) 1999 Straylight/Edgeware
+ */
+
+/*----- Licensing notice --------------------------------------------------*
+ *
+ * This file is part of Catacomb.
+ *
+ * Catacomb is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Library General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * Catacomb is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public
+ * License along with Catacomb; if not, write to the Free
+ * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+/*----- Revision history --------------------------------------------------*
+ *
+ * $Log: rsa-decrypt.c,v $
+ * Revision 1.1 1999/12/22 15:50:45 mdw
+ * Initial RSA support.
+ *
+ */
+
+/*----- Header files ------------------------------------------------------*/
+
+#include "mp.h"
+#include "mpmont.h"
+#include "mprand.h"
+#include "rsa.h"
+
+/*----- Main code ---------------------------------------------------------*/
+
+/* --- @rsa_decrypt@ --- *
+ *
+ * Arguments: @rsa_param *rp@ = pointer to RSA parameters
+ * @mp *d@ = destination
+ * @mp *c@ = ciphertext message
+ * @grand *r@ = pointer to random number source for blinding
+ *
+ * Returns: Correctly decrypted message.
+ *
+ * Use: Performs RSA decryption, very carefully.
+ */
+
+mp *rsa_decrypt(rsa_param *rp, mp *d, mp *c, grand *r)
+{
+ mp *ki = MP_NEW;
+
+ /* --- If so desired, set up a blinding constant --- *
+ *
+ * Choose a constant %$k$% relatively prime to the modulus %$m$%. Compute
+ * %$c' = c k^e \bmod n$%, and %$k^{-1} \bmod n$%.
+ */
+
+ c = MP_COPY(c);
+ if (r) {
+ mp *k = MP_NEW, *g = MP_NEW;
+ mpmont mm;
+
+ do {
+ k = mprand_range(k, rp->n, r, 0);
+ mp_gcd(&g, 0, &ki, rp->n, k);
+ } while (MP_CMP(g, !=, MP_ONE));
+ mpmont_create(&mm, rp->n);
+ k = mpmont_expr(&mm, k, k, rp->e);
+ c = mpmont_mul(&mm, c, c, k);
+ mp_drop(k);
+ mp_drop(g);
+ }
+
+ /* --- Do the actual modular exponentiation --- *
+ *
+ * Use a slightly hacked version of the Chinese Remainder Theorem stuff.
+ *
+ * Let %$q' = q^{-1} \bmod p$%. Then note that
+ * %$c^d \equiv q (q'(c_p^{d_p} - c_q^{d_q}) \bmod p) + c_q^{d_q} \pmod n$%
+ */
+
+ {
+ mpmont mm;
+ mp *cp = MP_NEW, *cq = MP_NEW;
+
+ /* --- Work out the two halves of the result --- */
+
+ mp_div(0, &cp, c, rp->p);
+ mpmont_create(&mm, rp->p);
+ cp = mpmont_exp(&mm, cp, cp, rp->dp);
+ mpmont_destroy(&mm);
+
+ mp_div(0, &cq, c, rp->q);
+ mpmont_create(&mm, rp->q);
+ cq = mpmont_exp(&mm, cq, cq, rp->dq);
+ mpmont_destroy(&mm);
+
+ /* --- Combine the halves using the result above --- */
+
+ d = mp_sub(d, cp, cq);
+ if (cp->f & MP_NEG)
+ d = mp_add(d, d, rp->p);
+ d = mp_mul(d, d, rp->q_inv);
+ mp_div(0, &d, d, rp->p);
+
+ d = mp_mul(d, d, rp->q);
+ d = mp_add(d, d, cq);
+ if (MP_CMP(d, >=, rp->n))
+ d = mp_sub(d, d, rp->n);
+
+ /* --- Tidy away temporary variables --- */
+
+ mp_drop(cp);
+ mp_drop(cq);
+ }
+
+ /* --- Finally, possibly remove the blinding factor --- */
+
+ if (ki) {
+ d = mp_mul(d, d, ki);
+ mp_div(0, &d, d, rp->n);
+ mp_drop(ki);
+ }
+
+ /* --- Done --- */
+
+ mp_drop(c);
+ return (d);
+}
+
+/*----- That's all, folks -------------------------------------------------*/
--- /dev/null
+/* -*-c-*-
+ *
+ * $Id: rsa-gen.c,v 1.1 1999/12/22 15:50:45 mdw Exp $
+ *
+ * RSA parameter generation
+ *
+ * (c) 1999 Straylight/Edgeware
+ */
+
+/*----- Licensing notice --------------------------------------------------*
+ *
+ * This file is part of Catacomb.
