MCL/sf/os/security: comparison crypto/weakcryptospi/source/bigint/primes.cpp

equal deleted inserted replaced

-:da2ae96f639b
+:cd501b96611d
+/*
+* Copyright (c) 2003-2009 Nokia Corporation and/or its subsidiary(-ies).
+* All rights reserved.
+* This component and the accompanying materials are made available
+* under the terms of the License "Eclipse Public License v1.0"
+* which accompanies this distribution, and is available
+* at the URL "http://www.eclipse.org/legal/epl-v10.html".
+*
+* Initial Contributors:
+* Nokia Corporation - initial contribution.
+*
+* Contributors:
+*
+* Description:
+*
+*/
+#include <bigint.h>
+#include <e32std.h>
+#include <securityerr.h>
+#include "words.h"
+#include "primes.h"
+#include "algorithms.h"
+#include "mont.h"
+#include "stackinteger.h"
+static TBool IsSmallPrime(TUint aK);
+static inline void EliminateComposites(TUint* aS, TUint aPrime, TUint aJ,
+	TUint aMaxIndex)
+	{
+	for(; aJ<aMaxIndex; aJ+=aPrime)
+		ArraySetBit(aS, aJ);
+	}
+static inline TInt FindLeastSignificantZero(TUint aX)
+	{
+	aX = ~aX;
+	int i = 0;
+	if( aX << 16 == 0 ) aX>>=16, i+=16;
+	if( aX << 24 == 0 ) aX>>=8, i+=8;
+	if( aX << 28 == 0 ) aX>>=4, i+=4;
+	if( aX << 30 == 0 ) aX>>=2, i+=2;
+	if( aX << 31 == 0 ) ++i;
+	return i;
+	}
+static inline TInt FindFirstPrimeCandidate(TUint* aS, TUint aBitLength)
+	{
+	assert(aBitLength % WORD_BITS == 0);
+	TUint i=0;
+	//The empty statement at the end of this is stop warnings in all compilers
+	for(; aS[i] == KMaxTUint && i<BitsToWords(aBitLength); i++) {;}
+	if(i == BitsToWords(aBitLength))
+		return -1;
+	else
+		{
+		assert( FindLeastSignificantZero((TUint)(aS[i])) >= 0 );
+		assert( FindLeastSignificantZero((TUint)(aS[i])) <= 31 );
+		return i*WORD_BITS + FindLeastSignificantZero((TUint32)(aS[i]));
+		}
+	}
+static inline TUint FindSmallestIndex(TUint aPrime, TUint aRemainder)
+	{
+	TUint& j = aRemainder;
+	if(j)
+		{
+		j = aPrime - aRemainder;
+		if( j & 0x1L )
+			{
+			//if j is odd then this + j is even so we actually want
+			//the next number for which (this + j % p == 0) st this + j is odd
+			//that is: this + j + p == 0 mod p
+			j += aPrime;
+			}
+		//Turn j into an index for a bit array representing odd numbers only
+		j>>=1;
+		}
+	return j;
+	}
+static inline TUint RabinMillerRounds(TUint aBits)
+	{
+	//See HAC Table 4.4
+	if(aBits > 1300)
+		return 2;
+	if (aBits > 850)
+		return 3;
+	if (aBits > 650)
+		return 4;
+	if (aBits > 550)
+		return 5;
+	if (aBits > 450)
+		return 6;
+	if (aBits > 400)
+		return 7;
+	if (aBits > 350)
+		return 8;
+	if (aBits > 300)
+		return 9;
+	if (aBits > 250)
+		return 12;
+	if (aBits > 200)
+		return 15;
+	if (aBits > 150)
+		return 18;
+	if (aBits > 100)
+		return 27;
+	//All of the above are optimisations on the worst case.  The worst case
+	//chance of odd composite integers being declared prime by Rabin-Miller is
+	//(1/4)^t where t is the number of rounds.  Thus, t = 40 means that the
+	//chance of declaring a composite integer prime is less than 2^(-80).  See
+	//HAC Fact 4.25 and most of chapter 4 for more details.
