| blob | f94693ad5e0a9576f8a311b012156dfd660f1bd9 |
1 /*
2 * dlls/rsaenh/mpi.c
3 * Multi Precision Integer functions
4 *
5 * Copyright 2004 Michael Jung
6 * Based on public domain code by Tom St Denis (tomstdenis@iahu.ca)
7 *
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License as published by the Free Software Foundation; either
11 * version 2.1 of the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
21 */
23 /*
24 * This file contains code from the LibTomCrypt cryptographic
25 * library written by Tom St Denis (tomstdenis@iahu.ca). LibTomCrypt
26 * is in the public domain. The code in this file is tailored to
27 * special requirements. Take a look at http://libtomcrypt.org for the
28 * original version.
29 */
31 #include <stdarg.h>
32 #include <stdlib.h>
38 /* Known optimal configurations
39 CPU /Compiler /MUL CUTOFF/SQR CUTOFF
40 -------------------------------------------------------------
41 Intel P4 Northwood /GCC v3.4.1 / 88/ 128/LTM 0.32 ;-)
42 */
43 static const int KARATSUBA_MUL_CUTOFF = 88, /* Min. number of digits before Karatsuba multiplication is used. */
47 /* trim unused digits */
50 /* compare |a| to |b| */
53 /* Counts the number of lsbs which are zero before the first zero bit */
56 /* computes a = B**n mod b without division or multiplication useful for
57 * normalizing numbers in a Montgomery system.
58 */
61 /* computes x/R == x (mod N) via Montgomery Reduction */
64 /* setups the montgomery reduction */
67 /* Barrett Reduction, computes a (mod b) with a precomputed value c
68 *
69 * Assumes that 0 < a <= b*b, note if 0 > a > -(b*b) then you can merely
70 * compute the reduction as -1 * mp_reduce(mp_abs(a)) [pseudo code].
71 */
74 /* reduces a modulo b where b is of the form 2**p - k [0 <= a] */
77 /* determines k value for 2k reduction */
80 /* used to setup the Barrett reduction for a given modulus b */
83 /* set to a digit */
86 /* b = a*a */
89 /* c = a * a (mod b) */
96 #define s_mp_mul(a, b, c) s_mp_mul_digs(a, b, c, (a)->used + (b)->used + 1)
106 /* grow as required */
108 {
112 /* if the alloc size is smaller alloc more ram */
114 /* ensure there are always at least MP_PREC digits extra on top */
117 /* reallocate the array a->dp
118 *
119 * We store the return in a temporary variable
120 * in case the operation failed we don't want
121 * to overwrite the dp member of a.
122 */
125 /* reallocation failed but "a" is still valid [can be freed] */
127 }
129 /* reallocation succeeded so set a->dp */
132 /* zero excess digits */
137 }
138 }
140 }
142 /* b = a/2 */
144 {
147 /* copy */
151 }
152 }
156 {
159 /* source alias */
162 /* dest alias */
165 /* carry */
168 /* get the carry for the next iteration */
171 /* shift the current digit, add in carry and store */
174 /* forward carry to next iteration */
176 }
178 /* zero excess digits */
182 }
183 }
187 }
189 /* swap the elements of two integers, for cases where you can't simply swap the
190 * mp_int pointers around
191 */
192 static void
194 {
195 mp_int t;
200 }
202 /* init a new mp_int */
204 {
207 /* allocate memory required and clear it */
211 }
213 /* set the digits to zero */
216 }
218 /* set the used to zero, allocated digits to the default precision
219 * and sign to positive */
225 }
227 /* init an mp_init for a given size */
229 {
232 /* pad size so there are always extra digits */
235 /* alloc mem */
239 }
241 /* set the members */
246 /* zero the digits */
249 }
252 }
254 /* clear one (frees) */
255 static void
257 {
260 /* only do anything if a hasn't been freed previously */
262 /* first zero the digits */
265 }
267 /* free ram */
270 /* reset members to make debugging easier */
274 }
275 }
277 /* set to zero */
278 static void
280 {
284 }
286 /* b = |a|
287 *
288 * Simple function copies the input and fixes the sign to positive
289 */
290 static int
292 {
295 /* copy a to b */
299 }
300 }
302 /* force the sign of b to positive */
306 }
308 /* computes the modular inverse via binary extended euclidean algorithm,
309 * that is c = 1/a mod b
310 *
311 * Based on slow invmod except this is optimized for the case where b is
312 * odd as per HAC Note 14.64 on pp. 610
313 */
314 static int
316 {
320 /* 2. [modified] b must be odd */
323 }
325 /* init all our temps */
328 }
330 /* x == modulus, y == value to invert */
333 }
335 /* we need y = |a| */
338 }
340 /* 3. u=x, v=y, A=1, B=0, C=0,D=1 */
343 }
346 }
349 top:
350 /* 4. while u is even do */
352 /* 4.1 u = u/2 */
355 }
356 /* 4.2 if B is odd then */
360 }
361 }
362 /* B = B/2 */
365 }
366 }
368 /* 5. while v is even do */
370 /* 5.1 v = v/2 */
373 }
374 /* 5.2 if D is odd then */
376 /* D = (D-x)/2 */
379 }
380 }
381 /* D = D/2 */
384 }
385 }
387 /* 6. if u >= v then */
389 /* u = u - v, B = B - D */
392 }
396 }
398 /* v - v - u, D = D - B */
401 }
405 }
406 }
408 /* if not zero goto step 4 */
411 }
413 /* now a = C, b = D, gcd == g*v */
415 /* if v != 1 then there is no inverse */
419 }
421 /* b is now the inverse */
426 }
427 }
434 }
436 /* computes xR**-1 == x (mod N) via Montgomery Reduction
437 *
438 * This is an optimized implementation of montgomery_reduce
439 * which uses the comba method to quickly calculate the columns of the
440 * reduction.
