|
public modPow ( |
||
| exp | ||
| n | ||
| return | ||
// Perform an RSA public key operation on input
public byte[] DoPublic(byte[] input)
{
if (input.Length != this.keylen)
throw new ArgumentException("input.Length does not match keylen");
if (ReferenceEquals(this.N, null))
throw new ArgumentException("no key set!");
BigInteger T = new BigInteger(input);
if (T >= this.N)
throw new ArgumentException("input exceeds modulus");
T = T.modPow(this.E, this.N);
byte[] b = T.getBytes();
return pad_bytes(b, this.keylen);
}
// Generate an RSA keypair
// Popular exponents are 3, 17 and 65537; the bigger it is, the slower encryption becomes
public void GenerateKeyPair(int exponent)
{
for (; ; ) {
BigInteger E = exponent;
Random rand = new Random();
int nbits = this.keylen * 8 / 2; // so that P * Q < N
// Find primes P and Q with Q < P so that:
// GCD (E, (P - 1) * (Q - 1)) == 1
BigInteger P = null;
BigInteger Q = null;
BigInteger Pmin1 = null;
BigInteger Qmin1 = null;
BigInteger H = null;
BigInteger GCD = null;
do {
P = BigInteger.genPseudoPrime(nbits, 20, rand);
Q = BigInteger.genPseudoPrime(nbits, 20, rand);
if (P == Q)
continue;
if (P < Q) {
BigInteger swap = P;
P = Q;
Q = swap;
}
Pmin1 = P - 1;
Qmin1 = Q - 1;
H = Pmin1 * Qmin1;
GCD = H.gcd(E);
}
while (GCD != 1);
// N = P * Q
// D = E^-1 mod ((P - 1) * (Q - 1))
// DP = D mod (P - 1)
// DQ = D mod (Q - 1)
// QP = Q^-1 mod P
this.N = P * Q;
this.E = E;
this.P = P;
this.Q = Q;
this.D = E.modInverse(H);
this.DP = D.modPow(1, Pmin1);
this.DQ = D.modPow(1, Qmin1);
this.QP = Q.modInverse(P);
// Check that this key actually works!
// BigInteger.genPseudoPrime (rarely) returns a non-prime
byte[] encrypt_me = new byte[this.keylen - 1];
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetBytes(encrypt_me);
encrypt_me = pad_bytes(encrypt_me, this.keylen); // ensure msg < modulus
byte[] encrypted = DoPublic(encrypt_me);
byte[] decrypted = DoPrivate(encrypted);
if (compare_bytes(encrypt_me, 0, decrypted, 0, this.keylen))
return;
}
}
//***********************************************************************
// Tests the correct implementation of the modulo exponential and
// inverse modulo functions using RSA encryption and decryption. The two
// pseudoprimes p and q are fixed, but the two RSA keys are generated
// for each round of testing.
//***********************************************************************
public static void RSATest2(int rounds)
{
Random rand = new Random();
byte[] val = new byte[64];
byte[] pseudoPrime1 = {
(byte)0x85, (byte)0x84, (byte)0x64, (byte)0xFD, (byte)0x70, (byte)0x6A,
(byte)0x9F, (byte)0xF0, (byte)0x94, (byte)0x0C, (byte)0x3E, (byte)0x2C,
(byte)0x74, (byte)0x34, (byte)0x05, (byte)0xC9, (byte)0x55, (byte)0xB3,
(byte)0x85, (byte)0x32, (byte)0x98, (byte)0x71, (byte)0xF9, (byte)0x41,
(byte)0x21, (byte)0x5F, (byte)0x02, (byte)0x9E, (byte)0xEA, (byte)0x56,
(byte)0x8D, (byte)0x8C, (byte)0x44, (byte)0xCC, (byte)0xEE, (byte)0xEE,
(byte)0x3D, (byte)0x2C, (byte)0x9D, (byte)0x2C, (byte)0x12, (byte)0x41,
(byte)0x1E, (byte)0xF1, (byte)0xC5, (byte)0x32, (byte)0xC3, (byte)0xAA,
(byte)0x31, (byte)0x4A, (byte)0x52, (byte)0xD8, (byte)0xE8, (byte)0xAF,
(byte)0x42, (byte)0xF4, (byte)0x72, (byte)0xA1, (byte)0x2A, (byte)0x0D,
(byte)0x97, (byte)0xB1, (byte)0x31, (byte)0xB3,
};
byte[] pseudoPrime2 = {
(byte)0x99, (byte)0x98, (byte)0xCA, (byte)0xB8, (byte)0x5E, (byte)0xD7,