+	return 40;
+	}
+static TBool HasSmallDivisorL(const TInteger& aPossiblePrime)
+	{
+	assert(aPossiblePrime.IsOdd());
+	//Start checking at the first odd prime, whether it is even should have
+	//already been checked
+	for( TUint i=1; i < KPrimeTableSize; i++ )
+		{
+		if( aPossiblePrime.ModuloL(KPrimeTable[i]) == 0 )
+			{
+			return ETrue;
+			}
+		}
+	return EFalse;
+	}
+static TBool RabinMillerIterationL(const CMontgomeryStructure& aMont,
+	const TInteger& aProbablePrime, const TInteger& aBase)
+	{
+	//see HAC 4.24
+	const TInteger& n = aProbablePrime;
+	assert(n > KLastSmallPrimeSquared);
+	assert(n.IsOdd());
+	assert(aBase > TInteger::One());
+	RInteger nminus1 = n.MinusL(TInteger::One());
+	CleanupStack::PushL(nminus1);
+	assert(aBase < nminus1);
+	// 1) find (s | 2^s*r == n-1) where r is odd
+	// we want the largest power of 2 that divides n-1
+	TUint s=0;
+	for(;;s++)
+		{
+		if(nminus1.Bit(s))
+			{
+			break;
+			}
+		}
+	// (r = (n-1) / 2^s) which is equiv to (n-1 >>= s)
+	RInteger r = RInteger::NewL(nminus1);
+	CleanupStack::PushL(r);
+	r >>= s;
+	//At no point do we own y, aMont owns it
+	const TInteger* y = &(aMont.ExponentiateL(aBase, r));
+	TBool probablePrime = EFalse;
+	TUint j=1;
+	if( *y == TInteger::One() || *y == nminus1 )
+		{
+		probablePrime = ETrue;
+		}
+	else
+		{
+		for(j=1; j<s; j++)
+			{
+			y = &(aMont.SquareL(*y));
+			if(*y == nminus1)
+				{
+				probablePrime = ETrue;
+				break;
+				}
+			}
+		}
+	CleanupStack::PopAndDestroy(&r);
+	CleanupStack::PopAndDestroy(&nminus1);//y,r,nminus1
+	return probablePrime;
+	}
+static TBool RabinMillerTestL(const CMontgomeryStructure& aMont,
+	const TInteger& aProbablePrime, TUint aRounds)
+	{
+	const TInteger& n = aProbablePrime;
+	assert(n > KLastSmallPrimeSquared);
+	RInteger nminus2 = n.MinusL(TInteger::Two());
+	CleanupStack::PushL(nminus2);
+	for(TUint i=0; i<aRounds; i++)
+		{
+		RInteger base = RInteger::NewRandomL(TInteger::Two(), nminus2);
+		CleanupStack::PushL(base);
+		if(!RabinMillerIterationL(aMont, n, base))
+			{
+			CleanupStack::PopAndDestroy(2, &nminus2);//base, nminus2
+			return EFalse;
+			}
+		CleanupStack::PopAndDestroy(&base);
+		}
+	CleanupStack::PopAndDestroy(&nminus2);
+	return ETrue;
+	}
+static TBool IsStrongProbablePrimeL(const TInteger& aPrime)
+	{
+	CMontgomeryStructure* mont = CMontgomeryStructure::NewLC(aPrime);
+	//This should be using short circuit evaluation
+	TBool probablePrime = RabinMillerIterationL(*mont, aPrime, TInteger::Two())
+		&& RabinMillerTestL(*mont, aPrime,RabinMillerRounds(aPrime.BitCount()));
+	CleanupStack::PopAndDestroy(mont);
+	return probablePrime;
+	}
+/* In the _vast_ majority of cases this simply checks that your chosen random
+* number is >= KLastSmallPrimeSquared and return EFalse and lets the normal
+* prime generation routines handle the situation.  In the case where it is
+* smaller, it generates a provable prime and returns ETrue.  The algorithm for
+* finding a provable prime < KLastPrimeSquared is not the most efficient in the
+* world, but two points come to mind
+* 1) The two if statements hardly _ever_ evaluate to ETrue in real life.
