// nbtheory.cpp - written and placed in the public domain by Wei Dai
#include "pch.h"
#ifndef CRYPTOPP_IMPORTS
#include "nbtheory.h"
#include "modarith.h"
#include "algparam.h"
#include <math.h>
#include <vector>
#ifdef _OPENMP
// needed in MSVC 2005 to generate correct manifest
#include <omp.h>
#endif
NAMESPACE_BEGIN(CryptoPP)
const word s_lastSmallPrime = 32719;
struct NewPrimeTable
{
std::vector<word16> * operator()() const
{
const unsigned int maxPrimeTableSize = 3511;
std::auto_ptr<std::vector<word16> > pPrimeTable(new std::vector<word16>);
std::vector<word16> &primeTable = *pPrimeTable;
primeTable.reserve(maxPrimeTableSize);
primeTable.push_back(2);
unsigned int testEntriesEnd = 1;
for (unsigned int p=3; p<=s_lastSmallPrime; p+=2)
{
unsigned int j;
for (j=1; j<testEntriesEnd; j++)
if (p%primeTable[j] == 0)
break;
if (j == testEntriesEnd)
{
primeTable.push_back(p);
testEntriesEnd = UnsignedMin(54U, primeTable.size());
}
}
return pPrimeTable.release();
}
};
const word16 * GetPrimeTable(unsigned int &size)
{
const std::vector<word16> &primeTable = Singleton<std::vector<word16>, NewPrimeTable>().Ref();
size = (unsigned int)primeTable.size();
return &primeTable[0];
}
bool IsSmallPrime(const Integer &p)
{
unsigned int primeTableSize;
const word16 * primeTable = GetPrimeTable(primeTableSize);
if (p.IsPositive() && p <= primeTable[primeTableSize-1])
return std::binary_search(primeTable, primeTable+primeTableSize, (word16)p.ConvertToLong());
else
return false;
}
bool TrialDivision(const Integer &p, unsigned bound)
{
unsigned int primeTableSize;
const word16 * primeTable = GetPrimeTable(primeTableSize);
assert(primeTable[primeTableSize-1] >= bound);
unsigned int i;
for (i = 0; primeTable[i]<bound; i++)
if ((p % primeTable[i]) == 0)
return true;
if (bound == primeTable[i])
return (p % bound == 0);
else
return false;
}
bool SmallDivisorsTest(const Integer &p)
{
unsigned int primeTableSize;
const word16 * primeTable = GetPrimeTable(primeTableSize);
return !TrialDivision(p, primeTable[primeTableSize-1]);
}
bool IsFermatProbablePrime(const Integer &n, const Integer &b)
{
if (n <= 3)
return n==2 || n==3;
assert(n>3 && b>1 && b<n-1);
return a_exp_b_mod_c(b, n-1, n)==1;
}
bool IsStrongProbablePrime(const Integer &n, const Integer &b)
{
if (n <= 3)
return n==2 || n==3;
assert(n>3 && b>1 && b<n-1);
if ((n.IsEven() && n!=2) || GCD(b, n) != 1)
return false;
Integer nminus1 = (n-1);
unsigned int a;
// calculate a = largest power of 2 that divides (n-1)
for (a=0; ; a++)
if (nminus1.GetBit(a))
break;
Integer m = nminus1>>a;
Integer z = a_exp_b_mod_c(b, m, n);
if (z==1 || z==nminus1)
return true;
for (unsigned j=1; j<a; j++)
{
z = z.Squared()%n;
if (z==nminus1)
return true;
if (z==1)
return false;
}
return false;
}
bool RabinMillerTest(RandomNumberGenerator &rng, const Integer &n, unsigned int rounds)
{
if (n <= 3)
return n==2 || n==3;
assert(n>3);
Integer b;
for (unsigned int i=0; i<rounds; i++)
{
b.Randomize(rng, 2, n-2);
if (!IsStrongProbablePrime(n, b))
return false;
}
return true;
}
bool IsLucasProbablePrime(const Integer &n)
{
if (n <= 1)
return false;
if (n.IsEven())
return n==2;
assert(n>2);
Integer b=3;
unsigned int i=0;
int j;
while ((j=Jacobi(b.Squared()-4, n)) == 1)
{
if (++i==64 && n.IsSquare()) // avoid infinite loop if n is a square
return false;
++b; ++b;
}
if (j==0)
return false;
else
return Lucas(n+1, b, n)==2;
}
bool IsStrongLucasProbablePrime(const Integer &n)
{
if (n <= 1)
return false;
if (n.IsEven())
return n==2;
assert(n>2);
Integer b=3;
unsigned int i=0;
int j;
while ((j=Jacobi(b.Squared()-4, n)) == 1)
{