(byte)0xE5, (byte)0xDC, (byte)0x28, (byte)0x5C, (byte)0x6F, (byte)0x0E,
(byte)0x15, (byte)0x09, (byte)0x59, (byte)0x6E, (byte)0x84, (byte)0xF3,
(byte)0x81, (byte)0xCD, (byte)0xDE, (byte)0x42, (byte)0xDC, (byte)0x93,
(byte)0xC2, (byte)0x7A, (byte)0x62, (byte)0xAC, (byte)0x6C, (byte)0xAF,
(byte)0xDE, (byte)0x74, (byte)0xE3, (byte)0xCB, (byte)0x60, (byte)0x20,
(byte)0x38, (byte)0x9C, (byte)0x21, (byte)0xC3, (byte)0xDC, (byte)0xC8,
(byte)0xA2, (byte)0x4D, (byte)0xC6, (byte)0x2A, (byte)0x35, (byte)0x7F,
(byte)0xF3, (byte)0xA9, (byte)0xE8, (byte)0x1D, (byte)0x7B, (byte)0x2C,
(byte)0x78, (byte)0xFA, (byte)0xB8, (byte)0x02, (byte)0x55, (byte)0x80,
(byte)0x9B, (byte)0xC2, (byte)0xA5, (byte)0xCB,
};
BigInteger bi_p = new BigInteger(pseudoPrime1);
BigInteger bi_q = new BigInteger(pseudoPrime2);
BigInteger bi_pq = (bi_p - 1) * (bi_q - 1);
BigInteger bi_n = bi_p * bi_q;
for (int count = 0; count < rounds; count++) {
// generate private and public key
BigInteger bi_e = bi_pq.genCoPrime(512, rand);
BigInteger bi_d = bi_e.modInverse(bi_pq);
Console.WriteLine("\ne =\n" + bi_e.ToString(10));
Console.WriteLine("\nd =\n" + bi_d.ToString(10));
Console.WriteLine("\nn =\n" + bi_n.ToString(10) + "\n");
// generate data of random length
int t1 = 0;
while (t1 == 0)
t1 = (int)(rand.NextDouble() * 65);
bool done = false;
while (!done) {
for (int i = 0; i < 64; i++) {
if (i < t1)
val[i] = (byte)(rand.NextDouble() * 256);
else
val[i] = 0;
if (val[i] != 0)
done = true;
}
}
while (val[0] == 0)
val[0] = (byte)(rand.NextDouble() * 256);
Console.Write("Round = " + count);
// encrypt and decrypt data
BigInteger bi_data = new BigInteger(val, t1);
BigInteger bi_encrypted = bi_data.modPow(bi_e, bi_n);
BigInteger bi_decrypted = bi_encrypted.modPow(bi_d, bi_n);
// compare
if (bi_decrypted != bi_data) {
Console.WriteLine("\nError at round " + count);
Console.WriteLine(bi_data + "\n");
return;
}
Console.WriteLine(" <PASSED>.");
}
}
//***********************************************************************
// Tests the correct implementation of the modulo exponential function
// using RSA encryption and decryption (using pre-computed encryption and
// decryption keys).
//***********************************************************************
public static void RSATest(int rounds)
{
Random rand = new Random(1);
byte[] val = new byte[64];
// private and public key
BigInteger bi_e = new BigInteger("a932b948feed4fb2b692609bd22164fc9edb59fae7880cc1eaff7b3c9626b7e5b241c27a974833b2622ebe09beb451917663d47232488f23a117fc97720f1e7", 16);
BigInteger bi_d = new BigInteger("4adf2f7a89da93248509347d2ae506d683dd3a16357e859a980c4f77a4e2f7a01fae289f13a851df6e9db5adaa60bfd2b162bbbe31f7c8f828261a6839311929d2cef4f864dde65e556ce43c89bbbf9f1ac5511315847ce9cc8dc92470a747b8792d6a83b0092d2e5ebaf852c85cacf34278efa99160f2f8aa7ee7214de07b7", 16);
BigInteger bi_n = new BigInteger("e8e77781f36a7b3188d711c2190b560f205a52391b3479cdb99fa010745cbeba5f2adc08e1de6bf38398a0487c4a73610d94ec36f17f3f46ad75e17bc1adfec99839589f45f95ccc94cb2a5c500b477eb3323d8cfab0c8458c96f0147a45d27e45a4d11d54d77684f65d48f15fafcc1ba208e71e921b9bd9017c16a5231af7f", 16);
Console.WriteLine("e =\n" + bi_e.ToString(10));
Console.WriteLine("\nd =\n" + bi_d.ToString(10));
Console.WriteLine("\nn =\n" + bi_n.ToString(10) + "\n");
for (int count = 0; count < rounds; count++) {
// generate data of random length
int t1 = 0;
while (t1 == 0)
t1 = (int)(rand.NextDouble() * 65);
