2 * Bignum routines for RSA and DH and stuff.
\r
15 #define BIGNUM_INTERNAL
\r
16 typedef BignumInt *Bignum;
\r
20 BignumInt bnZero[1] = { 0 };
\r
21 BignumInt bnOne[2] = { 1, 1 };
\r
24 * The Bignum format is an array of `BignumInt'. The first
\r
25 * element of the array counts the remaining elements. The
\r
26 * remaining elements express the actual number, base 2^BIGNUM_INT_BITS, _least_
\r
27 * significant digit first. (So it's trivial to extract the bit
\r
28 * with value 2^n for any n.)
\r
30 * All Bignums in this module are positive. Negative numbers must
\r
31 * be dealt with outside it.
\r
33 * INVARIANT: the most significant word of any Bignum must be
\r
37 Bignum Zero = bnZero, One = bnOne;
\r
39 static Bignum newbn(int length)
\r
43 assert(length >= 0 && length < INT_MAX / BIGNUM_INT_BITS);
\r
45 b = snewn(length + 1, BignumInt);
\r
47 abort(); /* FIXME */
\r
48 memset(b, 0, (length + 1) * sizeof(*b));
\r
53 void bn_restore_invariant(Bignum b)
\r
55 while (b[0] > 1 && b[b[0]] == 0)
\r
59 Bignum copybn(Bignum orig)
\r
61 Bignum b = snewn(orig[0] + 1, BignumInt);
\r
63 abort(); /* FIXME */
\r
64 memcpy(b, orig, (orig[0] + 1) * sizeof(*b));
\r
68 void freebn(Bignum b)
\r
71 * Burn the evidence, just in case.
\r
73 smemclr(b, sizeof(b[0]) * (b[0] + 1));
\r
77 Bignum bn_power_2(int n)
\r
83 ret = newbn(n / BIGNUM_INT_BITS + 1);
\r
84 bignum_set_bit(ret, n, 1);
\r
89 * Internal addition. Sets c = a - b, where 'a', 'b' and 'c' are all
\r
90 * big-endian arrays of 'len' BignumInts. Returns a BignumInt carried
\r
93 static BignumInt internal_add(const BignumInt *a, const BignumInt *b,
\r
94 BignumInt *c, int len)
\r
97 BignumDblInt carry = 0;
\r
99 for (i = len-1; i >= 0; i--) {
\r
100 carry += (BignumDblInt)a[i] + b[i];
\r
101 c[i] = (BignumInt)carry;
\r
102 carry >>= BIGNUM_INT_BITS;
\r
105 return (BignumInt)carry;
\r
109 * Internal subtraction. Sets c = a - b, where 'a', 'b' and 'c' are
\r
110 * all big-endian arrays of 'len' BignumInts. Any borrow from the top
\r
113 static void internal_sub(const BignumInt *a, const BignumInt *b,
\r
114 BignumInt *c, int len)
\r
117 BignumDblInt carry = 1;
\r
119 for (i = len-1; i >= 0; i--) {
\r
120 carry += (BignumDblInt)a[i] + (b[i] ^ BIGNUM_INT_MASK);
\r
121 c[i] = (BignumInt)carry;
\r
122 carry >>= BIGNUM_INT_BITS;
\r
127 * Compute c = a * b.
\r
128 * Input is in the first len words of a and b.
\r
129 * Result is returned in the first 2*len words of c.
\r
131 * 'scratch' must point to an array of BignumInt of size at least
\r
132 * mul_compute_scratch(len). (This covers the needs of internal_mul
\r
133 * and all its recursive calls to itself.)
\r
135 #define KARATSUBA_THRESHOLD 50
\r
136 static int mul_compute_scratch(int len)
\r
139 while (len > KARATSUBA_THRESHOLD) {
\r
140 int toplen = len/2, botlen = len - toplen; /* botlen is the bigger */
\r
141 int midlen = botlen + 1;
\r
147 static void internal_mul(const BignumInt *a, const BignumInt *b,
\r
148 BignumInt *c, int len, BignumInt *scratch)
\r
150 if (len > KARATSUBA_THRESHOLD) {
\r
154 * Karatsuba divide-and-conquer algorithm. Cut each input in
\r
155 * half, so that it's expressed as two big 'digits' in a giant
\r
161 * Then the product is of course
\r
163 * ab = a_1 b_1 D^2 + (a_1 b_0 + a_0 b_1) D + a_0 b_0
\r
165 * and we compute the three coefficients by recursively
\r
166 * calling ourself to do half-length multiplications.
\r
168 * The clever bit that makes this worth doing is that we only
\r
169 * need _one_ half-length multiplication for the central
\r
170 * coefficient rather than the two that it obviouly looks
\r
171 * like, because we can use a single multiplication to compute
\r
173 * (a_1 + a_0) (b_1 + b_0) = a_1 b_1 + a_1 b_0 + a_0 b_1 + a_0 b_0
\r
175 * and then we subtract the other two coefficients (a_1 b_1
\r
176 * and a_0 b_0) which we were computing anyway.
\r
178 * Hence we get to multiply two numbers of length N in about
\r
179 * three times as much work as it takes to multiply numbers of
\r
180 * length N/2, which is obviously better than the four times
\r
181 * as much work it would take if we just did a long
\r
182 * conventional multiply.
\r
185 int toplen = len/2, botlen = len - toplen; /* botlen is the bigger */
\r
186 int midlen = botlen + 1;
\r
187 BignumDblInt carry;
\r
193 * The coefficients a_1 b_1 and a_0 b_0 just avoid overlapping
\r
194 * in the output array, so we can compute them immediately in
\r
199 printf("a1,a0 = 0x");
\r
200 for (i = 0; i < len; i++) {
\r
201 if (i == toplen) printf(", 0x");
\r
202 printf("%0*x", BIGNUM_INT_BITS/4, a[i]);
\r
205 printf("b1,b0 = 0x");
\r
206 for (i = 0; i < len; i++) {
\r
207 if (i == toplen) printf(", 0x");
\r
208 printf("%0*x", BIGNUM_INT_BITS/4, b[i]);
\r
214 internal_mul(a, b, c, toplen, scratch);
\r
216 printf("a1b1 = 0x");
\r
217 for (i = 0; i < 2*toplen; i++) {
\r
218 printf("%0*x", BIGNUM_INT_BITS/4, c[i]);
\r
224 internal_mul(a + toplen, b + toplen, c + 2*toplen, botlen, scratch);
\r
226 printf("a0b0 = 0x");
\r
227 for (i = 0; i < 2*botlen; i++) {
\r
228 printf("%0*x", BIGNUM_INT_BITS/4, c[2*toplen+i]);
\r
233 /* Zero padding. midlen exceeds toplen by at most 2, so just
\r
234 * zero the first two words of each input and the rest will be
\r
236 scratch[0] = scratch[1] = scratch[midlen] = scratch[midlen+1] = 0;
\r
238 for (i = 0; i < toplen; i++) {
\r
239 scratch[midlen - toplen + i] = a[i]; /* a_1 */
\r
240 scratch[2*midlen - toplen + i] = b[i]; /* b_1 */
\r
243 /* compute a_1 + a_0 */
\r
244 scratch[0] = internal_add(scratch+1, a+toplen, scratch+1, botlen);
\r
246 printf("a1plusa0 = 0x");
\r
247 for (i = 0; i < midlen; i++) {
\r
248 printf("%0*x", BIGNUM_INT_BITS/4, scratch[i]);
\r
252 /* compute b_1 + b_0 */
\r
253 scratch[midlen] = internal_add(scratch+midlen+1, b+toplen,
\r
254 scratch+midlen+1, botlen);
\r
256 printf("b1plusb0 = 0x");
\r
257 for (i = 0; i < midlen; i++) {
\r
258 printf("%0*x", BIGNUM_INT_BITS/4, scratch[midlen+i]);
\r
264 * Now we can do the third multiplication.