if (++i==64 && n.IsSquare()) // avoid infinite loop if n is a square
return false;
++b; ++b;
}
if (j==0)
return false;
Integer n1 = n+1;
unsigned int a;
// calculate a = largest power of 2 that divides n1
for (a=0; ; a++)
if (n1.GetBit(a))
break;
Integer m = n1>>a;
Integer z = Lucas(m, b, n);
if (z==2 || z==n-2)
return true;
for (i=1; i<a; i++)
{
z = (z.Squared()-2)%n;
if (z==n-2)
return true;
if (z==2)
return false;
}
return false;
}
struct NewLastSmallPrimeSquared
{
Integer * operator()() const
{
return new Integer(Integer(s_lastSmallPrime).Squared());
}
};
bool IsPrime(const Integer &p)
{
if (p <= s_lastSmallPrime)
return IsSmallPrime(p);
else if (p <= Singleton<Integer, NewLastSmallPrimeSquared>().Ref())
return SmallDivisorsTest(p);
else
return SmallDivisorsTest(p) && IsStrongProbablePrime(p, 3) && IsStrongLucasProbablePrime(p);
}
bool VerifyPrime(RandomNumberGenerator &rng, const Integer &p, unsigned int level)
{
bool pass = IsPrime(p) && RabinMillerTest(rng, p, 1);
if (level >= 1)
pass = pass && RabinMillerTest(rng, p, 10);
return pass;
}
unsigned int PrimeSearchInterval(const Integer &max)
{
return max.BitCount();
}
static inline bool FastProbablePrimeTest(const Integer &n)
{
return IsStrongProbablePrime(n,2);
}
AlgorithmParameters<AlgorithmParameters<AlgorithmParameters<NullNameValuePairs, Integer::RandomNumberType>, Integer>, Integer>
MakeParametersForTwoPrimesOfEqualSize(unsigned int productBitLength)
{
if (productBitLength < 16)
throw InvalidArgument("invalid bit length");
Integer minP, maxP;
if (productBitLength%2==0)
{
minP = Integer(182) << (productBitLength/2-8);
maxP = Integer::Power2(productBitLength/2)-1;
}
else
{
minP = Integer::Power2((productBitLength-1)/2);
maxP = Integer(181) << ((productBitLength+1)/2-8);
}
return MakeParameters("RandomNumberType", Integer::PRIME)("Min", minP)("Max", maxP);
}
class PrimeSieve
{
public:
// delta == 1 or -1 means double sieve with p = 2*q + delta
PrimeSieve(const Integer &first, const Integer &last, const Integer &step, signed int delta=0);
bool NextCandidate(Integer &c);
void DoSieve();
static void SieveSingle(std::vector<bool> &sieve, word16 p, const Integer &first, const Integer &step, word16 stepInv);
Integer m_first, m_last, m_step;
signed int m_delta;
word m_next;
std::vector<bool> m_sieve;
};
PrimeSieve::PrimeSieve(const Integer &first, const Integer &last, const Integer &step, signed int delta)
: m_first(first), m_last(last), m_step(step), m_delta(delta), m_next(0)
{
DoSieve();
}
bool PrimeSieve::NextCandidate(Integer &c)
{
bool safe = SafeConvert(std::find(m_sieve.begin()+m_next, m_sieve.end(), false) - m_sieve.begin(), m_next);
assert(safe);
if (m_next == m_sieve.size())
{
m_first += long(m_sieve.size())*m_step;
if (m_first > m_last)
return false;
else
{
m_next = 0;
DoSieve();
return NextCandidate(c);
}
}
else
{
c = m_first + long(m_next)*m_step;
++m_next;
return true;
}
}
void PrimeSieve::SieveSingle(std::vector<bool> &sieve, word16 p, const Integer &first, const Integer &step, word16 stepInv)
{
if (stepInv)
{
size_t sieveSize = sieve.size();
size_t j = (word32(p-(first%p))*stepInv) % p;
// if the first multiple of p is p, skip it
if (first.WordCount() <= 1 && first + step*long(j) == p)
j += p;
for (; j < sieveSize; j += p)
sieve[j] = true;
}
}
void PrimeSieve::DoSieve()
{
unsigned int primeTableSize;
const word16 * primeTable = GetPrimeTable(primeTableSize);
const unsigned int maxSieveSize = 32768;
unsigned int sieveSize = STDMIN(Integer(maxSieveSize), (m_last-m_first)/m_step+1).ConvertToLong();
m_sieve.clear();
m_sieve.resize(sieveSize, false);
if (m_delta == 0)
