-
Notifications
You must be signed in to change notification settings - Fork 2
/
mul_accum.go
96 lines (85 loc) · 2.14 KB
/
mul_accum.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
package batchgcd
import (
"github.com/ncw/gmp"
"sync"
)
// This performs the GCD of the product of all previous moduli with the current one.
// This uses around double the memory (minus quite a lot of overhead), and identifies
// problematic input in O(n) time, but has to do another O(n) scan for each collision
// to figure get the private key back.
// If there are no collisions, this algorithm isn't parallel at all.
// If we get a GCD that is the same as the modulus, we do a manual scan for either colliding Q or identical moduli
// If we get a GCD lower than the modulus, we have one private key, then do a manual scan for others.
func MulAccumGCD(moduli []*gmp.Int, collisions chan<- Collision) {
accum := gmp.NewInt(1)
gcd := new(gmp.Int)
var wg sync.WaitGroup
for i, modulus := range moduli {
gcd.GCD(nil, nil, accum, modulus)
if gcd.BitLen() != 1 {
wg.Add(1)
if gcd.Cmp(modulus) == 0 {
go findGCD(&wg, moduli, i, collisions)
continue
} else {
go findDivisors(&wg, moduli, i, gcd, collisions)
gcd = new(gmp.Int)
}
}
accum.Mul(accum, modulus)
}
wg.Wait()
close(collisions)
}
// Tests the candidate (i) against all other moduli
func findDivisors(wg *sync.WaitGroup, moduli []*gmp.Int, i int, gcd *gmp.Int, collisions chan<- Collision) {
m := moduli[i]
q := gmp.NewInt(0)
r := gmp.NewInt(0)
q.Quo(m, gcd)
collisions <- Collision{
Modulus: m,
P: gcd,
Q: q,
}
q = gmp.NewInt(0)
for j := 0; j < i; j++ {
n := moduli[j]
q.QuoRem(n, gcd, r)
if r.BitLen() == 0 {
collisions <- Collision{
Modulus: n,
P: gcd,
Q: q,
}
}
q = gmp.NewInt(0)
}
wg.Done()
}
func findGCD(wg *sync.WaitGroup, moduli []*gmp.Int, i int, collisions chan<- Collision) {
m := moduli[i]
q := gmp.NewInt(0)
gcd := gmp.NewInt(0)
for j := 0; j < i; j++ {
n := moduli[j]
if gcd.GCD(nil, nil, m, n).BitLen() != 1 {
q.Quo(m, gcd)
collisions <- Collision{
Modulus: m,
P: gcd,
Q: q,
}
q = gmp.NewInt(0)
q.Quo(n, gcd)
collisions <- Collision{
Modulus: n,
P: gcd,
Q: q,
}
q = gmp.NewInt(0)
gcd = gmp.NewInt(0)
}
}
wg.Done()
}