1e1051a39Sopenharmony_ci/* 2e1051a39Sopenharmony_ci * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. 3e1051a39Sopenharmony_ci * 4e1051a39Sopenharmony_ci * Licensed under the Apache License 2.0 (the "License"). You may not use 5e1051a39Sopenharmony_ci * this file except in compliance with the License. You can obtain a copy 6e1051a39Sopenharmony_ci * in the file LICENSE in the source distribution or at 7e1051a39Sopenharmony_ci * https://www.openssl.org/source/license.html 8e1051a39Sopenharmony_ci */ 9e1051a39Sopenharmony_ci 10e1051a39Sopenharmony_ci#include "internal/cryptlib.h" 11e1051a39Sopenharmony_ci#include "bn_local.h" 12e1051a39Sopenharmony_ci 13e1051a39Sopenharmony_ciBIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) 14e1051a39Sopenharmony_ci/* 15e1051a39Sopenharmony_ci * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks 16e1051a39Sopenharmony_ci * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number 17e1051a39Sopenharmony_ci * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or 18e1051a39Sopenharmony_ci * an incorrect "result" will be returned. 19e1051a39Sopenharmony_ci */ 20e1051a39Sopenharmony_ci{ 21e1051a39Sopenharmony_ci BIGNUM *ret = in; 22e1051a39Sopenharmony_ci int err = 1; 23e1051a39Sopenharmony_ci int r; 24e1051a39Sopenharmony_ci BIGNUM *A, *b, *q, *t, *x, *y; 25e1051a39Sopenharmony_ci int e, i, j; 26e1051a39Sopenharmony_ci int used_ctx = 0; 27e1051a39Sopenharmony_ci 28e1051a39Sopenharmony_ci if (!BN_is_odd(p) || BN_abs_is_word(p, 1)) { 29e1051a39Sopenharmony_ci if (BN_abs_is_word(p, 2)) { 30e1051a39Sopenharmony_ci if (ret == NULL) 31e1051a39Sopenharmony_ci ret = BN_new(); 32e1051a39Sopenharmony_ci if (ret == NULL) 33e1051a39Sopenharmony_ci goto end; 34e1051a39Sopenharmony_ci if (!BN_set_word(ret, BN_is_bit_set(a, 0))) { 35e1051a39Sopenharmony_ci if (ret != in) 36e1051a39Sopenharmony_ci BN_free(ret); 37e1051a39Sopenharmony_ci return NULL; 38e1051a39Sopenharmony_ci } 39e1051a39Sopenharmony_ci bn_check_top(ret); 40e1051a39Sopenharmony_ci return ret; 41e1051a39Sopenharmony_ci } 42e1051a39Sopenharmony_ci 43e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_BN, BN_R_P_IS_NOT_PRIME); 44e1051a39Sopenharmony_ci return NULL; 45e1051a39Sopenharmony_ci } 46e1051a39Sopenharmony_ci 47e1051a39Sopenharmony_ci if (BN_is_zero(a) || BN_is_one(a)) { 48e1051a39Sopenharmony_ci if (ret == NULL) 49e1051a39Sopenharmony_ci ret = BN_new(); 50e1051a39Sopenharmony_ci if (ret == NULL) 51e1051a39Sopenharmony_ci goto end; 52e1051a39Sopenharmony_ci if (!BN_set_word(ret, BN_is_one(a))) { 53e1051a39Sopenharmony_ci if (ret != in) 54e1051a39Sopenharmony_ci BN_free(ret); 55e1051a39Sopenharmony_ci return NULL; 56e1051a39Sopenharmony_ci } 57e1051a39Sopenharmony_ci bn_check_top(ret); 58e1051a39Sopenharmony_ci return ret; 59e1051a39Sopenharmony_ci } 60e1051a39Sopenharmony_ci 61e1051a39Sopenharmony_ci BN_CTX_start(ctx); 62e1051a39Sopenharmony_ci used_ctx = 1; 63e1051a39Sopenharmony_ci A = BN_CTX_get(ctx); 64e1051a39Sopenharmony_ci b = BN_CTX_get(ctx); 65e1051a39Sopenharmony_ci q = BN_CTX_get(ctx); 66e1051a39Sopenharmony_ci t = BN_CTX_get(ctx); 67e1051a39Sopenharmony_ci x = BN_CTX_get(ctx); 68e1051a39Sopenharmony_ci y = BN_CTX_get(ctx); 69e1051a39Sopenharmony_ci if (y == NULL) 70e1051a39Sopenharmony_ci goto end; 71e1051a39Sopenharmony_ci 72e1051a39Sopenharmony_ci if (ret == NULL) 73e1051a39Sopenharmony_ci ret = BN_new(); 74e1051a39Sopenharmony_ci if (ret == NULL) 75e1051a39Sopenharmony_ci goto end; 76e1051a39Sopenharmony_ci 77e1051a39Sopenharmony_ci /* A = a mod p */ 78e1051a39Sopenharmony_ci if (!BN_nnmod(A, a, p, ctx)) 79e1051a39Sopenharmony_ci goto end; 80e1051a39Sopenharmony_ci 81e1051a39Sopenharmony_ci /* now write |p| - 1 as 2^e*q where q is odd */ 82e1051a39Sopenharmony_ci e = 1; 83e1051a39Sopenharmony_ci while (!BN_is_bit_set(p, e)) 84e1051a39Sopenharmony_ci e++; 85e1051a39Sopenharmony_ci /* we'll set q later (if needed) */ 86e1051a39Sopenharmony_ci 87e1051a39Sopenharmony_ci if (e == 1) { 88e1051a39Sopenharmony_ci /*- 89e1051a39Sopenharmony_ci * The easy case: (|p|-1)/2 is odd, so 2 has an inverse 90e1051a39Sopenharmony_ci * modulo (|p|-1)/2, and square roots can be computed 91e1051a39Sopenharmony_ci * directly by modular exponentiation. 92e1051a39Sopenharmony_ci * We have 93e1051a39Sopenharmony_ci * 2 * (|p|+1)/4 == 1 (mod (|p|-1)/2), 94e1051a39Sopenharmony_ci * so we can use exponent (|p|+1)/4, i.e. (|p|-3)/4 + 1. 95e1051a39Sopenharmony_ci */ 96e1051a39Sopenharmony_ci if (!BN_rshift(q, p, 2)) 97e1051a39Sopenharmony_ci goto end; 98e1051a39Sopenharmony_ci q->neg = 0; 99e1051a39Sopenharmony_ci if (!BN_add_word(q, 1)) 100e1051a39Sopenharmony_ci goto end; 101e1051a39Sopenharmony_ci if (!BN_mod_exp(ret, A, q, p, ctx)) 102e1051a39Sopenharmony_ci goto end; 103e1051a39Sopenharmony_ci err = 0; 104e1051a39Sopenharmony_ci goto vrfy; 105e1051a39Sopenharmony_ci } 106e1051a39Sopenharmony_ci 107e1051a39Sopenharmony_ci if (e == 2) { 108e1051a39Sopenharmony_ci /*- 109e1051a39Sopenharmony_ci * |p| == 5 (mod 8) 110e1051a39Sopenharmony_ci * 111e1051a39Sopenharmony_ci * In this case 2 is always a non-square since 112e1051a39Sopenharmony_ci * Legendre(2,p) = (-1)^((p^2-1)/8) for any odd prime. 113e1051a39Sopenharmony_ci * So if a really is a square, then 2*a is a non-square. 