{
for (unsigned int i = 0; i < primeTableSize; ++i)
SieveSingle(m_sieve, primeTable[i], m_first, m_step, (word16)m_step.InverseMod(primeTable[i]));
}
else
{
assert(m_step%2==0);
Integer qFirst = (m_first-m_delta) >> 1;
Integer halfStep = m_step >> 1;
for (unsigned int i = 0; i < primeTableSize; ++i)
{
word16 p = primeTable[i];
word16 stepInv = (word16)m_step.InverseMod(p);
SieveSingle(m_sieve, p, m_first, m_step, stepInv);
word16 halfStepInv = 2*stepInv < p ? 2*stepInv : 2*stepInv-p;
SieveSingle(m_sieve, p, qFirst, halfStep, halfStepInv);
}
}
}
bool FirstPrime(Integer &p, const Integer &max, const Integer &equiv, const Integer &mod, const PrimeSelector *pSelector)
{
assert(!equiv.IsNegative() && equiv < mod);
Integer gcd = GCD(equiv, mod);
if (gcd != Integer::One())
{
// the only possible prime p such that p%mod==equiv where GCD(mod,equiv)!=1 is GCD(mod,equiv)
if (p <= gcd && gcd <= max && IsPrime(gcd) && (!pSelector || pSelector->IsAcceptable(gcd)))
{
p = gcd;
return true;
}
else
return false;
}
unsigned int primeTableSize;
const word16 * primeTable = GetPrimeTable(primeTableSize);
if (p <= primeTable[primeTableSize-1])
{
const word16 *pItr;
--p;
if (p.IsPositive())
pItr = std::upper_bound(primeTable, primeTable+primeTableSize, (word)p.ConvertToLong());
else
pItr = primeTable;
while (pItr < primeTable+primeTableSize && !(*pItr%mod == equiv && (!pSelector || pSelector->IsAcceptable(*pItr))))
++pItr;
if (pItr < primeTable+primeTableSize)
{
p = *pItr;
return p <= max;
}
p = primeTable[primeTableSize-1]+1;
}
assert(p > primeTable[primeTableSize-1]);
if (mod.IsOdd())
return FirstPrime(p, max, CRT(equiv, mod, 1, 2, 1), mod<<1, pSelector);
p += (equiv-p)%mod;
if (p>max)
return false;
PrimeSieve sieve(p, max, mod);
while (sieve.NextCandidate(p))
{
if ((!pSelector || pSelector->IsAcceptable(p)) && FastProbablePrimeTest(p) && IsPrime(p))
return true;
}
return false;
}
// the following two functions are based on code and comments provided by Preda Mihailescu
static bool ProvePrime(const Integer &p, const Integer &q)
{
assert(p < q*q*q);
assert(p % q == 1);
// this is the Quisquater test. Numbers p having passed the Lucas - Lehmer test
// for q and verifying p < q^3 can only be built up of two factors, both = 1 mod q,
// or be prime. The next two lines build the discriminant of a quadratic equation
// which holds iff p is built up of two factors (excercise ... )
Integer r = (p-1)/q;
if (((r%q).Squared()-4*(r/q)).IsSquare())
return false;
unsigned int primeTableSize;
const word16 * primeTable = GetPrimeTable(primeTableSize);
assert(primeTableSize >= 50);
for (int i=0; i<50; i++)
{
Integer b = a_exp_b_mod_c(primeTable[i], r, p);
if (b != 1)
return a_exp_b_mod_c(b, q, p) == 1;
}
return false;
}
Integer MihailescuProvablePrime(RandomNumberGenerator &rng, unsigned int pbits)
{
Integer p;
Integer minP = Integer::Power2(pbits-1);
Integer maxP = Integer::Power2(pbits) - 1;
if (maxP <= Integer(s_lastSmallPrime).Squared())
{
// Randomize() will generate a prime provable by trial division
p.Randomize(rng, minP, maxP, Integer::PRIME);
return p;
}
unsigned int qbits = (pbits+2)/3 + 1 + rng.GenerateWord32(0, pbits/36);
Integer q = MihailescuProvablePrime(rng, qbits);
Integer q2 = q<<1;
while (true)
{
// this initializes the sieve to search in the arithmetic
// progression p = p_0 + \lambda * q2 = p_0 + 2 * \lambda * q,
// with q the recursively generated prime above. We will be able
// to use Lucas tets for proving primality. A trick of Quisquater
// allows taking q > cubic_root(p) rather then square_root: this
// decreases the recursion.
