CasperSecurity
/**
* Prime number generation API.
*
* @author Dave Longley
*
* Copyright (c) 2014 Digital Bazaar, Inc.
*/
var forge = require('./forge');
require('./util');
require('./jsbn');
require('./random');
(function() {
// forge.prime already defined
if(forge.prime) {
module.exports = forge.prime;
return;
}
/* PRIME API */
var prime = module.exports = forge.prime = forge.prime || {};
var BigInteger = forge.jsbn.BigInteger;
// primes are 30k+i for i = 1, 7, 11, 13, 17, 19, 23, 29
var GCD_30_DELTA = [6, 4, 2, 4, 2, 4, 6, 2];
var THIRTY = new BigInteger(null);
THIRTY.fromInt(30);
var op_or = function(x, y) {return x|y;};
/**
* Generates a random probable prime with the given number of bits.
*
* Alternative algorithms can be specified by name as a string or as an
* object with custom options like so:
*
* {
* name: 'PRIMEINC',
* options: {
* maxBlockTime: <the maximum amount of time to block the main
* thread before allowing I/O other JS to run>,
* millerRabinTests: <the number of miller-rabin tests to run>,
* workerScript: <the worker script URL>,
* workers: <the number of web workers (if supported) to use,
* -1 to use estimated cores minus one>.
* workLoad: the size of the work load, ie: number of possible prime
* numbers for each web worker to check per work assignment,
* (default: 100).
* }
* }
*
* @param bits the number of bits for the prime number.
* @param options the options to use.
* [algorithm] the algorithm to use (default: 'PRIMEINC').
* [prng] a custom crypto-secure pseudo-random number generator to use,
* that must define "getBytesSync".
*
* @return callback(err, num) called once the operation completes.
*/
prime.generateProbablePrime = function(bits, options, callback) {
if(typeof options === 'function') {
callback = options;
options = {};
}
options = options || {};
// default to PRIMEINC algorithm
var algorithm = options.algorithm || 'PRIMEINC';
if(typeof algorithm === 'string') {
algorithm = {name: algorithm};
}
algorithm.options = algorithm.options || {};
// create prng with api that matches BigInteger secure random
var prng = options.prng || forge.random;
var rng = {
// x is an array to fill with bytes
nextBytes: function(x) {
var b = prng.getBytesSync(x.length);
for(var i = 0; i < x.length; ++i) {
x[i] = b.charCodeAt(i);
}
}
};
if(algorithm.name === 'PRIMEINC') {
return primeincFindPrime(bits, rng, algorithm.options, callback);
}
throw new Error('Invalid prime generation algorithm: ' + algorithm.name);
};
function primeincFindPrime(bits, rng, options, callback) {
if('workers' in options) {
return primeincFindPrimeWithWorkers(bits, rng, options, callback);
}
return primeincFindPrimeWithoutWorkers(bits, rng, options, callback);
}
function primeincFindPrimeWithoutWorkers(bits, rng, options, callback) {
// initialize random number
var num = generateRandom(bits, rng);
/* Note: All primes are of the form 30k+i for i < 30 and gcd(30, i)=1. The
number we are given is always aligned at 30k + 1. Each time the number is
determined not to be prime we add to get to the next 'i', eg: if the number
was at 30k + 1 we add 6. */
var deltaIdx = 0;
// get required number of MR tests
var mrTests = getMillerRabinTests(num.bitLength());
if('millerRabinTests' in options) {
mrTests = options.millerRabinTests;
}
// find prime nearest to 'num' for maxBlockTime ms
// 10 ms gives 5ms of leeway for other calculations before dropping
// below 60fps (1000/60 == 16.67), but in reality, the number will
// likely be higher due to an 'atomic' big int modPow
var maxBlockTime = 10;
if('maxBlockTime' in options) {
maxBlockTime = options.maxBlockTime;
}
_primeinc(num, bits, rng, deltaIdx, mrTests, maxBlockTime, callback);
}
function _primeinc(num, bits, rng, deltaIdx, mrTests, maxBlockTime, callback) {
var start = +new Date();
do {
// overflow, regenerate random number
if(num.bitLength() > bits) {
num = generateRandom(bits, rng);
}
// do primality test
if(num.isProbablePrime(mrTests)) {
return callback(null, num);
}
// get next potential prime
num.dAddOffset(GCD_30_DELTA[deltaIdx++ % 8], 0);
} while(maxBlockTime < 0 || (+new Date() - start < maxBlockTime));
// keep trying later
forge.util.setImmediate(function() {
_primeinc(num, bits, rng, deltaIdx, mrTests, maxBlockTime, callback);
});
}
// NOTE: This algorithm is indeterminate in nature because workers
// run in parallel looking at different segments of numbers. Even if this
// algorithm is run twice with the same input from a predictable RNG, it
// may produce different outputs.
