oysteikt/heimdal
0
0
Fork 0
Code Issues5 Pull Requests Releases Activity
Files
.github
.zed
admin
appl
cf
doc
etc
include
kadmin
kcm
kdc
kpasswd
kuser
lib
asn1
base
com_err
gss_preauth
gssapi
hcrypto
libtommath
demo
doc
etc
logs
mtest
pre_gen
LICENSE
NTMakefile
README.md
appveyor.yml
astylerc
bn_cutoffs.c
bn_deprecated.c
bn_mp_2expt.c
bn_mp_abs.c
bn_mp_add.c
bn_mp_add_d.c
bn_mp_addmod.c
bn_mp_and.c
bn_mp_clamp.c
bn_mp_clear.c
bn_mp_clear_multi.c
bn_mp_cmp.c
bn_mp_cmp_d.c
bn_mp_cmp_mag.c
bn_mp_cnt_lsb.c
bn_mp_complement.c
bn_mp_copy.c
bn_mp_count_bits.c
bn_mp_decr.c
bn_mp_div.c
bn_mp_div_2.c
bn_mp_div_2d.c
bn_mp_div_3.c
bn_mp_div_d.c
bn_mp_dr_is_modulus.c
bn_mp_dr_reduce.c
bn_mp_dr_setup.c
bn_mp_error_to_string.c
bn_mp_exch.c
bn_mp_expt_u32.c
bn_mp_exptmod.c
bn_mp_exteuclid.c
bn_mp_fread.c
bn_mp_from_sbin.c
bn_mp_from_ubin.c
bn_mp_fwrite.c
bn_mp_gcd.c
bn_mp_get_double.c
bn_mp_get_i32.c
bn_mp_get_i64.c
bn_mp_get_l.c
bn_mp_get_ll.c
bn_mp_get_mag_u32.c
bn_mp_get_mag_u64.c
bn_mp_get_mag_ul.c
bn_mp_get_mag_ull.c
bn_mp_grow.c
bn_mp_incr.c
bn_mp_init.c
bn_mp_init_copy.c
bn_mp_init_i32.c
bn_mp_init_i64.c
bn_mp_init_l.c
bn_mp_init_ll.c
bn_mp_init_multi.c
bn_mp_init_set.c
bn_mp_init_size.c
bn_mp_init_u32.c
bn_mp_init_u64.c
bn_mp_init_ul.c
bn_mp_init_ull.c
bn_mp_invmod.c
bn_mp_is_square.c
bn_mp_iseven.c
bn_mp_isodd.c
bn_mp_kronecker.c
bn_mp_lcm.c
bn_mp_log_u32.c
bn_mp_lshd.c
bn_mp_mod.c
bn_mp_mod_2d.c
bn_mp_mod_d.c
bn_mp_montgomery_calc_normalization.c
bn_mp_montgomery_reduce.c
bn_mp_montgomery_setup.c
bn_mp_mul.c
bn_mp_mul_2.c
bn_mp_mul_2d.c
bn_mp_mul_d.c
bn_mp_mulmod.c
bn_mp_neg.c
bn_mp_or.c
bn_mp_pack.c
bn_mp_pack_count.c
bn_mp_prime_fermat.c
bn_mp_prime_frobenius_underwood.c
bn_mp_prime_is_prime.c
bn_mp_prime_miller_rabin.c
bn_mp_prime_next_prime.c
bn_mp_prime_rabin_miller_trials.c
bn_mp_prime_rand.c
bn_mp_prime_strong_lucas_selfridge.c
bn_mp_radix_size.c
bn_mp_radix_smap.c
bn_mp_rand.c
bn_mp_read_radix.c
bn_mp_reduce.c
bn_mp_reduce_2k.c
bn_mp_reduce_2k_l.c
bn_mp_reduce_2k_setup.c
bn_mp_reduce_2k_setup_l.c
bn_mp_reduce_is_2k.c
bn_mp_reduce_is_2k_l.c
bn_mp_reduce_setup.c
bn_mp_root_u32.c
bn_mp_rshd.c
bn_mp_sbin_size.c
bn_mp_set.c
bn_mp_set_double.c
bn_mp_set_i32.c
bn_mp_set_i64.c
bn_mp_set_l.c
bn_mp_set_ll.c
bn_mp_set_u32.c
bn_mp_set_u64.c
bn_mp_set_ul.c
bn_mp_set_ull.c
bn_mp_shrink.c
bn_mp_signed_rsh.c
bn_mp_sqr.c
bn_mp_sqrmod.c
bn_mp_sqrt.c
bn_mp_sqrtmod_prime.c
bn_mp_sub.c
bn_mp_sub_d.c
bn_mp_submod.c
bn_mp_to_radix.c
bn_mp_to_sbin.c
bn_mp_to_ubin.c
bn_mp_ubin_size.c
bn_mp_unpack.c
bn_mp_xor.c
bn_mp_zero.c
bn_prime_tab.c
bn_s_mp_add.c
bn_s_mp_balance_mul.c
bn_s_mp_exptmod.c
bn_s_mp_exptmod_fast.c
bn_s_mp_get_bit.c
bn_s_mp_invmod_fast.c
bn_s_mp_invmod_slow.c
bn_s_mp_karatsuba_mul.c
bn_s_mp_karatsuba_sqr.c
bn_s_mp_montgomery_reduce_fast.c
bn_s_mp_mul_digs.c
bn_s_mp_mul_digs_fast.c
bn_s_mp_mul_high_digs.c
bn_s_mp_mul_high_digs_fast.c
bn_s_mp_prime_is_divisible.c
bn_s_mp_rand_jenkins.c
bn_s_mp_rand_platform.c
bn_s_mp_reverse.c
bn_s_mp_sqr.c
bn_s_mp_sqr_fast.c