p.Randomize(rng, minP, maxP, Integer::ANY, 1, q2);
PrimeSieve sieve(p, STDMIN(p+PrimeSearchInterval(maxP)*q2, maxP), q2);
while (sieve.NextCandidate(p))
{
if (FastProbablePrimeTest(p) && ProvePrime(p, q))
return p;
}
}
// not reached
return p;
}
Integer MaurerProvablePrime(RandomNumberGenerator &rng, unsigned int bits)
{
const unsigned smallPrimeBound = 29, c_opt=10;
Integer p;
unsigned int primeTableSize;
const word16 * primeTable = GetPrimeTable(primeTableSize);
if (bits < smallPrimeBound)
{
do
p.Randomize(rng, Integer::Power2(bits-1), Integer::Power2(bits)-1, Integer::ANY, 1, 2);
while (TrialDivision(p, 1 << ((bits+1)/2)));
}
else
{
const unsigned margin = bits > 50 ? 20 : (bits-10)/2;
double relativeSize;
do
relativeSize = pow(2.0, double(rng.GenerateWord32())/0xffffffff - 1);
while (bits * relativeSize >= bits - margin);
Integer a,b;
Integer q = MaurerProvablePrime(rng, unsigned(bits*relativeSize));
Integer I = Integer::Power2(bits-2)/q;
Integer I2 = I << 1;
unsigned int trialDivisorBound = (unsigned int)STDMIN((unsigned long)primeTable[primeTableSize-1], (unsigned long)bits*bits/c_opt);
bool success = false;
while (!success)
{
p.Randomize(rng, I, I2, Integer::ANY);
p *= q; p <<= 1; ++p;
if (!TrialDivision(p, trialDivisorBound))
{
a.Randomize(rng, 2, p-1, Integer::ANY);
b = a_exp_b_mod_c(a, (p-1)/q, p);
success = (GCD(b-1, p) == 1) && (a_exp_b_mod_c(b, q, p) == 1);
}
}
}
return p;
}
Integer CRT(const Integer &xp, const Integer &p, const Integer &xq, const Integer &q, const Integer &u)
{
// isn't operator overloading great?
return p * (u * (xq-xp) % q) + xp;
/*
Integer t1 = xq-xp;
cout << hex << t1 << endl;
Integer t2 = u * t1;
cout << hex << t2 << endl;
Integer t3 = t2 % q;
cout << hex << t3 << endl;
Integer t4 = p * t3;
cout << hex << t4 << endl;
Integer t5 = t4 + xp;
cout << hex << t5 << endl;
return t5;
*/
}
Integer CRT(const Integer &xp, const Integer &p, const Integer &xq, const Integer &q)
{
return CRT(xp, p, xq, q, EuclideanMultiplicativeInverse(p, q));
}
Integer ModularSquareRoot(const Integer &a, const Integer &p)
{
if (p%4 == 3)
return a_exp_b_mod_c(a, (p+1)/4, p);
Integer q=p-1;
unsigned int r=0;
while (q.IsEven())
{
r++;
q >>= 1;
}
Integer n=2;
while (Jacobi(n, p) != -1)
++n;
Integer y = a_exp_b_mod_c(n, q, p);
Integer x = a_exp_b_mod_c(a, (q-1)/2, p);
Integer b = (x.Squared()%p)*a%p;
x = a*x%p;
Integer tempb, t;
while (b != 1)
{
unsigned m=0;
tempb = b;
do
{
m++;
b = b.Squared()%p;
if (m==r)
return Integer::Zero();
}
while (b != 1);
t = y;
for (unsigned i=0; i<r-m-1; i++)
t = t.Squared()%p;
y = t.Squared()%p;
r = m;
x = x*t%p;
b = tempb*y%p;
}
assert(x.Squared()%p == a);
return x;
}
bool SolveModularQuadraticEquation(Integer &r1, Integer &r2, const Integer &a, const Integer &b, const Integer &c, const Integer &p)
{
Integer D = (b.Squared() - 4*a*c) % p;
switch (Jacobi(D, p))
{
default:
assert(false); // not reached
return false;
case -1:
return false;
case 0:
r1 = r2 = (-b*(a+a).InverseMod(p)) % p;
assert(((r1.Squared()*a + r1*b + c) % p).IsZero());
return true;
case 1:
Integer s = ModularSquareRoot(D, p);