+ *
+ * Catacomb is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Library General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * Catacomb is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public
+ * License along with Catacomb; if not, write to the Free
+ * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+/*----- Revision history --------------------------------------------------*
+ *
+ * $Log: rsa-gen.c,v $
+ * Revision 1.1 1999/12/22 15:50:45 mdw
+ * Initial RSA support.
+ *
+ */
+
+/*----- Header files ------------------------------------------------------*/
+
+#include <mLib/dstr.h>
+
+#include "grand.h"
+#include "mp.h"
+#include "pgen.h"
+#include "rsa.h"
+#include "strongprime.h"
+
+/*----- Main code ---------------------------------------------------------*/
+
+/* --- @rsa_gen@ --- *
+ *
+ * Arguments: @rsa_param *rp@ = pointer to block to be filled in
+ * @unsigned nbits@ = required modulus size in bits
+ * @grand *r@ = random number source
+ * @unsigned n@ = number of attempts to make
+ * @pgen_proc *event@ = event handler function
+ * @void *ectx@ = argument for the event handler
+ *
+ * Returns: Zero if all went well, nonzero otherwise.
+ *
+ * Use: Constructs a pair of strong RSA primes and other useful RSA
+ * parameters. A small encryption exponent is chosen if
+ * possible.
+ */
+
+int rsa_gen(rsa_param *rp, unsigned nbits, grand *r, unsigned n,
+ pgen_proc *event, void *ectx)
+{
+ mp *phi;
+ int i;
+ mp *g;
+
+ /* --- Generate strong primes %$p$% and %$q$% --- */
+
+ if ((rp->p = strongprime("p", MP_NEW, nbits/2, r, n, event, ectx)) == 0)
+ goto fail_p;
+ if ((rp->q = strongprime("q", MP_NEW, nbits/2, r, n, event, ectx)) == 0)
+ goto fail_q;
+
+ /* --- Work out the modulus and the CRT coefficient --- */
+
+ rp->n = mp_mul(MP_NEW, rp->p, rp->q);
+ rp->q_inv = MP_NEW; mp_gcd(0, 0, &rp->q_inv, rp->p, rp->q);
+
+ /* --- Work out %$\varphi(n) = (p - 1)(q - 1)$% --- *
+ *
+ * Save on further multiplications by noting that %$n = pq$% is known and
+ * that %$(p - 1)(q - 1) = pq - p - q + 1$%.
+ */
+
+ phi = mp_sub(MP_NEW, rp->n, rp->p);
+ phi = mp_sub(phi, phi, rp->q);
+ phi = mp_add(phi, phi, MP_ONE);
+
+ /* --- Decide on a public exponent --- *
+ *
+ * Simultaneously compute the private exponent.