bn_s_mp_sub.c
bn_s_mp_toom_mul.c
bn_s_mp_toom_sqr.c
changes.txt
gen.pl
helper.pl
libtommath.pc.in
libtommath_VS2008.sln
libtommath_VS2008.vcproj
makefile
makefile.mingw
makefile.msvc
makefile.shared
makefile.unix
makefile_include.mk
testme.sh
tommath.def
tommath.h
tommath_class.h
tommath_cutoffs.h
tommath_private.h
tommath_superclass.h
x25519
ChangeLog
DESperate.txt
Makefile.am
NTMakefile
aes.c
aes.h
bn.c
bn.h
camellia-ntt.c
camellia-ntt.h
camellia.c
camellia.h
common.c
common.h
des-tables.h
des.c
des.h
destest.c
dh-ltm.c
dh-tfm.c
dh.c
dh.h
doxygen.c
dsa.c
dsa.h
ec.c
ec.h
ecdh.h
ecdsa.h
engine.c
engine.h
evp-cc.c
evp-cc.h
evp-crypt.c
evp-hcrypto.c
evp-hcrypto.h
evp-openssl.c
evp-openssl.h
evp-pkcs11.c
evp-pkcs11.h
evp-w32.c
evp-w32.h
evp-wincng.c
evp-wincng.h
evp.c
evp.h
example_evp_cipher.c
gen-des.pl
hash.h
hmac.c
hmac.h
libhcrypto-exports.def
md4.c
md4.h
md5.c
md5.h
md5crypt_test.c
mdtest.c
passwd_dialog.aps
passwd_dialog.clw
passwd_dialog.rc
passwd_dialog.res
passwd_dlg.c
passwd_dlg.h
pkcs12.c
pkcs12.h
pkcs5.c
rand-fortuna.c
rand-timer.c
rand-unix.c
rand-w32.c
rand.c
rand.h
randi.h
rc2.c
rc2.h
rc2test.c
rc4.c
rc4.h
rctest.c
resource.h
rijndael-alg-fst.c
rijndael-alg-fst.h
rnd_keys.c
rsa-gmp.c
rsa-ltm.c
rsa-tfm.c
rsa.c
rsa.h
rsakey.der
rsakey2048.der
rsakey4096.der
sha.c
sha.h
sha256.c
sha512.c
test_bn.c
test_bulk.c
test_cipher.c
test_crypto.in
test_dh.c
test_engine_dso.c
test_hmac.c
test_pkcs12.c
test_pkcs5.c
test_rand.c
test_rsa.c
ui.c
ui.h
undef.h
validate.c
version-script.map
x25519_ref10.h
hdb
heimdal
hx509
ipc
kadm5
kafs
kdfs
krb5
libedit
ntlm
otp
roken
sl
sqlite
vers
wind
Makefile.am
NTMakefile
nix
packages
po
tests
tools
windows
.gitignore
.travis.yml
CODE_OF_CONDUCT.md
ChangeLog
ChangeLog.1998
ChangeLog.1999
ChangeLog.2000
ChangeLog.2001
ChangeLog.2002
ChangeLog.2003
ChangeLog.2004
ChangeLog.2005
ChangeLog.2006
ChangeLog.2007
LICENSE
Makefile.am
Makefile.am.common
NEWS
NTMakefile
README
README.fast
README.md
SECURITY.md
TODO
acinclude.m4
appveyor.yml
autogen.sh
configure.ac
flake.lock
flake.nix
krb5.conf
heimdal/lib/hcrypto/libtommath/bn_mp_sqrtmod_prime.c
Luke Howard c403b66082 hcrypto: import libtommath v1.2.0
2020-04-24 11:59:54 +10:00

119 lines
4.4 KiB
C
Raw Permalink Blame History

#include "tommath_private.h"
#ifdef BN_MP_SQRTMOD_PRIME_C
/* LibTomMath, multiple-precision integer library -- Tom St Denis */
/* SPDX-License-Identifier: Unlicense */
/* Tonelli-Shanks algorithm
* https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm
* https://gmplib.org/list-archives/gmp-discuss/2013-April/005300.html
*
*/
mp_err mp_sqrtmod_prime(const mp_int *n, const mp_int *prime, mp_int *ret)
{
mp_err err;
int legendre;
mp_int t1, C, Q, S, Z, M, T, R, two;
mp_digit i;
/* first handle the simple cases */
if (mp_cmp_d(n, 0uL) == MP_EQ) {
mp_zero(ret);
return MP_OKAY;
}
if (mp_cmp_d(prime, 2uL) == MP_EQ) return MP_VAL; /* prime must be odd */
if ((err = mp_kronecker(n, prime, &legendre)) != MP_OKAY) return err;
