cherry-picked mozilla NSS upstream changes (to rev 82de44ead36f, which is on par with 3.18):
bug1095307, bug1073330(backout), bug1084986, bug1050069, bug942172, bug1054547, bug532081, bug1096348, bug1058870, bug1093940, bug1102985, bug1112461, bug1094492, bug112029, bug1119983, bug1120685, bug1120691, bug1113632, bug863076, bug1082973, bug1124539, bug1117617, bug1117621, bug1121273, bug753136, bug921684, bug1132818, bug1125375, bug647690, bug1055441, bug1134455, bug975010, bug950369, bug1128367, bug1129573, bug1136095, bug1117897, bug1113453, bug1061725, bug1073330, bug1111901, bug1083900, bug1136095, bug1138820, bug1096741, bug1134548, bug345725, bug950348, bug950344, bug1151037, bug991783, bug1153994
2018-07-11 16:42:30 +02:00
|
|
|
This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
|
License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
|
file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
2015-10-21 05:03:22 +02:00
|
|
|
|
|
|
|
|
Additional MPI utilities
|
|
|
|
|
------------------------
|
|
|
|
|
|
|
|
|
|
The files 'mpprime.h' and 'mpprime.c' define some useful extensions to
|
|
|
|
|
the MPI library for dealing with prime numbers (in particular, testing
|
|
|
|
|
for divisbility, and the Rabin-Miller probabilistic primality test).
|
|
|
|
|
|
|
|
|
|
The files 'mplogic.h' and 'mplogic.c' define extensions to the MPI
|
|
|
|
|
library for doing bitwise logical operations and shifting.
|
|
|
|
|
|
|
|
|
|
This document assumes you have read the help file for the MPI library
|
|
|
|
|
and understand its conventions.
|
|
|
|
|
|
|
|
|
|
Divisibility (mpprime.h)
|
|
|
|
|
------------
|
|
|
|
|
|
|
|
|
|
To test a number for divisibility by another number:
|
|
|
|
|
|
|
|
|
|
mpp_divis(a, b) - test if b|a
|
|
|
|
|
mpp_divis_d(a, d) - test if d|a
|
|
|
|
|
|
|
|
|
|
Each of these functions returns MP_YES if its initial argument is
|
|
|
|
|
divisible by its second, or MP_NO if it is not. Other errors may be
|
|
|
|
|
returned as appropriate (such as MP_RANGE if you try to test for
|
|
|
|
|
divisibility by zero).
|
|
|
|
|
|
|
|
|
|
Randomness (mpprime.h)
|
|
|
|
|
----------
|
|
|
|
|
|
|
|
|
|
To generate random data:
|
|
|
|
|
|
|
|
|
|
mpp_random(a) - fill a with random data
|
|
|
|
|
mpp_random_size(a, p) - fill a with p digits of random data
|
|
|
|
|
|
|
|
|
|
The mpp_random_size() function increases the precision of a to at
|
|
|
|
|
least p, then fills all those digits randomly. The mp_random()
|
|
|
|
|
function fills a to its current precision (as determined by the number
|
|
|
|
|
of significant digits, USED(a))
|
|
|
|
|
|
|
|
|
|
Note that these functions simply use the C library's rand() function
|
|
|
|
|
to fill a with random digits up to its precision. This should be
|
|
|
|
|
adequate for primality testing, but should not be used for
|
|
|
|
|
cryptographic applications where truly random values are required for
|
|
|
|
|
security.
|
|
|
|
|
|
|
|
|
|
You should call srand() in your driver program in order to seed the
|
|
|
|
|
random generator; this function doesn't call it.
|
|
|
|
|
|
|
|
|
|
Primality Testing (mpprime.h)
|
|
|
|
|
-----------------
|
|
|
|
|
|
|
|
|
|
mpp_divis_vector(a, v, s, w) - is a divisible by any of the s values
|
|
|
|
|
in v, and if so, w = which.
|
|
|
|
|
mpp_divis_primes(a, np) - is a divisible by any of the first np primes?
|
|
|
|
|
mpp_fermat(a, w) - is a pseudoprime with respect to witness w?
