Merge fixes for bug 1170 and bug 1301.
* Copyright (c) 2003-2009 Nokia Corporation and/or its subsidiary(-ies).
* All rights reserved.
* This component and the accompanying materials are made available
* under the terms of the License "Eclipse Public License v1.0"
* which accompanies this distribution, and is available
* at the URL "".
* Initial Contributors:
* Nokia Corporation - initial contribution.
* Contributors:
* Description:
#include <bigint.h>
#include <e32std.h>
#include <securityerr.h>
#include "words.h"
#include "primes.h"
#include "algorithms.h"
#include "mont.h"
#include "stackinteger.h"
static TBool IsSmallPrime(TUint aK);
static inline void EliminateComposites(TUint* aS, TUint aPrime, TUint aJ,
TUint aMaxIndex)
for(; aJ<aMaxIndex; aJ+=aPrime)
ArraySetBit(aS, aJ);
static inline TInt FindLeastSignificantZero(TUint aX)
aX = ~aX;
int i = 0;
if( aX << 16 == 0 ) aX>>=16, i+=16;
if( aX << 24 == 0 ) aX>>=8, i+=8;
if( aX << 28 == 0 ) aX>>=4, i+=4;
if( aX << 30 == 0 ) aX>>=2, i+=2;
if( aX << 31 == 0 ) ++i;
return i;
static inline TInt FindFirstPrimeCandidate(TUint* aS, TUint aBitLength)
assert(aBitLength % WORD_BITS == 0);
TUint i=0;
//The empty statement at the end of this is stop warnings in all compilers
for(; aS[i] == KMaxTUint && i<BitsToWords(aBitLength); i++) {;}
if(i == BitsToWords(aBitLength))
return -1;
assert( FindLeastSignificantZero((TUint)(aS[i])) >= 0 );
assert( FindLeastSignificantZero((TUint)(aS[i])) <= 31 );
return i*WORD_BITS + FindLeastSignificantZero((TUint32)(aS[i]));
static inline TUint FindSmallestIndex(TUint aPrime, TUint aRemainder)
TUint& j = aRemainder;
j = aPrime - aRemainder;
if( j & 0x1L )
//if j is odd then this + j is even so we actually want
//the next number for which (this + j % p == 0) st this + j is odd
//that is: this + j + p == 0 mod p
j += aPrime;
//Turn j into an index for a bit array representing odd numbers only
return j;
static inline TUint RabinMillerRounds(TUint aBits)
//See HAC Table 4.4
if(aBits > 1300)
return 2;
if (aBits > 850)
return 3;
if (aBits > 650)
return 4;
if (aBits > 550)
return 5;
if (aBits > 450)
return 6;
if (aBits > 400)
return 7;
if (aBits > 350)
return 8;
if (aBits > 300)
return 9;
if (aBits > 250)
return 12;
if (aBits > 200)
return 15;
if (aBits > 150)
return 18;
if (aBits > 100)
return 27;
//All of the above are optimisations on the worst case. The worst case
//chance of odd composite integers being declared prime by Rabin-Miller is
//(1/4)^t where t is the number of rounds. Thus, t = 40 means that the
//chance of declaring a composite integer prime is less than 2^(-80). See
//HAC Fact 4.25 and most of chapter 4 for more details.