\r
266 internal_mul(scratch, scratch + midlen, scratch + 2*midlen, midlen,
\r
267 scratch + 4*midlen);
\r
269 printf("a1plusa0timesb1plusb0 = 0x");
\r
270 for (i = 0; i < 2*midlen; i++) {
\r
271 printf("%0*x", BIGNUM_INT_BITS/4, scratch[2*midlen+i]);
\r
277 * Now we can reuse the first half of 'scratch' to compute the
\r
278 * sum of the outer two coefficients, to subtract from that
\r
279 * product to obtain the middle one.
\r
281 scratch[0] = scratch[1] = scratch[2] = scratch[3] = 0;
\r
282 for (i = 0; i < 2*toplen; i++)
\r
283 scratch[2*midlen - 2*toplen + i] = c[i];
\r
284 scratch[1] = internal_add(scratch+2, c + 2*toplen,
\r
285 scratch+2, 2*botlen);
\r
287 printf("a1b1plusa0b0 = 0x");
\r
288 for (i = 0; i < 2*midlen; i++) {
\r
289 printf("%0*x", BIGNUM_INT_BITS/4, scratch[i]);
\r
294 internal_sub(scratch + 2*midlen, scratch,
\r
295 scratch + 2*midlen, 2*midlen);
\r
297 printf("a1b0plusa0b1 = 0x");
\r
298 for (i = 0; i < 2*midlen; i++) {
\r
299 printf("%0*x", BIGNUM_INT_BITS/4, scratch[2*midlen+i]);
\r
305 * And now all we need to do is to add that middle coefficient
\r
306 * back into the output. We may have to propagate a carry
\r
307 * further up the output, but we can be sure it won't
\r
308 * propagate right the way off the top.
\r
310 carry = internal_add(c + 2*len - botlen - 2*midlen,
\r
311 scratch + 2*midlen,
\r
312 c + 2*len - botlen - 2*midlen, 2*midlen);
\r
313 i = 2*len - botlen - 2*midlen - 1;
\r
317 c[i] = (BignumInt)carry;
\r
318 carry >>= BIGNUM_INT_BITS;
\r
323 for (i = 0; i < 2*len; i++) {
\r
324 printf("%0*x", BIGNUM_INT_BITS/4, c[i]);
\r
333 const BignumInt *ap, *bp;
\r
334 BignumInt *cp, *cps;
\r
337 * Multiply in the ordinary O(N^2) way.
\r
340 for (i = 0; i < 2 * len; i++)
\r
343 for (cps = c + 2*len, ap = a + len; ap-- > a; cps--) {
\r
345 for (cp = cps, bp = b + len; cp--, bp-- > b ;) {
\r
346 t = (MUL_WORD(*ap, *bp) + carry) + *cp;
\r
347 *cp = (BignumInt) t;
\r
348 carry = (BignumInt)(t >> BIGNUM_INT_BITS);
\r
356 * Variant form of internal_mul used for the initial step of
\r
357 * Montgomery reduction. Only bothers outputting 'len' words
\r
358 * (everything above that is thrown away).
\r
360 static void internal_mul_low(const BignumInt *a, const BignumInt *b,
\r
361 BignumInt *c, int len, BignumInt *scratch)
\r
363 if (len > KARATSUBA_THRESHOLD) {
\r
367 * Karatsuba-aware version of internal_mul_low. As before, we
\r
368 * express each input value as a shifted combination of two
\r
374 * Then the full product is, as before,
\r
376 * ab = a_1 b_1 D^2 + (a_1 b_0 + a_0 b_1) D + a_0 b_0
\r
378 * Provided we choose D on the large side (so that a_0 and b_0
\r
379 * are _at least_ as long as a_1 and b_1), we don't need the
\r
380 * topmost term at all, and we only need half of the middle
\r
381 * term. So there's no point in doing the proper Karatsuba
\r
382 * optimisation which computes the middle term using the top
\r
383 * one, because we'd take as long computing the top one as
\r
384 * just computing the middle one directly.
\r
386 * So instead, we do a much more obvious thing: we call the
\r
387 * fully optimised internal_mul to compute a_0 b_0, and we
\r
388 * recursively call ourself to compute the _bottom halves_ of
\r
389 * a_1 b_0 and a_0 b_1, each of which we add into the result
\r
390 * in the obvious way.
\r
392 * In other words, there's no actual Karatsuba _optimisation_
\r
393 * in this function; the only benefit in doing it this way is
\r
394 * that we call internal_mul proper for a large part of the
\r
395 * work, and _that_ can optimise its operation.
\r
398 int toplen = len/2, botlen = len - toplen; /* botlen is the bigger */
\r
401 * Scratch space for the various bits and pieces we're going
\r
402 * to be adding together: we need botlen*2 words for a_0 b_0
\r
403 * (though we may end up throwing away its topmost word), and
\r
404 * toplen words for each of a_1 b_0 and a_0 b_1. That adds up
\r
405 * to exactly 2*len.
\r
409 internal_mul(a + toplen, b + toplen, scratch + 2*toplen, botlen,
\r
413 internal_mul_low(a, b + len - toplen, scratch + toplen, toplen,
\r
417 internal_mul_low(a + len - toplen, b, scratch, toplen,
\r
420 /* Copy the bottom half of the big coefficient into place */
\r
421 for (i = 0; i < botlen; i++)
\r
422 c[toplen + i] = scratch[2*toplen + botlen + i];
\r
424 /* Add the two small coefficients, throwing away the returned carry */
\r
425 internal_add(scratch, scratch + toplen, scratch, toplen);
\r
427 /* And add that to the large coefficient, leaving the result in c. */
\r
428 internal_add(scratch, scratch + 2*toplen + botlen - toplen,
\r
435 const BignumInt *ap, *bp;
\r
436 BignumInt *cp, *cps;
\r
439 * Multiply in the ordinary O(N^2) way.
\r
442 for (i = 0; i < len; i++)
\r
445 for (cps = c + len, ap = a + len; ap-- > a; cps--) {
\r
447 for (cp = cps, bp = b + len; bp--, cp-- > c ;) {
\r
448 t = (MUL_WORD(*ap, *bp) + carry) + *cp;
\r
449 *cp = (BignumInt) t;
\r
450 carry = (BignumInt)(t >> BIGNUM_INT_BITS);
\r
457 * Montgomery reduction. Expects x to be a big-endian array of 2*len
\r
458 * BignumInts whose value satisfies 0 <= x < rn (where r = 2^(len *
\r
459 * BIGNUM_INT_BITS) is the Montgomery base). Returns in the same array
\r
460 * a value x' which is congruent to xr^{-1} mod n, and satisfies 0 <=
\r
463 * 'n' and 'mninv' should be big-endian arrays of 'len' BignumInts
\r
464 * each, containing respectively n and the multiplicative inverse of
\r
467 * 'tmp' is an array of BignumInt used as scratch space, of length at
\r
468 * least 3*len + mul_compute_scratch(len).
\r
470 static void monty_reduce(BignumInt *x, const BignumInt *n,
\r
471 const BignumInt *mninv, BignumInt *tmp, int len)
\r
477 * Multiply x by (-n)^{-1} mod r. This gives us a value m such
\r
478 * that mn is congruent to -x mod r. Hence, mn+x is an exact
\r
479 * multiple of r, and is also (obviously) congruent to x mod n.
