2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include "internal/cryptlib.h"
16 * The quick sieve algorithm approach to weeding out primes is Philip
17 * Zimmermann's, as implemented in PGP. I have had a read of his comments
18 * and implemented my own version.
22 static int probable_prime(BIGNUM
*rnd
, int bits
, int safe
, prime_t
*mods
,
24 static int probable_prime_dh(BIGNUM
*rnd
, int bits
, int safe
, prime_t
*mods
,
25 const BIGNUM
*add
, const BIGNUM
*rem
,
27 static int bn_is_prime_int(const BIGNUM
*w
, int checks
, BN_CTX
*ctx
,
28 int do_trial_division
, BN_GENCB
*cb
);
30 #define square(x) ((BN_ULONG)(x) * (BN_ULONG)(x))
33 # define BN_DEF(lo, hi) (BN_ULONG)hi<<32|lo
35 # define BN_DEF(lo, hi) lo, hi
39 * See SP800 89 5.3.3 (Step f)
40 * The product of the set of primes ranging from 3 to 751
41 * Generated using process in test/bn_internal_test.c test_bn_small_factors().
42 * This includes 751 (which is not currently included in SP 800-89).
44 static const BN_ULONG small_prime_factors
[] = {
45 BN_DEF(0x3ef4e3e1, 0xc4309333), BN_DEF(0xcd2d655f, 0x71161eb6),
46 BN_DEF(0x0bf94862, 0x95e2238c), BN_DEF(0x24f7912b, 0x3eb233d3),
47 BN_DEF(0xbf26c483, 0x6b55514b), BN_DEF(0x5a144871, 0x0a84d817),
48 BN_DEF(0x9b82210a, 0x77d12fee), BN_DEF(0x97f050b3, 0xdb5b93c2),
49 BN_DEF(0x4d6c026b, 0x4acad6b9), BN_DEF(0x54aec893, 0xeb7751f3),
50 BN_DEF(0x36bc85c4, 0xdba53368), BN_DEF(0x7f5ec78e, 0xd85a1b28),
51 BN_DEF(0x6b322244, 0x2eb072d8), BN_DEF(0x5e2b3aea, 0xbba51112),
52 BN_DEF(0x0e2486bf, 0x36ed1a6c), BN_DEF(0xec0c5727, 0x5f270460),
56 #define BN_SMALL_PRIME_FACTORS_TOP OSSL_NELEM(small_prime_factors)
57 static const BIGNUM _bignum_small_prime_factors
= {
58 (BN_ULONG
*)small_prime_factors
,
59 BN_SMALL_PRIME_FACTORS_TOP
,
60 BN_SMALL_PRIME_FACTORS_TOP
,
65 const BIGNUM
*ossl_bn_get0_small_factors(void)
67 return &_bignum_small_prime_factors
;
71 * Calculate the number of trial divisions that gives the best speed in
72 * combination with Miller-Rabin prime test, based on the sized of the prime.
74 static int calc_trial_divisions(int bits
)
78 else if (bits
<= 1024)
80 else if (bits
<= 2048)
82 else if (bits
<= 4096)
88 * Use a minimum of 64 rounds of Miller-Rabin, which should give a false
89 * positive rate of 2^-128. If the size of the prime is larger than 2048
90 * the user probably wants a higher security level than 128, so switch
91 * to 128 rounds giving a false positive rate of 2^-256.
92 * Returns the number of rounds.
94 static int bn_mr_min_checks(int bits
)
101 int BN_GENCB_call(BN_GENCB
*cb
, int a
, int b
)
103 /* No callback means continue */
108 /* Deprecated-style callbacks */
111 cb
->cb
.cb_1(a
, b
, cb
->arg
);
114 /* New-style callbacks */
115 return cb
->cb
.cb_2(a
, b
, cb
);
119 /* Unrecognised callback type */
123 int BN_generate_prime_ex2(BIGNUM
*ret
, int bits
, int safe
,
124 const BIGNUM
*add
, const BIGNUM
*rem
, BN_GENCB
*cb
,
130 prime_t
*mods
= NULL
;
131 int checks
= bn_mr_min_checks(bits
);
134 /* There are no prime numbers this small. */
135 ERR_raise(ERR_LIB_BN
, BN_R_BITS_TOO_SMALL
);
137 } else if (add
== NULL
&& safe
&& bits
< 6 && bits
!= 3) {
139 * The smallest safe prime (7) is three bits.