+ */
+
+ rp->e = mp_create(1);
+ rp->d = MP_NEW;
+ g = MP_NEW;
+ for (i = 1; i < NPRIME; i++) {
+ rp->e->v[0] = primetab[i];
+ mp_gcd(&g, 0, &rp->d, phi, rp->e);
+ if (MP_CMP(g, ==, MP_ONE))
+ goto good_e;
+ }
+ goto fail_e;
+
+ /* --- Work out exponent residues --- */
+
+good_e:
+ rp->dp = MP_NEW; phi = mp_sub(phi, rp->p, MP_ONE);
+ mp_div(0, &rp->dp, rp->d, phi);
+
+ rp->dq = MP_NEW; phi = mp_sub(phi, rp->q, MP_ONE);
+ mp_div(0, &rp->dq, rp->d, phi);
+
+ /* --- Done --- */
+
+ mp_drop(phi);
+ mp_drop(g);
+ return (0);
+
+ /* --- Tidy up when something goes wrong --- */
+
+fail_e:
+ mp_drop(g);
+ mp_drop(phi);
+ mp_drop(rp->n);
+ mp_drop(rp->q_inv);
+ mp_drop(rp->q);
+fail_q:
+ mp_drop(rp->p);
+fail_p:
+ return (-1);
+}
+
+/*----- That's all, folks -------------------------------------------------*/
--- /dev/null
+/* -*-c-*-
+ *
+ * $Id: rsa-recover.c,v 1.1 1999/12/22 15:50:45 mdw Exp $
+ *
+ * Recover RSA parameters
+ *
+ * (c) 1999 Straylight/Edgeware
+ */
+
+/*----- Licensing notice --------------------------------------------------*
+ *
+ * This file is part of Catacomb.
+ *
+ * Catacomb is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Library General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * Catacomb is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public
+ * License along with Catacomb; if not, write to the Free
+ * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+/*----- Revision history --------------------------------------------------*
+ *
+ * $Log: rsa-recover.c,v $
+ * Revision 1.1 1999/12/22 15:50:45 mdw
+ * Initial RSA support.
+ *
+ */
+
+/*----- Header files ------------------------------------------------------*/
+
+#include "mp.h"
+#include "mpmont.h"
+#include "rsa.h"
+
+/*----- Main code ---------------------------------------------------------*/
+
+/* --- @rsa_recover@ --- *
+ *
+ * Arguments: @rsa_param *rp@ = pointer to parameter block
+ *
+ * Returns: Zero if all went well, nonzero if the parameters make no
+ * sense.
+ *
+ * Use: Derives the full set of RSA parameters given a minimal set.
+ */
+
+int rsa_recover(rsa_param *rp)
+{
+ /* --- If there is no modulus, calculate it --- */
+
+ if (!rp->n) {
+ if (!rp->p || !rp->q)
+ return (-1);
+ rp->n = mp_mul(MP_NEW, rp->p, rp->q);
+ }
+
+ /* --- If there are no factors, compute them --- */
+
+ else if (!rp->p || !rp->q) {
+
+ /* --- If one is missing, use simple division to recover the other --- */
+
+ if (rp->p || rp->q) {
+ mp *r = MP_NEW;
+ if (rp->p)
+ mp_div(&rp->q, &r, rp->n, rp->p);
+ else
+ mp_div(&rp->p, &r, rp->n, rp->q);
+ if (MP_CMP(r, !=, MP_ZERO)) {
+ mp_drop(r);
+ return (-1);
+ }
+ mp_drop(r);
+ }
+
+ /* --- Otherwise use the public and private moduli --- */
+
+ else if (rp->e && rp->d) {
+ mp *t;
+ unsigned s;
+ mpscan ms;
+ mp a; mpw aw;
+ mp *m1;
+ mpmont mm;
+ int i;
+ mp *z = MP_NEW;
+
+ /* --- Work out the appropriate exponent --- *
+ *
+ * I need to compute %$s$% and %$t$% such that %$2^s t = e d - 1$%, and
+ * %$t$% is odd.
+ */
+
+ t = mp_mul(MP_NEW, rp->e, rp->d);
+ t = mp_sub(t, t, MP_ONE);
+ s = 0;
+ mp_scan(&ms, t);
+ for (;;) {
+ MP_STEP(&ms);
+ if (MP_BIT(&ms))
+ break;
+ s++;
+ }
+ t = mp_lsr(t, t, s);
+
+ /* --- Set up for the exponentiation --- */
+
+ mpmont_create(&mm, rp->n);
+ m1 = mp_sub(MP_NEW, rp->n, mm.r);
+
+ /* --- Now for the main loop --- *
+ *
+ * Choose candidate integers and attempt to factor the modulus.
