diff options
Diffstat (limited to 'java/com/google/security/wycheproof/RandomUtil.java')
-rw-r--r-- | java/com/google/security/wycheproof/RandomUtil.java | 185 |
1 files changed, 185 insertions, 0 deletions
diff --git a/java/com/google/security/wycheproof/RandomUtil.java b/java/com/google/security/wycheproof/RandomUtil.java new file mode 100644 index 0000000..388c272 --- /dev/null +++ b/java/com/google/security/wycheproof/RandomUtil.java @@ -0,0 +1,185 @@ +/** + * @license + * Copyright 2016 Google Inc. All rights reserved. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.security.wycheproof; + +import java.math.BigInteger; +import java.nio.ByteBuffer; +import java.security.GeneralSecurityException; +import java.util.Random; + +/** + * A collection of utilities for testing random number generators. So far this util simply checks + * that random numbers are not generated by java.util.Random. Eventually we plan to add detection + * for other random number generators too. + * + * @author bleichen@google.com (Daniel Bleichenbacher) + */ +public class RandomUtil { + // Constants for java.util.Random; + static final long A = 0x5DEECE66DL; + static final long A_INVERSE = 246154705703781L; + static final long C = 0xBL; + + /** Given a state of a java.util.Random object compute the next state. */ + protected static long nextState(long seed) { + return (seed * A + C) & ((1L << 48) - 1); + } + + /** Give the state after stepping java.util.Random n times. */ + protected static long step(long seed, long n) { + long a = A; + long c = C; + n = n & 0xffffffffffffL; + while (n != 0) { + if ((n & 1) == 1) { + seed = seed * a + c; + } + c = c * (a + 1); + a = a * a; + n = n >> 1; + } + return seed & 0xffffffffffffL; + } + + /** Given a state of a java.util.Random object compute the previous state. */ + protected static long previousState(long seed) { + return ((seed - C) * A_INVERSE) & ((1L << 48) - 1); + } + + /** Computes a seed that would initialize a java.util.Random object with a given state. */ + protected static long getSeedForState(long seed) { + return seed ^ A; + } + + protected static long getStateForSeed(long seed) { + return (seed ^ A) & 0xffffffffffffL; + } + + /** + * Given two subsequent outputs x0 and x1 from java.util.Random this function computes the + * internal state of java.util.Random after returning x0 or returns -1 if no such state exists. + */ + protected static long getState(int x0, int x1) { + long mask = (1L << 48) - 1; + long multiplier = A; + // The state of the random number generator after returning x0 is + // l0 + eps for some 0 <= eps < 2**16. + long l0 = ((long) x0 << 16) & mask; + // The state of the random number generator after returning x1 is + // l1 + delta for some 0 <= delta < 2**16. + long l1 = ((long) x1 << 16) & mask; + // We have l1 + delta = (l0 + eps)*multiplier + 0xBL (mod 2**48). + // This allows to find an upper bound w for eps * multiplier mod 2**48 + // by assuming delta = 2**16-1. + long w = (l1 - l0 * multiplier + 65535L - 0xBL) & mask; + // The reduction eps * multiplier mod 2**48 only cuts off at most 3 bits. + // Hence a simple search is sufficient. The maximal number of loops is 6. + for (long em = w; em < (multiplier << 16); em += 1L << 48) { + // If the high order bits of em are guessed correctly then + // em == eps * multiplier + 65535 - delta. + long eps = em / multiplier; + long state0 = l0 + eps; + long state1 = nextState(state0); + if ((state1 & 0xffffffff0000L) == l1) { + return state0; + } + } + return -1; + } + + /** + * Find a seed such that this integer is the result of + * + * <pre>{@code + * Random rand = new Random(); + * rand.setSeed(seed); + * return new BigInteger(k, rand); + * }</pre> + * + * where k is max(64, x.BitLength()); + * + * <p>Returns -1 if no such seed exists. + */ + // TODO(bleichen): We want to detect cases where some of the bits + // (i.e. most significant bits or least significant bits have + // been modified. Often this happens during the generation + // of primes or other things. + // TODO(bleichen): This method is incomplete. + protected static long getSeedFor(java.math.BigInteger x) { + byte[] bytes = x.toByteArray(); + if (bytes.length == 0) { + return -1; + } + ByteBuffer buffer = ByteBuffer.allocate(8); + int offset = bytes[0] == 0 ? 1 : 0; + if (bytes.length - offset < 8) { + int size = bytes.length - offset; + buffer.position(8 - size); + buffer.put(bytes, offset, size); + } else { + buffer.put(bytes, offset, 8); + } + buffer.flip(); + buffer.order(java.nio.ByteOrder.LITTLE_ENDIAN); + int x0 = buffer.getInt(); + int x1 = buffer.getInt(); + long state = getState(x0, x1); + if (state == -1) { + return -1; + } + return getSeedForState(previousState(state)); + } + + /** Attempts to find a seed such that it generates the prime p. Returns -1 if no seed is found. */ + static long getSeedForPrime(BigInteger p) { + int confidence = 64; + Random rand = new Random(); + int size = p.bitLength(); + // Prime generation often sets the most significant bit. + // Hence, clearing the most significant bit can help to find + // the seed used for the prime generation. + for (BigInteger x : new BigInteger[] {p, p.clearBit(size - 1)}) { + long seed = getSeedFor(x); + if (seed != -1) { + rand.setSeed(seed); + BigInteger q = new BigInteger(size, confidence, rand); + if (q.equals(p)) { + return seed; + } + } + } + return -1; + } + + /** + * Checks whether p is a random prime. A prime generated with a secure random number generator + * passes with probability > 1-2^{-32}. No checks are performed for primes smaller than 96 bits. + * + * @throws GeneralSecurityException if the prime was generated using java.util.Random + */ + static void checkPrime(BigInteger p) throws GeneralSecurityException { + // We can't reliably detect java.util.Random for small primes. + if (p.bitLength() < 96) { + return; + } + long seed = getSeedForPrime(p); + if (seed != -1) { + throw new GeneralSecurityException( + "java.util.Random with seed " + seed + " was likely used to generate prime"); + } + } +} |