\r
481 internal_mul_low(x + len, mninv, tmp, len, tmp + 3*len);
\r
484 * Compute t = (mn+x)/r in ordinary, non-modular, integer
\r
485 * arithmetic. By construction this is exact, and is congruent mod
\r
486 * n to x * r^{-1}, i.e. the answer we want.
\r
488 * The following multiply leaves that answer in the _most_
\r
489 * significant half of the 'x' array, so then we must shift it
\r
492 internal_mul(tmp, n, tmp+len, len, tmp + 3*len);
\r
493 carry = internal_add(x, tmp+len, x, 2*len);
\r
494 for (i = 0; i < len; i++)
\r
495 x[len + i] = x[i], x[i] = 0;
\r
498 * Reduce t mod n. This doesn't require a full-on division by n,
\r
499 * but merely a test and single optional subtraction, since we can
\r
500 * show that 0 <= t < 2n.
\r
503 * + we computed m mod r, so 0 <= m < r.
\r
504 * + so 0 <= mn < rn, obviously
\r
505 * + hence we only need 0 <= x < rn to guarantee that 0 <= mn+x < 2rn
\r
506 * + yielding 0 <= (mn+x)/r < 2n as required.
\r
509 for (i = 0; i < len; i++)
\r
510 if (x[len + i] != n[i])
\r
513 if (carry || i >= len || x[len + i] > n[i])
\r
514 internal_sub(x+len, n, x+len, len);
\r
517 static void internal_add_shifted(BignumInt *number,
\r
518 BignumInt n, int shift)
\r
520 int word = 1 + (shift / BIGNUM_INT_BITS);
\r
521 int bshift = shift % BIGNUM_INT_BITS;
\r
522 BignumDblInt addend;
\r
524 addend = (BignumDblInt)n << bshift;
\r
527 assert(word <= number[0]);
\r
528 addend += number[word];
\r
529 number[word] = (BignumInt) addend & BIGNUM_INT_MASK;
\r
530 addend >>= BIGNUM_INT_BITS;
\r
536 * Compute a = a % m.
\r
537 * Input in first alen words of a and first mlen words of m.
\r
538 * Output in first alen words of a
\r
539 * (of which first alen-mlen words will be zero).
\r
540 * The MSW of m MUST have its high bit set.
\r
541 * Quotient is accumulated in the `quotient' array, which is a Bignum
\r
542 * rather than the internal bigendian format. Quotient parts are shifted
\r
543 * left by `qshift' before adding into quot.
\r
545 static void internal_mod(BignumInt *a, int alen,
\r
546 BignumInt *m, int mlen,
\r
547 BignumInt *quot, int qshift)
\r
549 BignumInt m0, m1, h;
\r
553 assert(m0 >> (BIGNUM_INT_BITS-1) == 1);
\r
559 for (i = 0; i <= alen - mlen; i++) {
\r
561 BignumInt q, r, c, ai1;
\r
575 /* Find q = h:a[i] / m0 */
\r
580 * To illustrate it, suppose a BignumInt is 8 bits, and
\r
581 * we are dividing (say) A1:23:45:67 by A1:B2:C3. Then
\r
582 * our initial division will be 0xA123 / 0xA1, which
\r
583 * will give a quotient of 0x100 and a divide overflow.
\r
584 * However, the invariants in this division algorithm
\r
585 * are not violated, since the full number A1:23:... is
\r
586 * _less_ than the quotient prefix A1:B2:... and so the
\r
587 * following correction loop would have sorted it out.
\r
589 * In this situation we set q to be the largest
\r
590 * quotient we _can_ stomach (0xFF, of course).
\r
592 q = BIGNUM_INT_MASK;
\r
594 /* Macro doesn't want an array subscript expression passed
\r
595 * into it (see definition), so use a temporary. */
\r
596 BignumInt tmplo = a[i];
\r
597 DIVMOD_WORD(q, r, h, tmplo, m0);
\r
599 /* Refine our estimate of q by looking at
\r
600 h:a[i]:a[i+1] / m0:m1 */
\r
601 t = MUL_WORD(m1, q);
\r
602 if (t > ((BignumDblInt) r << BIGNUM_INT_BITS) + ai1) {
\r
605 r = (r + m0) & BIGNUM_INT_MASK; /* overflow? */
\r
606 if (r >= (BignumDblInt) m0 &&
\r
607 t > ((BignumDblInt) r << BIGNUM_INT_BITS) + ai1) q--;
\r
611 /* Subtract q * m from a[i...] */
\r
613 for (k = mlen - 1; k >= 0; k--) {
\r
614 t = MUL_WORD(q, m[k]);
\r
616 c = (BignumInt)(t >> BIGNUM_INT_BITS);
\r
617 if ((BignumInt) t > a[i + k])
\r
619 a[i + k] -= (BignumInt) t;
\r
622 /* Add back m in case of borrow */
\r
625 for (k = mlen - 1; k >= 0; k--) {
\r
628 a[i + k] = (BignumInt) t;
\r
629 t = t >> BIGNUM_INT_BITS;
\r
634 internal_add_shifted(quot, q, qshift + BIGNUM_INT_BITS * (alen - mlen - i));
\r
639 * Compute (base ^ exp) % mod, the pedestrian way.
\r
641 Bignum modpow_simple(Bignum base_in, Bignum exp, Bignum mod)
\r
643 BignumInt *a, *b, *n, *m, *scratch;
\r
645 int mlen, scratchlen, i, j;
\r
646 Bignum base, result;
\r
649 * The most significant word of mod needs to be non-zero. It
\r
650 * should already be, but let's make sure.
\r
652 assert(mod[mod[0]] != 0);
\r
655 * Make sure the base is smaller than the modulus, by reducing
\r
656 * it modulo the modulus if not.