441 *
442 * Based on Algorithm 14.32 on pp.601 of HAC.
443 */
444 static int
446 {
450 /* get old used count */
453 /* grow a as required */
457 }
458 }
460 /* first we have to get the digits of the input into
461 * an array of double precision words W[...]
462 */
463 {
467 /* alias for the W[] array */
470 /* alias for the digits of x*/
473 /* copy the digits of a into W[0..a->used-1] */
476 }
478 /* zero the high words of W[a->used..m->used*2] */
481 }
482 }
484 /* now we proceed to zero successive digits
485 * from the least significant upwards
486 */
488 /* mu = ai * m' mod b
489 *
490 * We avoid a double precision multiplication (which isn't required)
491 * by casting the value down to a mp_digit. Note this requires
492 * that W[ix-1] have the carry cleared (see after the inner loop)
493 */
497 /* a = a + mu * m * b**i
498 *
499 * This is computed in place and on the fly. The multiplication
500 * by b**i is handled by offsetting which columns the results
501 * are added to.
502 *
503 * Note the comba method normally doesn't handle carries in the
504 * inner loop In this case we fix the carry from the previous
505 * column since the Montgomery reduction requires digits of the
506 * result (so far) [see above] to work. This is
507 * handled by fixing up one carry after the inner loop. The
508 * carry fixups are done in order so after these loops the
509 * first m->used words of W[] have the carries fixed
510 */
511 {
516 /* alias for the digits of the modulus */
519 /* Alias for the columns set by an offset of ix */
522 /* inner loop */
525 }
526 }
528 /* now fix carry for next digit, W[ix+1] */
530 }
532 /* now we have to propagate the carries and
533 * shift the words downward [all those least
534 * significant digits we zeroed].
535 */
536 {
540 /* nox fix rest of carries */
542 /* alias for current word */
545 /* alias for next word, where the carry goes */
550 }
552 /* copy out, A = A/b**n
553 *
554 * The result is A/b**n but instead of converting from an
555 * array of mp_word to mp_digit than calling mp_rshd
556 * we just copy them in the right order
557 */
559 /* alias for destination word */
562 /* alias for shifted double precision result */
567 }
569 /* zero oldused digits, if the input a was larger than
570 * m->used+1 we'll have to clear the digits
571 */
574 }
575 }
577 /* set the max used and clamp */
581 /* if A >= m then A = A - m */
584 }
586 }
588 /* Fast (comba) multiplier
589 *
590 * This is the fast column-array [comba] multiplier. It is
591 * designed to compute the columns of the product first
592 * then handle the carries afterwards. This has the effect
593 * of making the nested loops that compute the columns very
594 * simple and schedulable on super-scalar processors.
595 *
596 * This has been modified to produce a variable number of
597 * digits of output so if say only a half-product is required
598 * you don't have to compute the upper half (a feature
599 * required for fast Barrett reduction).
600 *
601 * Based on Algorithm 14.12 on pp.595 of HAC.
602 *
603 */
604 static int
606 {
611 /* grow the destination as required */
615 }
616 }
618 /* number of output digits to produce */
621 /* clear the carry */
628 /* get offsets into the two bignums */
632 /* setup temp aliases */
636 /* This is the number of times the loop will iterate, essentially it's
637 while (tx++ < a->used && ty-- >= 0) { ... }
638 */
641 /* execute loop */
644 }
646 /* store term */
649 /* make next carry */
651 }
653 /* setup dest */
657 {
661 /* now extract the previous digit [below the carry] */
663 }
665 /* clear unused digits [that existed in the old copy of c] */
668 }
669 }
672 }
674 /* this is a modified version of fast_s_mul_digs that only produces
675 * output digits *above* digs. See the comments for fast_s_mul_digs
676 * to see how it works.
677 *
678 * This is used in the Barrett reduction since for one of the multiplications
679 * only the higher digits were needed. This essentially halves the work.
680 *
681 * Based on Algorithm 14.12 on pp.595 of HAC.
682 */
683 static int
685 {
688 mp_word _W;
690 /* grow the destination as required */
695 }
696 }
698 /* number of output digits to produce */
705 /* get offsets into the two bignums */
709 /* setup temp aliases */
713 /* This is the number of times the loop will iterate, essentially it's
714 while (tx++ < a->used && ty-- >= 0) { ... }
715 */
718 /* execute loop */
721 }
723 /* store term */
726 /* make next carry */
728 }
730 /* setup dest */
734 {
739 /* now extract the previous digit [below the carry] */
741 }
743 /* clear unused digits [that existed in the old copy of c] */
746 }
747 }
750 }
752 /* fast squaring
753 *
754 * This is the comba method where the columns of the product
755 * are computed first then the carries are computed. This
756 * has the effect of making a very simple inner loop that
757 * is executed the most
758 *
759 * W2 represents the outer products and W the inner.
