+++ /dev/null
-/* -*-c-*-
- *
- * $Id: rsa-decrypt.c,v 1.2 2000/06/17 11:57:56 mdw Exp $
- *
- * RSA decryption
- *
- * (c) 1999 Straylight/Edgeware
- */
-
-/*----- Licensing notice --------------------------------------------------*
- *
- * This file is part of Catacomb.
- *
- * Catacomb is free software; you can redistribute it and/or modify
- * it under the terms of the GNU Library General Public License as
- * published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * Catacomb is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Library General Public License for more details.
- *
- * You should have received a copy of the GNU Library General Public
- * License along with Catacomb; if not, write to the Free
- * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
- * MA 02111-1307, USA.
- */
-
-/*----- Revision history --------------------------------------------------*
- *
- * $Log: rsa-decrypt.c,v $
- * Revision 1.2 2000/06/17 11:57:56 mdw
- * Improve bulk performance by making better use of Montgomery
- * multiplication and separating out initialization and finalization from
- * the main code.
- *
- * Revision 1.1 1999/12/22 15:50:45 mdw
- * Initial RSA support.
- *
- */
-
-/*----- Header files ------------------------------------------------------*/
-
-#include "mp.h"
-#include "mpmont.h"
-#include "mprand.h"
-#include "rsa.h"
-
-/*----- Main code ---------------------------------------------------------*/
-
-/* --- @rsa_deccreate@ --- *
- *
- * Arguments: @rsa_decctx *rd@ = pointer to an RSA decryption context
- * @rsa_priv *rp@ = pointer to RSA private key
- * @grand *r@ = pointer to random number source for blinding
- *
- * Returns: ---
- *
- * Use: Initializes an RSA decryption context. Keeping a context
- * for several decryption or signing operations provides a minor
- * performance benefit.
- *
- * The random number source may be null if blinding is not
- * desired. This improves decryption speed, at the risk of
- * permitting timing attacks.
- */
-
-void rsa_deccreate(rsa_decctx *rd, rsa_param *rp, grand *r)
-{
- rd->rp = rp;
- rd->r = r;
- if (r)
- mpmont_create(&rd->nm, rp->n);
- mpmont_create(&rd->pm, rp->p);
- mpmont_create(&rd->qm, rp->q);
-}
-
-/* --- @rsa_decdestroy@ --- *
- *
- * Arguments: @rsa_decctx *rd@ = pointer to an RSA decryption context
- *
- * Returns: ---
- *
- * Use: Destroys an RSA decryption context.
- */
-
-void rsa_decdestroy(rsa_decctx *rd)
-{
- if (rd->r)
- mpmont_destroy(&rd->nm);
- mpmont_destroy(&rd->pm);
- mpmont_destroy(&rd->qm);
-}
-
-/* --- @rsa_dec@ --- *
- *
- * Arguments: @rsa_decctx *rd@ = pointer to RSA decryption context
- * @mp *d@ = destination
- * @mp *c@ = ciphertext message
- *
- * Returns: The recovered plaintext message.
- *
- * Use: Performs RSA decryption. This function takes advantage of
- * knowledge of the key factors in order to speed up
- * decryption. It also blinds the ciphertext prior to
- * decryption and unblinds it afterwards to thwart timing
- * attacks.
- */
-
-mp *rsa_dec(rsa_decctx *rd, mp *d, mp *c)
-{
- mp *ki = MP_NEW;
- rsa_param *rp = rd->rp;
-
- /* --- If so desired, set up a blinding constant --- *
- *
- * Choose a constant %$k$% relatively prime to the modulus %$m$%. Compute
- * %$c' = c k^e \bmod n$%, and %$k^{-1} \bmod n$%. Don't bother with the
- * CRT stuff here because %$e$% is chosen to be small.
- */
-
- c = MP_COPY(c);
- if (rd->r) {
- mp *k = MP_NEWSEC, *g = MP_NEW;
-
- do {
- k = mprand_range(k, rp->n, rd->r, 0);
- mp_gcd(&g, 0, &ki, rp->n, k);
- } while (MP_CMP(g, !=, MP_ONE));
- k = mpmont_expr(&rd->nm, k, k, rp->e);
- c = mpmont_mul(&rd->nm, c, c, k);
- mp_drop(k);
- mp_drop(g);
- }
-
- /* --- Do the actual modular exponentiation --- *
- *
- * Use a slightly hacked version of the Chinese Remainder Theorem stuff.
- *
- * Let %$q' = q^{-1} \bmod p$%. Then note that
- * %$c^d \equiv q (q'(c_p^{d_p} - c_q^{d_q}) \bmod p) + c_q^{d_q} \pmod n$%
- */
-
- {
- mp *cp = MP_NEW, *cq = MP_NEW;
-
- /* --- Work out the two halves of the result --- */
-
- mp_div(0, &cp, c, rp->p);
- cp = mpmont_exp(&rd->pm, cp, cp, rp->dp);
-
- mp_div(0, &cq, c, rp->q);
- cq = mpmont_exp(&rd->qm, cq, cq, rp->dq);
-
- /* --- Combine the halves using the result above --- */
-
- d = mp_sub(d, cp, cq);
- mp_div(0, &d, d, rp->p);
- d = mpmont_mul(&rd->pm, d, d, rp->q_inv);
- d = mpmont_mul(&rd->pm, d, d, rd->pm.r2);
-
- d = mp_mul(d, d, rp->q);
- d = mp_add(d, d, cq);
- if (MP_CMP(d, >=, rp->n))
- d = mp_sub(d, d, rp->n);
-
- /* --- Tidy away temporary variables --- */
-
- mp_drop(cp);
- mp_drop(cq);
- }
-
- /* --- Finally, possibly remove the blinding factor --- */
-
- if (ki) {
- d = mpmont_mul(&rd->nm, d, d, ki);
- d = mpmont_mul(&rd->nm, d, d, rd->nm.r2);
- mp_drop(ki);
- }
-
- /* --- Done --- */
-
- mp_drop(c);
- return (d);
-}
-
-/* --- @rsa_decrypt@ --- *
- *
- * Arguments: @rsa_param *rp@ = pointer to RSA parameters
- * @mp *d@ = destination
- * @mp *c@ = ciphertext message
- * @grand *r@ = pointer to random number source for blinding
- *
- * Returns: Correctly decrypted message.
- *
- * Use: Performs RSA decryption, very carefully.
- */
-
-mp *rsa_decrypt(rsa_param *rp, mp *d, mp *c, grand *r)
-{
- rsa_decctx rd;
- rsa_deccreate(&rd, rp, r);
- d = rsa_dec(&rd, d, c);
- rsa_decdestroy(&rd);
- return (d);
-}
-
-/*----- That's all, folks -------------------------------------------------*/