140 * But the following two safe primes with less than 6 bits (11, 23)
141 * are unreachable for BN_rand with BN_RAND_TOP_TWO.
143 ERR_raise(ERR_LIB_BN
, BN_R_BITS_TOO_SMALL
);
147 mods
= OPENSSL_zalloc(sizeof(*mods
) * NUMPRIMES
);
149 ERR_raise(ERR_LIB_BN
, ERR_R_MALLOC_FAILURE
);
158 /* make a random number and set the top and bottom bits */
160 if (!probable_prime(ret
, bits
, safe
, mods
, ctx
))
163 if (!probable_prime_dh(ret
, bits
, safe
, mods
, add
, rem
, ctx
))
167 if (!BN_GENCB_call(cb
, 0, c1
++))
172 i
= bn_is_prime_int(ret
, checks
, ctx
, 0, cb
);
179 * for "safe prime" generation, check that (p-1)/2 is prime. Since a
180 * prime is odd, We just need to divide by 2
182 if (!BN_rshift1(t
, ret
))
185 for (i
= 0; i
< checks
; i
++) {
186 j
= bn_is_prime_int(ret
, 1, ctx
, 0, cb
);
192 j
= bn_is_prime_int(t
, 1, ctx
, 0, cb
);
198 if (!BN_GENCB_call(cb
, 2, c1
- 1))
200 /* We have a safe prime test pass */
203 /* we have a prime :-) */
213 int BN_generate_prime_ex(BIGNUM
*ret
, int bits
, int safe
,
214 const BIGNUM
*add
, const BIGNUM
*rem
, BN_GENCB
*cb
)
216 BN_CTX
*ctx
= BN_CTX_new();
222 retval
= BN_generate_prime_ex2(ret
, bits
, safe
, add
, rem
, cb
, ctx
);
229 #ifndef OPENSSL_NO_DEPRECATED_3_0
230 int BN_is_prime_ex(const BIGNUM
*a
, int checks
, BN_CTX
*ctx_passed
,
233 return ossl_bn_check_prime(a
, checks
, ctx_passed
, 0, cb
);
236 int BN_is_prime_fasttest_ex(const BIGNUM
*w
, int checks
, BN_CTX
*ctx
,
237 int do_trial_division
, BN_GENCB
*cb
)
239 return ossl_bn_check_prime(w
, checks
, ctx
, do_trial_division
, cb
);
243 /* Wrapper around bn_is_prime_int that sets the minimum number of checks */
244 int ossl_bn_check_prime(const BIGNUM
*w
, int checks
, BN_CTX
*ctx
,
245 int do_trial_division
, BN_GENCB
*cb
)
247 int min_checks
= bn_mr_min_checks(BN_num_bits(w
));
249 if (checks
< min_checks
)
252 return bn_is_prime_int(w
, checks
, ctx
, do_trial_division
, cb
);
255 int BN_check_prime(const BIGNUM
*p
, BN_CTX
*ctx
, BN_GENCB
*cb
)
257 return ossl_bn_check_prime(p
, 0, ctx
, 1, cb
);
261 * Tests that |w| is probably prime
262 * See FIPS 186-4 C.3.1 Miller Rabin Probabilistic Primality Test.
264 * Returns 0 when composite, 1 when probable prime, -1 on error.
266 static int bn_is_prime_int(const BIGNUM
*w
, int checks
, BN_CTX
*ctx
,
267 int do_trial_division
, BN_GENCB
*cb
)
269 int i
, status
, ret
= -1;
271 BN_CTX
*ctxlocal
= NULL
;
278 /* w must be bigger than 1 */
279 if (BN_cmp(w
, BN_value_one()) <= 0)
284 /* Take care of the really small prime 3 */
285 if (BN_is_word(w
, 3))
288 /* 2 is the only even prime */
289 return BN_is_word(w
, 2);
292 /* first look for small factors */
293 if (do_trial_division
) {
294 int trial_divisions
= calc_trial_divisions(BN_num_bits(w
));
296 for (i
= 1; i
< trial_divisions
; i
++) {
297 BN_ULONG mod
= BN_mod_word(w
, primes
[i
]);
298 if (mod
== (BN_ULONG
)-1)
301 return BN_is_word(w
, primes
[i
]);
303 if (!BN_GENCB_call(cb
, 1, -1))
307 if (ctx
== NULL
&& (ctxlocal
= ctx
= BN_CTX_new()) == NULL
)
311 if (!ossl_bn_miller_rabin_is_prime(w
, checks
, ctx
, cb
, 0, &status
)) {
315 ret
= (status
== BN_PRIMETEST_PROBABLY_PRIME
);
318 BN_CTX_free(ctxlocal
);
324 * Refer to FIPS 186-4 C.3.2 Enhanced Miller-Rabin Probabilistic Primality Test.