\r
658 base = bigmod(base_in, mod);
\r
660 /* Allocate m of size mlen, copy mod to m */
\r
661 /* We use big endian internally */
\r
663 m = snewn(mlen, BignumInt);
\r
664 for (j = 0; j < mlen; j++)
\r
665 m[j] = mod[mod[0] - j];
\r
667 /* Shift m left to make msb bit set */
\r
668 for (mshift = 0; mshift < BIGNUM_INT_BITS-1; mshift++)
\r
669 if ((m[0] << mshift) & BIGNUM_TOP_BIT)
\r
672 for (i = 0; i < mlen - 1; i++)
\r
673 m[i] = (m[i] << mshift) | (m[i + 1] >> (BIGNUM_INT_BITS - mshift));
\r
674 m[mlen - 1] = m[mlen - 1] << mshift;
\r
677 /* Allocate n of size mlen, copy base to n */
\r
678 n = snewn(mlen, BignumInt);
\r
679 i = mlen - base[0];
\r
680 for (j = 0; j < i; j++)
\r
682 for (j = 0; j < (int)base[0]; j++)
\r
683 n[i + j] = base[base[0] - j];
\r
685 /* Allocate a and b of size 2*mlen. Set a = 1 */
\r
686 a = snewn(2 * mlen, BignumInt);
\r
687 b = snewn(2 * mlen, BignumInt);
\r
688 for (i = 0; i < 2 * mlen; i++)
\r
690 a[2 * mlen - 1] = 1;
\r
692 /* Scratch space for multiplies */
\r
693 scratchlen = mul_compute_scratch(mlen);
\r
694 scratch = snewn(scratchlen, BignumInt);
\r
696 /* Skip leading zero bits of exp. */
\r
698 j = BIGNUM_INT_BITS-1;
\r
699 while (i < (int)exp[0] && (exp[exp[0] - i] & ((BignumInt)1 << j)) == 0) {
\r
703 j = BIGNUM_INT_BITS-1;
\r
707 /* Main computation */
\r
708 while (i < (int)exp[0]) {
\r
710 internal_mul(a + mlen, a + mlen, b, mlen, scratch);
\r
711 internal_mod(b, mlen * 2, m, mlen, NULL, 0);
\r
712 if ((exp[exp[0] - i] & ((BignumInt)1 << j)) != 0) {
\r
713 internal_mul(b + mlen, n, a, mlen, scratch);
\r
714 internal_mod(a, mlen * 2, m, mlen, NULL, 0);
\r
724 j = BIGNUM_INT_BITS-1;
\r
727 /* Fixup result in case the modulus was shifted */
\r
729 for (i = mlen - 1; i < 2 * mlen - 1; i++)
\r
730 a[i] = (a[i] << mshift) | (a[i + 1] >> (BIGNUM_INT_BITS - mshift));
\r
731 a[2 * mlen - 1] = a[2 * mlen - 1] << mshift;
\r
732 internal_mod(a, mlen * 2, m, mlen, NULL, 0);
\r
733 for (i = 2 * mlen - 1; i >= mlen; i--)
\r
734 a[i] = (a[i] >> mshift) | (a[i - 1] << (BIGNUM_INT_BITS - mshift));
\r
737 /* Copy result to buffer */
\r
738 result = newbn(mod[0]);
\r
739 for (i = 0; i < mlen; i++)
\r
740 result[result[0] - i] = a[i + mlen];
\r
741 while (result[0] > 1 && result[result[0]] == 0)
\r
744 /* Free temporary arrays */
\r
745 smemclr(a, 2 * mlen * sizeof(*a));
\r
747 smemclr(scratch, scratchlen * sizeof(*scratch));
\r
749 smemclr(b, 2 * mlen * sizeof(*b));
\r
751 smemclr(m, mlen * sizeof(*m));
\r
753 smemclr(n, mlen * sizeof(*n));
\r
762 * Compute (base ^ exp) % mod. Uses the Montgomery multiplication
\r
763 * technique where possible, falling back to modpow_simple otherwise.
\r
765 Bignum modpow(Bignum base_in, Bignum exp, Bignum mod)
\r
767 BignumInt *a, *b, *x, *n, *mninv, *scratch;
\r
768 int len, scratchlen, i, j;
\r
769 Bignum base, base2, r, rn, inv, result;
\r
772 * The most significant word of mod needs to be non-zero. It
\r
773 * should already be, but let's make sure.
\r
775 assert(mod[mod[0]] != 0);
\r
778 * mod had better be odd, or we can't do Montgomery multiplication
\r
779 * using a power of two at all.
\r
782 return modpow_simple(base_in, exp, mod);
\r
785 * Make sure the base is smaller than the modulus, by reducing
\r
786 * it modulo the modulus if not.
\r
788 base = bigmod(base_in, mod);
\r
791 * Compute the inverse of n mod r, for monty_reduce. (In fact we
\r
792 * want the inverse of _minus_ n mod r, but we'll sort that out
\r
796 r = bn_power_2(BIGNUM_INT_BITS * len);
\r
797 inv = modinv(mod, r);
\r
798 assert(inv); /* cannot fail, since mod is odd and r is a power of 2 */
\r
801 * Multiply the base by r mod n, to get it into Montgomery
\r
804 base2 = modmul(base, r, mod);
\r
808 rn = bigmod(r, mod); /* r mod n, i.e. Montgomerified 1 */
\r
810 freebn(r); /* won't need this any more */
\r
813 * Set up internal arrays of the right lengths, in big-endian
\r
814 * format, containing the base, the modulus, and the modulus's
\r
817 n = snewn(len, BignumInt);
\r
818 for (j = 0; j < len; j++)
\r
819 n[len - 1 - j] = mod[j + 1];
\r
821 mninv = snewn(len, BignumInt);
\r
822 for (j = 0; j < len; j++)
\r
823 mninv[len - 1 - j] = (j < (int)inv[0] ? inv[j + 1] : 0);
\r
824 freebn(inv); /* we don't need this copy of it any more */
\r
825 /* Now negate mninv mod r, so it's the inverse of -n rather than +n. */
\r
826 x = snewn(len, BignumInt);
\r
827 for (j = 0; j < len; j++)
\r
829 internal_sub(x, mninv, mninv, len);
\r
831 /* x = snewn(len, BignumInt); */ /* already done above */
\r
832 for (j = 0; j < len; j++)
\r
833 x[len - 1 - j] = (j < (int)base[0] ? base[j + 1] : 0);
\r
834 freebn(base); /* we don't need this copy of it any more */
\r
836 a = snewn(2*len, BignumInt);
\r
837 b = snewn(2*len, BignumInt);
\r
838 for (j = 0; j < len; j++)
\r
839 a[2*len - 1 - j] = (j < (int)rn[0] ? rn[j + 1] : 0);
\r
842 /* Scratch space for multiplies */
\r
843 scratchlen = 3*len + mul_compute_scratch(len);
\r
844 scratch = snewn(scratchlen, BignumInt);
\r
846 /* Skip leading zero bits of exp. */
\r
848 j = BIGNUM_INT_BITS-1;
\r
849 while (i < (int)exp[0] && (exp[exp[0] - i] & ((BignumInt)1 << j)) == 0) {
\r
853 j = BIGNUM_INT_BITS-1;
\r
857 /* Main computation */
\r
858 while (i < (int)exp[0]) {
\r
860 internal_mul(a + len, a + len, b, len, scratch);
\r
861 monty_reduce(b, n, mninv, scratch, len);
\r
862 if ((exp[exp[0] - i] & ((BignumInt)1 << j)) != 0) {
\r
863 internal_mul(b + len, x, a, len, scratch);
\r
864 monty_reduce(a, n, mninv, scratch, len);
\r
874 j = BIGNUM_INT_BITS-1;
\r
878 * Final monty_reduce to get back from the adjusted Montgomery
\r
881 monty_reduce(a, n, mninv, scratch, len);
\r
883 /* Copy result to buffer */
\r
884 result = newbn(mod[0]);
\r
885 for (i = 0; i < len; i++)
\r
886 result[result[0] - i] = a[i + len];
\r
887 while (result[0] > 1 && result[result[0]] == 0)
\r
890 /* Free temporary arrays */
\r
891 smemclr(scratch, scratchlen * sizeof(*scratch));
\r
893 smemclr(a, 2 * len * sizeof(*a));
\r
895 smemclr(b, 2 * len * sizeof(*b));
\r
897 smemclr(mninv, len * sizeof(*mninv));
\r
899 smemclr(n, len * sizeof(*n));
\r
901 smemclr(x, len * sizeof(*x));
\r
908 * Compute (p * q) % mod.
\r
909 * The most significant word of mod MUST be non-zero.
\r
910 * We assume that the result array is the same size as the mod array.
\r
912 Bignum modmul(Bignum p, Bignum q, Bignum mod)
\r
914 BignumInt *a, *n, *m, *o, *scratch;
\r
915 int mshift, scratchlen;
\r
916 int pqlen, mlen, rlen, i, j;
\r
920 * The most significant word of mod needs to be non-zero. It
\r
921 * should already be, but let's make sure.
