Merge branch 'mdw/aead'

* mdw/aead:
  algorithms.c, etc.: Support the new AEAD abstraction.
  algorithms.py: Support the new blockcipher-based MAC modes.
  algorithms.c: Add missing `copy' methods on hash and Keccak objects.
  catacomb/__init__.py: Add `KeySZ.pad' method.

diff --git a/pock b/pock
index 46cde4d3ea4aa7d01a227a8cdf69036e0289be69..ff62d8b61156ef4409000c25a9f3a2f17f5b482b 100644 (file)
--- a/pock
+++ b/pock
@@ -239,7 +239,7 @@ class Sieve (object):
     n = (limit - 2)/2
     sievesz = (n + me._NBIT - 1)/me._NBIT
     me._sievemax = sievesz*me._NBIT
-    me._bits = n*[0]
+    me._bits = sievesz*[0]
 
     ## This is standard Sieve of Eratosthenes.  For each index i: if
     ## bit i is clear, then p = 2 i + 3 is prime, so set the bits
@@ -662,7 +662,7 @@ class PrimeProof (object):
 
     ## If the label is already taken then we have a problem.
     if step.label in me._steps:
-      raise ValueError('duplicate label `%s\'' % step.label)
+      raise ExpectedError('duplicate label `%s\'' % step.label)
 
     ## Store the proof step.
     me._pmap[step.p] = step.label
@@ -1004,20 +1004,20 @@ def __main__():
   ## Prepare an option parser.
   op = OP.OptionParser(
     usage = '''\
-pock [-qv] CMD ARGS...
+pock [-qv] [-s SIEVEBITS] CMD ARGS...
         gen NBITS
         ll NBITS NSUBBITS
-        [check] [FILE]''',
+        check [FILE]''',
     description = 'Generate or verify certified prime numbers.')
   op.add_option('-v', '--verbose', dest = 'verbosity',
                 action = 'count', default = 1,
-                help = 'Print mysterious runes while looking for prime numbers.')
+                help = 'print mysterious runes while looking for prime numbers')
   op.add_option('-q', '--quiet', dest = 'quietude',
                 action = 'count', default = 0,
-                help = 'be quiet while looking for prime numbers.')
+                help = 'be quiet while looking for prime numbers')
   op.add_option('-s', '--sievebits', dest = 'sievebits',
                 type = 'int', default = 32,
-                help = 'Size (in bits) of largest small prime.')
+                help = 'size (in bits) of largest small prime')
   opts, argv = op.parse_args()
   VERBOSITY = opts.verbosity - opts.quietude
   p = ProgressReporter()

diff --git a/pock.1 b/pock.1
index 22dab5c2b210fc58b4ec8d650e0cb81e0bd3f2e3..6879bc5fad48303b3c85e1b1080a008cbb04c024 100644 (file)
--- a/pock.1
+++ b/pock.1
@@ -157,14 +157,34 @@ and often they must pessimistically assume
 that the number was chosen maliciously,
 and the worst-case
 .IR n /4
-bound is the best one can do.
+bound is the best one can do using the Rabin\(enMiller test.
 For large candidates,
 this is inconveniently slow.
 (Also, many implementations incorrectly use
 a number of iterations suitable for randomly chosen primes
 for testing candidates of unknown provenance.)
 .PP
-The
+There
+.I are
+stronger probabilistic tests.
+A combination of Rabin\(enMiller and
+Grantham's Frobenius test
+is known as the
+Baillie\(enPSW test
+(after Baillie, Pomerance, Selfridge, and Wagstaff);
+there are
+.I no
+known composites which pass this test,
+nor is it known how to construct any.
+On the other hand, it's been conjectured that
+infinitely many Baillie\(enPSW pseudoprimes exist.
+While it may be reasonable to assume
+the strength of the Baillie\(enPSW test,
+it must be borne in mind that this
+.I does
+constitute a security assumption.
+.PP
+By contrast,the
 .B pock
 program will generate prime numbers
 of sizes suitable for use in cryptography,
@@ -452,7 +472,7 @@ the order of
 in
 .RB ( Z /\fIp Z )\*(ss\(**\*(se
 divides
-.I p
+.I n
 \-
 1.
 Consider some prime
@@ -470,7 +490,7 @@ has order dividing
 From
 .BR 4 ,
 we have
-.IR t \*(ss q \*(se
+.I t
 \*(/=
 1
 (mod
@@ -494,9 +514,7 @@ dividing
 and,
 from
 .BR 1 ,
-the
-.I q
-are distinct,
+these primes are distinct,
 we deduce that
 .I Q
 divides
@@ -747,6 +765,13 @@ Hasse's theorem tells us that
 .RI # E\*(usp\*(ue |
 \(<=
 .RI 2\*(sr p ,
+so, in particular,
+.RI # E\*(usp\*(ue
+\-
+.I p
+\- 1
+\(<=
+.RI 2\*(sr p ,
 whence
 .I p
 + 1 +