114e1051a39Sopenharmony_ci * Thus for 115e1051a39Sopenharmony_ci * b := (2*a)^((|p|-5)/8), 116e1051a39Sopenharmony_ci * i := (2*a)*b^2 117e1051a39Sopenharmony_ci * we have 118e1051a39Sopenharmony_ci * i^2 = (2*a)^((1 + (|p|-5)/4)*2) 119e1051a39Sopenharmony_ci * = (2*a)^((p-1)/2) 120e1051a39Sopenharmony_ci * = -1; 121e1051a39Sopenharmony_ci * so if we set 122e1051a39Sopenharmony_ci * x := a*b*(i-1), 123e1051a39Sopenharmony_ci * then 124e1051a39Sopenharmony_ci * x^2 = a^2 * b^2 * (i^2 - 2*i + 1) 125e1051a39Sopenharmony_ci * = a^2 * b^2 * (-2*i) 126e1051a39Sopenharmony_ci * = a*(-i)*(2*a*b^2) 127e1051a39Sopenharmony_ci * = a*(-i)*i 128e1051a39Sopenharmony_ci * = a. 129e1051a39Sopenharmony_ci * 130e1051a39Sopenharmony_ci * (This is due to A.O.L. Atkin, 131e1051a39Sopenharmony_ci * Subject: Square Roots and Cognate Matters modulo p=8n+5. 132e1051a39Sopenharmony_ci * URL: https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind9211&L=NMBRTHRY&P=4026 133e1051a39Sopenharmony_ci * November 1992.) 134e1051a39Sopenharmony_ci */ 135e1051a39Sopenharmony_ci 136e1051a39Sopenharmony_ci /* t := 2*a */ 137e1051a39Sopenharmony_ci if (!BN_mod_lshift1_quick(t, A, p)) 138e1051a39Sopenharmony_ci goto end; 139e1051a39Sopenharmony_ci 140e1051a39Sopenharmony_ci /* b := (2*a)^((|p|-5)/8) */ 141e1051a39Sopenharmony_ci if (!BN_rshift(q, p, 3)) 142e1051a39Sopenharmony_ci goto end; 143e1051a39Sopenharmony_ci q->neg = 0; 144e1051a39Sopenharmony_ci if (!BN_mod_exp(b, t, q, p, ctx)) 145e1051a39Sopenharmony_ci goto end; 146e1051a39Sopenharmony_ci 147e1051a39Sopenharmony_ci /* y := b^2 */ 148e1051a39Sopenharmony_ci if (!BN_mod_sqr(y, b, p, ctx)) 149e1051a39Sopenharmony_ci goto end; 150e1051a39Sopenharmony_ci 151e1051a39Sopenharmony_ci /* t := (2*a)*b^2 - 1 */ 152e1051a39Sopenharmony_ci if (!BN_mod_mul(t, t, y, p, ctx)) 153e1051a39Sopenharmony_ci goto end; 154e1051a39Sopenharmony_ci if (!BN_sub_word(t, 1)) 155e1051a39Sopenharmony_ci goto end; 156e1051a39Sopenharmony_ci 157e1051a39Sopenharmony_ci /* x = a*b*t */ 158e1051a39Sopenharmony_ci if (!BN_mod_mul(x, A, b, p, ctx)) 159e1051a39Sopenharmony_ci goto end; 160e1051a39Sopenharmony_ci if (!BN_mod_mul(x, x, t, p, ctx)) 161e1051a39Sopenharmony_ci goto end; 162e1051a39Sopenharmony_ci 163e1051a39Sopenharmony_ci if (!BN_copy(ret, x)) 164e1051a39Sopenharmony_ci goto end; 165e1051a39Sopenharmony_ci err = 0; 166e1051a39Sopenharmony_ci goto vrfy; 167e1051a39Sopenharmony_ci } 168e1051a39Sopenharmony_ci 169e1051a39Sopenharmony_ci /* 170e1051a39Sopenharmony_ci * e > 2, so we really have to use the Tonelli/Shanks algorithm. First, 171e1051a39Sopenharmony_ci * find some y that is not a square. 172e1051a39Sopenharmony_ci */ 173e1051a39Sopenharmony_ci if (!BN_copy(q, p)) 174e1051a39Sopenharmony_ci goto end; /* use 'q' as temp */ 175e1051a39Sopenharmony_ci q->neg = 0; 176e1051a39Sopenharmony_ci i = 2; 177e1051a39Sopenharmony_ci do { 178e1051a39Sopenharmony_ci /* 179e1051a39Sopenharmony_ci * For efficiency, try small numbers first; if this fails, try random 180e1051a39Sopenharmony_ci * numbers. 