\r
923 assert(mod[mod[0]] != 0);
\r
925 /* Allocate m of size mlen, copy mod to m */
\r
926 /* We use big endian internally */
\r
928 m = snewn(mlen, BignumInt);
\r
929 for (j = 0; j < mlen; j++)
\r
930 m[j] = mod[mod[0] - j];
\r
932 /* Shift m left to make msb bit set */
\r
933 for (mshift = 0; mshift < BIGNUM_INT_BITS-1; mshift++)
\r
934 if ((m[0] << mshift) & BIGNUM_TOP_BIT)
\r
937 for (i = 0; i < mlen - 1; i++)
\r
938 m[i] = (m[i] << mshift) | (m[i + 1] >> (BIGNUM_INT_BITS - mshift));
\r
939 m[mlen - 1] = m[mlen - 1] << mshift;
\r
942 pqlen = (p[0] > q[0] ? p[0] : q[0]);
\r
945 * Make sure that we're allowing enough space. The shifting below
\r
946 * will underflow the vectors we allocate if pqlen is too small.
\r
948 if (2*pqlen <= mlen)
\r
949 pqlen = mlen/2 + 1;
\r
951 /* Allocate n of size pqlen, copy p to n */
\r
952 n = snewn(pqlen, BignumInt);
\r
954 for (j = 0; j < i; j++)
\r
956 for (j = 0; j < (int)p[0]; j++)
\r
957 n[i + j] = p[p[0] - j];
\r
959 /* Allocate o of size pqlen, copy q to o */
\r
960 o = snewn(pqlen, BignumInt);
\r
962 for (j = 0; j < i; j++)
\r
964 for (j = 0; j < (int)q[0]; j++)
\r
965 o[i + j] = q[q[0] - j];
\r
967 /* Allocate a of size 2*pqlen for result */
\r
968 a = snewn(2 * pqlen, BignumInt);
\r
970 /* Scratch space for multiplies */
\r
971 scratchlen = mul_compute_scratch(pqlen);
\r
972 scratch = snewn(scratchlen, BignumInt);
\r
974 /* Main computation */
\r
975 internal_mul(n, o, a, pqlen, scratch);
\r
976 internal_mod(a, pqlen * 2, m, mlen, NULL, 0);
\r
978 /* Fixup result in case the modulus was shifted */
\r
980 for (i = 2 * pqlen - mlen - 1; i < 2 * pqlen - 1; i++)
\r
981 a[i] = (a[i] << mshift) | (a[i + 1] >> (BIGNUM_INT_BITS - mshift));
\r
982 a[2 * pqlen - 1] = a[2 * pqlen - 1] << mshift;
\r
983 internal_mod(a, pqlen * 2, m, mlen, NULL, 0);
\r
984 for (i = 2 * pqlen - 1; i >= 2 * pqlen - mlen; i--)
\r
985 a[i] = (a[i] >> mshift) | (a[i - 1] << (BIGNUM_INT_BITS - mshift));
\r
988 /* Copy result to buffer */
\r
989 rlen = (mlen < pqlen * 2 ? mlen : pqlen * 2);
\r
990 result = newbn(rlen);
\r
991 for (i = 0; i < rlen; i++)
\r
992 result[result[0] - i] = a[i + 2 * pqlen - rlen];
\r
993 while (result[0] > 1 && result[result[0]] == 0)
\r
996 /* Free temporary arrays */
\r
997 smemclr(scratch, scratchlen * sizeof(*scratch));
\r
999 smemclr(a, 2 * pqlen * sizeof(*a));
\r
1001 smemclr(m, mlen * sizeof(*m));
\r
1003 smemclr(n, pqlen * sizeof(*n));
\r
1005 smemclr(o, pqlen * sizeof(*o));
\r
1012 * Compute p % mod.
\r
1013 * The most significant word of mod MUST be non-zero.
\r
1014 * We assume that the result array is the same size as the mod array.
\r
1015 * We optionally write out a quotient if `quotient' is non-NULL.
\r
1016 * We can avoid writing out the result if `result' is NULL.
\r
1018 static void bigdivmod(Bignum p, Bignum mod, Bignum result, Bignum quotient)
\r
1022 int plen, mlen, i, j;
\r
1025 * The most significant word of mod needs to be non-zero. It
\r
1026 * should already be, but let's make sure.
\r
1028 assert(mod[mod[0]] != 0);
\r
1030 /* Allocate m of size mlen, copy mod to m */
\r
1031 /* We use big endian internally */
\r
1033 m = snewn(mlen, BignumInt);
\r
1034 for (j = 0; j < mlen; j++)
\r
1035 m[j] = mod[mod[0] - j];
\r
1037 /* Shift m left to make msb bit set */
\r
1038 for (mshift = 0; mshift < BIGNUM_INT_BITS-1; mshift++)
\r
1039 if ((m[0] << mshift) & BIGNUM_TOP_BIT)
\r
1042 for (i = 0; i < mlen - 1; i++)
\r
1043 m[i] = (m[i] << mshift) | (m[i + 1] >> (BIGNUM_INT_BITS - mshift));
\r
1044 m[mlen - 1] = m[mlen - 1] << mshift;
\r
1048 /* Ensure plen > mlen */
\r
1052 /* Allocate n of size plen, copy p to n */
\r
1053 n = snewn(plen, BignumInt);
\r
1054 for (j = 0; j < plen; j++)
\r
1056 for (j = 1; j <= (int)p[0]; j++)
\r
1057 n[plen - j] = p[j];
\r
1059 /* Main computation */
\r
1060 internal_mod(n, plen, m, mlen, quotient, mshift);
\r
1062 /* Fixup result in case the modulus was shifted */
\r
1064 for (i = plen - mlen - 1; i < plen - 1; i++)
\r
1065 n[i] = (n[i] << mshift) | (n[i + 1] >> (BIGNUM_INT_BITS - mshift));
\r
1066 n[plen - 1] = n[plen - 1] << mshift;
\r
1067 internal_mod(n, plen, m, mlen, quotient, 0);
\r
1068 for (i = plen - 1; i >= plen - mlen; i--)
\r
1069 n[i] = (n[i] >> mshift) | (n[i - 1] << (BIGNUM_INT_BITS - mshift));
\r
1072 /* Copy result to buffer */
\r
1074 for (i = 1; i <= (int)result[0]; i++) {
\r
1076 result[i] = j >= 0 ? n[j] : 0;
\r
1080 /* Free temporary arrays */
\r
1081 smemclr(m, mlen * sizeof(*m));
\r
1083 smemclr(n, plen * sizeof(*n));
\r
1088 * Decrement a number.
\r
1090 void decbn(Bignum bn)
\r
1093 while (i < (int)bn[0] && bn[i] == 0)
\r
1094 bn[i++] = BIGNUM_INT_MASK;
\r
1098 Bignum bignum_from_bytes(const unsigned char *data, int nbytes)
\r
1103 assert(nbytes >= 0 && nbytes < INT_MAX/8);
\r
1105 w = (nbytes + BIGNUM_INT_BYTES - 1) / BIGNUM_INT_BYTES; /* bytes->words */
\r
1107 result = newbn(w);
\r
1108 for (i = 1; i <= w; i++)
\r
1110 for (i = nbytes; i--;) {
\r
1111 unsigned char byte = *data++;
\r
1112 result[1 + i / BIGNUM_INT_BYTES] |=
\r
1113 (BignumInt)byte << (8*i % BIGNUM_INT_BITS);
\r
1116 while (result[0] > 1 && result[result[0]] == 0)
\r
1122 * Read an SSH-1-format bignum from a data buffer. Return the number
\r
1123 * of bytes consumed, or -1 if there wasn't enough data.