Integer t = (a+a).InverseMod(p);
r1 = (s-b)*t % p;
r2 = (-s-b)*t % p;
assert(((r1.Squared()*a + r1*b + c) % p).IsZero());
assert(((r2.Squared()*a + r2*b + c) % p).IsZero());
return true;
}
}
Integer ModularRoot(const Integer &a, const Integer &dp, const Integer &dq,
const Integer &p, const Integer &q, const Integer &u)
{
Integer p2, q2;
#pragma omp parallel
#pragma omp sections
{
#pragma omp section
p2 = ModularExponentiation((a % p), dp, p);
#pragma omp section
q2 = ModularExponentiation((a % q), dq, q);
}
return CRT(p2, p, q2, q, u);
}
Integer ModularRoot(const Integer &a, const Integer &e,
const Integer &p, const Integer &q)
{
Integer dp = EuclideanMultiplicativeInverse(e, p-1);
Integer dq = EuclideanMultiplicativeInverse(e, q-1);
Integer u = EuclideanMultiplicativeInverse(p, q);
assert(!!dp && !!dq && !!u);
return ModularRoot(a, dp, dq, p, q, u);
}
/*
Integer GCDI(const Integer &x, const Integer &y)
{
Integer a=x, b=y;
unsigned k=0;
assert(!!a && !!b);
while (a[0]==0 && b[0]==0)
{
a >>= 1;
b >>= 1;
k++;
}
while (a[0]==0)
a >>= 1;
while (b[0]==0)
b >>= 1;
while (1)
{
switch (a.Compare(b))
{
case -1:
b -= a;
while (b[0]==0)
b >>= 1;
break;
case 0:
return (a <<= k);
case 1:
a -= b;
while (a[0]==0)
a >>= 1;
break;
default:
assert(false);
}
}
}
Integer EuclideanMultiplicativeInverse(const Integer &a, const Integer &b)
{
assert(b.Positive());
if (a.Negative())
return EuclideanMultiplicativeInverse(a%b, b);
if (b[0]==0)
{
if (!b || a[0]==0)
return Integer::Zero(); // no inverse
if (a==1)
return 1;
Integer u = EuclideanMultiplicativeInverse(b, a);
if (!u)
return Integer::Zero(); // no inverse
else
return (b*(a-u)+1)/a;
}
Integer u=1, d=a, v1=b, v3=b, t1, t3, b2=(b+1)>>1;
if (a[0])
{
t1 = Integer::Zero();
t3 = -b;
}
else
{
t1 = b2;
t3 = a>>1;
}
while (!!t3)
{
while (t3[0]==0)
{
t3 >>= 1;
if (t1[0]==0)
t1 >>= 1;
else
{
t1 >>= 1;
t1 += b2;
}
}
if (t3.Positive())
{
u = t1;
d = t3;
}
else
{
v1 = b-t1;
v3 = -t3;
}
t1 = u-v1;
t3 = d-v3;
if (t1.Negative())
t1 += b;
}
if (d==1)
return u;
else
return Integer::Zero(); // no inverse
}
*/
int Jacobi(const Integer &aIn, const Integer &bIn)
{
assert(bIn.IsOdd());
Integer b = bIn, a = aIn%bIn;
int result = 1;
while (!!a)
{
unsigned i=0;
while (a.GetBit(i)==0)
i++;
a>>=i;
if (i%2==1 && (b%8==3 || b%8==5))
result = -result;
if (a%4==3 && b%4==3)
result = -result;
std::swap(a, b);
a %= b;
}
return (b==1) ? result : 0;
}
Integer Lucas(const Integer &e, const Integer &pIn, const Integer &n)
{
unsigned i = e.BitCount();
if (i==0)
return Integer::Two();
MontgomeryRepresentation m(n);
Integer p=m.ConvertIn(pIn%n), two=m.ConvertIn(Integer::Two());
Integer v=p, v1=m.Subtract(m.Square(p), two);
i--;
while (i--)
{
if (e.GetBit(i))
{
// v = (v*v1 - p) % m;
v = m.Subtract(m.Multiply(v,v1), p);
// v1 = (v1*v1 - 2) % m;
v1 = m.Subtract(m.Square(v1), two);
}
else
{
// v1 = (v*v1 - p) % m;
v1 = m.Subtract(m.Multiply(v,v1), p);
// v = (v*v - 2) % m;
v = m.Subtract(m.Square(v), two);
}
}
return m.ConvertOut(v);
}
// This is Peter Montgomery's unpublished Lucas sequence evalutation algorithm.