+* 2) Even when it is, the distribution of primes < KLastPrimeSquared is pretty
+* dense, so you aren't going to have check many.
+* This function is essentially here for two reasons:
+* 1) Ensures that it is possible to generate primes < KLastPrimeSquared (the
+* test code does this)
+* 2) Ensures that if you request a prime of a large bit size that there is an
+* even probability distribution across all integers < 2^aBits
+*/
+TBool TInteger::SmallPrimeRandomizeL(void)
+	{
+	TBool foundPrime = EFalse;
+	//If the random number we've chosen is less than KLastSmallPrime,
+	//testing for primality is easy.
+	if(*this <= KLastSmallPrime)
+		{
+		//If Zero or One, or two, next prime number is two
+		if(IsZero() || *this == One() || *this == Two())
+			{
+			CopyL(TInteger::Two());
+			foundPrime = ETrue;
+			}
+		else
+			{
+			//Make sure any number we bother testing is at least odd
+			SetBit(0);
+			//Binary search the small primes.
+			while(!IsSmallPrime(ConvertToUnsignedLong()))
+				{
+				//If not prime, add two and try the next odd number.
+				//will never carry as the minimum size of an RInteger is 2
+				//words.  Much bigger than KLastSmallPrime on 32bit
+				//architectures.
+				IncrementNoCarry(Ptr(), Size(), 2);
+				}
+			assert(IsSmallPrime(ConvertToUnsignedLong()));
+			foundPrime = ETrue;
+			}
+		}
+	else if(*this <= KLastSmallPrimeSquared)
+		{
+		//Make sure any number we bother testing is at least odd
+		SetBit(0);
+		while(HasSmallDivisorL(*this) && *this <= KLastSmallPrimeSquared)
+			{
+			//If not prime, add two and try the next odd number.
+			//will never carry as the minimum size of an RInteger is 2
+			//words.  Much bigger than KLastSmallPrime on 32bit
+			//architectures.
+			IncrementNoCarry(Ptr(), Size(), 2);
+			}
+		//If we exited while loop because it had no small divisor then it is
+		//prime.  Otherwise, we've exceeded the limit of what we can provably
+		//generate.  Therefore the normal prime gen routines will be run on it
+		//now.
+		if(*this < KLastSmallPrimeSquared)
+			{
+			foundPrime = ETrue;
+			}
+		}
+	//This doesn't mean there is no such prime, simply means that the number
+	//wasn't less than KSmallPrimeSquared and needs to be handled by the normal
+	//prime generation routines.
+	return foundPrime;
+	}
+void TInteger::PrimeRandomizeL(TUint aBits, TRandomAttribute aAttr)
+	{
+	assert(aBits > 1);
+	//"this" is "empty" currently.  Consists of Size() words of 0's.  This is just
+	//checking that sign flag is positive as we don't set it later.
+	assert(NotNegative());
+	//Flag for the whole function saying if we've found a prime
+	TBool foundProbablePrime = EFalse;
+	//Find 2^aBits + 1 -- any prime we find must be less than this.
+	RInteger max = RInteger::NewEmptyL(BitsToWords(aBits)+1);
+	CleanupStack::PushL(max);
+	max.SetBit(aBits);
+	assert(max.BitCount()-1 == aBits);
+	// aBits 	| approx number of odd numbers you must try to have a 50%
+	//			chance of finding a prime
+	//---------------------------------------------------------
+	// 512		| 122
+	// 1024		| 245
+	// 2048		| 1023
+	//Therefore if we are generating larger than 1024 bit numbers we'll use a
+	//bigger bit array to have a better chance of avoiding re-generating it.