return 40;
static TBool HasSmallDivisorL(const TInteger& aPossiblePrime)
//Start checking at the first odd prime, whether it is even should have
//already been checked
for( TUint i=1; i < KPrimeTableSize; i++ )
if( aPossiblePrime.ModuloL(KPrimeTable[i]) == 0 )
return ETrue;
return EFalse;
static TBool RabinMillerIterationL(const CMontgomeryStructure& aMont,
const TInteger& aProbablePrime, const TInteger& aBase)
//see HAC 4.24
const TInteger& n = aProbablePrime;
assert(n > KLastSmallPrimeSquared);
assert(aBase > TInteger::One());
RInteger nminus1 = n.MinusL(TInteger::One());
assert(aBase < nminus1);
// 1) find (s | 2^s*r == n-1) where r is odd
// we want the largest power of 2 that divides n-1
TUint s=0;
// (r = (n-1) / 2^s) which is equiv to (n-1 >>= s)
RInteger r = RInteger::NewL(nminus1);
r >>= s;
//At no point do we own y, aMont owns it
const TInteger* y = &(aMont.ExponentiateL(aBase, r));
TBool probablePrime = EFalse;
TUint j=1;
if( *y == TInteger::One() || *y == nminus1 )
probablePrime = ETrue;
for(j=1; j<s; j++)
y = &(aMont.SquareL(*y));
if(*y == nminus1)
probablePrime = ETrue;
return probablePrime;
static TBool RabinMillerTestL(const CMontgomeryStructure& aMont,
const TInteger& aProbablePrime, TUint aRounds)
const TInteger& n = aProbablePrime;
assert(n > KLastSmallPrimeSquared);
RInteger nminus2 = n.MinusL(TInteger::Two());
for(TUint i=0; i<aRounds; i++)
RInteger base = RInteger::NewRandomL(TInteger::Two(), nminus2);
if(!RabinMillerIterationL(aMont, n, base))
CleanupStack::PopAndDestroy(2, &nminus2);//base, nminus2
return EFalse;
return ETrue;
static TBool IsStrongProbablePrimeL(const TInteger& aPrime)
CMontgomeryStructure* mont = CMontgomeryStructure::NewLC(aPrime);
//This should be using short circuit evaluation
TBool probablePrime = RabinMillerIterationL(*mont, aPrime, TInteger::Two())
&& RabinMillerTestL(*mont, aPrime,RabinMillerRounds(aPrime.BitCount()));
return probablePrime;
/* In the _vast_ majority of cases this simply checks that your chosen random
* number is >= KLastSmallPrimeSquared and return EFalse and lets the normal
* prime generation routines handle the situation. In the case where it is
* smaller, it generates a provable prime and returns ETrue. The algorithm for
* finding a provable prime < KLastPrimeSquared is not the most efficient in the
* world, but two points come to mind
* 1) The two if statements hardly _ever_ evaluate to ETrue in real life.
* 2) Even when it is, the distribution of primes < KLastPrimeSquared is pretty
* dense, so you aren't going to have check many.
* This function is essentially here for two reasons:
* 1) Ensures that it is possible to generate primes < KLastPrimeSquared (the
* test code does this)
* 2) Ensures that if you request a prime of a large bit size that there is an
* even probability distribution across all integers < 2^aBits
TBool TInteger::SmallPrimeRandomizeL(void)
TBool foundPrime = EFalse;
//If the random number we've chosen is less than KLastSmallPrime,
//testing for primality is easy.
if(*this <= KLastSmallPrime)
//If Zero or One, or two, next prime number is two
if(IsZero() || *this == One() || *this == Two())
foundPrime = ETrue;
//Make sure any number we bother testing is at least odd
//Binary search the small primes.
//If not prime, add two and try the next odd number.
//will never carry as the minimum size of an RInteger is 2
//words. Much bigger than KLastSmallPrime on 32bit
IncrementNoCarry(Ptr(), Size(), 2);
foundPrime = ETrue;
else if(*this <= KLastSmallPrimeSquared)
//Make sure any number we bother testing is at least odd
while(HasSmallDivisorL(*this) && *this <= KLastSmallPrimeSquared)
//If not prime, add two and try the next odd number.
//will never carry as the minimum size of an RInteger is 2
//words. Much bigger than KLastSmallPrime on 32bit
IncrementNoCarry(Ptr(), Size(), 2);
//If we exited while loop because it had no small divisor then it is
//prime. Otherwise, we've exceeded the limit of what we can provably
//generate. Therefore the normal prime gen routines will be run on it
if(*this < KLastSmallPrimeSquared)
foundPrime = ETrue;
//This doesn't mean there is no such prime, simply means that the number
//wasn't less than KSmallPrimeSquared and needs to be handled by the normal
//prime generation routines.
return foundPrime;
void TInteger::PrimeRandomizeL(TUint aBits, TRandomAttribute aAttr)
assert(aBits > 1);
//"this" is "empty" currently. Consists of Size() words of 0's. This is just
//checking that sign flag is positive as we don't set it later.