181e1051a39Sopenharmony_ci */ 182e1051a39Sopenharmony_ci if (i < 22) { 183e1051a39Sopenharmony_ci if (!BN_set_word(y, i)) 184e1051a39Sopenharmony_ci goto end; 185e1051a39Sopenharmony_ci } else { 186e1051a39Sopenharmony_ci if (!BN_priv_rand_ex(y, BN_num_bits(p), 0, 0, 0, ctx)) 187e1051a39Sopenharmony_ci goto end; 188e1051a39Sopenharmony_ci if (BN_ucmp(y, p) >= 0) { 189e1051a39Sopenharmony_ci if (!(p->neg ? BN_add : BN_sub) (y, y, p)) 190e1051a39Sopenharmony_ci goto end; 191e1051a39Sopenharmony_ci } 192e1051a39Sopenharmony_ci /* now 0 <= y < |p| */ 193e1051a39Sopenharmony_ci if (BN_is_zero(y)) 194e1051a39Sopenharmony_ci if (!BN_set_word(y, i)) 195e1051a39Sopenharmony_ci goto end; 196e1051a39Sopenharmony_ci } 197e1051a39Sopenharmony_ci 198e1051a39Sopenharmony_ci r = BN_kronecker(y, q, ctx); /* here 'q' is |p| */ 199e1051a39Sopenharmony_ci if (r < -1) 200e1051a39Sopenharmony_ci goto end; 201e1051a39Sopenharmony_ci if (r == 0) { 202e1051a39Sopenharmony_ci /* m divides p */ 203e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_BN, BN_R_P_IS_NOT_PRIME); 204e1051a39Sopenharmony_ci goto end; 205e1051a39Sopenharmony_ci } 206e1051a39Sopenharmony_ci } 207e1051a39Sopenharmony_ci while (r == 1 && ++i < 82); 208e1051a39Sopenharmony_ci 209e1051a39Sopenharmony_ci if (r != -1) { 210e1051a39Sopenharmony_ci /* 211e1051a39Sopenharmony_ci * Many rounds and still no non-square -- this is more likely a bug 212e1051a39Sopenharmony_ci * than just bad luck. Even if p is not prime, we should have found 213e1051a39Sopenharmony_ci * some y such that r == -1. 214e1051a39Sopenharmony_ci */ 215e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS); 216e1051a39Sopenharmony_ci goto end; 217e1051a39Sopenharmony_ci } 218e1051a39Sopenharmony_ci 219e1051a39Sopenharmony_ci /* Here's our actual 'q': */ 220e1051a39Sopenharmony_ci if (!BN_rshift(q, q, e)) 221e1051a39Sopenharmony_ci goto end; 222e1051a39Sopenharmony_ci 223e1051a39Sopenharmony_ci /* 224e1051a39Sopenharmony_ci * Now that we have some non-square, we can find an element of order 2^e 225e1051a39Sopenharmony_ci * by computing its q'th power. 226e1051a39Sopenharmony_ci */ 227e1051a39Sopenharmony_ci if (!BN_mod_exp(y, y, q, p, ctx)) 228e1051a39Sopenharmony_ci goto end; 229e1051a39Sopenharmony_ci if (BN_is_one(y)) { 230e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_BN, BN_R_P_IS_NOT_PRIME); 231e1051a39Sopenharmony_ci goto end; 232e1051a39Sopenharmony_ci } 233e1051a39Sopenharmony_ci 234e1051a39Sopenharmony_ci /*- 235e1051a39Sopenharmony_ci * Now we know that (if p is indeed prime) there is an integer 236e1051a39Sopenharmony_ci * k, 0 <= k < 2^e, such that 237e1051a39Sopenharmony_ci * 238e1051a39Sopenharmony_ci * a^q * y^k == 1 (mod p). 