+ */
+
+ mp_build(&a, &aw, &aw + 1);
+ i = 0;
+ for (;;) {
+ again:
+
+ /* --- Choose a random %$a$% and calculate %$z = a^t \bmod n$% --- *
+ *
+ * If %$z \equiv 1$% or %$z \equiv -1 \pmod n$% then this iteration
+ * is a failure.
+ */
+
+ aw = primetab[i++];
+ z = mpmont_expr(&mm, z, &a, t);
+ if (MP_CMP(z, ==, mm.r) || MP_CMP(z, ==, m1))
+ continue;
+
+ /* --- Now square until something interesting happens --- *
+ *
+ * Compute %$z^{2i} \bmod n$%. Eventually, I'll either get %$-1$% or
+ * %$1$%. If the former, the number is uninteresting, and I need to
+ * restart. If the latter, the previous number minus 1 has a common
+ * factor with %$n$%.
+ */
+
+ for (;;) {
+ mp *zz = mp_sqr(MP_NEW, z);
+ zz = mpmont_reduce(&mm, zz, zz);
+ if (MP_CMP(zz, ==, mm.r)) {
+ mp_drop(zz);
+ goto done;
+ } else if (MP_CMP(zz, ==, m1)) {
+ mp_drop(zz);
+ goto again;
+ }
+ mp_drop(z);
+ z = zz;
+ }
+ }
+
+ /* --- Do the factoring --- *
+ *
+ * Here's how it actually works. I've found an interesting square
+ * root of %$1 \pmod n$%. Any square root of 1 must be congruent to
+ * %$\pm 1$% modulo both %$p$% and %$q$%. Both congruent to %$1$% is
+ * boring, as is both congruent to %$-1$%. Subtracting one from the
+ * result makes it congruent to %$0$% modulo %$p$% or %$q$% (and
+ * nobody cares which), and hence can be extracted by a GCD
+ * operation.
+ */
+
+ done:
+ z = mpmont_reduce(&mm, z, z);
+ z = mp_sub(z, z, MP_ONE);
+ rp->p = MP_NEW;
+ mp_gcd(&rp->p, 0, 0, rp->n, z);
+ rp->q = MP_NEW;
+ mp_div(&rp->q, 0, rp->n, rp->p);
+ mp_drop(z);
+ mp_drop(t);
+ mp_drop(m1);
+ mpmont_destroy(&mm);
+ }
+ }
+
+ /* --- If %$e$% or %$d$% is missing, recalculate it --- */
+
+ if (!rp->e || !rp->d) {
+ mp *phi;
+ mp *g = MP_NEW;
+
+ /* --- Compute %$\varphi(n)$% --- */
+
+ phi = mp_sub(MP_NEW, rp->n, rp->p);
+ phi = mp_sub(phi, phi, rp->q);
+ phi = mp_add(phi, phi, MP_ONE);
+
+ /* --- Recover the other exponent --- */
+
+ if (rp->e)
+ mp_gcd(&g, 0, &rp->d, phi, rp->e);
+ else if (rp->d)
+ mp_gcd(&g, 0, &rp->e, phi, rp->d);
+ else {
+ mp_drop(phi);
+ return (-1);
+ }
+
+ mp_drop(phi);
+ if (MP_CMP(g, !=, MP_ONE)) {
+ mp_drop(g);
+ return (-1);
+ }
+ mp_drop(g);
+ }
+
+ /* --- Compute %$q^{-1} \bmod p$% --- */
+
+ if (!rp->q_inv)
+ mp_gcd(0, 0, &rp->q_inv, rp->p, rp->q);
+
+ /* --- Compute %$d \bmod (p - 1)$% and %$d \bmod (q - 1)$% --- */
+
+ if (!rp->dp) {
+ mp *p1 = mp_sub(MP_NEW, rp->p, MP_ONE);
+ mp_div(0, &rp->dp, rp->d, p1);
+ mp_drop(p1);
+ }
+ if (!rp->dq) {
+ mp *q1 = mp_sub(MP_NEW, rp->q, MP_ONE);
+ mp_div(0, &rp->dq, rp->d, q1);
+ mp_drop(q1);
+ }
+
+ /* --- Done --- */
+
+ return (0);
+}
+
+/*----- That's all, folks -------------------------------------------------*/
--- /dev/null
+/* -*-c-*-
+ *
+ * $Id: rsa.h,v 1.1 1999/12/22 15:50:45 mdw Exp $
+ *
+ * The RSA public-key cryptosystem
+ *
+ * (c) 1999 Straylight/Edgeware
+ */
+
+/*----- Licensing notice --------------------------------------------------*
+ *
+ * This file is part of Catacomb.