\r
1125 int ssh1_read_bignum(const unsigned char *data, int len, Bignum * result)
\r
1127 const unsigned char *p = data;
\r
1135 for (i = 0; i < 2; i++)
\r
1136 w = (w << 8) + *p++;
\r
1137 b = (w + 7) / 8; /* bits -> bytes */
\r
1142 if (!result) /* just return length */
\r
1145 *result = bignum_from_bytes(p, b);
\r
1147 return p + b - data;
\r
1151 * Return the bit count of a bignum, for SSH-1 encoding.
\r
1153 int bignum_bitcount(Bignum bn)
\r
1155 int bitcount = bn[0] * BIGNUM_INT_BITS - 1;
\r
1156 while (bitcount >= 0
\r
1157 && (bn[bitcount / BIGNUM_INT_BITS + 1] >> (bitcount % BIGNUM_INT_BITS)) == 0) bitcount--;
\r
1158 return bitcount + 1;
\r
1162 * Return the byte length of a bignum when SSH-1 encoded.
\r
1164 int ssh1_bignum_length(Bignum bn)
\r
1166 return 2 + (bignum_bitcount(bn) + 7) / 8;
\r
1170 * Return the byte length of a bignum when SSH-2 encoded.
\r
1172 int ssh2_bignum_length(Bignum bn)
\r
1174 return 4 + (bignum_bitcount(bn) + 8) / 8;
\r
1178 * Return a byte from a bignum; 0 is least significant, etc.
\r
1180 int bignum_byte(Bignum bn, int i)
\r
1182 if (i < 0 || i >= (int)(BIGNUM_INT_BYTES * bn[0]))
\r
1183 return 0; /* beyond the end */
\r
1185 return (bn[i / BIGNUM_INT_BYTES + 1] >>
\r
1186 ((i % BIGNUM_INT_BYTES)*8)) & 0xFF;
\r
1190 * Return a bit from a bignum; 0 is least significant, etc.
\r
1192 int bignum_bit(Bignum bn, int i)
\r
1194 if (i < 0 || i >= (int)(BIGNUM_INT_BITS * bn[0]))
\r
1195 return 0; /* beyond the end */
\r
1197 return (bn[i / BIGNUM_INT_BITS + 1] >> (i % BIGNUM_INT_BITS)) & 1;
\r
1201 * Set a bit in a bignum; 0 is least significant, etc.
\r
1203 void bignum_set_bit(Bignum bn, int bitnum, int value)
\r
1205 if (bitnum < 0 || bitnum >= (int)(BIGNUM_INT_BITS * bn[0]))
\r
1206 abort(); /* beyond the end */
\r
1208 int v = bitnum / BIGNUM_INT_BITS + 1;
\r
1209 BignumInt mask = (BignumInt)1 << (bitnum % BIGNUM_INT_BITS);
\r
1218 * Write a SSH-1-format bignum into a buffer. It is assumed the
\r
1219 * buffer is big enough. Returns the number of bytes used.
\r
1221 int ssh1_write_bignum(void *data, Bignum bn)
\r
1223 unsigned char *p = data;
\r
1224 int len = ssh1_bignum_length(bn);
\r
1226 int bitc = bignum_bitcount(bn);
\r
1228 *p++ = (bitc >> 8) & 0xFF;
\r
1229 *p++ = (bitc) & 0xFF;
\r
1230 for (i = len - 2; i--;)
\r
1231 *p++ = bignum_byte(bn, i);
\r
1236 * Compare two bignums. Returns like strcmp.
\r
1238 int bignum_cmp(Bignum a, Bignum b)
\r
1240 int amax = a[0], bmax = b[0];
\r
1243 /* Annoyingly we have two representations of zero */
\r
1244 if (amax == 1 && a[amax] == 0)
\r
1246 if (bmax == 1 && b[bmax] == 0)
\r
1249 assert(amax == 0 || a[amax] != 0);
\r
1250 assert(bmax == 0 || b[bmax] != 0);
\r
1252 i = (amax > bmax ? amax : bmax);
\r
1254 BignumInt aval = (i > amax ? 0 : a[i]);
\r
1255 BignumInt bval = (i > bmax ? 0 : b[i]);
\r
1266 * Right-shift one bignum to form another.
\r
1268 Bignum bignum_rshift(Bignum a, int shift)
\r
1271 int i, shiftw, shiftb, shiftbb, bits;
\r
1272 BignumInt ai, ai1;
\r
1274 assert(shift >= 0);
\r
1276 bits = bignum_bitcount(a) - shift;
\r
1277 ret = newbn((bits + BIGNUM_INT_BITS - 1) / BIGNUM_INT_BITS);
\r
1280 shiftw = shift / BIGNUM_INT_BITS;
\r
1281 shiftb = shift % BIGNUM_INT_BITS;
\r
1282 shiftbb = BIGNUM_INT_BITS - shiftb;
\r
1284 ai1 = a[shiftw + 1];
\r
1285 for (i = 1; i <= (int)ret[0]; i++) {
\r
1287 ai1 = (i + shiftw + 1 <= (int)a[0] ? a[i + shiftw + 1] : 0);
\r
1288 ret[i] = ((ai >> shiftb) | (ai1 << shiftbb)) & BIGNUM_INT_MASK;
\r
1296 * Non-modular multiplication and addition.
\r
1298 Bignum bigmuladd(Bignum a, Bignum b, Bignum addend)
\r
1300 int alen = a[0], blen = b[0];
\r
1301 int mlen = (alen > blen ? alen : blen);
\r
1302 int rlen, i, maxspot;
\r
1304 BignumInt *workspace;
\r
1307 /* mlen space for a, mlen space for b, 2*mlen for result,
\r
1308 * plus scratch space for multiplication */
\r
1309 wslen = mlen * 4 + mul_compute_scratch(mlen);
\r
1310 workspace = snewn(wslen, BignumInt);
\r
1311 for (i = 0; i < mlen; i++) {
\r
1312 workspace[0 * mlen + i] = (mlen - i <= (int)a[0] ? a[mlen - i] : 0);
\r
1313 workspace[1 * mlen + i] = (mlen - i <= (int)b[0] ? b[mlen - i] : 0);
\r
1316 internal_mul(workspace + 0 * mlen, workspace + 1 * mlen,
\r
1317 workspace + 2 * mlen, mlen, workspace + 4 * mlen);
\r
1319 /* now just copy the result back */
\r
1320 rlen = alen + blen + 1;
\r
1321 if (addend && rlen <= (int)addend[0])
\r
1322 rlen = addend[0] + 1;
\r
1323 ret = newbn(rlen);
\r
1325 for (i = 1; i <= (int)ret[0]; i++) {
\r
1326 ret[i] = (i <= 2 * mlen ? workspace[4 * mlen - i] : 0);
\r
1332 /* now add in the addend, if any */
\r
1334 BignumDblInt carry = 0;
\r
1335 for (i = 1; i <= rlen; i++) {
\r
1336 carry += (i <= (int)ret[0] ? ret[i] : 0);
\r
1337 carry += (i <= (int)addend[0] ? addend[i] : 0);
\r
1338 ret[i] = (BignumInt) carry & BIGNUM_INT_MASK;
\r
1339 carry >>= BIGNUM_INT_BITS;
\r
1340 if (ret[i] != 0 && i > maxspot)
\r
1346 smemclr(workspace, wslen * sizeof(*workspace));
\r
1352 * Non-modular multiplication.
\r
1354 Bignum bigmul(Bignum a, Bignum b)
\r
1356 return bigmuladd(a, b, NULL);
\r
1360 * Simple addition.