760 *
761 * A further optimizations is made because the inner
762 * products are of the form "A * B * 2". The *2 part does
763 * not need to be computed until the end which is good
764 * because 64-bit shifts are slow!
765 *
766 * Based on Algorithm 14.16 on pp.597 of HAC.
767 *
768 */
769 /* the jist of squaring...
771 you do like mult except the offset of the tmpx [one that starts closer to zero]
772 can't equal the offset of tmpy. So basically you set up iy like before then you min it with
773 (ty-tx) so that it never happens. You double all those you add in the inner loop
775 After that loop you do the squares and add them in.
777 Remove W2 and don't memset W
779 */
782 {
785 mp_word W1;
787 /* grow the destination as required */
792 }
793 }
795 /* number of output digits to produce */
799 mp_word _W;
802 /* clear counter */
805 /* get offsets into the two bignums */
809 /* setup temp aliases */
813 /* This is the number of times the loop will iterate, essentially it's
814 while (tx++ < a->used && ty-- >= 0) { ... }
815 */
818 /* now for squaring tx can never equal ty
819 * we halve the distance since they approach at a rate of 2x
820 * and we have to round because odd cases need to be executed
821 */
824 /* execute loop */
827 }
829 /* double the inner product and add carry */
832 /* even columns have the square term in them */
835 }
837 /* store it */
840 /* make next carry */
842 }
844 /* setup dest */
848 {
853 }
855 /* clear unused digits [that existed in the old copy of c] */
858 }
859 }
862 }
864 /* computes a = 2**b
865 *
866 * Simple algorithm which zeroes the int, grows it then just sets one bit
867 * as required.
868 */
869 static int
871 {
874 /* zero a as per default */
877 /* grow a to accommodate the single bit */
880 }
882 /* set the used count of where the bit will go */
885 /* put the single bit in its place */
889 }
891 /* high level addition (handles signs) */
893 {
896 /* get sign of both inputs */
900 /* handle two cases, not four */
902 /* both positive or both negative */
903 /* add their magnitudes, copy the sign */
907 /* one positive, the other negative */
908 /* subtract the one with the greater magnitude from */
909 /* the one of the lesser magnitude. The result gets */
910 /* the sign of the one with the greater magnitude. */
917 }
918 }
920 }
923 /* single digit addition */
924 static int
926 {
930 /* grow c as required */
934 }
935 }
937 /* if a is negative and |a| >= b, call c = |a| - b */
939 /* temporarily fix sign of a */
942 /* c = |a| - b */
945 /* fix sign */
949 }
951 /* old number of used digits in c */
954 /* sign always positive */
957 /* source alias */
960 /* destination alias */
963 /* if a is positive */
965 /* add digit, after this we're propagating
966 * the carry.
967 */
972 /* now handle rest of the digits */
977 }
978 /* set final carry */
979 ix++;
982 /* setup size */
985 /* a was negative and |a| < b */
988 /* the result is a single digit */
993 }
995 /* setup count so the clearing of oldused
996 * can fall through correctly
997 */
999 }
1001 /* now zero to oldused */
1004 }
1008 }
1010 /* trim unused digits
1011 *
1012 * This is used to ensure that leading zero digits are
1013 * trimmed and the leading "used" digit will be non-zero
1014 * Typically very fast. Also fixes the sign if there
1015 * are no more leading digits
1016 */
1017 void
1019 {
1020 /* decrease used while the most significant digit is
1021 * zero.
1022 */
1025 }
1027 /* reset the sign flag if used == 0 */
1030 }
1031 }
1034 {
1041 }
1043 }
1045 /* compare two ints (signed)*/
1046 int
1048 {
1049 /* compare based on sign */
1055 }
1056 }
1058 /* compare digits */
1060 /* if negative compare opposite direction */
1064 }
1065 }
1067 /* compare a digit */
1069 {
1070 /* compare based on sign */
1073 }
1075 /* compare based on magnitude */
1078 }
1080 /* compare the only digit of a to b */
1087 }
1088 }
1090 /* compare maginitude of two ints (unsigned) */
1092 {
1096 /* compare based on # of non-zero digits */
1099 }
1103 }
1105 /* alias for a */
1108 /* alias for b */
1111 /* compare based on digits */
1115 }
1119 }
1120 }
1122 }
1126 };
1128 /* Counts the number of lsbs which are zero before the first zero bit */
1130 {
1134 /* easy out */
1137 }
1139 /* scan lower digits until non-zero */
1144 /* now scan this digit until a 1 is found */
1151 }
1153 }
1155 /* copy, b = a */
1156 int
1158 {
1161 /* if dst == src do nothing */
1164 }
1166 /* grow dest */
1170 }
1171 }
1173 /* zero b and copy the parameters over */
1174 {
1177 /* pointer aliases */
1179 /* source */
1182 /* destination */
1185 /* copy all the digits */
1188 }
1190 /* clear high digits */
1193 }
1194 }
1196 /* copy used count and sign */
1200 }
1202 /* returns the number of bits in an int */
1203 int
1205 {
1207 mp_digit q;
1209 /* shortcut */
1212 }
1214 /* get number of digits and add that */
1217 /* take the last digit and count the bits in it */
1222 }
1224 }
1226 /* calc a value mod 2**b */
1227 static int
1229 {
1232 /* if b is <= 0 then zero the int */
1236 }
1238 /* if the modulus is larger than the value than return */
1242 }
1244 /* copy */
1247 }
1249 /* zero digits above the last digit of the modulus */
1252 }
1253 /* clear the digit that is not completely outside/inside the modulus */
1257 }
1259 /* shift right a certain amount of digits */
1261 {
1264 /* if b <= 0 then ignore it */
1267 }
1269 /* if b > used then simply zero it and return */
1273 }
1275 {
1278 /* shift the digits down */
1280 /* bottom */
1283 /* top [offset into digits] */
1286 /* this is implemented as a sliding window where
1287 * the window is b-digits long and digits from
1288 * the top of the window are copied to the bottom
1289 *
1290 * e.g.
