simon-git: putty (master): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Sun Mar 1 20:22:56 GMT 2020
TL;DR:
08a3547b Rework PrimeCandidateSource without the delta system.
ece78824 Introduce a vtable system for prime generation.
6b279995 Add mp_nthroot function.
20a9912c Add mp_copy_integer_into function.
2be70baa New 'Pockle' object, for verifying primality.
18be6aec PrimeCandidateSource: remember prime factors of n-1.
cfa3f8b1 PrimeCandidateSource: two extra query functions.
d711cc84 Add linear mode to the new progress reporting system.
141663ab New system for generating provable prime numbers.
925b98b5 Allow asking for provable primes in PuTTYgen.
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: master
Committer: Simon Tatham <anakin at pobox.com>
Date: 2020-03-01 20:22:56
commit 08a3547bc54051e455ac450ee536612befcb9a5a
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=08a3547bc54051e455ac450ee536612befcb9a5a;hp=8b672835c1b764c899352d3db96a2667fa855a2a
Author: Simon Tatham <anakin at pobox.com>
Date: Sun Mar 1 17:06:04 2020 +0000
Rework PrimeCandidateSource without the delta system.
Now we don't even bother with picking an mp_int base value and a small
adjustment; we just generate a random mp_int, and if it's congruent to
anything we want to avoid, throw it away and try again.
This should cause us to select completely uniformly from the candidate
values in the available range. Previously, the delta system was
introducing small skews at the start and end of the range (values very
near there were less likely to turn up because they fell within the
delta radius of a smaller set of base values).
I was worried about doing this because I thought it would be slower,
because of having to do a big pile of 'reduce mp_int mod small thing'
every time round the loop: the virtue of the delta system is that you
can set up the residues of your base value once and then try several
deltas using only normal-sized integer operations. But now I look more
closely, we were computing _all_ the residues of the base point every
time round the loop (several thousand of them), whereas now we're very
likely to be able to throw a candidate away after only two or three if
it's divisible by one of the smallest primes, which are also the ones
most likely to get in the way. So probably it's actually _faster_ than
the old system (although, since uniformity was my main aim, I haven't
timed it, only noticed that it seems to be fast _enough_).
primecandidate.c | 198 +++++++++++++++++++++++++++++++++++--------------------
1 file changed, 127 insertions(+), 71 deletions(-)
commit ece788240c3fed2a77d42a7783907fb8a29640e1
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=ece788240c3fed2a77d42a7783907fb8a29640e1;hp=08a3547bc54051e455ac450ee536612befcb9a5a
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Feb 29 09:10:47 2020 +0000
Introduce a vtable system for prime generation.
The functions primegen() and primegen_add_progress_phase() are gone.
In their place is a small vtable system with two methods corresponding
to them, plus the usual admin of allocating and freeing contexts.
This API change is the starting point for being able to drop in
different prime generation algorithms at run time in response to user
configuration.
cmdgen.c | 9 +++++--
ssh1login-server.c | 7 +++++-
ssh2kex-server.c | 13 ++++++++--
sshdssg.c | 11 +++++----
sshkeygen.h | 44 ++++++++++++++++++++++++++++------
sshprime.c | 33 ++++++++++++++++++++-----
sshrsag.c | 17 ++++++-------
test/testcrypt.py | 2 +-
testcrypt.c | 70 ++++++++++++++++++++++++++++++++++++------------------
testcrypt.h | 9 +++----
windows/winpgen.c | 9 +++++--
11 files changed, 163 insertions(+), 61 deletions(-)
commit 6b279995003bb9cac2b5e1108850ab48647b81fa
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=6b279995003bb9cac2b5e1108850ab48647b81fa;hp=ece788240c3fed2a77d42a7783907fb8a29640e1
Author: Simon Tatham <anakin at pobox.com>
Date: Tue Feb 18 20:07:55 2020 +0000
Add mp_nthroot function.
