[catacomb] / pub / dh-kcdsa.c

/* -*-c-*-
 *
 * Generate KCDSA prime groups
 *
 * (c) 2006 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include <mLib/macros.h>

#include "dh.h"
#include "mprand.h"
#include "pgen.h"
#include "prim.h"

/*----- Main code ---------------------------------------------------------*/

/* --- @dh_kcdsagen@ --- *
 *
 * Arguments:	@dh_param *dp@ = pointer to output parameter block
 *		@unsigned ql@ = size of small factor of %$(p - 1)/2$%
 *		@unsigned pl@ = size of %$p$% in bits
 *		@unsigned flags@ = other generation flags
 *		@unsigned steps@ = number of steps to go
 *		@grand *r@ = random number source
 *		@pgen_proc *ev@ = event handler function
 *		@void *ec@ = context for the event handler
 *
 * Returns:	@PGEN_DONE@ if it worked, @PGEN_ABORT@ if it failed.
 *
 * Use:		Generates a KCDSA prime group.  That is, it chooses a prime
 *		%$p$%, such that $%p = 2 q v + 1$%, for primes %$q$% and
 *		%$v$%.  The actual group of interest is the subgroup of order
 *		%$q$%.
 */

int dh_kcdsagen(dh_param *dp, unsigned ql, unsigned pl,
		unsigned flags, unsigned steps, grand *r,
		pgen_proc *ev, void *ec)
{
  pgen_filterctx pf;
  pgen_simulprime sp[2];
  pgen_simulctx ss;
  prim_ctx pc;
  rabin rb;
  int rc = PGEN_ABORT;
  int i;
  mp *x = MP_NEW, *t = MP_NEW;

  /* --- First trick: find %$v$% --- */

retry:
  pf.step = 2;
  x = mprand(x, pl - ql - 1, r, 1);
  x = pgen("v", x, x, ev, ec,
	   steps, pgen_filter, &pf,
	   rabin_iters(pl - ql), pgen_test, &rb);
  if (!x)
    goto fail_0;

  /* --- Second trick: find %$p$% and %$q$% --- */

  x = mp_lsl(x, x, 1);
  sp[0].add = MP_ZERO; sp[0].mul = MP_ONE; sp[0].f = 0;
  sp[1].add = MP_ONE; sp[1].mul = x; sp[1].f = PGENF_KEEP; x = MP_NEW;
  ss.step = MP_TWO; ss.v = sp; ss.n = N(sp);
  do {
    x = mprand(x, ql, r, 1);
    t = mp_mul(t, x, sp[1].mul);
  } while (mp_bits(t) != pl);
  dp->q = pgen("p", MP_NEW, x, ev, ec,
	       steps, pgen_simulstep, &ss,
	       rabin_iters(ql), pgen_simultest, &ss);
  mp_drop(sp[1].mul);
  dp->p = sp[1].u.x;
  if (!dp->q)
    goto fail_1;
  if (mp_bits(dp->q) != ql || mp_bits(dp->p) != pl) {
    if (steps) goto fail_1;
    MP_DROP(dp->p);
    MP_DROP(dp->q);
    goto retry;
  }

  /* --- Third trick: find a generator --- */

  mpmont_create(&pc.mm, dp->p);
  mp_div(&x, 0, dp->p, dp->q);
  i = 0;
  pc.exp = x;
  pc.n = 0;
  dp->g = pgen("g", MP_NEW, MP_NEW, ev, ec,
	       0, prim_step, &i, 1, prim_test, &pc);
  mpmont_destroy(&pc.mm);
  if (!dp->g)
    goto fail_1;

  rc = PGEN_DONE;
  goto done;

  /* --- Tidying up and going home --- */

fail_1:
  mp_drop(dp->p);
  mp_drop(dp->q);
fail_0:
done:
  mp_drop(x);
  mp_drop(t);
  return (rc);
}

