7 #define RSA_EXPONENT 37 /* we like this prime */
9 #if 0 /* bignum diagnostic function */
10 static void diagbn(char *prefix
, Bignum md
) {
11 int i
, nibbles
, morenibbles
;
12 static const char hex
[] = "0123456789ABCDEF";
14 printf("%s0x", prefix ? prefix
: "");
16 nibbles
= (3 + ssh1_bignum_bitcount(md
))/4; if (nibbles
<1) nibbles
=1;
17 morenibbles
= 4*md
[0] - nibbles
;
18 for (i
=0; i
<morenibbles
; i
++) putchar('-');
19 for (i
=nibbles
; i
-- ;)
20 putchar(hex
[(bignum_byte(md
, i
/2) >> (4*(i
%2))) & 0xF]);
22 if (prefix
) putchar('\n');
26 int rsa_generate(struct RSAKey
*key
, struct RSAAux
*aux
, int bits
,
27 progfn_t pfn
, void *pfnparam
) {
28 Bignum pm1
, qm1
, phi_n
;
31 * Set up the phase limits for the progress report. We do this
32 * by passing minus the phase number.
34 * For prime generation: our initial filter finds things
35 * coprime to everything below 2^16. Computing the product of
36 * (p-1)/p for all prime p below 2^16 gives about 20.33; so
37 * among B-bit integers, one in every 20.33 will get through
38 * the initial filter to be a candidate prime.
40 * Meanwhile, we are searching for primes in the region of 2^B;
41 * since pi(x) ~ x/log(x), when x is in the region of 2^B, the
42 * prime density will be d/dx pi(x) ~ 1/log(B), i.e. about
43 * 1/0.6931B. So the chance of any given candidate being prime
44 * is 20.33/0.6931B, which is roughly 29.34 divided by B.
46 * So now we have this probability P, we're looking at an
47 * exponential distribution with parameter P: we will manage in
48 * one attempt with probability P, in two with probability
49 * P(1-P), in three with probability P(1-P)^2, etc. The
50 * probability that we have still not managed to find a prime
51 * after N attempts is (1-P)^N.
53 * We therefore inform the progress indicator of the number B
54 * (29.34/B), so that it knows how much to increment by each
55 * time. We do this in 16-bit fixed point, so 29.34 becomes
58 pfn(pfnparam
, -1, -0x1D57C4/(bits
/2));
59 pfn(pfnparam
, -2, -0x1D57C4/(bits
-bits
/2));
63 * We don't generate e; we just use a standard one always.
65 key
->exponent
= bignum_from_short(RSA_EXPONENT
);
68 * Generate p and q: primes with combined length `bits', not
69 * congruent to 1 modulo e. (Strictly speaking, we wanted (p-1)
70 * and e to be coprime, and (q-1) and e to be coprime, but in
71 * general that's slightly more fiddly to arrange. By choosing
72 * a prime e, we can simplify the criterion.)
74 aux
->p
= primegen(bits
/2, RSA_EXPONENT
, 1, 1, pfn
, pfnparam
);
75 aux
->q
= primegen(bits
- bits
/2, RSA_EXPONENT
, 1, 2, pfn
, pfnparam
);
78 * Ensure p > q, by swapping them if not.
80 if (bignum_cmp(aux
->p
, aux
->q
) < 0) {
87 * Now we have p, q and e. All we need to do now is work out
88 * the other helpful quantities: n=pq, d=e^-1 mod (p-1)(q-1),
92 key
->modulus
= bigmul(aux
->p
, aux
->q
);
98 phi_n
= bigmul(pm1
, qm1
);
102 key
->private_exponent
= modinv(key
->exponent
, phi_n
);
104 aux
->iqmp
= modinv(aux
->q
, aux
->p
);
108 * Clean up temporary numbers.