1292 b-2 | b-1 | b0 | b1 | b2 | ... | bb | ---->
1293 /\ | ---->
1294 \-------------------/ ---->
1295 */
1298 }
1300 /* zero the top digits */
1303 }
1304 }
1306 /* remove excess digits */
1308 }
1310 /* shift right by a certain bit count (store quotient in c, optional remainder in d) */
1312 {
1315 mp_int t;
1318 /* if the shift count is <= 0 then we do no work */
1323 }
1325 }
1329 }
1331 /* get the remainder */
1336 }
1337 }
1339 /* copy */
1343 }
1345 /* shift by as many digits in the bit count */
1348 }
1350 /* shift any bit count < DIGIT_BIT */
1355 /* mask */
1358 /* shift for lsb */
1361 /* alias */
1364 /* carry */
1367 /* get the lower bits of this word in a temp */
1370 /* shift the current word and mix in the carry bits from the previous word */
1374 /* set the carry to the carry bits of the current word found above */
1376 }
1377 }
1381 }
1384 }
1386 /* shift left a certain amount of digits */
1388 {
1391 /* if it's less than zero return */
1394 }
1396 /* grow to fit the new digits */
1400 }
1401 }
1403 {
1406 /* increment the used by the shift amount then copy upwards */
1409 /* top */
1412 /* base */
1415 /* much like mp_rshd this is implemented using a sliding window
1416 * except the window goes the other way around. Copying from
1417 * the bottom to the top. see bn_mp_rshd.c for more info.
1418 */
1421 }
1423 /* zero the lower digits */
1427 }
1428 }
1430 }
1432 /* shift left by a certain bit count */
1434 {
1435 mp_digit d;
1438 /* copy */
1442 }
1443 }
1448 }
1449 }
1451 /* shift by as many digits in the bit count */
1455 }
1456 }
1458 /* shift any bit count < DIGIT_BIT */
1464 /* bitmask for carries */
1467 /* shift for msbs */
1470 /* alias */
1473 /* carry */
1476 /* get the higher bits of the current word */
1479 /* shift the current word and OR in the carry */
1483 /* set the carry to the carry bits of the current word */
1485 }
1487 /* set final carry */
1490 }
1491 }
1494 }
1496 /* multiply by a digit */
1497 static int
1499 {
1501 mp_word r;
1504 /* make sure c is big enough to hold a*b */
1508 }
1509 }
1511 /* get the original destinations used count */
1514 /* set the sign */
1517 /* alias for a->dp [source] */
1520 /* alias for c->dp [dest] */
1523 /* zero carry */
1526 /* compute columns */
1528 /* compute product and carry sum for this term */
1531 /* mask off higher bits to get a single digit */
1534 /* send carry into next iteration */
1536 }
1538 /* store final carry [if any] */
1541 /* now zero digits above the top */
1544 }
1546 /* set used count */
1551 }
1553 /* integer signed division.
1554 * c*b + d == a [e.g. a/b, c=quotient, d=remainder]
1555 * HAC pp.598 Algorithm 14.20
1556 *
1557 * Note that the description in HAC is horribly
1558 * incomplete. For example, it doesn't consider
1559 * the case where digits are removed from 'x' in
1560 * the inner loop. It also doesn't consider the
1561 * case that y has fewer than three digits, etc..
1562 *
1563 * The overall algorithm is as described as
1564 * 14.20 from HAC but fixed to treat these cases.
1565 */
1567 {
1571 /* is divisor zero ? */
1574 }
1576 /* if a < b then q=0, r = a */
1582 }
1585 }
1587 }
1591 }
1596 }
1600 }
1604 }
1608 }
1610 /* fix the sign */
1614 /* normalize both x and y, ensure that y >= b/2, [b == 2**DIGIT_BIT] */
1620 }
1623 }
1626 }
1628 /* note hac does 0 based, so if used==5 then it's 0,1,2,3,4, e.g. use 4 */
1632 /* while (x >= y*b**n-t) do { q[n-t] += 1; x -= y*b**{n-t} } */
1635 }
1641 }
1642 }
1644 /* reset y by shifting it back down */
1647 /* step 3. for i from n down to (t + 1) */
1651 }
1653 /* step 3.1 if xi == yt then set q{i-t-1} to b-1,
1654 * otherwise set q{i-t-1} to (xi*b + x{i-1})/yt */
1658 mp_word tmp;
1665 }
1667 /* while (q{i-t-1} * (yt * b + y{t-1})) >
1668 xi * b**2 + xi-1 * b + xi-2
1670 do q{i-t-1} -= 1;
1671 */
1676 /* find left hand */
1683 }
1685 /* find right hand */
1692 /* step 3.3 x = x - q{i-t-1} * y * b**{i-t-1} */
1695 }
1699 }
1703 }
1705 /* if x < 0 then { x = x + y*b**{i-t-1}; q{i-t-1} -= 1; } */
1709 }
1712 }
1715 }
1718 }
1719 }
1721 /* now q is the quotient and x is the remainder
1722 * [which we have to normalize]
1723 */
1725 /* get sign before writing to c */
1732 }
1737 }
1747 }
1750 {
1757 }
1758 }
1760 }
1762 /* single digit division (based on routine from MPI) */
1764 {
1765 mp_int q;
1766 mp_word w;
1767 mp_digit t;
1770 /* cannot divide by zero */
1773 }
1775 /* quick outs */
1779 }
1782 }
1784 }
1786 /* power of two ? */
1790 }
1793 }
1795 }
1797 /* no easy answer [c'est la vie]. Just division */
1800 }
1813 }
1815 }
1819 }
1824 }
1828 }
1830 /* reduce "x" in place modulo "n" using the Diminished Radix algorithm.
