LibCrypto: Fix random generation and primality tests

It was quite silly that LibCrypto thought that 30! is a prime number! :P
2025-07-26 09:27:34 +00:00 · 2020-08-15 22:57:01 +02:00 · 2020-08-15 22:57:01 +02:00 · bbed5b99fd
commit bbed5b99fd
parent 67b24cb3a6
1 changed files with 60 additions and 28 deletions
--- a/Libraries/LibCrypto/NumberTheory/ModularFunctions.h
+++ b/Libraries/LibCrypto/NumberTheory/ModularFunctions.h
@ -272,38 +272,47 @@ inline UnsignedBigInteger LCM(const UnsignedBigInteger& a, const UnsignedBigInte
 template<size_t test_count>
 static bool MR_primality_test(UnsignedBigInteger n, const Vector<UnsignedBigInteger, test_count>& tests)
 {
-    auto prev = n.minus({ 1 });
+    // Written using Wikipedia:
-    auto b = prev;
+    // https://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test#Miller%E2%80%93Rabin_test
-    auto r = 0;
+    ASSERT(!(n < 4));
    auto predecessor = n.minus({ 1 });
    auto d = predecessor;
    size_t r = 0;
-    auto div_result = b.divided_by(2);
+    {
-    while (div_result.quotient == 0) {
+        auto div_result = d.divided_by(2);
-        div_result = b.divided_by(2);
+        while (div_result.remainder == 0) {
-        b = div_result.quotient;
+            d = div_result.quotient;
-        ++r;
+            div_result = d.divided_by(2);
            ++r;
        }
    }
    if (r == 0) {
        // n - 1 is odd, so n was even. But there is only one even prime:
        return n == 2;
    }
-    for (size_t i = 0; i < tests.size(); ++i) {
+    for (auto a : tests) {
-        auto return_ = true;
+        // Technically: ASSERT(2 <= a && a <= n - 2)
-        if (n < tests[i])
+        ASSERT(a < n);
        auto x = ModularPower(a, d, n);
        if (x == 1 || x == predecessor)
            continue;
-        auto x = ModularPower(tests[i], b, n);
+        bool skip_this_witness = false;
-        if (x == 1 || x == prev)
+        // r − 1 iterations.
-            continue;
+        for (size_t i = 0; i < r - 1; ++i) {
        for (auto d = r - 1; d != 0; --d) {
            x = ModularPower(x, 2, n);
-            if (x == 1)
+            if (x == predecessor) {
-                return false;
+                skip_this_witness = true;
            if (x == prev) {
                return_ = false;
                break;
            }
        }
-        if (return_)
+        if (skip_this_witness)
-            return false;
+            continue;
        return false; // "composite"
    }
-    return true;
+    return true; // "probably prime"
 }
 static UnsignedBigInteger random_number(const UnsignedBigInteger& min, const UnsignedBigInteger& max_excluded)
@ -329,15 +338,34 @@ static UnsignedBigInteger random_number(const UnsignedBigInteger& min, const Uns
 static bool is_probably_prime(const UnsignedBigInteger& p)
 {
-    if (p == 2 || p == 3 || p == 5)
+    // Is it a small number?
-        return true;
+    if (p < 49) {
-    if (p < 49)
+        u32 p_value = p.words()[0];
        // Is it a very small prime?
        if (p_value == 2 || p_value == 3 || p_value == 5 || p_value == 7)
            return true;
        // Is it the multiple of a very small prime?
        if (p_value % 2 == 0 || p_value % 3 == 0 || p_value % 5 == 0 || p_value % 7 == 0)
            return false;
        // Then it must be a prime, but not a very small prime, like 37.
        return true;
    }
    Vector<UnsignedBigInteger, 256> tests;
-    UnsignedBigInteger seven { 7 };
+    // Make some good initial guesses that are guaranteed to find all primes < 2^64.
-    for (size_t i = 0; i < tests.size(); ++i)
+    tests.append(UnsignedBigInteger(2));
-        tests.append(random_number(seven, p.minus(2)));
+    tests.append(UnsignedBigInteger(3));
    tests.append(UnsignedBigInteger(5));
    tests.append(UnsignedBigInteger(7));
    tests.append(UnsignedBigInteger(11));
    tests.append(UnsignedBigInteger(13));
    UnsignedBigInteger seventeen { 17 };
    for (size_t i = tests.size(); i < 256; ++i) {
        tests.append(random_number(seventeen, p.minus(2)));
    }
    // Miller-Rabin's "error" is 8^-k. In adversarial cases, it's 4^-k.
    // With 200 random numbers, this would mean an error of about 2^-400.
    // So we don't need to worry too much about the quality of the random numbers.
    return MR_primality_test(p, tests);
 }
@ -349,6 +377,10 @@ inline static UnsignedBigInteger random_big_prime(size_t bits)
    UnsignedBigInteger max = UnsignedBigInteger { 1 }.shift_left(bits).minus(1);
    for (;;) {
        auto p = random_number(min, max);
        if ((p.words()[0] & 1) == 0) {
            // An even number is definitely not a large prime.
            continue;
        }
        if (is_probably_prime(p))
            return p;
    }