239e1051a39Sopenharmony_ci * 240e1051a39Sopenharmony_ci * As a^q is a square and y is not, k must be even. 241e1051a39Sopenharmony_ci * q+1 is even, too, so there is an element 242e1051a39Sopenharmony_ci * 243e1051a39Sopenharmony_ci * X := a^((q+1)/2) * y^(k/2), 244e1051a39Sopenharmony_ci * 245e1051a39Sopenharmony_ci * and it satisfies 246e1051a39Sopenharmony_ci * 247e1051a39Sopenharmony_ci * X^2 = a^q * a * y^k 248e1051a39Sopenharmony_ci * = a, 249e1051a39Sopenharmony_ci * 250e1051a39Sopenharmony_ci * so it is the square root that we are looking for. 251e1051a39Sopenharmony_ci */ 252e1051a39Sopenharmony_ci 253e1051a39Sopenharmony_ci /* t := (q-1)/2 (note that q is odd) */ 254e1051a39Sopenharmony_ci if (!BN_rshift1(t, q)) 255e1051a39Sopenharmony_ci goto end; 256e1051a39Sopenharmony_ci 257e1051a39Sopenharmony_ci /* x := a^((q-1)/2) */ 258e1051a39Sopenharmony_ci if (BN_is_zero(t)) { /* special case: p = 2^e + 1 */ 259e1051a39Sopenharmony_ci if (!BN_nnmod(t, A, p, ctx)) 260e1051a39Sopenharmony_ci goto end; 261e1051a39Sopenharmony_ci if (BN_is_zero(t)) { 262e1051a39Sopenharmony_ci /* special case: a == 0 (mod p) */ 263e1051a39Sopenharmony_ci BN_zero(ret); 264e1051a39Sopenharmony_ci err = 0; 265e1051a39Sopenharmony_ci goto end; 266e1051a39Sopenharmony_ci } else if (!BN_one(x)) 267e1051a39Sopenharmony_ci goto end; 268e1051a39Sopenharmony_ci } else { 269e1051a39Sopenharmony_ci if (!BN_mod_exp(x, A, t, p, ctx)) 270e1051a39Sopenharmony_ci goto end; 271e1051a39Sopenharmony_ci if (BN_is_zero(x)) { 272e1051a39Sopenharmony_ci /* special case: a == 0 (mod p) */ 273e1051a39Sopenharmony_ci BN_zero(ret); 274e1051a39Sopenharmony_ci err = 0; 275e1051a39Sopenharmony_ci goto end; 276e1051a39Sopenharmony_ci } 277e1051a39Sopenharmony_ci } 278e1051a39Sopenharmony_ci 279e1051a39Sopenharmony_ci /* b := a*x^2 (= a^q) */ 280e1051a39Sopenharmony_ci if (!BN_mod_sqr(b, x, p, ctx)) 281e1051a39Sopenharmony_ci goto end; 282e1051a39Sopenharmony_ci if (!BN_mod_mul(b, b, A, p, ctx)) 283e1051a39Sopenharmony_ci goto end; 284e1051a39Sopenharmony_ci 285e1051a39Sopenharmony_ci /* x := a*x (= a^((q+1)/2)) */ 286e1051a39Sopenharmony_ci if (!BN_mod_mul(x, x, A, p, ctx)) 287e1051a39Sopenharmony_ci goto end; 288e1051a39Sopenharmony_ci 289e1051a39Sopenharmony_ci while (1) { 290e1051a39Sopenharmony_ci /*- 291e1051a39Sopenharmony_ci * Now b is a^q * y^k for some even k (0 <= k < 2^E 292e1051a39Sopenharmony_ci * where E refers to the original value of e, which we 293e1051a39Sopenharmony_ci * don't keep in a variable), and x is a^((q+1)/2) * y^(k/2). 294e1051a39Sopenharmony_ci * 295e1051a39Sopenharmony_ci * We have a*b = x^2, 296e1051a39Sopenharmony_ci * y^2^(e-1) = -1, 297e1051a39Sopenharmony_ci * b^2^(e-1) = 1. 