function primeincFindPrimeWithWorkers(bits, rng, options, callback) {
// web workers unavailable
if(typeof Worker === 'undefined') {
return primeincFindPrimeWithoutWorkers(bits, rng, options, callback);
}
// initialize random number
var num = generateRandom(bits, rng);
// use web workers to generate keys
var numWorkers = options.workers;
var workLoad = options.workLoad || 100;
var range = workLoad * 30 / 8;
var workerScript = options.workerScript || 'forge/prime.worker.js';
if(numWorkers === -1) {
return forge.util.estimateCores(function(err, cores) {
if(err) {
// default to 2
cores = 2;
}
numWorkers = cores - 1;
generate();
});
}
generate();
function generate() {
// require at least 1 worker
numWorkers = Math.max(1, numWorkers);
// TODO: consider optimizing by starting workers outside getPrime() ...
// note that in order to clean up they will have to be made internally
// asynchronous which may actually be slower
// start workers immediately
var workers = [];
for(var i = 0; i < numWorkers; ++i) {
// FIXME: fix path or use blob URLs
workers[i] = new Worker(workerScript);
}
var running = numWorkers;
// listen for requests from workers and assign ranges to find prime
for(var i = 0; i < numWorkers; ++i) {
workers[i].addEventListener('message', workerMessage);
}
/* Note: The distribution of random numbers is unknown. Therefore, each
web worker is continuously allocated a range of numbers to check for a
random number until one is found.
Every 30 numbers will be checked just 8 times, because prime numbers
have the form:
30k+i, for i < 30 and gcd(30, i)=1 (there are 8 values of i for this)
Therefore, if we want a web worker to run N checks before asking for
a new range of numbers, each range must contain N*30/8 numbers.
For 100 checks (workLoad), this is a range of 375. */
var found = false;
function workerMessage(e) {
// ignore message, prime already found
if(found) {
return;
}
--running;
var data = e.data;
if(data.found) {
// terminate all workers
for(var i = 0; i < workers.length; ++i) {
workers[i].terminate();
}
found = true;
return callback(null, new BigInteger(data.prime, 16));
}
// overflow, regenerate random number
if(num.bitLength() > bits) {
num = generateRandom(bits, rng);
}
// assign new range to check
var hex = num.toString(16);
// start prime search
e.target.postMessage({
hex: hex,
workLoad: workLoad
});
num.dAddOffset(range, 0);
}
}
}
/**
* Generates a random number using the given number of bits and RNG.
*
* @param bits the number of bits for the number.
* @param rng the random number generator to use.
*
* @return the random number.
*/
function generateRandom(bits, rng) {
var num = new BigInteger(bits, rng);
// force MSB set
var bits1 = bits - 1;
if(!num.testBit(bits1)) {
num.bitwiseTo(BigInteger.ONE.shiftLeft(bits1), op_or, num);
}
// align number on 30k+1 boundary
num.dAddOffset(31 - num.mod(THIRTY).byteValue(), 0);
return num;
}
/**
* Returns the required number of Miller-Rabin tests to generate a
* prime with an error probability of (1/2)^80.
*
* See Handbook of Applied Cryptography Chapter 4, Table 4.4.
*
* @param bits the bit size.
*
* @return the required number of iterations.
*/
function getMillerRabinTests(bits) {
if(bits <= 100) return 27;
if(bits <= 150) return 18;
if(bits <= 200) return 15;
if(bits <= 250) return 12;
if(bits <= 300) return 9;
if(bits <= 350) return 8;
if(bits <= 400) return 7;
if(bits <= 500) return 6;
if(bits <= 600) return 5;
if(bits <= 800) return 4;
if(bits <= 1250) return 3;
return 2;
}
})();