bool done = false;
while (!done) {
for (int i = 0; i < 64; i++) {
if (i < t1)
val[i] = (byte)(rand.NextDouble() * 256);
else
val[i] = 0;
if (val[i] != 0)
done = true;
}
}
while (val[0] == 0)
val[0] = (byte)(rand.NextDouble() * 256);
Console.Write("Round = " + count);
// encrypt and decrypt data
BigInteger bi_data = new BigInteger(val, t1);
BigInteger bi_encrypted = bi_data.modPow(bi_e, bi_n);
BigInteger bi_decrypted = bi_encrypted.modPow(bi_d, bi_n);
// compare
if (bi_decrypted != bi_data) {
Console.WriteLine("\nError at round " + count);
Console.WriteLine(bi_data + "\n");
return;
}
Console.WriteLine(" <PASSED>.");
}
}
//***********************************************************************
// Probabilistic prime test based on Solovay-Strassen (Euler Criterion)
//
// p is probably prime if for any a < p (a is not multiple of p),
// a^((p-1)/2) mod p = J(a, p)
//
// where J is the Jacobi symbol.
//
// Otherwise, p is composite.
//
// Returns
// -------
// True if "this" is a Euler pseudoprime to randomly chosen
// bases. The number of chosen bases is given by the "confidence"
// parameter.
//
// False if "this" is definitely NOT prime.
//
//***********************************************************************
public bool SolovayStrassenTest(int confidence)
{
BigInteger thisVal;
if ((this.data[maxLength - 1] & 0x80000000) != 0) // negative
thisVal = -this;
else
thisVal = this;
if (thisVal.dataLength == 1) {
// test small numbers
if (thisVal.data[0] == 0 || thisVal.data[0] == 1)
return false;
else if (thisVal.data[0] == 2 || thisVal.data[0] == 3)
return true;
}
if ((thisVal.data[0] & 0x1) == 0) // even numbers
return false;
int bits = thisVal.bitCount();
BigInteger a = new BigInteger();
BigInteger p_sub1 = thisVal - 1;
BigInteger p_sub1_shift = p_sub1 >> 1;
Random rand = new Random();
for (int round = 0; round < confidence; round++) {
bool done = false;
while (!done) // generate a < n
{
int testBits = 0;
// make sure "a" has at least 2 bits
while (testBits < 2)
testBits = (int)(rand.NextDouble() * bits);
a.genRandomBits(testBits, rand);
int byteLen = a.dataLength;
// make sure "a" is not 0
if (byteLen > 1 || (byteLen == 1 && a.data[0] != 1))
done = true;
}
// check whether a factor exists (fix for version 1.03)
BigInteger gcdTest = a.gcd(thisVal);
if (gcdTest.dataLength == 1 && gcdTest.data[0] != 1)
return false;
// calculate a^((p-1)/2) mod p
BigInteger expResult = a.modPow(p_sub1_shift, thisVal);
if (expResult == p_sub1)
expResult = -1;
// calculate Jacobi symbol
BigInteger jacob = Jacobi(a, thisVal);
//Console.WriteLine("a = " + a.ToString(10) + " b = " + thisVal.ToString(10));
//Console.WriteLine("expResult = " + expResult.ToString(10) + " Jacob = " + jacob.ToString(10));
// if they are different then it is not prime
if (expResult != jacob)
return false;
}
return true;
}
//***********************************************************************
// Probabilistic prime test based on Rabin-Miller's
//
// for any p > 0 with p - 1 = 2^s * t
//
// p is probably prime (strong pseudoprime) if for any a < p,
// 1) a^t mod p = 1 or
// 2) a^((2^j)*t) mod p = p-1 for some 0 <= j <= s-1
//
// Otherwise, p is composite.
//
// Returns
// -------
// True if "this" is a strong pseudoprime to randomly chosen
// bases. The number of chosen bases is given by the "confidence"
// parameter.
//
// False if "this" is definitely NOT prime.
