func RabinMiller(p *big.Int) bool {
pdec := new(big.Int).Sub(p, big.NewInt(1)) // = p - 1
big2 := big.NewInt(2)
for i := 0; i < 20; i++ {
x := RandNumSmaller(p)
stg := new(big.Int).Exp(x, pdec, p) // = x^(p-1) mod p
if stg.Cmp(big1) != 0 {
return false
}
// test na Carmichaelova cisla (kontrola zda x^[(p-1)/2] je +1 nebo -1)
p2 := new(big.Int).Rsh(p, 1) // = (p - 1)/2
for {
stg.Exp(x, p2, p)
if stg.Cmp(pdec) == 0 {
break
}
if stg.Cmp(big1) != 0 {
return false
}
_, res := p2.Div(p2, big2)
if res.Cmp(big1) == 0 {
break
}
}
}
return true
}
// Verify verifies the signature in r, s of hash using the public key, pub. It
// returns true iff the signature is valid.
func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
// FIPS 186-3, section 4.7
if r.Sign() < 1 || r.Cmp(pub.Q) >= 0 {
return false
}
if s.Sign() < 1 || s.Cmp(pub.Q) >= 0 {
return false
}
w := new(big.Int).ModInverse(s, pub.Q)
n := pub.Q.BitLen()
if n&7 != 0 {
return false
}
n >>= 3
if n > len(hash) {
n = len(hash)
}
z := new(big.Int).SetBytes(hash[:n])
u1 := new(big.Int).Mul(z, w)
u1.Mod(u1, pub.Q)
u2 := w.Mul(r, w)
u2.Mod(u2, pub.Q)
v := u1.Exp(pub.G, u1, pub.P)
u2.Exp(pub.Y, u2, pub.P)
v.Mul(v, u2)
v.Mod(v, pub.P)
v.Mod(v, pub.Q)
return v.Cmp(r) == 0
}
func info(a *big.Int, n uint) {
dtrunc := int64(float64(a.BitLen())*.30103) - 10
var first, rest big.Int
rest.Exp(first.SetInt64(10), rest.SetInt64(dtrunc), nil)
first.Quo(a, &rest)
fstr := first.String()
fmt.Printf("%d! begins %s... and has %d digits.\n",
n, fstr, int64(len(fstr))+dtrunc)
}
func (curve *Curve) double(p *Point) *Point {
fmt.Printf("d")
lambda_numerator := new(big.Int)
lambda_denominator := new(big.Int)
lambda := new(big.Int)
lambda_numerator.Exp(p.X, BigTwo, curve.P)
lambda_numerator.Mul(lambda_numerator, BigThree)
lambda_numerator.Add(lambda_numerator, curve.A)
lambda_denominator.Mul(BigTwo, p.Y)
lambda_denominator, ok := modInverse(lambda_denominator, curve.P)
if !ok {
fmt.Printf("Its not OKAY\n")
return nil
}
lambda.Mul(lambda_numerator, lambda_denominator)
lambda = lambda.Mod(lambda, curve.P)
p3 := NewPoint()
temp := new(big.Int)
temp2 := new(big.Int)
//temp3 := new(big.Int)
//temp4 := new(big.Int)
//temp5 := new(big.Int)
//temp6 := new(big.Int)
p3.X.Sub(temp.Exp(lambda, BigTwo, curve.P), temp2.Mul(BigTwo, p.X))
p3.X = p3.X.Mod(p3.X, curve.P)
p3.Y.Sub(p.X, p3.X)
p3.Y.Mul(p3.Y, lambda)
p3.Y = p3.Y.Sub(p3.Y, p.Y)
p3.Y = p3.Y.Mod(p3.Y, curve.P)
if p3.X.Cmp(BigZero) == -1 { //if X is negative
p3.X.Neg(p3.X)
p3.X.Sub(curve.P, p3.X)
}
if p3.Y.Cmp(BigZero) == -1 { //if Y is negative
p3.Y.Neg(p3.Y)
p3.Y.Sub(curve.P, p3.Y)
}
return p3
}
func recursive(in int64, value *big.Int, v vector.IntVector, primeIndex int, primes []*big.Int, winner *big.Int, winner2 *vector.IntVector) {
if in > 4000000 {
if value.Cmp(winner) < 0 || winner.Cmp(big.NewInt(-1)) == 0 {
winner.Set(value)
*winner2 = v
fmt.Println(in, winner, *winner2)
//fmt.Print(in, winner, *winner2, " (")
//for k, v := range *winner2 {
// fmt.Print(primes[k], "**", v, " * ")
//}
//fmt.Println(")")
}
return
}
for i := int64(15); i >= 1; i -= 1 {
var factor big.Int
factor.Exp(primes[primeIndex], big.NewInt(i), nil)
//fmt.Println(factor, i, primes[primeIndex])
newV := v.Copy()
newV.Push(int(i))
var newValue big.Int
newValue.Mul(value, &factor)
recursive(in*(2*i+1)-i, &newValue, newV, primeIndex+1, primes, winner, winner2)
}
}
// GenerateParameters puts a random, valid set of DSA parameters into params.
