From: Mark Wooding Date: Sat, 21 Sep 2019 10:47:01 +0000 (+0100) Subject: Merge branch 'mdw/aead' X-Git-Tag: 1.3.0~3 X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/catacomb-python/commitdiff_plain/4abb54de656f0d5c1b35de940fe75e7e3159dee4?hp=bebf03ab18a3bc9fbb537fcf821b0b53f8db1b81 Merge branch 'mdw/aead' * mdw/aead: algorithms.c, etc.: Support the new AEAD abstraction. algorithms.py: Support the new blockcipher-based MAC modes. algorithms.c: Add missing `copy' methods on hash and Keccak objects. catacomb/__init__.py: Add `KeySZ.pad' method. --- diff --git a/pock b/pock index 46cde4d..ff62d8b 100644 --- a/pock +++ b/pock @@ -239,7 +239,7 @@ class Sieve (object): n = (limit - 2)/2 sievesz = (n + me._NBIT - 1)/me._NBIT me._sievemax = sievesz*me._NBIT - me._bits = n*[0] + me._bits = sievesz*[0] ## This is standard Sieve of Eratosthenes. For each index i: if ## bit i is clear, then p = 2 i + 3 is prime, so set the bits @@ -662,7 +662,7 @@ class PrimeProof (object): ## If the label is already taken then we have a problem. if step.label in me._steps: - raise ValueError('duplicate label `%s\'' % step.label) + raise ExpectedError('duplicate label `%s\'' % step.label) ## Store the proof step. me._pmap[step.p] = step.label @@ -1004,20 +1004,20 @@ def __main__(): ## Prepare an option parser. op = OP.OptionParser( usage = '''\ -pock [-qv] CMD ARGS... +pock [-qv] [-s SIEVEBITS] CMD ARGS... gen NBITS ll NBITS NSUBBITS - [check] [FILE]''', + check [FILE]''', description = 'Generate or verify certified prime numbers.') op.add_option('-v', '--verbose', dest = 'verbosity', action = 'count', default = 1, - help = 'Print mysterious runes while looking for prime numbers.') + help = 'print mysterious runes while looking for prime numbers') op.add_option('-q', '--quiet', dest = 'quietude', action = 'count', default = 0, - help = 'be quiet while looking for prime numbers.') + help = 'be quiet while looking for prime numbers') op.add_option('-s', '--sievebits', dest = 'sievebits', type = 'int', default = 32, - help = 'Size (in bits) of largest small prime.') + help = 'size (in bits) of largest small prime') opts, argv = op.parse_args() VERBOSITY = opts.verbosity - opts.quietude p = ProgressReporter() diff --git a/pock.1 b/pock.1 index 22dab5c..6879bc5 100644 --- a/pock.1 +++ b/pock.1 @@ -157,14 +157,34 @@ and often they must pessimistically assume that the number was chosen maliciously, and the worst-case .IR n /4 -bound is the best one can do. +bound is the best one can do using the Rabin\(enMiller test. For large candidates, this is inconveniently slow. (Also, many implementations incorrectly use a number of iterations suitable for randomly chosen primes for testing candidates of unknown provenance.) .PP -The +There +.I are +stronger probabilistic tests. +A combination of Rabin\(enMiller and +Grantham's Frobenius test +is known as the +Baillie\(enPSW test +(after Baillie, Pomerance, Selfridge, and Wagstaff); +there are +.I no +known composites which pass this test, +nor is it known how to construct any. +On the other hand, it's been conjectured that +infinitely many Baillie\(enPSW pseudoprimes exist. +While it may be reasonable to assume +the strength of the Baillie\(enPSW test, +it must be borne in mind that this +.I does +constitute a security assumption. +.PP +By contrast,the .B pock program will generate prime numbers of sizes suitable for use in cryptography, @@ -452,7 +472,7 @@ the order of in .RB ( Z /\fIp Z )\*(ss\(**\*(se divides -.I p +.I n \- 1. Consider some prime @@ -470,7 +490,7 @@ has order dividing From .BR 4 , we have -.IR t \*(ss q \*(se +.I t \*(/= 1 (mod @@ -494,9 +514,7 @@ dividing and, from .BR 1 , -the -.I q -are distinct, +these primes are distinct, we deduce that .I Q divides @@ -747,6 +765,13 @@ Hasse's theorem tells us that .RI # E\*(usp\*(ue | \(<= .RI 2\*(sr p , +so, in particular, +.RI # E\*(usp\*(ue +\- +.I p +\- 1 +\(<= +.RI 2\*(sr p , whence .I p + 1 +