1831 *
1832 * Based on algorithm from the paper
1833 *
1834 * "Generating Efficient Primes for Discrete Log Cryptosystems"
1835 * Chae Hoon Lim, Pil Loong Lee,
1836 * POSTECH Information Research Laboratories
1837 *
1838 * The modulus must be of a special format [see manual]
1839 *
1840 * Has been modified to use algorithm 7.10 from the LTM book instead
1841 *
1842 * Input x must be in the range 0 <= x <= (n-1)**2
1843 */
1844 static int
1846 {
1848 mp_word r;
1851 /* m = digits in modulus */
1854 /* ensure that "x" has at least 2m digits */
1858 }
1859 }
1861 /* top of loop, this is where the code resumes if
1862 * another reduction pass is required.
1863 */
1864 top:
1865 /* aliases for digits */
1866 /* alias for lower half of x */
1869 /* alias for upper half of x, or x/B**m */
1872 /* set carry to zero */
1875 /* compute (x mod B**m) + k * [x/B**m] inline and inplace */
1880 }
1882 /* set final carry */
1885 /* zero words above m */
1888 }
1890 /* clamp, sub and return */
1893 /* if x >= n then subtract and reduce again
1894 * Each successive "recursion" makes the input smaller and smaller.
1895 */
1899 }
1901 }
1903 /* sets the value of "d" required for mp_dr_reduce */
1905 {
1906 /* the casts are required if DIGIT_BIT is one less than
1907 * the number of bits in a mp_digit [e.g. DIGIT_BIT==31]
1908 */
1911 }
1913 /* this is a shell function that calls either the normal or Montgomery
1914 * exptmod functions. Originally the call to the montgomery code was
1915 * embedded in the normal function but that wasted a lot of stack space
1916 * for nothing (since 99% of the time the Montgomery code would be called)
1917 */
1919 {
1922 /* modulus P must be positive */
1925 }
1927 /* if exponent X is negative we have to recurse */
1932 /* first compute 1/G mod P */
1935 }
1939 }
1941 /* now get |X| */
1945 }
1949 }
1951 /* and now compute (1/G)**|X| instead of G**X [X < 0] */
1955 }
1959 /* if the modulus is odd use the fast method */
1963 /* otherwise use the generic Barrett reduction technique */
1965 }
1966 }
1968 /* computes Y == G**X mod P, HAC pp.616, Algorithm 14.85
1969 *
1970 * Uses a left-to-right k-ary sliding window to compute the modular exponentiation.
1971 * The value of k changes based on the size of the exponent.
1972 *
1973 * Uses Montgomery or Diminished Radix reduction [whichever appropriate]
1974 */
1976 int
1978 {
1983 /* use a pointer to the reduction algorithm. This allows us to use
1984 * one of many reduction algorithms without modding the guts of
1985 * the code with if statements everywhere.
1986 */
1989 /* find window size */
2005 }
2007 /* init M array */
2008 /* init first cell */
2011 }
2013 /* now init the second half of the array */
2018 }
2021 }
2022 }
2024 /* determine and setup reduction code */
2026 /* now setup montgomery */
2029 }
2031 /* automatically pick the comba one if available (saves quite a few calls/ifs) */
2036 /* use slower baseline Montgomery method */
2038 }
2040 /* setup DR reduction for moduli of the form B**k - b */
2044 /* setup DR reduction for moduli of the form 2**k - b */
2047 }
2049 }
2051 /* setup result */
2054 }
2056 /* create M table
2057 *
2059 *
2060 * The first half of the table is not computed though accept for M[0] and M[1]
2061 */
2064 /* now we need R mod m */
2067 }
2069 /* now set M[1] to G * R mod m */
2072 }
2077 }
2078 }
2080 /* compute the value at M[1<<(winsize-1)] by squaring M[1] (winsize-1) times */
2083 }
2088 }
2091 }
2092 }
2094 /* create upper table */
2098 }
2101 }
2102 }
2104 /* set initial mode and bit cnt */
2113 /* grab next digit as required */
2115 /* if digidx == -1 we are out of digits so break */
2118 }
2119 /* read next digit and reset bitcnt */
2122 }
2124 /* grab the next msb from the exponent */
2128 /* if the bit is zero and mode == 0 then we ignore it
2129 * These represent the leading zero bits before the first 1 bit
2130 * in the exponent. Technically this opt is not required but it
2131 * does lower the # of trivial squaring/reductions used
2132 */
2135 }
2137 /* if the bit is zero and mode == 1 then we square */
2141 }
2144 }
2146 }
2148 /* else we add it to the window */
2153 /* ok window is filled so square as required and multiply */
2154 /* square first */
2158 }
2161 }
2162 }
2164 /* then multiply */
2167 }
2170 }
2172 /* empty window and reset */
2176 }
2177 }
2179 /* if bits remain then square/multiply */
2181 /* square then multiply if the bit is set */
2185 }
2188 }
2190 /* get next bit of the window */
2193 /* then multiply */
2196 }
2199 }
2200 }
2201 }
2202 }
2205 /* fixup result if Montgomery reduction is used
2206 * recall that any value in a Montgomery system is
2207 * actually multiplied by R mod n. So we have
2208 * to reduce one more time to cancel out the factor
2209 * of R.