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
4e67e30b MW	1	/* --c--
4e67e30b MW	2	*
4e67e30b MW	3	* Generate KCDSA prime groups
	4	*
	5	* (c) 2006 Straylight/Edgeware
	6	*/
	7
45c0fd36	8	/----- Licensing notice --------------------------------------------------
4e67e30b MW	9	*
	10	* This file is part of Catacomb.
	11	*
	12	* Catacomb is free software; you can redistribute it and/or modify
	13	* it under the terms of the GNU Library General Public License as
	14	* published by the Free Software Foundation; either version 2 of the
	15	* License, or (at your option) any later version.
45c0fd36	16	*
4e67e30b MW	17	* Catacomb is distributed in the hope that it will be useful,
	18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	* GNU Library General Public License for more details.
45c0fd36	21	*
4e67e30b MW	22	* You should have received a copy of the GNU Library General Public
	23	* License along with Catacomb; if not, write to the Free
	24	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	25	* MA 02111-1307, USA.
	26	*/
	27
	28	/----- Header files ------------------------------------------------------/
	29
	30	#include <mLib/macros.h>
	31
	32	#include "dh.h"
	33	#include "mprand.h"
	34	#include "pgen.h"
	35	#include "prim.h"
	36
	37	/----- Main code ---------------------------------------------------------/
	38
	39	/* --- @dh_kcdsagen@ --- *
	40	*
	41	* Arguments: @dh_param *dp@ = pointer to output parameter block
	42	* @unsigned ql@ = size of small factor of %$(p - 1)/2$%
	43	* @unsigned pl@ = size of %$p$% in bits
	44	* @unsigned flags@ = other generation flags
	45	* @unsigned steps@ = number of steps to go
	46	* @grand *r@ = random number source
	47	* @pgen_proc *ev@ = event handler function
	48	* @void *ec@ = context for the event handler
	49	*
	50	* Returns: @PGEN_DONE@ if it worked, @PGEN_ABORT@ if it failed.
	51	*
	52	* Use: Generates a KCDSA prime group. That is, it chooses a prime
	53	* %$p$%, such that $%p = 2 q v + 1$%, for primes %$q$% and
	54	* %$v$%. The actual group of interest is the subgroup of order
	55	* %$q$%.
	56	*/
	57
	58	int dh_kcdsagen(dh_param *dp, unsigned ql, unsigned pl,
	59	unsigned flags, unsigned steps, grand *r,
	60	pgen_proc ev, void ec)
	61	{
	62	pgen_filterctx pf;
	63	pgen_simulprime sp[2];
	64	pgen_simulctx ss;
	65	prim_ctx pc;
	66	rabin rb;
	67	int rc = PGEN_ABORT;
	68	int i;
a901fe7a	69	mp x = MP_NEW, t = MP_NEW;
4e67e30b	70
23a83acc	71	/* --- First trick: find %$v$% --- */
4e67e30b	72
591d081b	73	retry:
4e67e30b	74	pf.step = 2;
00e83192	75	x = mprand(x, pl - ql - 1, r, 1);
23aec1b4 MW	76	x = pgen("v", x, x, ev, ec,
	77	steps, pgen_filter, &pf,
	78	rabin_iters(pl - ql), pgen_test, &rb);
	79	if (!x)
4e67e30b MW	80	goto fail_0;
4e67e30b MW	81
23a83acc	82	/* --- Second trick: find %$p$% and %$q$% --- */
4e67e30b	83
23aec1b4	84	x = mp_lsl(x, x, 1);
4e67e30b	85	sp[0].add = MP_ZERO; sp[0].mul = MP_ONE; sp[0].f = 0;
9cbd8bb7	86	sp[1].add = MP_ONE; sp[1].mul = x; sp[1].f = PGENF_KEEP; x = MP_NEW;
4e67e30b	87	ss.step = MP_TWO; ss.v = sp; ss.n = N(sp);
a901fe7a MW	88	do {
	89	x = mprand(x, ql, r, 1);
	90	t = mp_mul(t, x, sp[1].mul);
	91	} while (mp_bits(t) != pl);
23aec1b4 MW	92	dp->q = pgen("p", MP_NEW, x, ev, ec,
	93	steps, pgen_simulstep, &ss,
	94	rabin_iters(ql), pgen_simultest, &ss);
2c70dfbf	95	mp_drop(sp[1].mul);
9cbd8bb7	96	dp->p = sp[1].u.x;
23aec1b4	97	if (!dp->q)
4e67e30b	98	goto fail_1;
591d081b MW	99	if (mp_bits(dp->q) != ql \|\| mp_bits(dp->p) != pl) {
	100	if (steps) goto fail_1;
	101	MP_DROP(dp->p);
	102	MP_DROP(dp->q);
	103	goto retry;
	104	}
4e67e30b MW	105
	106	/* --- Third trick: find a generator --- */
	107
	108	mpmont_create(&pc.mm, dp->p);
	109	mp_div(&x, 0, dp->p, dp->q);
	110	i = 0;
	111	pc.exp = x;
	112	pc.n = 0;
	113	dp->g = pgen("g", MP_NEW, MP_NEW, ev, ec,
	114	0, prim_step, &i, 1, prim_test, &pc);
	115	mpmont_destroy(&pc.mm);
	116	if (!dp->g)
9cbd8bb7	117	goto fail_1;
4e67e30b MW	118
	119	rc = PGEN_DONE;
	120	goto done;
	121
	122	/* --- Tidying up and going home --- */
	123
4e67e30b	124	fail_1:
9cbd8bb7 MW	125	mp_drop(dp->p);
9cbd8bb7 MW	126	mp_drop(dp->q);
4e67e30b MW	127	fail_0:
	128	done:
	129	mp_drop(x);
a901fe7a	130	mp_drop(t);
4e67e30b MW	131	return (rc);
	132	}
	133
	134	/----- That's all, folks -------------------------------------------------/