From: mdw
Date: Sat, 1 Jul 2000 11:21:56 +0000 (+0000)
Subject: Moved to `rsa-priv.c'.
X-Git-Url: https://git.distorted.org.uk/u/mdw/catacomb/commitdiff_plain/4a50554fd9f830c02911b261a4d74ce10be59819

Moved to `rsa-priv.c'.
---

diff --git a/rsa-decrypt.c b/rsa-decrypt.c
deleted file mode 100644
index cbeed03..0000000
--- a/rsa-decrypt.c
+++ /dev/null
@@ -1,209 +0,0 @@
-/* -*-c-*-
- *
- * $Id: rsa-decrypt.c,v 1.2 2000/06/17 11:57:56 mdw Exp $
- *
- * RSA decryption
- *
- * (c) 1999 Straylight/Edgeware
- */
-
-/*----- Licensing notice --------------------------------------------------*
- *
- * This file is part of Catacomb.
- *
- * Catacomb is free software; you can redistribute it and/or modify
- * it under the terms of the GNU Library General Public License as
- * published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * Catacomb is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Library General Public License for more details.
- *
- * You should have received a copy of the GNU Library General Public
- * License along with Catacomb; if not, write to the Free
- * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
- * MA 02111-1307, USA.
- */
-
-/*----- Revision history --------------------------------------------------*
- *
- * $Log: rsa-decrypt.c,v $
- * Revision 1.2 2000/06/17 11:57:56 mdw
- * Improve bulk performance by making better use of Montgomery
- * multiplication and separating out initialization and finalization from
- * the main code.
- *
- * Revision 1.1 1999/12/22 15:50:45 mdw
- * Initial RSA support.
- *
- */
-
-/*----- Header files ------------------------------------------------------*/
-
-#include "mp.h"
-#include "mpmont.h"
-#include "mprand.h"
-#include "rsa.h"
-
-/*----- Main code ---------------------------------------------------------*/
-
-/* --- @rsa_deccreate@ --- *
- *
- * Arguments: @rsa_decctx *rd@ = pointer to an RSA decryption context
- * @rsa_priv *rp@ = pointer to RSA private key
- * @grand *r@ = pointer to random number source for blinding
- *
- * Returns: ---
- *
- * Use: Initializes an RSA decryption context. Keeping a context
- * for several decryption or signing operations provides a minor
- * performance benefit.
- *
- * The random number source may be null if blinding is not
- * desired. This improves decryption speed, at the risk of
- * permitting timing attacks.
- */
-
-void rsa_deccreate(rsa_decctx *rd, rsa_param *rp, grand *r)
-{
- rd->rp = rp;
- rd->r = r;
- if (r)
- mpmont_create(&rd->nm, rp->n);
- mpmont_create(&rd->pm, rp->p);
- mpmont_create(&rd->qm, rp->q);
-}
-
-/* --- @rsa_decdestroy@ --- *
- *
- * Arguments: @rsa_decctx *rd@ = pointer to an RSA decryption context
- *
- * Returns: ---
- *
- * Use: Destroys an RSA decryption context.
- */
-
-void rsa_decdestroy(rsa_decctx *rd)
-{
- if (rd->r)
- mpmont_destroy(&rd->nm);
- mpmont_destroy(&rd->pm);
- mpmont_destroy(&rd->qm);
-}
-
-/* --- @rsa_dec@ --- *
- *
- * Arguments: @rsa_decctx *rd@ = pointer to RSA decryption context
- * @mp *d@ = destination
- * @mp *c@ = ciphertext message
- *
- * Returns: The recovered plaintext message.
- *
- * Use: Performs RSA decryption. This function takes advantage of
- * knowledge of the key factors in order to speed up
- * decryption. It also blinds the ciphertext prior to
- * decryption and unblinds it afterwards to thwart timing
- * attacks.
- */
-
-mp *rsa_dec(rsa_decctx *rd, mp *d, mp *c)
-{
- mp *ki = MP_NEW;
- rsa_param *rp = rd->rp;
-
- /* --- If so desired, set up a blinding constant --- *
- *
- * Choose a constant %$k$% relatively prime to the modulus %$m$%. Compute
- * %$c' = c k^e \bmod n$%, and %$k^{-1} \bmod n$%. Don't bother with the
- * CRT stuff here because %$e$% is chosen to be small.
- */
-
- c = MP_COPY(c);
- if (rd->r) {
- mp *k = MP_NEWSEC, *g = MP_NEW;
-
- do {
- k = mprand_range(k, rp->n, rd->r, 0);
- mp_gcd(&g, 0, &ki, rp->n, k);
- } while (MP_CMP(g, !=, MP_ONE));
- k = mpmont_expr(&rd->nm, k, k, rp->e);
- c = mpmont_mul(&rd->nm, c, c, k);
- mp_drop(k);
- mp_drop(g);
- }
-
- /* --- Do the actual modular exponentiation --- *
- *
- * Use a slightly hacked version of the Chinese Remainder Theorem stuff.
- *
- * Let %$q' = q^{-1} \bmod p$%. Then note that
- * %$c^d \equiv q (q'(c_p^{d_p} - c_q^{d_q}) \bmod p) + c_q^{d_q} \pmod n$%
- */
-
- {
- mp *cp = MP_NEW, *cq = MP_NEW;
-
- /* --- Work out the two halves of the result --- */
-
- mp_div(0, &cp, c, rp->p);
- cp = mpmont_exp(&rd->pm, cp, cp, rp->dp);
-
- mp_div(0, &cq, c, rp->q);
- cq = mpmont_exp(&rd->qm, cq, cq, rp->dq);
-
- /* --- Combine the halves using the result above --- */
-
- d = mp_sub(d, cp, cq);
- mp_div(0, &d, d, rp->p);
- d = mpmont_mul(&rd->pm, d, d, rp->q_inv);
- d = mpmont_mul(&rd->pm, d, d, rd->pm.r2);
-
- d = mp_mul(d, d, rp->q);
- d = mp_add(d, d, cq);
- if (MP_CMP(d, >=, rp->n))
- d = mp_sub(d, d, rp->n);
-
- /* --- Tidy away temporary variables --- */
-
- mp_drop(cp);
- mp_drop(cq);
- }
-
- /* --- Finally, possibly remove the blinding factor --- */
-
- if (ki) {
- d = mpmont_mul(&rd->nm, d, d, ki);
- d = mpmont_mul(&rd->nm, d, d, rd->nm.r2);
- mp_drop(ki);
- }
-
- /* --- Done --- */
-
- mp_drop(c);
- return (d);
-}
-
-/* --- @rsa_decrypt@ --- *
- *
- * Arguments: @rsa_param *rp@ = pointer to RSA parameters
- * @mp *d@ = destination
- * @mp *c@ = ciphertext message
- * @grand *r@ = pointer to random number source for blinding
- *
- * Returns: Correctly decrypted message.
- *
- * Use: Performs RSA decryption, very carefully.
- */
-
-mp *rsa_decrypt(rsa_param *rp, mp *d, mp *c, grand *r)
-{
- rsa_decctx rd;
- rsa_deccreate(&rd, rp, r);
- d = rsa_dec(&rd, d, c);
- rsa_decdestroy(&rd);
- return (d);
-}
-
-/*----- That's all, folks -------------------------------------------------*/