// This function takes many seconds, even on fast machines.
func GenerateParameters(params *Parameters, rand io.Reader, sizes ParameterSizes) (err os.Error) {
// This function doesn't follow FIPS 186-3 exactly in that it doesn't
// use a verification seed to generate the primes. The verification
// seed doesn't appear to be exported or used by other code and
// omitting it makes the code cleaner.
var L, N int
switch sizes {
case L1024N160:
L = 1024
N = 160
case L2048N224:
L = 2048
N = 224
case L2048N256:
L = 2048
N = 256
case L3072N256:
L = 3072
N = 256
default:
return os.ErrorString("crypto/dsa: invalid ParameterSizes")
}
qBytes := make([]byte, N/8)
pBytes := make([]byte, L/8)
q := new(big.Int)
p := new(big.Int)
rem := new(big.Int)
one := new(big.Int)
one.SetInt64(1)
GeneratePrimes:
for {
_, err = io.ReadFull(rand, qBytes)
if err != nil {
return
}
qBytes[len(qBytes)-1] |= 1
qBytes[0] |= 0x80
q.SetBytes(qBytes)
if !big.ProbablyPrime(q, numMRTests) {
continue
}
for i := 0; i < 4*L; i++ {
_, err = io.ReadFull(rand, pBytes)
if err != nil {
return
}
pBytes[len(pBytes)-1] |= 1
pBytes[0] |= 0x80
p.SetBytes(pBytes)
rem.Mod(p, q)
rem.Sub(rem, one)
p.Sub(p, rem)
if p.BitLen() < L {
continue
}
if !big.ProbablyPrime(p, numMRTests) {
continue
}
params.P = p
params.Q = q
break GeneratePrimes
}
}
h := new(big.Int)
h.SetInt64(2)
g := new(big.Int)
pm1 := new(big.Int).Sub(p, one)
e := new(big.Int).Div(pm1, q)
for {
g.Exp(h, e, p)
if g.Cmp(one) == 0 {
h.Add(h, one)
continue
}
params.G = g
return
}
panic("unreachable")
}
func encrypt(c *big.Int, pub *PublicKey, m *big.Int) *big.Int {
e := big.NewInt(int64(pub.E))
c.Exp(m, e, pub.N)
return c
}
// decrypt performs an RSA decryption, resulting in a plaintext integer. If a
// random source is given, RSA blinding is used.
func decrypt(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err os.Error) {
// TODO(agl): can we get away with reusing blinds?
if c.Cmp(priv.N) > 0 {
err = DecryptionError{}
return
}
var ir *big.Int
if random != nil {
// Blinding enabled. Blinding involves multiplying c by r^e.
