From 01898d8eb947e922eb289589cd7b1f016e2ada06 Mon Sep 17 00:00:00 2001 From: mdw Date: Wed, 22 Dec 1999 15:50:45 +0000 Subject: [PATCH] Initial RSA support. --- rsa-decrypt.c | 142 ++++++++++++++++++++++++++++++++++ rsa-gen.c | 140 +++++++++++++++++++++++++++++++++ rsa-recover.c | 243 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ rsa.h | 123 +++++++++++++++++++++++++++++ 4 files changed, 648 insertions(+) create mode 100644 rsa-decrypt.c create mode 100644 rsa-gen.c create mode 100644 rsa-recover.c create mode 100644 rsa.h diff --git a/rsa-decrypt.c b/rsa-decrypt.c new file mode 100644 index 0000000..808987c --- /dev/null +++ b/rsa-decrypt.c @@ -0,0 +1,142 @@ +/* -*-c-*- + * + * $Id: rsa-decrypt.c,v 1.1 1999/12/22 15:50:45 mdw Exp $ + * + * RSA decryption + * + * (c) 1999 Straylight/Edgeware + */ + +/*----- Licensing notice --------------------------------------------------* + * + * This file is part of Catacomb. + * + * Catacomb is free software; you can redistribute it and/or modify + * it under the terms of the GNU Library General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * Catacomb is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public + * License along with Catacomb; if not, write to the Free + * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +/*----- Revision history --------------------------------------------------* + * + * $Log: rsa-decrypt.c,v $ + * Revision 1.1 1999/12/22 15:50:45 mdw + * Initial RSA support. + * + */ + +/*----- Header files ------------------------------------------------------*/ + +#include "mp.h" +#include "mpmont.h" +#include "mprand.h" +#include "rsa.h" + +/*----- Main code ---------------------------------------------------------*/ + +/* --- @rsa_decrypt@ --- * + * + * Arguments: @rsa_param *rp@ = pointer to RSA parameters + * @mp *d@ = destination + * @mp *c@ = ciphertext message + * @grand *r@ = pointer to random number source for blinding + * + * Returns: Correctly decrypted message. + * + * Use: Performs RSA decryption, very carefully. + */ + +mp *rsa_decrypt(rsa_param *rp, mp *d, mp *c, grand *r) +{ + mp *ki = MP_NEW; + + /* --- If so desired, set up a blinding constant --- * + * + * Choose a constant %$k$% relatively prime to the modulus %$m$%. Compute + * %$c' = c k^e \bmod n$%, and %$k^{-1} \bmod n$%. + */ + + c = MP_COPY(c); + if (r) { + mp *k = MP_NEW, *g = MP_NEW; + mpmont mm; + + do { + k = mprand_range(k, rp->n, r, 0); + mp_gcd(&g, 0, &ki, rp->n, k); + } while (MP_CMP(g, !=, MP_ONE)); + mpmont_create(&mm, rp->n); + k = mpmont_expr(&mm, k, k, rp->e); + c = mpmont_mul(&mm, c, c, k); + mp_drop(k); + mp_drop(g); + } + + /* --- Do the actual modular exponentiation --- * + * + * Use a slightly hacked version of the Chinese Remainder Theorem stuff. + * + * Let %$q' = q^{-1} \bmod p$%. Then note that + * %$c^d \equiv q (q'(c_p^{d_p} - c_q^{d_q}) \bmod p) + c_q^{d_q} \pmod n$% + */ + + { + mpmont mm; + mp *cp = MP_NEW, *cq = MP_NEW; + + /* --- Work out the two halves of the result --- */ + + mp_div(0, &cp, c, rp->p); + mpmont_create(&mm, rp->p); + cp = mpmont_exp(&mm, cp, cp, rp->dp); + mpmont_destroy(&mm); + + mp_div(0, &cq, c, rp->q); + mpmont_create(&mm, rp->q); + cq = mpmont_exp(&mm, cq, cq, rp->dq); + mpmont_destroy(&mm); + + /* --- Combine the halves using the result above --- */ + + d = mp_sub(d, cp, cq); + if (cp->f & MP_NEG) + d = mp_add(d, d, rp->p); + d = mp_mul(d, d, rp->q_inv); + mp_div(0, &d, d, rp->p); + + d = mp_mul(d, d, rp->q); + d = mp_add(d, d, cq); + if (MP_CMP(d, >=, rp->n)) + d = mp_sub(d, d, rp->n); + + /* --- Tidy away temporary variables --- */ + + mp_drop(cp); + mp_drop(cq); + } + + /* --- Finally, possibly remove the blinding factor --- */ + + if (ki) { + d = mp_mul(d, d, ki); + mp_div(0, &d, d, rp->n); + mp_drop(ki); + } + + /* --- Done --- */ + + mp_drop(c); + return (d); +} + +/*----- That's all, folks -------------------------------------------------*/ diff --git a/rsa-gen.c b/rsa-gen.c new file mode 100644 