\r
1362 Bignum bigadd(Bignum a, Bignum b)
\r
1364 int alen = a[0], blen = b[0];
\r
1365 int rlen = (alen > blen ? alen : blen) + 1;
\r
1368 BignumDblInt carry;
\r
1370 ret = newbn(rlen);
\r
1374 for (i = 1; i <= rlen; i++) {
\r
1375 carry += (i <= (int)a[0] ? a[i] : 0);
\r
1376 carry += (i <= (int)b[0] ? b[i] : 0);
\r
1377 ret[i] = (BignumInt) carry & BIGNUM_INT_MASK;
\r
1378 carry >>= BIGNUM_INT_BITS;
\r
1379 if (ret[i] != 0 && i > maxspot)
\r
1388 * Subtraction. Returns a-b, or NULL if the result would come out
\r
1389 * negative (recall that this entire bignum module only handles
\r
1390 * positive numbers).
\r
1392 Bignum bigsub(Bignum a, Bignum b)
\r
1394 int alen = a[0], blen = b[0];
\r
1395 int rlen = (alen > blen ? alen : blen);
\r
1398 BignumDblInt carry;
\r
1400 ret = newbn(rlen);
\r
1404 for (i = 1; i <= rlen; i++) {
\r
1405 carry += (i <= (int)a[0] ? a[i] : 0);
\r
1406 carry += (i <= (int)b[0] ? b[i] ^ BIGNUM_INT_MASK : BIGNUM_INT_MASK);
\r
1407 ret[i] = (BignumInt) carry & BIGNUM_INT_MASK;
\r
1408 carry >>= BIGNUM_INT_BITS;
\r
1409 if (ret[i] != 0 && i > maxspot)
\r
1423 * Create a bignum which is the bitmask covering another one. That
\r
1424 * is, the smallest integer which is >= N and is also one less than
\r
1427 Bignum bignum_bitmask(Bignum n)
\r
1429 Bignum ret = copybn(n);
\r
1434 while (n[i] == 0 && i > 0)
\r
1437 return ret; /* input was zero */
\r
1443 ret[i] = BIGNUM_INT_MASK;
\r
1448 * Convert a (max 32-bit) long into a bignum.
\r
1450 Bignum bignum_from_long(unsigned long nn)
\r
1453 BignumDblInt n = nn;
\r
1456 ret[1] = (BignumInt)(n & BIGNUM_INT_MASK);
\r
1457 ret[2] = (BignumInt)((n >> BIGNUM_INT_BITS) & BIGNUM_INT_MASK);
\r
1459 ret[0] = (ret[2] ? 2 : 1);
\r
1464 * Add a long to a bignum.
\r
1466 Bignum bignum_add_long(Bignum number, unsigned long addendx)
\r
1468 Bignum ret = newbn(number[0] + 1);
\r
1469 int i, maxspot = 0;
\r
1470 BignumDblInt carry = 0, addend = addendx;
\r
1472 for (i = 1; i <= (int)ret[0]; i++) {
\r
1473 carry += addend & BIGNUM_INT_MASK;
\r
1474 carry += (i <= (int)number[0] ? number[i] : 0);
\r
1475 addend >>= BIGNUM_INT_BITS;
\r
1476 ret[i] = (BignumInt) carry & BIGNUM_INT_MASK;
\r
1477 carry >>= BIGNUM_INT_BITS;
\r
1486 * Compute the residue of a bignum, modulo a (max 16-bit) short.
\r
1488 unsigned short bignum_mod_short(Bignum number, unsigned short modulus)
\r
1490 BignumDblInt mod, r;
\r
1495 for (i = number[0]; i > 0; i--)
\r
1496 r = (r * (BIGNUM_TOP_BIT % mod) * 2 + number[i] % mod) % mod;
\r
1497 return (unsigned short) r;
\r
1501 void diagbn(char *prefix, Bignum md)
\r
1503 int i, nibbles, morenibbles;
\r
1504 static const char hex[] = "0123456789ABCDEF";
\r
1506 debug(("%s0x", prefix ? prefix : ""));
\r
1508 nibbles = (3 + bignum_bitcount(md)) / 4;
\r
1511 morenibbles = 4 * md[0] - nibbles;
\r
1512 for (i = 0; i < morenibbles; i++)
\r
1514 for (i = nibbles; i--;)
\r
1516 hex[(bignum_byte(md, i / 2) >> (4 * (i % 2))) & 0xF]));
\r
1524 * Simple division.
\r
1526 Bignum bigdiv(Bignum a, Bignum b)
\r
1528 Bignum q = newbn(a[0]);
\r
1529 bigdivmod(a, b, NULL, q);
\r
1530 while (q[0] > 1 && q[q[0]] == 0)
\r
1536 * Simple remainder.
\r
1538 Bignum bigmod(Bignum a, Bignum b)
\r
1540 Bignum r = newbn(b[0]);
\r
1541 bigdivmod(a, b, r, NULL);
\r
1542 while (r[0] > 1 && r[r[0]] == 0)
\r
1548 * Greatest common divisor.
\r
1550 Bignum biggcd(Bignum av, Bignum bv)
\r
1552 Bignum a = copybn(av);
\r
1553 Bignum b = copybn(bv);
\r
1555 while (bignum_cmp(b, Zero) != 0) {
\r
1556 Bignum t = newbn(b[0]);
\r
1557 bigdivmod(a, b, t, NULL);
\r
1558 while (t[0] > 1 && t[t[0]] == 0)
\r
1570 * Modular inverse, using Euclid's extended algorithm.
\r
1572 Bignum modinv(Bignum number, Bignum modulus)
\r
1574 Bignum a = copybn(modulus);
\r
1575 Bignum b = copybn(number);
\r
1576 Bignum xp = copybn(Zero);
\r
1577 Bignum x = copybn(One);
\r
1580 assert(number[number[0]] != 0);
\r
1581 assert(modulus[modulus[0]] != 0);
\r
1583 while (bignum_cmp(b, One) != 0) {
\r
1586 if (bignum_cmp(b, Zero) == 0) {
\r
1588 * Found a common factor between the inputs, so we cannot
\r
1589 * return a modular inverse at all.
\r
1600 bigdivmod(a, b, t, q);
\r
1601 while (t[0] > 1 && t[t[0]] == 0)
\r
1603 while (q[0] > 1 && q[q[0]] == 0)
\r
1610 x = bigmuladd(q, xp, t);
\r
1620 /* now we know that sign * x == 1, and that x < modulus */
\r
1622 /* set a new x to be modulus - x */
\r
1623 Bignum newx = newbn(modulus[0]);
\r
1624 BignumInt carry = 0;
\r
1628 for (i = 1; i <= (int)newx[0]; i++) {
\r
1629 BignumInt aword = (i <= (int)modulus[0] ? modulus[i] : 0);
\r
1630 BignumInt bword = (i <= (int)x[0] ? x[i] : 0);
\r
1631 newx[i] = aword - bword - carry;
\r
1633 carry = carry ? (newx[i] >= bword) : (newx[i] > bword);
\r
1637 newx[0] = maxspot;
\r
1647 * Render a bignum into decimal. Return a malloced string holding
\r
1648 * the decimal representation.
\r
1650 char *bignum_decimal(Bignum x)
\r
1652 int ndigits, ndigit;
\r
1654 BignumDblInt carry;
\r
1656 BignumInt *workspace;
\r
1659 * First, estimate the number of digits. Since log(10)/log(2)
\r
1660 * is just greater than 93/28 (the joys of continued fraction
\r
1661 * approximations...) we know that for every 93 bits, we need
\r
1662 * at most 28 digits. This will tell us how much to malloc.