+	TUint sLength = aBits > 1024 ? 1024 : 512;
+	RInteger S = RInteger::NewEmptyL(BitsToWords(sLength));
+	CleanupStack::PushL(S);
+	while(!foundProbablePrime)
+		{
+		//Randomly choose aBits
+		RandomizeL(aBits, aAttr);
+		//If the random number chosen is less than KSmallPrimeSquared, we have a
+		//special set of routines.
+		if(SmallPrimeRandomizeL())
+			{
+			foundProbablePrime = ETrue;
+			}
+		else
+			{
+			//if it was <= KLastSmallPrimeSquared then it would have been
+			//handled by SmallPrimeRandomizeL()
+			assert(*this > KLastSmallPrimeSquared);
+			//Make sure any number we bother testing is at least odd
+			SetBit(0);
+			//Ensure that this + 2*sLength < max
+			RInteger temp = max.MinusL(*this);
+			CleanupStack::PushL(temp);
+			++temp;
+			temp >>=1;
+			if(temp < sLength)
+				{
+				//if this + 2*sLength >= max then we use a smaller sLength to
+				//ensure we don't find a number that is outside of our bounds
+				//(and bigger than our allocated memory for this)
+				//temp must be less than KMaxTUint as sLength is a TUint
+				sLength = temp.ConvertToUnsignedLong();
+				}
+			CleanupStack::PopAndDestroy(&temp);
+			//Start at 1 as no point in checking against 2 (all odd numbers)
+			for(TUint i=1; i<KPrimeTableSize; i++)
+				{
+				//no need to call ModuloL as we know KPrimeTable[i] is not 0
+				TUint remainder = Modulo(*this, KPrimeTable[i]);
+				TUint index = FindSmallestIndex(KPrimeTable[i], remainder);
+				EliminateComposites(S.Ptr(), KPrimeTable[i], index, sLength);
+				}
+			TInt j = FindFirstPrimeCandidate(S.Ptr(), sLength);
+			TInt prev = 0;
+			for(; j>=0; j=FindFirstPrimeCandidate(S.Ptr(), sLength))
+				{
+				ArraySetBit(S.Ptr(), j);
+				//should never carry as we earlier made sure that 2*j + this < max
+				//where max is 1 bit more than we asked for.
+				IncrementNoCarry(Ptr(), Size(), 2*(j-prev));
+				assert(*this < max);
+				assert(!HasSmallDivisorL(*this));
+				prev = j;
+				if( IsStrongProbablePrimeL(*this) )
+					{
+					foundProbablePrime = ETrue;
+					break;
+					}
+				}
+			//This clears the memory
+			S.CopyL(0, EFalse);
+			}
+		}
+	CleanupStack::PopAndDestroy(2, &max);
+	}
+EXPORT_C TBool TInteger::IsPrimeL(void) const
+	{
+	if( NotPositive() )
+		{
+		return EFalse;
+		}
+	else if( IsEven() )
+		{
+		return *this == Two();
+		}
+	else if( *this <= KLastSmallPrime )
+		{
+		assert(KLastSmallPrime < KMaxTUint);
+		return IsSmallPrime(this->ConvertToUnsignedLong());
+		}
+	else if( *this <= KLastSmallPrimeSquared )
+		{
+		return !HasSmallDivisorL(*this);
+		}
+	else
+		{
+		return !HasSmallDivisorL(*this) && IsStrongProbablePrimeL(*this);
+		}
+	}
+// Method is excluded from coverage due to the problem with BullsEye on ONB.
+// Manually verified that this method is functionally covered.
+#ifdef _BullseyeCoverage
+#pragma suppress_warnings on
+#pragma BullseyeCoverage off
+#pragma suppress_warnings off
+#endif
+static TBool IsSmallPrime(TUint aK)
+	{
+	//This is just a binary search of our small prime table.
+	TUint l = 0;
+	TUint u = KPrimeTableSize;
+	while( u > l )
+		{
+		TUint m = (l+u)>>1;
+		TUint p = KPrimeTable[m];
+		if(aK < p)
+			u = m;
+		else if (aK > p)
+			l = m + 1;
+		else
+			return ETrue;
+		}
+	return EFalse;
+	}