index 0000000..056d245 --- /dev/null +++ b/rsa-gen.c @@ -0,0 +1,140 @@ +/* -*-c-*- + * + * $Id: rsa-gen.c,v 1.1 1999/12/22 15:50:45 mdw Exp $ + * + * RSA parameter generation + * + * (c) 1999 Straylight/Edgeware + */ + +/*----- Licensing notice --------------------------------------------------* + * + * This file is part of Catacomb. + * + * Catacomb is free software; you can redistribute it and/or modify + * it under the terms of the GNU Library General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * Catacomb is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public + * License along with Catacomb; if not, write to the Free + * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +/*----- Revision history --------------------------------------------------* + * + * $Log: rsa-gen.c,v $ + * Revision 1.1 1999/12/22 15:50:45 mdw + * Initial RSA support. + * + */ + +/*----- Header files ------------------------------------------------------*/ + +#include + +#include "grand.h" +#include "mp.h" +#include "pgen.h" +#include "rsa.h" +#include "strongprime.h" + +/*----- Main code ---------------------------------------------------------*/ + +/* --- @rsa_gen@ --- * + * + * Arguments: @rsa_param *rp@ = pointer to block to be filled in + * @unsigned nbits@ = required modulus size in bits + * @grand *r@ = random number source + * @unsigned n@ = number of attempts to make + * @pgen_proc *event@ = event handler function + * @void *ectx@ = argument for the event handler + * + * Returns: Zero if all went well, nonzero otherwise. + * + * Use: Constructs a pair of strong RSA primes and other useful RSA + * parameters. A small encryption exponent is chosen if + * possible. + */ + +int rsa_gen(rsa_param *rp, unsigned nbits, grand *r, unsigned n, + pgen_proc *event, void *ectx) +{ + mp *phi; + int i; + mp *g; + + /* --- Generate strong primes %$p$% and %$q$% --- */ + + if ((rp->p = strongprime("p", MP_NEW, nbits/2, r, n, event, ectx)) == 0) + goto fail_p; + if ((rp->q = strongprime("q", MP_NEW, nbits/2, r, n, event, ectx)) == 0) + goto fail_q; + + /* --- Work out the modulus and the CRT coefficient --- */ + + rp->n = mp_mul(MP_NEW, rp->p, rp->q); + rp->q_inv = MP_NEW; mp_gcd(0, 0, &rp->q_inv, rp->p, rp->q); + + /* --- Work out %$\varphi(n) = (p - 1)(q - 1)$% --- * + * + * Save on further multiplications by noting that %$n = pq$% is known and + * that %$(p - 1)(q - 1) = pq - p - q + 1$%. + */ + + phi = mp_sub(MP_NEW, rp->n, rp->p); + phi = mp_sub(phi, phi, rp->q); + phi = mp_add(phi, phi, MP_ONE); + + /* --- Decide on a public exponent --- * + * + * Simultaneously compute the private exponent. + */ + + rp->e = mp_create(1); + rp->d = MP_NEW; + g = MP_NEW; + for (i = 1; i < NPRIME; i++) { + rp->e->v[0] = primetab[i]; + mp_gcd(&g, 0, &rp->d, phi, rp->e); + if (MP_CMP(g, ==, MP_ONE)) + goto good_e; + } + goto fail_e; + + /* --- Work out exponent residues --- */ + +good_e: + rp->dp = MP_NEW; phi = mp_sub(phi, rp->p, MP_ONE); + mp_div(0, &rp->dp, rp->d, phi); + + rp->dq = MP_NEW; phi = mp_sub(phi, rp->q, MP_ONE); + mp_div(0, &rp->dq, rp->d, phi); + + /* --- Done --- */ + + mp_drop(phi); + mp_drop(g); + return (0); + + /* --- Tidy up when something goes wrong --- */ + +fail_e: + mp_drop(g); + mp_drop(phi); + mp_drop(rp->n); + mp_drop(rp->q_inv); + mp_drop(rp->q); +fail_q: + mp_drop(rp->p); +fail_p: + return (-1); +} + +/*----- That's all, folks -------------------------------------------------*/ diff --git a/rsa-recover.c b/rsa-recover.c new file mode 100644 index 0000000..c125aef --- /dev/null +++ b/rsa-recover.c @@ -0,0 +1,243 @@ +/* -*-c-*- + * + * $Id: rsa-recover.c,v 1.1 1999/12/22 15:50:45 mdw Exp $ + * + * Recover RSA parameters + * + * (c) 1999 Straylight/Edgeware + */ + +/*----- Licensing notice --------------------------------------------------* + * + * This file is part of Catacomb. + * + * Catacomb is free software; you can redistribute it and/or modify + * it under the terms of the GNU Library