// The total number of multiplies and squares used is less than the binary
// algorithm (see above). Unfortunately I can't get it to run as fast as
// the binary algorithm because of the extra overhead.
/*
Integer Lucas(const Integer &n, const Integer &P, const Integer &modulus)
{
if (!n)
return 2;
#define f(A, B, C) m.Subtract(m.Multiply(A, B), C)
#define X2(A) m.Subtract(m.Square(A), two)
#define X3(A) m.Multiply(A, m.Subtract(m.Square(A), three))
MontgomeryRepresentation m(modulus);
Integer two=m.ConvertIn(2), three=m.ConvertIn(3);
Integer A=m.ConvertIn(P), B, C, p, d=n, e, r, t, T, U;
while (d!=1)
{
p = d;
unsigned int b = WORD_BITS * p.WordCount();
Integer alpha = (Integer(5)<<(2*b-2)).SquareRoot() - Integer::Power2(b-1);
r = (p*alpha)>>b;
e = d-r;
B = A;
C = two;
d = r;
while (d!=e)
{
if (d<e)
{
swap(d, e);
swap(A, B);
}
unsigned int dm2 = d[0], em2 = e[0];
unsigned int dm3 = d%3, em3 = e%3;
// if ((dm6+em6)%3 == 0 && d <= e + (e>>2))
if ((dm3+em3==0 || dm3+em3==3) && (t = e, t >>= 2, t += e, d <= t))
{
// #1
// t = (d+d-e)/3;
// t = d; t += d; t -= e; t /= 3;
// e = (e+e-d)/3;
// e += e; e -= d; e /= 3;
// d = t;
// t = (d+e)/3
t = d; t += e; t /= 3;
e -= t;
d -= t;
T = f(A, B, C);
U = f(T, A, B);
B = f(T, B, A);
A = U;
continue;
}
// if (dm6 == em6 && d <= e + (e>>2))
if (dm3 == em3 && dm2 == em2 && (t = e, t >>= 2, t += e, d <= t))
{
// #2
// d = (d-e)>>1;
d -= e; d >>= 1;
B = f(A, B, C);
A = X2(A);
continue;
}
// if (d <= (e<<2))
if (d <= (t = e, t <<= 2))
{
// #3
d -= e;
C = f(A, B, C);
swap(B, C);
continue;
}
if (dm2 == em2)
{
// #4
// d = (d-e)>>1;
d -= e; d >>= 1;
B = f(A, B, C);
A = X2(A);
continue;
}
if (dm2 == 0)
{
// #5
d >>= 1;
C = f(A, C, B);
A = X2(A);
continue;
}
if (dm3 == 0)
{
// #6
// d = d/3 - e;
d /= 3; d -= e;
T = X2(A);
C = f(T, f(A, B, C), C);
swap(B, C);
A = f(T, A, A);
continue;
}
if (dm3+em3==0 || dm3+em3==3)
{
// #7
// d = (d-e-e)/3;
d -= e; d -= e; d /= 3;
T = f(A, B, C);
B = f(T, A, B);
A = X3(A);
continue;
}
if (dm3 == em3)
{
// #8
// d = (d-e)/3;
d -= e; d /= 3;
T = f(A, B, C);
C = f(A, C, B);
B = T;
A = X3(A);
continue;
}
assert(em2 == 0);
// #9
e >>= 1;
C = f(C, B, A);
B = X2(B);
}
A = f(A, B, C);
}
#undef f
#undef X2
#undef X3
return m.ConvertOut(A);
}
*/
Integer InverseLucas(const Integer &e, const Integer &m, const Integer &p, const Integer &q, const Integer &u)
{
Integer d = (m*m-4);
Integer p2, q2;
#pragma omp parallel
#pragma omp sections
{
#pragma omp section
{
p2 = p-Jacobi(d,p);
p2 = Lucas(EuclideanMultiplicativeInverse(e,p2), m, p);
}
#pragma omp section
{
q2 = q-Jacobi(d,q);
q2 = Lucas(EuclideanMultiplicativeInverse(e,q2), m, q);
}
}
return CRT(p2, p, q2, q, u);
}
Integer InverseLucas(const Integer &e, const Integer &m, const Integer &p, const Integer &q)