if (legendre == -1) return MP_VAL; /* quadratic non-residue mod prime */
if ((err = mp_init_multi(&t1, &C, &Q, &S, &Z, &M, &T, &R, &two, NULL)) != MP_OKAY) {
return err;
}
/* SPECIAL CASE: if prime mod 4 == 3
* compute directly: err = n^(prime+1)/4 mod prime
* Handbook of Applied Cryptography algorithm 3.36
*/
if ((err = mp_mod_d(prime, 4uL, &i)) != MP_OKAY) goto cleanup;
if (i == 3u) {
if ((err = mp_add_d(prime, 1uL, &t1)) != MP_OKAY) goto cleanup;
if ((err = mp_div_2(&t1, &t1)) != MP_OKAY) goto cleanup;
if ((err = mp_div_2(&t1, &t1)) != MP_OKAY) goto cleanup;
if ((err = mp_exptmod(n, &t1, prime, ret)) != MP_OKAY) goto cleanup;
err = MP_OKAY;
goto cleanup;
}
/* NOW: Tonelli-Shanks algorithm */
/* factor out powers of 2 from prime-1, defining Q and S as: prime-1 = Q*2^S */
if ((err = mp_copy(prime, &Q)) != MP_OKAY) goto cleanup;
if ((err = mp_sub_d(&Q, 1uL, &Q)) != MP_OKAY) goto cleanup;
/* Q = prime - 1 */
mp_zero(&S);
/* S = 0 */
while (MP_IS_EVEN(&Q)) {
if ((err = mp_div_2(&Q, &Q)) != MP_OKAY) goto cleanup;
/* Q = Q / 2 */
if ((err = mp_add_d(&S, 1uL, &S)) != MP_OKAY) goto cleanup;
/* S = S + 1 */
}
/* find a Z such that the Legendre symbol (Z|prime) == -1 */
mp_set_u32(&Z, 2u);
/* Z = 2 */
for (;;) {
if ((err = mp_kronecker(&Z, prime, &legendre)) != MP_OKAY) goto cleanup;
if (legendre == -1) break;
if ((err = mp_add_d(&Z, 1uL, &Z)) != MP_OKAY) goto cleanup;
/* Z = Z + 1 */
}
if ((err = mp_exptmod(&Z, &Q, prime, &C)) != MP_OKAY) goto cleanup;
/* C = Z ^ Q mod prime */
if ((err = mp_add_d(&Q, 1uL, &t1)) != MP_OKAY) goto cleanup;
if ((err = mp_div_2(&t1, &t1)) != MP_OKAY) goto cleanup;
/* t1 = (Q + 1) / 2 */
if ((err = mp_exptmod(n, &t1, prime, &R)) != MP_OKAY) goto cleanup;
/* R = n ^ ((Q + 1) / 2) mod prime */
if ((err = mp_exptmod(n, &Q, prime, &T)) != MP_OKAY) goto cleanup;
/* T = n ^ Q mod prime */
if ((err = mp_copy(&S, &M)) != MP_OKAY) goto cleanup;
/* M = S */
mp_set_u32(&two, 2u);
for (;;) {
if ((err = mp_copy(&T, &t1)) != MP_OKAY) goto cleanup;
i = 0;
for (;;) {
if (mp_cmp_d(&t1, 1uL) == MP_EQ) break;
if ((err = mp_exptmod(&t1, &two, prime, &t1)) != MP_OKAY) goto cleanup;
i++;
}
if (i == 0u) {
if ((err = mp_copy(&R, ret)) != MP_OKAY) goto cleanup;
err = MP_OKAY;
goto cleanup;
}
if ((err = mp_sub_d(&M, i, &t1)) != MP_OKAY) goto cleanup;
if ((err = mp_sub_d(&t1, 1uL, &t1)) != MP_OKAY) goto cleanup;
if ((err = mp_exptmod(&two, &t1, prime, &t1)) != MP_OKAY) goto cleanup;
/* t1 = 2 ^ (M - i - 1) */
if ((err = mp_exptmod(&C, &t1, prime, &t1)) != MP_OKAY) goto cleanup;
/* t1 = C ^ (2 ^ (M - i - 1)) mod prime */
if ((err = mp_sqrmod(&t1, prime, &C)) != MP_OKAY) goto cleanup;
/* C = (t1 * t1) mod prime */
if ((err = mp_mulmod(&R, &t1, prime, &R)) != MP_OKAY) goto cleanup;
/* R = (R * t1) mod prime */
if ((err = mp_mulmod(&T, &C, prime, &T)) != MP_OKAY) goto cleanup;
/* T = (T * C) mod prime */
mp_set(&M, i);
/* M = i */
}
cleanup:
mp_clear_multi(&t1, &C, &Q, &S, &Z, &M, &T, &R, &two, NULL);
return err;
}
#endif
Reference in New Issue View Git Blame Copy Permalink