General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * Catacomb is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public + * License along with Catacomb; if not, write to the Free + * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +/*----- Revision history --------------------------------------------------* + * + * $Log: rsa-recover.c,v $ + * Revision 1.1 1999/12/22 15:50:45 mdw + * Initial RSA support. + * + */ + +/*----- Header files ------------------------------------------------------*/ + +#include "mp.h" +#include "mpmont.h" +#include "rsa.h" + +/*----- Main code ---------------------------------------------------------*/ + +/* --- @rsa_recover@ --- * + * + * Arguments: @rsa_param *rp@ = pointer to parameter block + * + * Returns: Zero if all went well, nonzero if the parameters make no + * sense. + * + * Use: Derives the full set of RSA parameters given a minimal set. + */ + +int rsa_recover(rsa_param *rp) +{ + /* --- If there is no modulus, calculate it --- */ + + if (!rp->n) { + if (!rp->p || !rp->q) + return (-1); + rp->n = mp_mul(MP_NEW, rp->p, rp->q); + } + + /* --- If there are no factors, compute them --- */ + + else if (!rp->p || !rp->q) { + + /* --- If one is missing, use simple division to recover the other --- */ + + if (rp->p || rp->q) { + mp *r = MP_NEW; + if (rp->p) + mp_div(&rp->q, &r, rp->n, rp->p); + else + mp_div(&rp->p, &r, rp->n, rp->q); + if (MP_CMP(r, !=, MP_ZERO)) { + mp_drop(r); + return (-1); + } + mp_drop(r); + } + + /* --- Otherwise use the public and private moduli --- */ + + else if (rp->e && rp->d) { + mp *t; + unsigned s; + mpscan ms; + mp a; mpw aw; + mp *m1; + mpmont mm; + int i; + mp *z = MP_NEW; + + /* --- Work out the appropriate exponent --- * + * + * I need to compute %$s$% and %$t$% such that %$2^s t = e d - 1$%, and + * %$t$% is odd. + */ + + t = mp_mul(MP_NEW, rp->e, rp->d); + t = mp_sub(t, t, MP_ONE); + s = 0; + mp_scan(&ms, t); + for (;;) { + MP_STEP(&ms); + if (MP_BIT(&ms)) + break; + s++; + } + t = mp_lsr(t, t, s); + + /* --- Set up for the exponentiation --- */ + + mpmont_create(&mm, rp->n); + m1 = mp_sub(MP_NEW, rp->n, mm.r); + + /* --- Now for the main loop --- * + * + * Choose candidate integers and attempt to factor the modulus. + */ + + mp_build(&a, &aw, &aw + 1); + i = 0; + for (;;) { + again: + + /* --- Choose a random %$a$% and calculate %$z = a^t \bmod n$% --- * + * + * If %$z \equiv 1$% or %$z \equiv -1 \pmod n$% then this iteration + * is a failure. + */ + + aw = primetab[i++]; + z = mpmont_expr(&mm, z, &a, t); + if (MP_CMP(z, ==, mm.r) || MP_CMP(z, ==, m1)) + continue; + + /* --- Now square until something interesting happens --- * + * + * Compute %$z^{2i} \bmod n$%. Eventually, I'll either get %$-1$% or + * %$1$%. If the former, the number is uninteresting, and I need to + * restart. If the latter, the previous number minus 1 has a common + * factor with %$n$%. + */ + + for (;;) { + mp *zz = mp_sqr(MP_NEW, z); + zz = mpmont_reduce(&mm, zz, zz); + if (MP_CMP(zz, ==, mm.r)) { + mp_drop(zz); + goto done; + } else if (MP_CMP(zz, ==, m1)) { + mp_drop(zz); + goto again; + } + mp_drop(z); + z = zz; + } + } + + /* --- Do the factoring --- * + * + * Here's how it actually works. I've found an interesting square + * root of %$1 \pmod n$%. Any square root of 1 must be congruent to + * %$\pm 1$% modulo both %$p$% and %$q$%. Both congruent to %$1$% is + * boring, as is both congruent to %$-1$%. Subtracting one from the + * result makes it congruent to %$0$% modulo %$p$% or %$q$% (and + * nobody cares which), and hence can be extracted by a GCD + * operation. + */ + + done: + z = mpmont_reduce(&mm, z, z); + z = mp_sub(z, z, MP_ONE); + rp->p = MP_NEW; + mp_gcd(&rp->p, 0, 0, rp->n, z); + rp->q = MP_NEW; + mp_div(&rp->q, 0, rp->n, rp->p); + mp_drop(z); + mp_drop(t); + mp_drop(m1); + mpmont_destroy(&mm); + } + } + + /* --- If %$e$% or %$d$% is missing, recalculate it --- */ + + if (!rp->e || !rp->d) { + mp *phi; + mp *g = MP_NEW; + + /* --- Compute %$\varphi(n)$% --- */ + + phi = mp_sub(MP_NEW, rp->n, rp->p); + phi = mp_sub(phi, phi, rp->q); + phi = mp_add(phi, phi, MP_ONE); + + /* --- Recover the other exponent --- */ + + if (rp->e) + mp_gcd(&g, 0, &rp->d, phi, rp->e); + else if (rp->d) + mp_gcd(&g, 0, &rp->e, phi, rp->d); + else { + mp_drop(phi); + return (-1); + } + + mp_drop(phi); + if (MP_CMP(g, !