325 * OR C.3.1 Miller-Rabin Probabilistic Primality Test (if enhanced is zero).
326 * The Step numbers listed in the code refer to the enhanced case.
328 * if enhanced is set, then status returns one of the following:
329 * BN_PRIMETEST_PROBABLY_PRIME
330 * BN_PRIMETEST_COMPOSITE_WITH_FACTOR
331 * BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME
332 * if enhanced is zero, then status returns either
333 * BN_PRIMETEST_PROBABLY_PRIME or
334 * BN_PRIMETEST_COMPOSITE
336 * returns 0 if there was an error, otherwise it returns 1.
338 int ossl_bn_miller_rabin_is_prime(const BIGNUM
*w
, int iterations
, BN_CTX
*ctx
,
339 BN_GENCB
*cb
, int enhanced
, int *status
)
341 int i
, j
, a
, ret
= 0;
342 BIGNUM
*g
, *w1
, *w3
, *x
, *m
, *z
, *b
;
343 BN_MONT_CTX
*mont
= NULL
;
351 w1
= BN_CTX_get(ctx
);
352 w3
= BN_CTX_get(ctx
);
361 && BN_sub_word(w1
, 1)
364 && BN_sub_word(w3
, 3)))
367 /* check w is larger than 3, otherwise the random b will be too small */
368 if (BN_is_zero(w3
) || BN_is_negative(w3
))
371 /* (Step 1) Calculate largest integer 'a' such that 2^a divides w-1 */
373 while (!BN_is_bit_set(w1
, a
))
375 /* (Step 2) m = (w-1) / 2^a */
376 if (!BN_rshift(m
, w1
, a
))
379 /* Montgomery setup for computations mod a */
380 mont
= BN_MONT_CTX_new();
381 if (mont
== NULL
|| !BN_MONT_CTX_set(mont
, w
, ctx
))
385 iterations
= bn_mr_min_checks(BN_num_bits(w
));
388 for (i
= 0; i
< iterations
; ++i
) {
389 /* (Step 4.1) obtain a Random string of bits b where 1 < b < w-1 */
390 if (!BN_priv_rand_range_ex(b
, w3
, 0, ctx
)
391 || !BN_add_word(b
, 2)) /* 1 < b < w-1 */
396 if (!BN_gcd(g
, b
, w
, ctx
))
400 *status
= BN_PRIMETEST_COMPOSITE_WITH_FACTOR
;
405 /* (Step 4.5) z = b^m mod w */
406 if (!BN_mod_exp_mont(z
, b
, m
, w
, ctx
, mont
))
408 /* (Step 4.6) if (z = 1 or z = w-1) */
409 if (BN_is_one(z
) || BN_cmp(z
, w1
) == 0)
411 /* (Step 4.7) for j = 1 to a-1 */
412 for (j
= 1; j
< a
; ++j
) {
413 /* (Step 4.7.1 - 4.7.2) x = z. z = x^2 mod w */
414 if (!BN_copy(x
, z
) || !BN_mod_mul(z
, x
, x
, w
, ctx
))
417 if (BN_cmp(z
, w1
) == 0)
423 /* At this point z = b^((w-1)/2) mod w */
424 /* (Steps 4.8 - 4.9) x = z, z = x^2 mod w */
425 if (!BN_copy(x
, z
) || !BN_mod_mul(z
, x
, x
, w
, ctx
))
430 /* (Step 4.11) x = b^(w-1) mod w */
435 /* (Step 4.1.2) g = GCD(x-1, w) */
436 if (!BN_sub_word(x
, 1) || !BN_gcd(g
, x
, w
, ctx
))
438 /* (Steps 4.1.3 - 4.1.4) */
440 *status
= BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME
;
442 *status
= BN_PRIMETEST_COMPOSITE_WITH_FACTOR
;
444 *status
= BN_PRIMETEST_COMPOSITE
;
450 if (!BN_GENCB_call(cb
, 1, i
))
454 *status
= BN_PRIMETEST_PROBABLY_PRIME
;
465 BN_MONT_CTX_free(mont
);
470 * Generate a random number of |bits| bits that is probably prime by sieving.