2210 */
2213 }
2214 }
2216 /* swap res with Y */
2220 __M:
2224 }
2226 }
2228 /* Greatest Common Divisor using the binary method */
2230 {
2234 /* either zero than gcd is the largest */
2237 }
2240 }
2242 /* optimized. At this point if a == 0 then
2243 * b must equal zero too
2244 */
2248 }
2250 /* get copies of a and b we can modify */
2253 }
2257 }
2259 /* must be positive for the remainder of the algorithm */
2262 /* B1. Find the common power of two for u and v */
2268 /* divide the power of two out */
2271 }
2275 }
2276 }
2278 /* divide any remaining factors of two out */
2282 }
2283 }
2288 }
2289 }
2292 /* make sure v is the largest */
2294 /* swap u and v to make sure v is >= u */
2296 }
2298 /* subtract smallest from largest */
2301 }
2303 /* Divide out all factors of two */
2306 }
2307 }
2309 /* multiply by 2**k which we divided out at the beginning */
2312 }
2318 }
2320 /* get the lower 32-bits of an mp_int */
2322 {
2328 }
2330 /* get number of digits of the lsb we have to read */
2333 /* get most significant digit of result */
2338 }
2340 /* force result to 32-bits always so it is consistent on non 32-bit platforms */
2342 }
2344 /* creates "a" then copies b into it */
2346 {
2351 }
2353 }
2356 {
2365 /* Oops - error! Back-track and mp_clear what we already
2366 succeeded in init-ing, then return error.
2367 */
2370 /* now start cleaning up */
2376 }
2380 }
2381 n++;
2383 }
2386 }
2388 /* hac 14.61, pp608 */
2390 {
2391 /* b cannot be negative */
2394 }
2396 /* if the modulus is odd we can use a faster routine instead */
2399 }
2402 }
2404 /* hac 14.61, pp608 */
2406 {
2410 /* b cannot be negative */
2413 }
2415 /* init temps */
2419 }
2421 /* x = a, y = b */
2424 }
2427 }
2429 /* 2. [modified] if x,y are both even then return an error! */
2433 }
2435 /* 3. u=x, v=y, A=1, B=0, C=0,D=1 */
2438 }
2441 }
2445 top:
2446 /* 4. while u is even do */
2448 /* 4.1 u = u/2 */
2451 }
2452 /* 4.2 if A or B is odd then */
2454 /* A = (A+y)/2, B = (B-x)/2 */
2457 }
2460 }
2461 }
2462 /* A = A/2, B = B/2 */
2465 }
2468 }
2469 }
2471 /* 5. while v is even do */
2473 /* 5.1 v = v/2 */
2476 }
2477 /* 5.2 if C or D is odd then */
2479 /* C = (C+y)/2, D = (D-x)/2 */
2482 }
2485 }
2486 }
2487 /* C = C/2, D = D/2 */
2490 }
2493 }
2494 }
2496 /* 6. if u >= v then */
2498 /* u = u - v, A = A - C, B = B - D */
2501 }
2505 }
2509 }
2511 /* v - v - u, C = C - A, D = D - B */
2514 }
2518 }
2522 }
2523 }
2525 /* if not zero goto step 4 */
2529 /* now a = C, b = D, gcd == g*v */
2531 /* if v != 1 then there is no inverse */
2535 }
2537 /* if it's too low */
2541 }
2542 }
2544 /* too big */
2548 }
2549 }
2551 /* C is now the inverse */
2556 }
2558 /* c = |a| * |b| using Karatsuba Multiplication using
2559 * three half size multiplications
2560 *
2561 * Let B represent the radix [e.g. 2**DIGIT_BIT] and
2562 * let n represent half of the number of digits in
2563 * the min(a,b)
2564 *
2565 * a = a1 * B**n + a0
2566 * b = b1 * B**n + b0
2567 *
2568 * Then, a * b =>
2569 a1b1 * B**2n + ((a1 - a0)(b1 - b0) + a0b0 + a1b1) * B + a0b0
2570 *
2571 * Note that a1b1 and a0b0 are used twice and only need to be
2572 * computed once. So in total three half size (half # of
2573 * digit) multiplications are performed, a0b0, a1b1 and
2574 * (a1-b1)(a0-b0)
2575 *
2576 * Note that a multiplication of half the digits requires
2577 * 1/4th the number of single precision multiplications so in
2578 * total after one call 25% of the single precision multiplications
2579 * are saved. Note also that the call to mp_mul can end up back
2580 * in this function if the a0, a1, b0, or b1 are above the threshold.