This takes ordinary integer square and cube roots (i.e. not mod
anything) of mp_ints.
mpint.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
mpint.h | 11 ++++++++
test/cryptsuite.py | 23 +++++++++++++++++
testcrypt.h | 1 +
testsc.c | 18 +++++++++++++
5 files changed, 129 insertions(+)
commit 20a9912c7c646fe12c175050e13f52ef55c487fa
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=20a9912c7c646fe12c175050e13f52ef55c487fa;hp=6b279995003bb9cac2b5e1108850ab48647b81fa
Author: Simon Tatham <anakin at pobox.com>
Date: Wed Feb 19 19:12:32 2020 +0000
Add mp_copy_integer_into function.
Even simpler than the existing mp_add_integer_into.
mpint.c | 8 ++++++++
mpint.h | 3 ++-
test/cryptsuite.py | 6 ++++--
testcrypt.h | 1 +
4 files changed, 15 insertions(+), 3 deletions(-)
commit 2be70baa0d6bf727c815c0a3f98402d8d4d3b95c
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=2be70baa0d6bf727c815c0a3f98402d8d4d3b95c;hp=20a9912c7c646fe12c175050e13f52ef55c487fa
Author: Simon Tatham <anakin at pobox.com>
Date: Sun Feb 23 15:16:30 2020 +0000
New 'Pockle' object, for verifying primality.
This implements an extended form of primality verification using
certificates based on Pocklington's theorem. You make a Pockle object,
and then try to convince it that one number after another is prime, by
means of providing it with a list of prime factors of p-1 and a
primitive root. (Or just by saying 'this prime is small enough for you
to check yourself'.)
Pocklington's theorem requires you to have factors of p-1 whose
product is at least the square root of p. I've extended that to
support factorisations only as big as the cube root, via an extension
of the theorem given in Maurer's paper on generating provable primes.
The Pockle object is more or less write-only: it has no methods for
reading out its contents. Its only output channel is the return value
when you try to insert a prime into it: if it isn't sufficiently
convinced that your prime is prime, it will return an error code. So
anything for which it returns POCKLE_OK you can be confident of.
I'm going to use this for provable prime generation. But exposing this
part of the system as an object in its own right means I can write a
set of unit tests for this specifically. My negative tests exercise
all the different ways a certification can be erroneous or inadequate;
the positive tests include proofs of primality of various primes used
in elliptic-curve crypto. The Poly1305 proof in particular is taken
from a proof in DJB's paper, which has exactly the form of a
Pocklington certificate only written in English.
Recipe | 2 +-
pockle.c | 343 +++++++++++++++++++++++++++++++++++++++++++++++++++++
sshkeygen.h | 62 ++++++++++
test/cryptsuite.py | 146 +++++++++++++++++++++++
test/testcrypt.py | 10 ++
testcrypt.c | 59 ++++++++-
testcrypt.h | 5 +
7 files changed, 621 insertions(+), 6 deletions(-)
commit 18be6aec587c83bf2ddc94536d33bec8ffbfe256
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=18be6aec587c83bf2ddc94536d33bec8ffbfe256;hp=2be70baa0d6bf727c815c0a3f98402d8d4d3b95c
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Feb 29 06:33:26 2020 +0000
PrimeCandidateSource: remember prime factors of n-1.
We already had a function pcs_require_residue_1() which lets you ask
PrimeCandidateSource to ensure it only returns numbers congruent to 1
mod a given value. pcs_require_residue_1_mod_prime() is the same, but
it also records the number in a list of prime factors of n-1, which
can be queried later.
The idea is that if you're generating a DSA key, in which the small
prime q must divide p-1, the upcoming provable generation algorithm
will be able to recover q from the PrimeCandidateSource and use it as
part of the primality certificate, which reduces the number of bits of
extra prime factors it also has to make up.
primecandidate.c | 24 ++++++++++++++++++++++++
sshdssg.c | 2 +-
sshkeygen.h | 5 +++++
testcrypt.h | 1 +
4 files changed, 31 insertions(+), 1 deletion(-)
commit cfa3f8b1929b6f954582d3820b246587878e728d
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=cfa3f8b1929b6f954582d3820b246587878e728d;hp=18be6aec587c83bf2ddc94536d33bec8ffbfe256
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Feb 29 06:47:56 2020 +0000
PrimeCandidateSource: two extra query functions.
pcs_get_upper_bound lets the holder of a PrimeCandidateSource ask what
is the largest value it might ever generate. pcs_get_bits_remaining
lets it ask how much extra entropy it's going to generate on top of
the requirements that have already been input into it.
