private void generateKeys(int k, int t, int l, BigInteger ownu)
{
if (l < 8 || l > 16)
{
throw new Exception("Choose parameter l from the interval 8<=l<=16 !");
}
if (t <= l)
{
throw new Exception("Parameter t must be greater than l.");
}
if (k <= t)
{
throw new Exception("Parameter k must be greater than t.");
}
if (k % 2 != 0)
{
throw new Exception("Parameter k has to be an even number!");
}
//if ((k / 2 < (l + 5)) || (k / 2 < t + 2))
// throw new Exception("Parameter k has to be specified by the rules k/2 > l+4 and k/2 > t+1!");
if (k / 2 < l + t + 10)
{
throw new Exception("Choose parameters k,l,t so that k/2 >= l+t+10 !");
}
// generate u the minimal prime number greater than l+2
//Workaround, TODO:
//u = (l == 0) ? ownu : BigIntegerHelper.NextProbablePrime(l + l + 2);
u = BigIntegerHelper.NextProbablePrime((1 << l) + 2);
// generate vp, vq as a random t bit prime number
vp = BigIntegerHelper.RandomPrimeBits(t);
vq = BigIntegerHelper.RandomPrimeBits(t);
// store the product vp*vq
vpvq = vp * vq;
// DGK style to generate p and q from u and v:
// p is chosen as rp * u * vp + 1 where r_p is randomly chosen such that p has roughly k/2 bits
BigInteger rp, rq, tmp;
int needed_bits;
tmp = u * vp;
needed_bits = k / 2 - (int)Math.Ceiling(BigInteger.Log(tmp, 2));
//int needed_bits = k / 2 - mpz_sizeinbase(tmp1, 2);
do
{
rp = BigIntegerHelper.RandomIntMSBSet(needed_bits - 1) * 2;
p = rp * tmp + 1;
} while (!BigIntegerHelper.IsProbablePrime(p));
// q is chosen as rq * u*vq + 1 where rq is randomly chosen such that q has roughly k/2 bits
tmp = u * vq;
needed_bits = k / 2 - (int)Math.Ceiling(BigInteger.Log(tmp, 2));
do
{
rq = BigIntegerHelper.RandomIntMSBSet(needed_bits - 1) * 2;
q = rq * tmp + 1;
} while (!BigIntegerHelper.IsProbablePrime(q));
// RSA modulus n
N = p * q;
/*
* h must be random in Zn* and have order vp*vq. We
* choose it by setting
*
* h = h' ^{rp * rq * u}.
*
* Seeing h as (hp, hq) and h' as (h'p, h'q) in Zp* x Zq*, we
* then have
*
* (hp^vpvq, hq^vpvq) = (h'p^{rp*u*vp}^(rq*vq), h'q^{rq*u*vq}^(rp*vp))
* = (1^(rq*vq), 1^(rp*vp)) = (1, 1)
*
* which means that h^(vpvq) = 1 in Zn*.
*
* So we only need to check that h is not 1 and that it really
* is in Zn*.
*/
BigInteger r;
tmp = rp * rq * u;
while (true)
{
r = BigIntegerHelper.RandomIntLimit(n);
h = BigInteger.ModPow(r, tmp, n);
if (h == 1)
{
continue;
}
if (BigInteger.GreatestCommonDivisor(h, n) == 1)
{
break;
}
}
/*
* g is chosen at random in Zn* such that it has order uv. This
* is done in much the same way as for h, but the order of
* power of the random number might be u, v or uv. We therefore
* also check that g^u and g^v are different from 1.
*/
BigInteger rprq = rp * rq;
while (true)
{
r = BigIntegerHelper.RandomIntLimit(n);
g = BigInteger.ModPow(r, rprq, n);
// test if g is "good":
if (g == 1)
{
continue;
}
if (BigInteger.GreatestCommonDivisor(g, n) != 1)
{
continue;
}
if (BigInteger.ModPow(g, u, n) == 1)
{
continue; // test if ord(g) == u
}
if (BigInteger.ModPow(g, vp, n) == 1)
{
continue; // test if ord(g) == vp
}
if (BigInteger.ModPow(g, vq, n) == 1)
{
continue; // test if ord(g) == vq
}
if (BigInteger.ModPow(g, u * vp, n) == 1)
{
continue; // test if ord(g) == u*vp
}
if (BigInteger.ModPow(g, u * vq, n) == 1)
{
continue; // test if ord(g) == u*vq
}
if (BigInteger.ModPow(g, vpvq, n) == 1)
{
continue; // test if ord(g) == vp*vq
}
break; // g has passed all tests
}
}