|
|
|
|
|
mpp_pprime(a, nt) - run nt iterations of Rabin-Miller on a.
|
|
|
|
|
|
|
|
|
|
The mpp_divis_vector() function tests a for divisibility by each
|
|
|
|
|
member of an array of digits. The array is v, the size of that array
|
|
|
|
|
is s. Returns MP_YES if a is divisible, and stores the index of the
|
|
|
|
|
offending digit in w. Returns MP_NO if a is not divisible by any of
|
|
|
|
|
the digits in the array.
|
|
|
|
|
|
|
|
|
|
A small table of primes is compiled into the library (typically the
|
|
|
|
|
first 128 primes, although you can change this by editing the file
|
|
|
|
|
'primes.c' before you build). The global variable prime_tab_size
|
|
|
|
|
contains the number of primes in the table, and the values themselves
|
|
|
|
|
are in the array prime_tab[], which is an array of mp_digit.
|
|
|
|
|
|
|
|
|
|
The mpp_divis_primes() function is basically just a wrapper around
|
|
|
|
|
mpp_divis_vector() that uses prime_tab[] as the test vector. The np
|
|
|
|
|
parameter is a pointer to an mp_digit -- on input, it should specify
|
|
|
|
|
the number of primes to be tested against. If a is divisible by any
|
|
|
|
|
of the primes, MP_YES is returned and np is given the prime value that
|
|
|
|
|
divided a (you can use this if you're factoring, for example).
|
|
|
|
|
Otherwise, MP_NO is returned and np is untouched.
|
|
|
|
|
|
|
|
|
|
The function mpp_fermat() performs Fermat's test, using w as a
|
|
|
|
|
witness. This test basically relies on the fact that if a is prime,
|
|
|
|
|
and w is relatively prime to a, then:
|
|
|
|
|
|
|
|
|
|
w^a = w (mod a)
|
|
|
|
|
|
|
|
|
|
That is,
|
|
|
|
|
|
|
|
|
|
w^(a - 1) = 1 (mod a)
|
|
|
|
|
|
|
|
|
|
The function returns MP_YES if the test passes, MP_NO if it fails. If
|
|
|
|
|
w is relatively prime to a, and the test fails, a is definitely
|
|
|
|
|
composite. If w is relatively prime to a and the test passes, then a
|
|
|
|
|
is either prime, or w is a false witness (the probability of this
|
|
|
|
|
happening depends on the choice of w and of a ... consult a number
|
|
|
|
|
theory textbook for more information about this).
|
|
|
|
|
|
|
|
|
|
Note: If (w, a) != 1, the output of this test is meaningless.
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
The function mpp_pprime() performs the Rabin-Miller probabilistic
|
|
|
|
|
primality test for nt rounds. If all the tests pass, MP_YES is
|
|
|
|
|
returned, and a is probably prime. The probability that an answer of
|
|
|
|
|
MP_YES is incorrect is no greater than 1 in 4^nt, and in fact is
|
|
|
|
|
usually much less than that (this is a pessimistic estimate). If any
|
|
|
|
|
test fails, MP_NO is returned, and a is definitely composite.
|
|
|
|
|
|
|
|
|
|
Bruce Schneier recommends at least 5 iterations of this test for most
|
|
|
|
|
cryptographic applications; Knuth suggests that 25 are reasonable.
|
|
|
|
|
Run it as many times as you feel are necessary.
|
|
|
|
|
|
|
|
|
|
See the programs 'makeprime.c' and 'isprime.c' for reasonable examples
|
|
|
|
|
of how to use these functions for primality testing.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Bitwise Logic (mplogic.c)
|
|
|
|
|
-------------
|
|
|
|
|
|
|
|
|
|
The four commonest logical operations are implemented as:
|
|
|
|
|
|
|
|
|
|
mpl_not(a, b) - Compute bitwise (one's) complement, b = ~a
|
|
|
|
|
|
|
|
|
|
mpl_and(a, b, c) - Compute bitwise AND, c = a & b
|
|
|
|
|
|
|
|
|
|
mpl_or(a, b, c) - Compute bitwise OR, c = a | b
|
|
|
|
|
|
|
|
|
|
mpl_xor(a, b, c) - Compute bitwise XOR, c = a ^ b
|
|
|
|
|
|
|
|
|
|
Left and right shifts are available as well. These take a number to
|
|
|
|
|
shift, a destination, and a shift amount. The shift amount must be a
|
|
|
|
|
digit value between 0 and DIGIT_BIT inclusive; if it is not, MP_RANGE
|
|
|
|
|
will be returned and the shift will not happen.