{
return InverseLucas(e, m, p, q, EuclideanMultiplicativeInverse(p, q));
}
unsigned int FactoringWorkFactor(unsigned int n)
{
// extrapolated from the table in Odlyzko's "The Future of Integer Factorization"
// updated to reflect the factoring of RSA-130
if (n<5) return 0;
else return (unsigned int)(2.4 * pow((double)n, 1.0/3.0) * pow(log(double(n)), 2.0/3.0) - 5);
}
unsigned int DiscreteLogWorkFactor(unsigned int n)
{
// assuming discrete log takes about the same time as factoring
if (n<5) return 0;
else return (unsigned int)(2.4 * pow((double)n, 1.0/3.0) * pow(log(double(n)), 2.0/3.0) - 5);
}
// ********************************************************
void PrimeAndGenerator::Generate(signed int delta, RandomNumberGenerator &rng, unsigned int pbits, unsigned int qbits)
{
// no prime exists for delta = -1, qbits = 4, and pbits = 5
assert(qbits > 4);
assert(pbits > qbits);
if (qbits+1 == pbits)
{
Integer minP = Integer::Power2(pbits-1);
Integer maxP = Integer::Power2(pbits) - 1;
bool success = false;
while (!success)
{
p.Randomize(rng, minP, maxP, Integer::ANY, 6+5*delta, 12);
PrimeSieve sieve(p, STDMIN(p+PrimeSearchInterval(maxP)*12, maxP), 12, delta);
while (sieve.NextCandidate(p))
{
assert(IsSmallPrime(p) || SmallDivisorsTest(p));
q = (p-delta) >> 1;
assert(IsSmallPrime(q) || SmallDivisorsTest(q));
if (FastProbablePrimeTest(q) && FastProbablePrimeTest(p) && IsPrime(q) && IsPrime(p))
{
success = true;
break;
}
}
}
if (delta == 1)
{
// find g such that g is a quadratic residue mod p, then g has order q
// g=4 always works, but this way we get the smallest quadratic residue (other than 1)
for (g=2; Jacobi(g, p) != 1; ++g) {}
// contributed by Walt Tuvell: g should be the following according to the Law of Quadratic Reciprocity
assert((p%8==1 || p%8==7) ? g==2 : (p%12==1 || p%12==11) ? g==3 : g==4);
}
else
{
assert(delta == -1);
// find g such that g*g-4 is a quadratic non-residue,
// and such that g has order q
for (g=3; ; ++g)
if (Jacobi(g*g-4, p)==-1 && Lucas(q, g, p)==2)
break;
}
}
else
{
Integer minQ = Integer::Power2(qbits-1);
Integer maxQ = Integer::Power2(qbits) - 1;
Integer minP = Integer::Power2(pbits-1);
Integer maxP = Integer::Power2(pbits) - 1;
do
{
q.Randomize(rng, minQ, maxQ, Integer::PRIME);
} while (!p.Randomize(rng, minP, maxP, Integer::PRIME, delta%q, q));
// find a random g of order q
if (delta==1)
{
do
{
Integer h(rng, 2, p-2, Integer::ANY);
g = a_exp_b_mod_c(h, (p-1)/q, p);
} while (g <= 1);
assert(a_exp_b_mod_c(g, q, p)==1);
}
else
{
assert(delta==-1);
do
{
Integer h(rng, 3, p-1, Integer::ANY);
if (Jacobi(h*h-4, p)==1)
continue;
g = Lucas((p+1)/q, h, p);
} while (g <= 2);
assert(Lucas(q, g, p) == 2);
}
}
}
NAMESPACE_END
#endif
Submit an article or tip