// Then the decryption operation performs (m^e * r^e)^d mod n
// which equals mr mod n. The factor of r can then be removed
// by multiplying by the multiplicative inverse of r.
var r *big.Int
for {
r, err = rand.Int(random, priv.N)
if err != nil {
return
}
if r.Cmp(bigZero) == 0 {
r = bigOne
}
var ok bool
ir, ok = modInverse(r, priv.N)
if ok {
break
}
}
bigE := big.NewInt(int64(priv.E))
rpowe := new(big.Int).Exp(r, bigE, priv.N)
cCopy := new(big.Int).Set(c)
cCopy.Mul(cCopy, rpowe)
cCopy.Mod(cCopy, priv.N)
c = cCopy
}
if priv.Precomputed.Dp == nil {
m = new(big.Int).Exp(c, priv.D, priv.N)
} else {
// We have the precalculated values needed for the CRT.
m = new(big.Int).Exp(c, priv.Precomputed.Dp, priv.Primes[0])
m2 := new(big.Int).Exp(c, priv.Precomputed.Dq, priv.Primes[1])
m.Sub(m, m2)
if m.Sign() < 0 {
m.Add(m, priv.Primes[0])
}
m.Mul(m, priv.Precomputed.Qinv)
m.Mod(m, priv.Primes[0])
m.Mul(m, priv.Primes[1])
m.Add(m, m2)
for i, values := range priv.Precomputed.CRTValues {
prime := priv.Primes[2+i]
m2.Exp(c, values.Exp, prime)
m2.Sub(m2, m)
m2.Mul(m2, values.Coeff)
m2.Mod(m2, prime)
if m2.Sign() < 0 {
m2.Add(m2, prime)
}
m2.Mul(m2, values.R)
m.Add(m, m2)
}
}
if ir != nil {
// Unblind.
m.Mul(m, ir)
m.Mod(m, priv.N)
}
return
}
// decrypt performs an RSA decryption, resulting in a plaintext integer. If a
// random source is given, RSA blinding is used.
func decrypt(rand io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err os.Error) {
// TODO(agl): can we get away with reusing blinds?
if c.Cmp(priv.N) > 0 {
err = DecryptionError{}
return
}
var ir *big.Int
if rand != nil {
// Blinding enabled. Blinding involves multiplying c by r^e.
// Then the decryption operation performs (m^e * r^e)^d mod n
// which equals mr mod n. The factor of r can then be removed
// by multipling by the multiplicative inverse of r.
var r *big.Int
for {
r, err = randomNumber(rand, priv.N)
if err != nil {
return
}
if r.Cmp(bigZero) == 0 {
r = bigOne
}
var ok bool
ir, ok = modInverse(r, priv.N)
if ok {
break
}
}
bigE := big.NewInt(int64(priv.E))
rpowe := new(big.Int).Exp(r, bigE, priv.N)
c.Mul(c, rpowe)
c.Mod(c, priv.N)
}
priv.rwMutex.RLock()
if priv.dP == nil && priv.P != nil {
priv.rwMutex.RUnlock()
priv.rwMutex.Lock()
if priv.dP == nil && priv.P != nil {
priv.precompute()
}
priv.rwMutex.Unlock()
priv.rwMutex.RLock()
}
if priv.dP == nil {
m = new(big.Int).Exp(c, priv.D, priv.N)
} else {
// We have the precalculated values needed for the CRT.
m = new(big.Int).Exp(c, priv.dP, priv.P)
m2 := new(big.Int).Exp(c, priv.dQ, priv.Q)
m.Sub(m, m2)
if m.Sign() < 0 {
m.Add(m, priv.P)
}
m.Mul(m, priv.qInv)
m.Mod(m, priv.P)
m.Mul(m, priv.Q)
m.Add(m, m2)
if priv.dR != nil {
// 3-prime CRT.
m2.Exp(c, priv.dR, priv.R)
m2.Sub(m2, m)
m2.Mul(m2, priv.tr)
m2.Mod(m2, priv.R)
if m2.Sign() < 0 {
m2.Add(m2, priv.R)
}
m2.Mul(m2, priv.pq)
m.Add(m, m2)
}
}
priv.rwMutex.RUnlock()
if ir != nil {
// Unblind.
m.Mul(m, ir)
m.Mod(m, priv.N)
}
return
}
// Spocita msg^key % mod
func crypt(key, mod *big.Int, msg []byte) []byte {
a := new(big.Int).SetBytes(msg)
a.Exp(a, key, mod)
return a.Bytes()
}