|
|
|
|
|
|
|
|
|
|
mpl_rsh(a, b, d) - Compute logical right shift, b = a >> d
|
|
|
|
|
|
|
|
|
|
mpl_lsh(a, b, d) - Compute logical left shift, b = a << d
|
|
|
|
|
|
|
|
|
|
Since these are logical shifts, they fill with zeroes (the library
|
|
|
|
|
uses a signed magnitude representation, so there are no sign bits to
|
|
|
|
|
extend anyway).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Command-line Utilities
|
|
|
|
|
----------------------
|
|
|
|
|
|
|
|
|
|
A handful of interesting command-line utilities are provided. These
|
|
|
|
|
are:
|
|
|
|
|
|
|
|
|
|
lap.c - Find the order of a mod m. Usage is 'lap <a> <m>'.
|
|
|
|
|
This uses a dumb algorithm, so don't use it for
|
|
|
|
|
a really big modulus.
|
|
|
|
|
|
|
|
|
|
invmod.c - Find the inverse of a mod m, if it exists. Usage
|
|
|
|
|
is 'invmod <a> <m>'
|
|
|
|
|
|
|
|
|
|
sieve.c - A simple bitmap-based implementation of the Sieve
|
|
|
|
|
of Eratosthenes. Used to generate the table of
|
|
|
|
|
primes in primes.c. Usage is 'sieve <nbits>'
|
|
|
|
|
|
|
|
|
|
prng.c - Uses the routines in bbs_rand.{h,c} to generate
|
|
|
|
|
one or more 32-bit pseudo-random integers. This
|
|
|
|
|
is mainly an example, not intended for use in a
|
|
|
|
|
cryptographic application (the system time is
|
|
|
|
|
the only source of entropy used)
|
|
|
|
|
|
|
|
|
|
dec2hex.c - Convert decimal to hexadecimal
|
|
|
|
|
|
|
|
|
|
hex2dec.c - Convert hexadecimal to decimal
|
|
|
|
|
|
|
|
|
|
basecvt.c - General radix conversion tool (supports 2-64)
|
|
|
|
|
|
|
|
|
|
isprime.c - Probabilistically test an integer for primality
|
|
|
|
|
using the Rabin-Miller pseudoprime test combined
|
|
|
|
|
with division by small primes.
|
|
|
|
|
|
|
|
|
|
primegen.c - Generate primes at random.
|
|
|
|
|
|
|
|
|
|
exptmod.c - Perform modular exponentiation
|
|
|
|
|
|
|
|
|
|
ptab.pl - A Perl script to munge the output of the sieve
|
|
|
|
|
program into a compilable C structure.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Other Files
|
|
|
|
|
-----------
|
|
|
|
|
|
|
|
|
|
PRIMES - Some randomly generated numbers which are prime with
|
|
|
|
|
extremely high probability.
|
|
|
|
|
|
|
|
|
|
README - You're reading me already.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
About the Author
|
|
|
|
|
----------------
|
|
|
|
|
|
|
|
|
|
This software was written by Michael J. Fromberger. You can contact
|
|
|
|
|
the author as follows:
|
|
|
|
|
|
|
|
|
|
E-mail: <sting@linguist.dartmouth.edu>
|
|
|
|
|
|
|
|
|
|
Postal: 8000 Cummings Hall, Thayer School of Engineering
|
|
|
|
|
Dartmouth College, Hanover, New Hampshire, USA
|
|
|
|
|
|
|
|
|
|
PGP key: http://linguist.dartmouth.edu/~sting/keys/mjf.html
|
|
|
|
|
9736 188B 5AFA 23D6 D6AA BE0D 5856 4525 289D 9907
|