298e1051a39Sopenharmony_ci */ 299e1051a39Sopenharmony_ci 300e1051a39Sopenharmony_ci if (BN_is_one(b)) { 301e1051a39Sopenharmony_ci if (!BN_copy(ret, x)) 302e1051a39Sopenharmony_ci goto end; 303e1051a39Sopenharmony_ci err = 0; 304e1051a39Sopenharmony_ci goto vrfy; 305e1051a39Sopenharmony_ci } 306e1051a39Sopenharmony_ci 307e1051a39Sopenharmony_ci /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */ 308e1051a39Sopenharmony_ci for (i = 1; i < e; i++) { 309e1051a39Sopenharmony_ci if (i == 1) { 310e1051a39Sopenharmony_ci if (!BN_mod_sqr(t, b, p, ctx)) 311e1051a39Sopenharmony_ci goto end; 312e1051a39Sopenharmony_ci 313e1051a39Sopenharmony_ci } else { 314e1051a39Sopenharmony_ci if (!BN_mod_mul(t, t, t, p, ctx)) 315e1051a39Sopenharmony_ci goto end; 316e1051a39Sopenharmony_ci } 317e1051a39Sopenharmony_ci if (BN_is_one(t)) 318e1051a39Sopenharmony_ci break; 319e1051a39Sopenharmony_ci } 320e1051a39Sopenharmony_ci /* If not found, a is not a square or p is not prime. */ 321e1051a39Sopenharmony_ci if (i >= e) { 322e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_BN, BN_R_NOT_A_SQUARE); 323e1051a39Sopenharmony_ci goto end; 324e1051a39Sopenharmony_ci } 325e1051a39Sopenharmony_ci 326e1051a39Sopenharmony_ci /* t := y^2^(e - i - 1) */ 327e1051a39Sopenharmony_ci if (!BN_copy(t, y)) 328e1051a39Sopenharmony_ci goto end; 329e1051a39Sopenharmony_ci for (j = e - i - 1; j > 0; j--) { 330e1051a39Sopenharmony_ci if (!BN_mod_sqr(t, t, p, ctx)) 331e1051a39Sopenharmony_ci goto end; 332e1051a39Sopenharmony_ci } 333e1051a39Sopenharmony_ci if (!BN_mod_mul(y, t, t, p, ctx)) 334e1051a39Sopenharmony_ci goto end; 335e1051a39Sopenharmony_ci if (!BN_mod_mul(x, x, t, p, ctx)) 336e1051a39Sopenharmony_ci goto end; 337e1051a39Sopenharmony_ci if (!BN_mod_mul(b, b, y, p, ctx)) 338e1051a39Sopenharmony_ci goto end; 339e1051a39Sopenharmony_ci e = i; 340e1051a39Sopenharmony_ci } 341e1051a39Sopenharmony_ci 342e1051a39Sopenharmony_ci vrfy: 343e1051a39Sopenharmony_ci if (!err) { 344e1051a39Sopenharmony_ci /* 345e1051a39Sopenharmony_ci * verify the result -- the input might have been not a square (test 346e1051a39Sopenharmony_ci * added in 0.9.8) 347e1051a39Sopenharmony_ci */ 348e1051a39Sopenharmony_ci 349e1051a39Sopenharmony_ci if (!BN_mod_sqr(x, ret, p, ctx)) 350e1051a39Sopenharmony_ci err = 1; 351e1051a39Sopenharmony_ci 352e1051a39Sopenharmony_ci if (!err && 0 != BN_cmp(x, A)) { 353e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_BN, BN_R_NOT_A_SQUARE); 354e1051a39Sopenharmony_ci err = 1; 355e1051a39Sopenharmony_ci } 356e1051a39Sopenharmony_ci } 357e1051a39Sopenharmony_ci 358e1051a39Sopenharmony_ci end: 359e1051a39Sopenharmony_ci if (err) { 360e1051a39Sopenharmony_ci if (ret != in) 361e1051a39Sopenharmony_ci BN_clear_free(ret); 362e1051a39Sopenharmony_ci ret = NULL; 363e1051a39Sopenharmony_ci } 364e1051a39Sopenharmony_ci if (used_ctx) 365e1051a39Sopenharmony_ci BN_CTX_end(ctx); 366e1051a39Sopenharmony_ci bn_check_top(ret); 367e1051a39Sopenharmony_ci return ret; 368e1051a39Sopenharmony_ci} 369