=, MP_ONE)) { + mp_drop(g); + return (-1); + } + mp_drop(g); + } + + /* --- Compute %$q^{-1} \bmod p$% --- */ + + if (!rp->q_inv) + mp_gcd(0, 0, &rp->q_inv, rp->p, rp->q); + + /* --- Compute %$d \bmod (p - 1)$% and %$d \bmod (q - 1)$% --- */ + + if (!rp->dp) { + mp *p1 = mp_sub(MP_NEW, rp->p, MP_ONE); + mp_div(0, &rp->dp, rp->d, p1); + mp_drop(p1); + } + if (!rp->dq) { + mp *q1 = mp_sub(MP_NEW, rp->q, MP_ONE); + mp_div(0, &rp->dq, rp->d, q1); + mp_drop(q1); + } + + /* --- Done --- */ + + return (0); +} + +/*----- That's all, folks -------------------------------------------------*/ diff --git a/rsa.h b/rsa.h new file mode 100644 index 0000000..aa6e44b --- /dev/null +++ b/rsa.h @@ -0,0 +1,123 @@ +/* -*-c-*- + * + * $Id: rsa.h,v 1.1 1999/12/22 15:50:45 mdw Exp $ + * + * The RSA public-key cryptosystem + * + * (c) 1999 Straylight/Edgeware + */ + +/*----- Licensing notice --------------------------------------------------* + * + * This file is part of Catacomb. + * + * Catacomb is free software; you can redistribute it and/or modify + * it under the terms of the GNU Library General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * Catacomb is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public + * License along with Catacomb; if not, write to the Free + * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +/*----- Revision history --------------------------------------------------* + * + * $Log: rsa.h,v $ + * Revision 1.1 1999/12/22 15:50:45 mdw + * Initial RSA support. + * + */ + +#ifndef CATACOMB_RSA_H +#define CATACOMB_RSA_H + +#ifdef __cplusplus + extern "C" { +#endif + +/*----- Header files ------------------------------------------------------*/ + +#ifndef CATACOMB_GRAND_H +# include "grand.h" +#endif + +#ifndef CATACOMB_MP_H +# include "mp.h" +#endif + +#ifndef CATACOMB_PGEN_H +# include "pgen.h" +#endif + +/*----- Data structures ---------------------------------------------------*/ + +typedef struct rsa_param { + mp *p, *q; + mp *n; + mp *q_inv; + mp *e, *d, *dp, *dq; +} rsa_param; + +/*----- Functions provided ------------------------------------------------*/ + +/* --- @rsa_gen@ --- * + * + * Arguments: @rsa_param *rp@ = pointer to block to be filled in + * @unsigned nbits@ = required modulus size in bits + * @grand *r@ = random number source + * @unsigned n@ = number of attempts to make + * @pgen_proc *event@ = event handler function + * @void *ectx@ = argument for the event handler + * + * Returns: Zero if all went well, nonzero otherwise. + * + * Use: Constructs a pair of strong RSA primes and other useful RSA + * parameters. A small encryption exponent is chosen if + * possible. + */ + +extern int rsa_gen(rsa_param */*rp*/, unsigned /*nbits*/, + grand */*r*/, unsigned /*n*/, + pgen_proc */*event*/, void */*ectx*/); + +/* --- @rsa_decrypt@ --- * + * + * Arguments: @rsa_param *rp@ = pointer to RSA parameters + * @mp *d@ = destination + * @mp *c@ = ciphertext message + * @grand *r@ = pointer to random number source for blinding + * + * Returns: Correctly decrypted message. + * + * Use: Performs RSA decryption, very carefully. + */ + +extern mp *rsa_decrypt(rsa_param */*rp*/, mp */*d*/, mp */*c*/, + grand */*r*/); + +/* --- @rsa_recover@ --- * + * + * Arguments: @rsa_param *rp@ = pointer to parameter block + * + * Returns: Zero if all went well, nonzero if the parameters make no + * sense. + * + * Use: Derives the full set of RSA parameters given a minimal set. + */ + +extern int rsa_recover(rsa_param */*rp*/); + +/*----- That's all, folks -------------------------------------------------*/ + +#ifdef __cplusplus + } +#endif + +#endif -- 2.11.0