//
//***********************************************************************
public bool RabinMillerTest(int confidence)
{
BigInteger thisVal;
if ((this.data[maxLength - 1] & 0x80000000) != 0) // negative
thisVal = -this;
else
thisVal = this;
if (thisVal.dataLength == 1) {
// test small numbers
if (thisVal.data[0] == 0 || thisVal.data[0] == 1)
return false;
else if (thisVal.data[0] == 2 || thisVal.data[0] == 3)
return true;
}
if ((thisVal.data[0] & 0x1) == 0) // even numbers
return false;
// calculate values of s and t
BigInteger p_sub1 = thisVal - (new BigInteger(1));
int s = 0;
for (int index = 0; index < p_sub1.dataLength; index++) {
uint mask = 0x01;
for (int i = 0; i < 32; i++) {
if ((p_sub1.data[index] & mask) != 0) {
index = p_sub1.dataLength; // to break the outer loop
break;
}
mask <<= 1;
s++;
}
}
BigInteger t = p_sub1 >> s;
int bits = thisVal.bitCount();
BigInteger a = new BigInteger();
Random rand = new Random();
for (int round = 0; round < confidence; round++) {
bool done = false;
while (!done) // generate a < n
{
int testBits = 0;
// make sure "a" has at least 2 bits
while (testBits < 2)
testBits = (int)(rand.NextDouble() * bits);
a.genRandomBits(testBits, rand);
int byteLen = a.dataLength;
// make sure "a" is not 0
if (byteLen > 1 || (byteLen == 1 && a.data[0] != 1))
done = true;
}
// check whether a factor exists (fix for version 1.03)
BigInteger gcdTest = a.gcd(thisVal);
if (gcdTest.dataLength == 1 && gcdTest.data[0] != 1)
return false;
BigInteger b = a.modPow(t, thisVal);
/*
Console.WriteLine("a = " + a.ToString(10));
Console.WriteLine("b = " + b.ToString(10));
Console.WriteLine("t = " + t.ToString(10));
Console.WriteLine("s = " + s);
*/
bool result = false;
if (b.dataLength == 1 && b.data[0] == 1) // a^t mod p = 1
result = true;
for (int j = 0; result == false && j < s; j++) {
if (b == p_sub1) // a^((2^j)*t) mod p = p-1 for some 0 <= j <= s-1
{
result = true;
break;
}
b = (b * b) % thisVal;
}
if (result == false)
return false;
}
return true;
}
//***********************************************************************
// Probabilistic prime test based on Fermat's little theorem
//
// for any a < p (p does not divide a) if
// a^(p-1) mod p != 1 then p is not prime.
//
// Otherwise, p is probably prime (pseudoprime to the chosen base).
//
// Returns
// -------
// True if "this" is a pseudoprime to randomly chosen
// bases. The number of chosen bases is given by the "confidence"
// parameter.
//
// False if "this" is definitely NOT prime.
//
// Note - this method is fast but fails for Carmichael numbers except
// when the randomly chosen base is a factor of the number.
//
//***********************************************************************
public bool FermatLittleTest(int confidence)
{
BigInteger thisVal;
if ((this.data[maxLength - 1] & 0x80000000) != 0) // negative
thisVal = -this;
else
thisVal = this;
if (thisVal.dataLength == 1) {
// test small numbers
if (thisVal.data[0] == 0 || thisVal.data[0] == 1)
return false;
else if (thisVal.data[0] == 2 || thisVal.data[0] == 3)
return true;
}
if ((thisVal.data[0] & 0x1) == 0) // even numbers
return false;
int bits = thisVal.bitCount();
BigInteger a = new BigInteger();
BigInteger p_sub1 = thisVal - (new BigInteger(1));
Random rand = new Random();
for (int round = 0; round < confidence; round++) {
bool done = false;
while (!done) // generate a < n
{
int testBits = 0;
// make sure "a" has at least 2 bits
while (testBits < 2)
testBits = (int)(rand.NextDouble() * bits);
a.genRandomBits(testBits, rand);
int byteLen = a.dataLength;
// make sure "a" is not 0
if (byteLen > 1 || (byteLen == 1 && a.data[0] != 1))
done = true;
}
// check whether a factor exists (fix for version 1.03)
BigInteger gcdTest = a.gcd(thisVal);
if (gcdTest.dataLength == 1 && gcdTest.data[0] != 1)
return false;
// calculate a^(p-1) mod p
BigInteger expResult = a.modPow(p_sub1, thisVal);
int resultLen = expResult.dataLength;
// is NOT prime is a^(p-1) mod p != 1
if (resultLen > 1 || (resultLen == 1 && expResult.data[0] != 1)) {
//Console.WriteLine("a = " + a.ToString());
return false;
}
}
return true;
}