...

Source file src/crypto/rand/util.go

     1	// Copyright 2011 The Go Authors. All rights reserved.
     2	// Use of this source code is governed by a BSD-style
     3	// license that can be found in the LICENSE file.
     4	
     5	package rand
     6	
     7	import (
     8		"errors"
     9		"io"
    10		"math/big"
    11	)
    12	
    13	// smallPrimes is a list of small, prime numbers that allows us to rapidly
    14	// exclude some fraction of composite candidates when searching for a random
    15	// prime. This list is truncated at the point where smallPrimesProduct exceeds
    16	// a uint64. It does not include two because we ensure that the candidates are
    17	// odd by construction.
    18	var smallPrimes = []uint8{
    19		3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
    20	}
    21	
    22	// smallPrimesProduct is the product of the values in smallPrimes and allows us
    23	// to reduce a candidate prime by this number and then determine whether it's
    24	// coprime to all the elements of smallPrimes without further big.Int
    25	// operations.
    26	var smallPrimesProduct = new(big.Int).SetUint64(16294579238595022365)
    27	
    28	// Prime returns a number, p, of the given size, such that p is prime
    29	// with high probability.
    30	// Prime will return error for any error returned by rand.Read or if bits < 2.
    31	func Prime(rand io.Reader, bits int) (p *big.Int, err error) {
    32		if bits < 2 {
    33			err = errors.New("crypto/rand: prime size must be at least 2-bit")
    34			return
    35		}
    36	
    37		b := uint(bits % 8)
    38		if b == 0 {
    39			b = 8
    40		}
    41	
    42		bytes := make([]byte, (bits+7)/8)
    43		p = new(big.Int)
    44	
    45		bigMod := new(big.Int)
    46	
    47		for {
    48			_, err = io.ReadFull(rand, bytes)
    49			if err != nil {
    50				return nil, err
    51			}
    52	
    53			// Clear bits in the first byte to make sure the candidate has a size <= bits.
    54			bytes[0] &= uint8(int(1<<b) - 1)
    55			// Don't let the value be too small, i.e, set the most significant two bits.
    56			// Setting the top two bits, rather than just the top bit,
    57			// means that when two of these values are multiplied together,
    58			// the result isn't ever one bit short.
    59			if b >= 2 {
    60				bytes[0] |= 3 << (b - 2)
    61			} else {
    62				// Here b==1, because b cannot be zero.
    63				bytes[0] |= 1
    64				if len(bytes) > 1 {
    65					bytes[1] |= 0x80
    66				}
    67			}
    68			// Make the value odd since an even number this large certainly isn't prime.
    69			bytes[len(bytes)-1] |= 1
    70	
    71			p.SetBytes(bytes)
    72	
    73			// Calculate the value mod the product of smallPrimes. If it's
    74			// a multiple of any of these primes we add two until it isn't.
    75			// The probability of overflowing is minimal and can be ignored
    76			// because we still perform Miller-Rabin tests on the result.
    77			bigMod.Mod(p, smallPrimesProduct)
    78			mod := bigMod.Uint64()
    79	
    80		NextDelta:
    81			for delta := uint64(0); delta < 1<<20; delta += 2 {
    82				m := mod + delta
    83				for _, prime := range smallPrimes {
    84					if m%uint64(prime) == 0 && (bits > 6 || m != uint64(prime)) {
    85						continue NextDelta
    86					}
    87				}
    88	
    89				if delta > 0 {
    90					bigMod.SetUint64(delta)
    91					p.Add(p, bigMod)
    92				}
    93				break
    94			}
    95	
    96			// There is a tiny possibility that, by adding delta, we caused
    97			// the number to be one bit too long. Thus we check BitLen
    98			// here.
    99			if p.ProbablyPrime(20) && p.BitLen() == bits {
   100				return
   101			}
   102		}
   103	}
   104	
   105	// Int returns a uniform random value in [0, max). It panics if max <= 0.
   106	func Int(rand io.Reader, max *big.Int) (n *big.Int, err error) {
   107		if max.Sign() <= 0 {
   108			panic("crypto/rand: argument to Int is <= 0")
   109		}
   110		n = new(big.Int)
   111		n.Sub(max, n.SetUint64(1))
   112		// bitLen is the maximum bit length needed to encode a value < max.
   113		bitLen := n.BitLen()
   114		if bitLen == 0 {
   115			// the only valid result is 0
   116			return
   117		}
   118		// k is the maximum byte length needed to encode a value < max.
   119		k := (bitLen + 7) / 8
   120		// b is the number of bits in the most significant byte of max-1.
   121		b := uint(bitLen % 8)
   122		if b == 0 {
   123			b = 8
   124		}
   125	
   126		bytes := make([]byte, k)
   127	
   128		for {
   129			_, err = io.ReadFull(rand, bytes)
   130			if err != nil {
   131				return nil, err
   132			}
   133	
   134			// Clear bits in the first byte to increase the probability
   135			// that the candidate is < max.
   136			bytes[0] &= uint8(int(1<<b) - 1)
   137	
   138			n.SetBytes(bytes)
   139			if n.Cmp(max) < 0 {
   140				return
   141			}
   142		}
   143	}
   144

View as plain text