kc3-lang/libtommath

Browse

Commit b19f529c771738f7603be7da9d167c503de06b2f

czurnieden 2018-05-27T22:05:52

Corrected 128 bit entry in bn_mp_prime_miller_rabin_rials.c and extended it slightly 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150

diff --git a/bn_mp_prime_is_prime.c b/bn_mp_prime_is_prime.c
index d05cd87..d8755a0 100644
--- a/bn_mp_prime_is_prime.c
+++ b/bn_mp_prime_is_prime.c
@@ -192,7 +192,7 @@ int mp_prime_is_prime(const mp_int *a, int t, int *result)
           Sorenson, Jonathan; Webster, Jonathan (2015).
            "Strong Pseudoprimes to Twelve Prime Bases".
        */
-      /* 318665857834031151167461 */
+                                   /* 318665857834031151167461 */
       if ((err =   mp_read_radix(&b, "437ae92817f9fc85b7e5", 16)) != MP_OKAY) {
          goto LBL_B;
       }
@@ -200,14 +200,20 @@ int mp_prime_is_prime(const mp_int *a, int t, int *result)
       if (mp_cmp(a,&b) == MP_LT) {
          p_max = 12;
       }
-      /* 3317044064679887385961981 */
-      if ((err = mp_read_radix(&b, "2be6951adc5b22410a5fd", 16)) != MP_OKAY) {
-         goto LBL_B;
-      }
+      else {                       /* 3317044064679887385961981 */
+         if ((err = mp_read_radix(&b, "2be6951adc5b22410a5fd", 16)) != MP_OKAY) {
+            goto LBL_B;
+         }
 
-      if (mp_cmp(a,&b) == MP_LT) {
-         p_max = 13;
+         if (mp_cmp(a,&b) == MP_LT) {
+            p_max = 13;
+         }
+         else {
+            err = MP_VAL;
+            goto LBL_B;
+         }
       }
+
       // for compatibility with the current API (well, compatible within a sign's width)
       if (p_max < t) {
          p_max = t;
diff --git a/bn_mp_prime_rabin_miller_trials.c b/bn_mp_prime_rabin_miller_trials.c
index d400902..785a60b 100644
--- a/bn_mp_prime_rabin_miller_trials.c
+++ b/bn_mp_prime_rabin_miller_trials.c
@@ -17,17 +17,24 @@
 static const struct {
    int k, t;
 } sizes[] = {
-   {   128,    28 },
+   {    80,    -1 }, /* Use deterministic algorithm for size <= 80 bits */
+   {    81,    39 },
+   {    96,    37 },
+   {   128,    32 },
+   {   160,    27 },
+   {   192,    21 },
    {   256,    16 },
    {   384,    10 },
    {   512,     7 },
    {   640,     6 },
    {   768,     5 },
    {   896,     4 },
-   {  1024,     4 }
+   {  1024,     4 },
+   {  2048,     2 },
+   {  4096,     1 },
 };
 
-/* returns # of RM trials required for a given bit size */
+/* returns # of RM trials required for a given bit size and max. error of 2^(-96)*/
 int mp_prime_rabin_miller_trials(int size)
 {
    int x;
diff --git a/doc/bn.tex b/doc/bn.tex
index 2c4d36a..e81d039 100644
--- a/doc/bn.tex
+++ b/doc/bn.tex
@@ -1824,6 +1824,73 @@ require ten tests whereas a 1024-bit number would only require four tests.
 
 You should always still perform a trial division before a Miller-Rabin test though.
 