Both of these will be needed by the upcoming provable-prime work to
decide what sizes of subsidiary prime to generate.
primecandidate.c | 15 +++++++++++++++
sshkeygen.h | 2 ++
2 files changed, 17 insertions(+)
commit d711cc849c38b6dd9d74a212efb0c8b765cebe59
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=d711cc849c38b6dd9d74a212efb0c8b765cebe59;hp=cfa3f8b1929b6f954582d3820b246587878e728d
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Feb 29 17:11:01 2020 +0000
Add linear mode to the new progress reporting system.
The old system I removed in commit 79d3c1783b had both linear and
exponential phase types, but the new one only had exponential, because
at that point I'd just thrown away all the clients of the linear phase
type. But I'm going to add another one shortly, so I have to put it
back in.
cmdgen.c | 38 +++++++++++++++++++++++++++++++++++---
sshkeygen.h | 10 ++++++++++
sshprime.c | 10 ++++++++--
windows/winpgen.c | 23 +++++++++++++++++++++++
4 files changed, 76 insertions(+), 5 deletions(-)
commit 141663abba04891a7a18e99e084e336854d67566
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=141663abba04891a7a18e99e084e336854d67566;hp=d711cc849c38b6dd9d74a212efb0c8b765cebe59
Author: Simon Tatham <anakin at pobox.com>
Date: Sun Feb 23 15:37:42 2020 +0000
New system for generating provable prime numbers.
This uses all the facilities I've been adding in previous commits. It
implements Maurer's algorithm for generating a prime together with a
Pocklington certificate of its primality, by means of recursing to
generate smaller primes to be factors of p-1 for the Pocklington
check, then doing a test Miller-Rabin iteration to quickly exclude
obvious composites, and then doing the full Pocklington check.
In my case, this means I add each prime I generate to a Pockle. So the
algorithm says: recursively generate some primes and add them to the
PrimeCandidateSource, then repeatedly get a candidate value back from
the pcs, check it with M-R, and feed it to the Pockle. If the Pockle
accepts it, then we're done (and the Pockle will then know that value
is prime when our recursive caller uses it in turn, if we have one).
A small refinement to that algorithm is that I iterate M-R until the
witness value I tried is such that it at least _might_ be a primitive
root - which is to say that M-R didn't get 1 by evaluating any power
of it smaller than n-1. That way, there's less chance of the Pockle
rejecting the witness value. And sooner or later M-R must _either_
tell me I've got a potential primitive-root witness _or_ tell me it's
shown the number to be composite.
sshkeygen.h | 3 +
sshprime.c | 582 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
testcrypt.c | 3 +
3 files changed, 588 insertions(+)
commit 925b98b57492b13dd53d7ed0d64bea3353917787
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=925b98b57492b13dd53d7ed0d64bea3353917787;hp=141663abba04891a7a18e99e084e336854d67566
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Feb 29 06:43:28 2020 +0000
Allow asking for provable primes in PuTTYgen.
In Windows PuTTYgen, this is selected by an extra set of radio-button
style menu options in the Key menu. In the command-line version,
there's a new --primes=provable option.
This whole system is new, so I'm not enabling it by default just yet.
I may in future, though: it's running faster than I expected (in
particular, a lot faster than any previous prototype of the same
algorithm I attempted in standalone Python).
cmdgen.c | 28 ++++++++++++++++++++++++++--
windows/winpgen.c | 39 +++++++++++++++++++++++++++++++++++++--
2 files changed, 63 insertions(+), 4 deletions(-)
More information about the tartarus-commits
mailing list