471 * If |safe| != 0, it generates a safe prime.
472 * |mods| is a preallocated array that gets reused when called again.
474 * The probably prime is saved in |rnd|.
476 * Returns 1 on success and 0 on error.
478 static int probable_prime(BIGNUM
*rnd
, int bits
, int safe
, prime_t
*mods
,
483 int trial_divisions
= calc_trial_divisions(bits
);
484 BN_ULONG maxdelta
= BN_MASK2
- primes
[trial_divisions
- 1];
487 if (!BN_priv_rand_ex(rnd
, bits
, BN_RAND_TOP_TWO
, BN_RAND_BOTTOM_ODD
, 0,
490 if (safe
&& !BN_set_bit(rnd
, 1))
492 /* we now have a random number 'rnd' to test. */
493 for (i
= 1; i
< trial_divisions
; i
++) {
494 BN_ULONG mod
= BN_mod_word(rnd
, (BN_ULONG
)primes
[i
]);
495 if (mod
== (BN_ULONG
)-1)
497 mods
[i
] = (prime_t
) mod
;
501 for (i
= 1; i
< trial_divisions
; i
++) {
503 * check that rnd is a prime and also that
504 * gcd(rnd-1,primes) == 1 (except for 2)
505 * do the second check only if we are interested in safe primes
506 * in the case that the candidate prime is a single word then
507 * we check only the primes up to sqrt(rnd)
509 if (bits
<= 31 && delta
<= 0x7fffffff
510 && square(primes
[i
]) > BN_get_word(rnd
) + delta
)
512 if (safe
? (mods
[i
] + delta
) % primes
[i
] <= 1
513 : (mods
[i
] + delta
) % primes
[i
] == 0) {
514 delta
+= safe
? 4 : 2;
515 if (delta
> maxdelta
)
520 if (!BN_add_word(rnd
, delta
))
522 if (BN_num_bits(rnd
) != bits
)
529 * Generate a random number |rnd| of |bits| bits that is probably prime
530 * and satisfies |rnd| % |add| == |rem| by sieving.
531 * If |safe| != 0, it generates a safe prime.
532 * |mods| is a preallocated array that gets reused when called again.
534 * Returns 1 on success and 0 on error.
536 static int probable_prime_dh(BIGNUM
*rnd
, int bits
, int safe
, prime_t
*mods
,
537 const BIGNUM
*add
, const BIGNUM
*rem
,
543 int trial_divisions
= calc_trial_divisions(bits
);
544 BN_ULONG maxdelta
= BN_MASK2
- primes
[trial_divisions
- 1];
547 if ((t1
= BN_CTX_get(ctx
)) == NULL
)
550 if (maxdelta
> BN_MASK2
- BN_get_word(add
))
551 maxdelta
= BN_MASK2
- BN_get_word(add
);
554 if (!BN_rand_ex(rnd
, bits
, BN_RAND_TOP_ONE
, BN_RAND_BOTTOM_ODD
, 0, ctx
))
557 /* we need ((rnd-rem) % add) == 0 */
559 if (!BN_mod(t1
, rnd
, add
, ctx
))
561 if (!BN_sub(rnd
, rnd
, t1
))
564 if (!BN_add_word(rnd
, safe
? 3u : 1u))
567 if (!BN_add(rnd
, rnd
, rem
))
571 if (BN_num_bits(rnd
) < bits
572 || BN_get_word(rnd
) < (safe
? 5u : 3u)) {
573 if (!BN_add(rnd
, rnd
, add
))
577 /* we now have a random number 'rnd' to test. */
578 for (i
= 1; i
< trial_divisions
; i
++) {
579 BN_ULONG mod
= BN_mod_word(rnd
, (BN_ULONG
)primes
[i
]);
580 if (mod
== (BN_ULONG
)-1)
582 mods
[i
] = (prime_t
) mod
;
586 for (i
= 1; i
< trial_divisions
; i
++) {
587 /* check that rnd is a prime */
588 if (bits
<= 31 && delta
<= 0x7fffffff
589 && square(primes
[i
]) > BN_get_word(rnd
) + delta
)
591 /* rnd mod p == 1 implies q = (rnd-1)/2 is divisible by p */
592 if (safe
? (mods
[i
] + delta
) % primes
[i
] <= 1
593 : (mods
[i
] + delta
) % primes
[i
] == 0) {
594 delta
+= BN_get_word(add
);
595 if (delta
> maxdelta
)
600 if (!BN_add_word(rnd
, delta
))