//Flag for the whole function saying if we've found a prime
TBool foundProbablePrime = EFalse;
//Find 2^aBits + 1 -- any prime we find must be less than this.
RInteger max = RInteger::NewEmptyL(BitsToWords(aBits)+1);
assert(max.BitCount()-1 == aBits);
// aBits | approx number of odd numbers you must try to have a 50%
// chance of finding a prime
// 512 | 122
// 1024 | 245
// 2048 | 1023
//Therefore if we are generating larger than 1024 bit numbers we'll use a
//bigger bit array to have a better chance of avoiding re-generating it.
TUint sLength = aBits > 1024 ? 1024 : 512;
RInteger S = RInteger::NewEmptyL(BitsToWords(sLength));
//Randomly choose aBits
RandomizeL(aBits, aAttr);
//If the random number chosen is less than KSmallPrimeSquared, we have a
//special set of routines.
foundProbablePrime = ETrue;
//if it was <= KLastSmallPrimeSquared then it would have been
//handled by SmallPrimeRandomizeL()
assert(*this > KLastSmallPrimeSquared);
//Make sure any number we bother testing is at least odd
//Ensure that this + 2*sLength < max
RInteger temp = max.MinusL(*this);
temp >>=1;
if(temp < sLength)
//if this + 2*sLength >= max then we use a smaller sLength to
//ensure we don't find a number that is outside of our bounds
//(and bigger than our allocated memory for this)
//temp must be less than KMaxTUint as sLength is a TUint
sLength = temp.ConvertToUnsignedLong();
//Start at 1 as no point in checking against 2 (all odd numbers)
for(TUint i=1; i<KPrimeTableSize; i++)
//no need to call ModuloL as we know KPrimeTable[i] is not 0
TUint remainder = Modulo(*this, KPrimeTable[i]);
TUint index = FindSmallestIndex(KPrimeTable[i], remainder);
EliminateComposites(S.Ptr(), KPrimeTable[i], index, sLength);
TInt j = FindFirstPrimeCandidate(S.Ptr(), sLength);
TInt prev = 0;
for(; j>=0; j=FindFirstPrimeCandidate(S.Ptr(), sLength))
ArraySetBit(S.Ptr(), j);
//should never carry as we earlier made sure that 2*j + this < max
//where max is 1 bit more than we asked for.
IncrementNoCarry(Ptr(), Size(), 2*(j-prev));
assert(*this < max);
prev = j;
if( IsStrongProbablePrimeL(*this) )
foundProbablePrime = ETrue;
//This clears the memory
S.CopyL(0, EFalse);
CleanupStack::PopAndDestroy(2, &max);
EXPORT_C TBool TInteger::IsPrimeL(void) const
if( NotPositive() )
return EFalse;
else if( IsEven() )
return *this == Two();
else if( *this <= KLastSmallPrime )
assert(KLastSmallPrime < KMaxTUint);
return IsSmallPrime(this->ConvertToUnsignedLong());
else if( *this <= KLastSmallPrimeSquared )
return !HasSmallDivisorL(*this);
return !HasSmallDivisorL(*this) && IsStrongProbablePrimeL(*this);
// Method is excluded from coverage due to the problem with BullsEye on ONB.
// Manually verified that this method is functionally covered.
#ifdef _BullseyeCoverage
#pragma suppress_warnings on
#pragma BullseyeCoverage off
#pragma suppress_warnings off
static TBool IsSmallPrime(TUint aK)
//This is just a binary search of our small prime table.
TUint l = 0;
TUint u = KPrimeTableSize;
while( u > l )
TUint m = (l+u)>>1;
TUint p = KPrimeTable[m];
if(aK < p)
u = m;
else if (aK > p)
l = m + 1;
return ETrue;
return EFalse;