\r
1664 * Formally: if x has i bits, that means x is strictly less
\r
1665 * than 2^i. Since 2 is less than 10^(28/93), this is less than
\r
1666 * 10^(28i/93). We need an integer power of ten, so we must
\r
1667 * round up (rounding down might make it less than x again).
\r
1668 * Therefore if we multiply the bit count by 28/93, rounding
\r
1669 * up, we will have enough digits.
\r
1671 * i=0 (i.e., x=0) is an irritating special case.
\r
1673 i = bignum_bitcount(x);
\r
1675 ndigits = 1; /* x = 0 */
\r
1677 ndigits = (28 * i + 92) / 93; /* multiply by 28/93 and round up */
\r
1678 ndigits++; /* allow for trailing \0 */
\r
1679 ret = snewn(ndigits, char);
\r
1682 * Now allocate some workspace to hold the binary form as we
\r
1683 * repeatedly divide it by ten. Initialise this to the
\r
1684 * big-endian form of the number.
\r
1686 workspace = snewn(x[0], BignumInt);
\r
1687 for (i = 0; i < (int)x[0]; i++)
\r
1688 workspace[i] = x[x[0] - i];
\r
1691 * Next, write the decimal number starting with the last digit.
\r
1692 * We use ordinary short division, dividing 10 into the
\r
1695 ndigit = ndigits - 1;
\r
1696 ret[ndigit] = '\0';
\r
1700 for (i = 0; i < (int)x[0]; i++) {
\r
1701 carry = (carry << BIGNUM_INT_BITS) + workspace[i];
\r
1702 workspace[i] = (BignumInt) (carry / 10);
\r
1707 ret[--ndigit] = (char) (carry + '0');
\r
1708 } while (!iszero);
\r
1711 * There's a chance we've fallen short of the start of the
\r
1712 * string. Correct if so.
\r
1715 memmove(ret, ret + ndigit, ndigits - ndigit);
\r
1720 smemclr(workspace, x[0] * sizeof(*workspace));
\r
1727 #include <stdio.h>
\r
1728 #include <stdlib.h>
\r
1729 #include <ctype.h>
\r
1732 * gcc -Wall -g -O0 -DTESTBN -o testbn sshbn.c misc.c conf.c tree234.c unix/uxmisc.c -I. -I unix -I charset
\r
1734 * Then feed to this program's standard input the output of
\r
1735 * testdata/bignum.py .
\r
1738 void modalfatalbox(char *p, ...)
\r
1741 fprintf(stderr, "FATAL ERROR: ");
\r
1743 vfprintf(stderr, p, ap);
\r
1745 fputc('\n', stderr);
\r
1749 int random_byte(void)
\r
1751 modalfatalbox("random_byte called in testbn");
\r
1755 #define fromxdigit(c) ( (c)>'9' ? ((c)&0xDF) - 'A' + 10 : (c) - '0' )
\r
1757 int main(int argc, char **argv)
\r
1761 int passes = 0, fails = 0;
\r
1763 while ((buf = fgetline(stdin)) != NULL) {
\r
1764 int maxlen = strlen(buf);
\r
1765 unsigned char *data = snewn(maxlen, unsigned char);
\r
1766 unsigned char *ptrs[5], *q;
\r
1775 while (*bufp && !isspace((unsigned char)*bufp))
\r
1781 char *start, *end;
\r
1784 while (*bufp && !isxdigit((unsigned char)*bufp))
\r
1791 while (*bufp && isxdigit((unsigned char)*bufp))
\r
1795 if (ptrnum >= lenof(ptrs))
\r
1797 ptrs[ptrnum++] = q;
\r
1799 for (i = -((end - start) & 1); i < end-start; i += 2) {
\r
1800 unsigned char val = (i < 0 ? 0 : fromxdigit(start[i]));
\r
1801 val = val * 16 + fromxdigit(start[i+1]);
\r
1808 if (!strcmp(buf, "mul")) {
\r
1809 Bignum a, b, c, p;
\r
1811 if (ptrnum != 3) {
\r
1812 printf("%d: mul with %d parameters, expected 3\n", line, ptrnum);
\r
1815 a = bignum_from_bytes(ptrs[0], ptrs[1]-ptrs[0]);
\r
1816 b = bignum_from_bytes(ptrs[1], ptrs[2]-ptrs[1]);
\r
1817 c = bignum_from_bytes(ptrs[2], ptrs[3]-ptrs[2]);
\r
1820 if (bignum_cmp(c, p) == 0) {
\r
1823 char *as = bignum_decimal(a);
\r
1824 char *bs = bignum_decimal(b);
\r
1825 char *cs = bignum_decimal(c);
\r
1826 char *ps = bignum_decimal(p);
\r
1828 printf("%d: fail: %s * %s gave %s expected %s\n",
\r
1829 line, as, bs, ps, cs);
\r
1841 } else if (!strcmp(buf, "modmul")) {
\r
1842 Bignum a, b, m, c, p;
\r
1844 if (ptrnum != 4) {
\r
1845 printf("%d: modmul with %d parameters, expected 4\n",
\r
1849 a = bignum_from_bytes(ptrs[0], ptrs[1]-ptrs[0]);
\r
1850 b = bignum_from_bytes(ptrs[1], ptrs[2]-ptrs[1]);
\r
1851 m = bignum_from_bytes(ptrs[2], ptrs[3]-ptrs[2]);
\r
1852 c = bignum_from_bytes(ptrs[3], ptrs[4]-ptrs[3]);
\r
1853 p = modmul(a, b, m);
\r
1855 if (bignum_cmp(c, p) == 0) {
\r
1858 char *as = bignum_decimal(a);
\r
1859 char *bs = bignum_decimal(b);
\r
1860 char *ms = bignum_decimal(m);
\r
1861 char *cs = bignum_decimal(c);
\r
1862 char *ps = bignum_decimal(p);
\r
1864 printf("%d: fail: %s * %s mod %s gave %s expected %s\n",
\r
1865 line, as, bs, ms, ps, cs);
\r
1879 } else if (!strcmp(buf, "pow")) {
\r
1880 Bignum base, expt, modulus, expected, answer;
\r
1882 if (ptrnum != 4) {
\r
1883 printf("%d: mul with %d parameters, expected 4\n", line, ptrnum);
\r
1887 base = bignum_from_bytes(ptrs[0], ptrs[1]-ptrs[0]);
\r
1888 expt = bignum_from_bytes(ptrs[1], ptrs[2]-ptrs[1]);
\r
1889 modulus = bignum_from_bytes(ptrs[2], ptrs[3]-ptrs[2]);
\r
1890 expected = bignum_from_bytes(ptrs[3], ptrs[4]-ptrs[3]);
\r
1891 answer = modpow(base, expt, modulus);
\r
1893 if (bignum_cmp(expected, answer) == 0) {
\r
1896 char *as = bignum_decimal(base);
\r
1897 char *bs = bignum_decimal(expt);
\r
1898 char *cs = bignum_decimal(modulus);
\r
1899 char *ds = bignum_decimal(answer);
\r
1900 char *ps = bignum_decimal(expected);
\r
1902 printf("%d: fail: %s ^ %s mod %s gave %s expected %s\n",
\r
1903 line, as, bs, cs, ds, ps);
\r
1918 printf("%d: unrecognised test keyword: '%s'\n", line, buf);
\r
1926 printf("passed %d failed %d total %d\n", passes, fails, passes+fails);
\r
1927 return fails != 0;
\r