
192 lines
6.0 KiB
Raw Normal View History

2024-02-21 16:23:18 -08:00
* ZMap Copyright 2013 Regents of the University of Michigan
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at
* cyclic provides an inexpensive approach to iterating over the IPv4 address
* space in a random(-ish) manner such that we connect to every host once in
* a scan execution without having to keep track of the IPs that have been
* scanned or need to be scanned and such that each scan has a different
* ordering. We accomplish this by utilizing a cyclic multiplicative group
* of integers modulo a prime and generating a new primitive root (generator)
* for each scan.
* We know that 3 is a generator of (Z mod 2^32 + 15 - {0}, *)
* and that we have coverage over the entire address space because 2**32 + 15
* is prime and ||(Z mod PRIME - {0}, *)|| == PRIME - 1. Therefore, we
* just need to find a new generator (primitive root) of the cyclic group for
* each scan that we perform.
* Because generators map to generators over an isomorphism, we can efficiently
* find random primitive roots of our mult. group by finding random generators
* of the group (Zp-1, +) which is isomorphic to (Zp*, *). Specifically the
* generators of (Zp-1, +) are { s | (s, p-1) == 1 } which implies that
* the generators of (Zp*, *) are { d^s | (s, p-1) == 1 }. where d is a known
* generator of the multiplicative group. We efficiently find
* generators of the additive group by precalculating the psub1_f of
* p - 1 and randomly checking random numbers against the psub1_f until
* we find one that is coprime and map it into Zp*. Because
* totient(totient(p)) ~= 10^9, this should take relatively few
* iterations to find a new generator.
#include "cyclic.h"
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <time.h>
#include <assert.h>
#include <string.h>
#include <math.h>
#include <gmp.h>
#include "../lib/includes.h"
#include "../lib/logger.h"
// We will pick the first cyclic group from this list that is
// larger than the number of IPs in our allowlist. E.g. for an
// entire Internet scan, this would be cyclic32
// Note: this list should remain ordered by size (primes) ascending.
static cyclic_group_t groups[] = {
{// 2^8 + 1
.prime = 257,
.known_primroot = 3,
.prime_factors = {2},
.num_prime_factors = 1},
{// 2^16 + 1
.prime = 65537,
.known_primroot = 3,
.prime_factors = {2},
.num_prime_factors = 1},
{// 2^24 + 43
.prime = 16777259,
.known_primroot = 2,
.prime_factors = {2, 23, 103, 3541},
.num_prime_factors = 4},
{// 2^28 + 3
.prime = 268435459,
.known_primroot = 2,
.prime_factors = {2, 3, 19, 87211},
.num_prime_factors = 4},
{// 2^32 + 15
.prime = 4294967311,
.known_primroot = 3,
.prime_factors = {2, 3, 5, 131, 364289},
.num_prime_factors = 5},
{// 2^33 + 17
.prime = 8589934609,
.known_primroot = 19,
.prime_factors = {2, 3, 59, 3033169},
.num_prime_factors = 4},
{// 2^34 + 25
.prime = 17179869209,
.known_primroot = 3,
.prime_factors = {2, 83, 1277, 20261},
.num_prime_factors = 4},
{// 2^36 + 31
.prime = 68719476767,
.known_primroot = 5,
.prime_factors = {2, 163, 883, 238727},
.num_prime_factors = 4},
{// 2^40 + 15
.prime = 1099511627791,
.known_primroot = 3,
.prime_factors = {2, 3, 5, 36650387593},
.num_prime_factors = 4},
{// 2^44 + 7
.prime = 17592186044423,
.known_primroot = 5,
.prime_factors = {2, 11, 53, 97, 155542661},
.num_prime_factors = 5},
{// 2^48 + 23
.prime = 281474976710677,
.known_primroot = 6,
.prime_factors = {2, 3, 7, 1361, 2462081249},
.num_prime_factors = 5},
// Return a (random) number coprime with (p - 1) of the group,
// which is a generator of the additive group mod (p - 1)
static uint32_t find_primroot(const cyclic_group_t *group, aesrand_t *aes)
uint32_t candidate =
(uint32_t)((aesrand_getword(aes) & 0xFFFFFFFF) % group->prime);
uint64_t retv = 0;
// The maximum primitive root we can return needs to be small enough such
// that there is no overflow when multiplied by any element in the largest
// group in ZMap, which currently has p = 2^{32} + 15.
const uint64_t max_root = (UINT64_C(1) << 22);
// Repeatedly find a generator until we hit one that is small enough. For
// the largest group, we have a very low probability of ever executing this
// loop more than once, and for small groups it will only execute once.
do {
candidate += 1;
// Only one of these mods will ever have an effect.
candidate %= group->prime;
candidate %= max_root;
if (candidate == 0) {
mpz_t prime;
mpz_init_set_ui(prime, group->prime);
int ok = 1;
for (size_t i = 0; i < group->num_prime_factors && ok; ++i) {
const uint64_t q = group->prime_factors[i];
const uint64_t k = (group->prime - 1) / q;
mpz_t base, power, res;
mpz_init_set_ui(base, candidate);
mpz_init_set_ui(power, k);
mpz_powm(res, base, power, prime);
uint64_t res_ui = mpz_get_ui(res);
if (res_ui == 1) {
ok = 0;
if (ok) {
retv = candidate;
} while (1);
log_debug("zmap", "Isomorphism: %llu", retv);
return retv;
const cyclic_group_t *get_group(uint64_t min_size)
for (unsigned i = 0; i < sizeof(groups); ++i) {
if (groups[i].prime > min_size) {
return &groups[i];
// Should not reach, final group should always be larger than 2^48
// which is max based on 2**32 IPs and 2**16 ports
cycle_t make_cycle(const cyclic_group_t *group, aesrand_t *aes)
cycle_t cycle; = group;
cycle.generator = find_primroot(group, aes);
cycle.offset = (uint32_t)(aesrand_getword(aes) & 0xFFFFFFFF);
cycle.offset %= group->prime;
cycle.order = group->prime - 1;
return cycle;