2581 * This is known as divide-and-conquer and leads to the famous
2582 * O(N**lg(3)) or O(N**1.584) work which is asymptotically lower than
2583 * the standard O(N**2) that the baseline/comba methods use.
2584 * Generally though the overhead of this method doesn't pay off
2585 * until a certain size (N ~ 80) is reached.
2586 */
2588 {
2592 /* default the return code to an error */
2595 /* min # of digits */
2598 /* now divide in two */
2601 /* init copy all the temps */
2611 /* init temps */
2619 /* now shift the digits */
2624 {
2628 /* we copy the digits directly instead of using higher level functions
2629 * since we also need to shift the digits
2630 */
2639 }
2644 }
2649 }
2650 }
2652 /* only need to clamp the lower words since by definition the
2653 * upper words x1/y1 must have a known number of digits
2654 */
2658 /* now calc the products x0y0 and x1y1 */
2659 /* after this x0 is no longer required, free temp [x0==t2]! */
2665 /* now calc x1-x0 and y1-y0 */
2673 /* add x0y0 */
2679 /* shift by B */
2690 /* Algorithm succeeded set the return code to MP_OKAY */
2700 ERR:
2702 }
2704 /* Karatsuba squaring, computes b = a*a using three
2705 * half size squarings
2706 *
2707 * See comments of karatsuba_mul for details. It
2708 * is essentially the same algorithm but merely
2709 * tuned to perform recursive squarings.
2710 */
2712 {
2718 /* min # of digits */
2721 /* now divide in two */
2724 /* init copy all the temps */
2730 /* init temps */
2740 {
2746 /* now shift the digits */
2750 }
2755 }
2756 }
2763 /* now calc the products x0*x0 and x1*x1 */
2769 /* now calc (x1-x0)**2 */
2775 /* add x0y0 */
2781 /* shift by B */
2800 ERR:
2802 }
2804 /* computes least common multiple as |a*b|/(a, b) */
2806 {
2813 }
2815 /* t1 = get the GCD of the two inputs */
2818 }
2820 /* divide the smallest by the GCD */
2822 /* store quotient in t2 so that t2 * b is the LCM */
2825 }
2828 /* store quotient in t2 so that t2 * a is the LCM */
2831 }
2833 }
2835 /* fix the sign to positive */
2838 __T:
2841 }
2843 /* c = a mod b, 0 <= c < b */
2844 int
2846 {
2847 mp_int t;
2852 }
2857 }
2864 }
2868 }
2870 static int
2872 {
2874 }
2876 /* b = a*2 */
2878 {
2881 /* grow to accommodate result */
2885 }
2886 }
2891 {
2894 /* alias for source */
2897 /* alias for dest */
2900 /* carry */
2904 /* get what will be the *next* carry bit from the
2905 * MSB of the current digit
2906 */
2909 /* now shift up this digit, add in the carry [from the previous] */
2912 /* copy the carry that would be from the source
2913 * digit into the next iteration
2914 */
2916 }
2918 /* new leading digit? */
2920 /* add a MSB which is always 1 at this point */
2923 }
2925 /* now zero any excess digits on the destination
2926 * that we didn't write to
2927 */
2931 }
2932 }
2935 }
2937 /*
2938 * shifts with subtractions when the result is greater than b.
2939 *
2940 * The method is slightly modified to shift B unconditionally up to just under
2941 * the leading bit of b. This saves a lot of multiple precision shifting.
2942 */
2944 {
2947 /* how many bits of last digit does b use */
2954 }
2958 }
2961 /* now compute C = A * B mod b */
2965 }
2969 }
2970 }
2971 }
2974 }
2976 /* computes xR**-1 == x (mod N) via Montgomery Reduction */
2977 int
2979 {
2981 mp_digit mu;
2983 /* can the fast reduction [comba] method be used?
2984 *
2985 * Note that unlike in mul you're safely allowed *less*
2986 * than the available columns [255 per default] since carries
2987 * are fixed up in the inner loop.
2988 */
2994 }
2996 /* grow the input as required */
3000 }
3001 }
3005 /* mu = ai * rho mod b
3006 *
3007 * The value of rho must be precalculated via
3008 * montgomery_setup() such that
3009 * it equals -1/n0 mod b this allows the
3010 * following inner loop to reduce the
3011 * input one digit at a time
3012 */
3015 /* a = a + mu * m * b**i */
3016 {
3021 /* alias for digits of the modulus */
3024 /* alias for the digits of x [the input] */
3027 /* set the carry to zero */
3030 /* Multiply and add in place */
3032 /* compute product and sum */
3036 /* get carry */
3039 /* fix digit */
3041 }
3042 /* At this point the ix'th digit of x should be zero */
3045 /* propagate carries upwards as required*/
3050 }
3051 }
3052 }
3054 /* at this point the n.used'th least
3055 * significant digits of x are all zero
3056 * which means we can shift x to the
3057 * right by n.used digits and the
3058 * residue is unchanged.
3059 */
3061 /* x = x/b**n.used */
3065 /* if x >= n then x = x - n */
3068 }
3071 }
3073 /* setups the montgomery reduction stuff */
3074 int
3076 {
3079 /* fast inversion mod 2**k
3080 *
3081 * Based on the fact that
3082 *
3083 * XA = 1 (mod 2**n) => (X(2-XA)) A = 1 (mod 2**2n)
3084 * => 2*X*A - X*X*A*A = 1
3085 * => 2*(1) - (1) = 1
3086 */
3091 }
3098 /* rho = -1/m mod b */
3102 }
3104 /* high level multiplication (handles sign) */
3106 {
3110 /* use Karatsuba? */
3114 {
3115 /* can we use the fast multiplier?