+ *
+ * Catacomb is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Library General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * Catacomb is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public
+ * License along with Catacomb; if not, write to the Free
+ * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+/*----- Revision history --------------------------------------------------*
+ *
+ * $Log: rsa.h,v $
+ * Revision 1.1 1999/12/22 15:50:45 mdw
+ * Initial RSA support.
+ *
+ */
+
+#ifndef CATACOMB_RSA_H
+#define CATACOMB_RSA_H
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+/*----- Header files ------------------------------------------------------*/
+
+#ifndef CATACOMB_GRAND_H
+# include "grand.h"
+#endif
+
+#ifndef CATACOMB_MP_H
+# include "mp.h"
+#endif
+
+#ifndef CATACOMB_PGEN_H
+# include "pgen.h"
+#endif
+
+/*----- Data structures ---------------------------------------------------*/
+
+typedef struct rsa_param {
+ mp *p, *q;
+ mp *n;
+ mp *q_inv;
+ mp *e, *d, *dp, *dq;
+} rsa_param;
+
+/*----- Functions provided ------------------------------------------------*/
+
+/* --- @rsa_gen@ --- *
+ *
+ * Arguments: @rsa_param *rp@ = pointer to block to be filled in
+ * @unsigned nbits@ = required modulus size in bits
+ * @grand *r@ = random number source
+ * @unsigned n@ = number of attempts to make
+ * @pgen_proc *event@ = event handler function
+ * @void *ectx@ = argument for the event handler
+ *
+ * Returns: Zero if all went well, nonzero otherwise.
+ *
+ * Use: Constructs a pair of strong RSA primes and other useful RSA
+ * parameters. A small encryption exponent is chosen if
+ * possible.
+ */
+
+extern int rsa_gen(rsa_param */*rp*/, unsigned /*nbits*/,
+ grand */*r*/, unsigned /*n*/,
+ pgen_proc */*event*/, void */*ectx*/);
+
+/* --- @rsa_decrypt@ --- *
+ *
+ * Arguments: @rsa_param *rp@ = pointer to RSA parameters
+ * @mp *d@ = destination
+ * @mp *c@ = ciphertext message
+ * @grand *r@ = pointer to random number source for blinding
+ *
+ * Returns: Correctly decrypted message.
+ *
+ * Use: Performs RSA decryption, very carefully.
+ */
+
+extern mp *rsa_decrypt(rsa_param */*rp*/, mp */*d*/, mp */*c*/,
+ grand */*r*/);
+
+/* --- @rsa_recover@ --- *
+ *
+ * Arguments: @rsa_param *rp@ = pointer to parameter block
+ *
+ * Returns: Zero if all went well, nonzero if the parameters make no
+ * sense.
+ *
+ * Use: Derives the full set of RSA parameters given a minimal set.
+ */
+
+extern int rsa_recover(rsa_param */*rp*/);
+
+/*----- That's all, folks -------------------------------------------------*/
+
+#ifdef __cplusplus
+ }
+#endif
+
+#endif
projects / u / mdw / catacomb / commitdiff