+A small table, broke in two for typographical reasons, with the number of rounds of Miller-Rabin tests is shown below.
+The first column is the number of bits $b$ in the prime $p = 2^b$, the numbers in the first row represent the 
+probability that the number that all of the Miller-Rabin tests deemed a pseudoprime is actually a composite. There is a deterministic test for numbers smaller than $2^{80}$.
+
+\begin{table}[h]
+\begin{center}
+\begin{tabular}{c c c c c c c}
+\textbf{bits} & $\mathbf{2^{-80}}$ & $\mathbf{2^{-96}}$ & $\mathbf{2^{-112}}$ & $\mathbf{2^{-128}}$ & $\mathbf{2^{-160}}$ & $\mathbf{2^{-192}}$ \\
+80    & 31 & 39 & 47 & 55 & 71 & 87  \\
+96    & 29 & 37 & 45 & 53 & 69 & 85  \\
+128   & 24 & 32 & 40 & 48 & 64 & 80  \\
+160   & 19 & 27 & 35 & 43 & 59 & 75  \\
+192   & 15 & 21 & 29 & 37 & 53 & 69  \\
+256   & 10 & 15 & 20 & 27 & 43 & 59  \\
+384   & 7  & 9  & 12 & 16 & 25 & 38  \\
+512   & 5  & 7  & 9  & 12 & 18 & 26  \\
+768   & 4  & 5  & 6  & 8  & 11 & 16  \\
+1024  & 3  & 4  & 5  & 6  & 9  & 12  \\
+1536  & 2  & 3  & 3  & 4  & 6  & 8   \\
+2048  & 2  & 2  & 3  & 3  & 4  & 6   \\
+3072  & 1  & 2  & 2  & 2  & 3  & 4   \\
+4096  & 1  & 1  & 2  & 2  & 2  & 3   \\
+6144  & 1  & 1  & 1  & 1  & 2  & 2   \\
+8192  & 1  & 1  & 1  & 1  & 2  & 2   \\
+12288 & 1  & 1  & 1  & 1  & 1  & 1   \\
+16384 & 1  & 1  & 1  & 1  & 1  & 1   \\
+24576 & 1  & 1  & 1  & 1  & 1  & 1   \\
+32768 & 1  & 1  & 1  & 1  & 1  & 1
+\end{tabular}
+\caption{ Number of Miller-Rabin rounds. Part I } \label{table:millerrabinrunsp1}
+\end{center}
+\end{table}
+\newpage
+\begin{table}[h]
+\begin{center}
+\begin{tabular}{c c c c c c c c}
+\textbf{bits} &$\mathbf{2^{-224}}$ & $\mathbf{2^{-256}}$ & $\mathbf{2^{-288}}$ & $\mathbf{2^{-320}}$ & $\mathbf{2^{-352}}$ & $\mathbf{2^{-384}}$ & $\mathbf{2^{-416}}$\\
+80    & 103 & 119 & 135 & 151 & 167 & 183 & 199 \\
+96    & 101 & 117 & 133 & 149 & 165 & 181 & 197 \\
+128   & 96  & 112 & 128 & 144 & 160 & 176 & 192 \\
+160   & 91  & 107 & 123 & 139 & 155 & 171 & 187 \\
+192   & 85  & 101 & 117 & 133 & 149 & 165 & 181 \\
+256   & 75  & 91  & 107 & 123 & 139 & 155 & 171 \\
+384   & 54  & 70  & 86  & 102 & 118 & 134 & 150 \\
+512   & 36  & 49  & 65  & 81  & 97  & 113 & 129 \\
+768   & 22  & 29  & 37  & 47  & 58  & 70  & 86  \\
+1024  & 16  & 21  & 26  & 33  & 40  & 48  & 58  \\
+1536  & 10  & 13  & 17  & 21  & 25  & 30  & 35  \\
+2048  & 8   & 10  & 13  & 15  & 18  & 22  & 26  \\
+3072  & 5   & 7   & 8	& 10  & 12  & 14  & 17  \\
+4096  & 4   & 5   & 6	& 8   & 9   & 11  & 12  \\
+6144  & 3   & 4   & 4	& 5   & 6   & 7   & 8	\\
+8192  & 2   & 3   & 3	& 4   & 5   & 6   & 6	\\
+12288 & 2   & 2   & 2	& 3   & 3   & 4   & 4	\\
+16384 & 1   & 2   & 2	& 2   & 3   & 3   & 3	\\
+24576 & 1   & 1   & 2	& 2   & 2   & 2   & 2	\\
+32768 & 1   & 1   & 1	& 1   & 2   & 2   & 2
+\end{tabular}
+\caption{ Number of Miller-Rabin rounds. Part II } \label{table:millerrabinrunsp2}
+\end{center}
+\end{table}
+
+Determining the probability needed to pick the right column is a bit harder. Fips 186.4, for example has $2^{-80}$ for $512$ bit large numbers, $2^{-112}$ for $1024$ bits, and $2^{128}$ for $1536$ bits. It can be seen in table \ref{table:millerrabinrunsp1} that those combinations follow the diagonal from $(512,2^{-80})$ downwards and to the right to gain a lower probabilty of getting a composite declared a pseudoprime for the same amount of work or less.
+
+If this version of the library has the strong Lucas-Selfridge and/or the Frobenius-Underwood test implemented only one or two rounds of the Miller-Rabin test with a random base is necesssary for numbers larger than or equal to $1024$ bits.
+
+
 \section{Strong Lucas-Selfridge Test}
 \index{mp\_prime\_strong\_lucas\_selfridge}
 \begin{alltt}
kmx.io     mail     discord kmxgit v0.4.0