3116 *
3117 * The fast multiplier can be used if the output will
3118 * have less than MP_WARRAY digits and the number of
3119 * digits won't affect carry propagation
3120 */
3129 }
3132 }
3134 /* d = a * b (mod c) */
3135 int
3137 {
3139 mp_int t;
3143 }
3148 }
3152 }
3154 /* table of first PRIME_SIZE primes */
3191 };
3193 /* determines if an integers is divisible by one
3194 * of the first PRIME_SIZE primes or not
3195 *
3196 * sets result to 0 if not, 1 if yes
3197 */
3199 {
3201 mp_digit res;
3203 /* default to not */
3207 /* what is a mod __prime_tab[ix] */
3210 }
3212 /* is the residue zero? */
3216 }
3217 }
3220 }
3222 /* Miller-Rabin test of "a" to the base of "b" as described in
3223 * HAC pp. 139 Algorithm 4.24
3224 *
3225 * Sets result to 0 if definitely composite or 1 if probably prime.
3226 * Randomly the chance of error is no more than 1/4 and often
3227 * very much lower.
3228 */
3230 {
3234 /* default */
3237 /* ensure b > 1 */
3240 }
3242 /* get n1 = a - 1 */
3245 }
3248 }
3250 /* set 2**s * r = n1 */
3253 }
3255 /* count the number of least significant bits
3256 * which are zero
3257 */
3260 /* now divide n - 1 by 2**s */
3263 }
3265 /* compute y = b**r mod a */
3268 }
3271 }
3273 /* if y != 1 and y != n1 do */
3276 /* while j <= s-1 and y != n1 */
3280 }
3282 /* if y == 1 then composite */
3285 }
3288 }
3290 /* if y != n1 then composite */
3293 }
3294 }
3296 /* probably prime now */
3302 }
3304 /* performs a variable number of rounds of Miller-Rabin
3305 *
3306 * Probability of error after t rounds is no more than
3308 *
3309 * Sets result to 1 if probably prime, 0 otherwise
3310 */
3312 {
3313 mp_int b;
3316 /* default to no */
3319 /* valid value of t? */
3322 }
3324 /* is the input equal to one of the primes in the table? */
3329 }
3330 }
3332 /* first perform trial division */
3335 }
3337 /* return if it was trivially divisible */
3340 }
3342 /* now perform the miller-rabin rounds */
3345 }
3348 /* set the prime */
3353 }
3357 }
3358 }
3360 /* passed the test */
3364 }
3377 };
3379 /* returns # of RM trials required for a given bit size */
3381 {
3389 }
3390 }
3392 }
3394 /* makes a truly random prime of a given size (bits),
3395 *
3396 * Flags are as follows:
3397 *
3398 * LTM_PRIME_BBS - make prime congruent to 3 mod 4
3399 * LTM_PRIME_SAFE - make sure (p-1)/2 is prime as well (implies LTM_PRIME_BBS)
3400 * LTM_PRIME_2MSB_OFF - make the 2nd highest bit zero
3401 * LTM_PRIME_2MSB_ON - make the 2nd highest bit one
3402 *
3403 * You have to supply a callback which fills in a buffer with random bytes. "dat" is a parameter you can
3404 * have passed to the callback (e.g. a state or something). This function doesn't use "dat" itself
3405 * so it can be NULL
3406 *
3407 */
3409 /* This is possibly the mother of all prime generation functions, muahahahahaha! */
3410 int mp_prime_random_ex(mp_int *a, int t, int size, int flags, ltm_prime_callback cb, void *dat)
3411 {
3415 /* sanity check the input */
3418 }
3420 /* LTM_PRIME_SAFE implies LTM_PRIME_BBS */
3423 }
3425 /* calc the byte size */
3428 /* we need a buffer of bsize bytes */
3432 }
3434 /* calc the maskAND value for the MSbyte*/
3437 /* calc the maskOR_msb */
3444 }
3446 /* get the maskOR_lsb */
3450 }
3453 /* read the bytes */
3457 }
3459 /* work over the MSbyte */
3463 /* mix in the maskORs */
3467 /* read it in */
3470 /* is it prime? */
3474 }
3477 /* see if (a-1)/2 is prime */
3481 /* is it prime? */
3483 }
3487 /* restore a to the original value */
3490 }
3493 error:
3496 }
3498 /* reads an unsigned char array, assumes the msb is stored first [big endian] */
3499 int
3501 {
3504 /* make sure there are at least two digits */
3508 }
3509 }
3511 /* zero the int */
3514 /* read the bytes in */
3518 }
3522 }
3525 }
3527 /* reduces x mod m, assumes 0 < x < m**2, mu is
3528 * precomputed via mp_reduce_setup.
3529 * From HAC pp.604 Algorithm 14.42
3530 */
3531 int
3533 {
3534 mp_int q;
3537 /* q = x */
3540 }
3542 /* q1 = x / b**(k-1) */
3545 /* according to HAC this optimization is ok */
3549 }
3553 }
3554 }
3556 /* q3 = q2 / b**(k+1) */
3559 /* x = x mod b**(k+1), quick (no division) */
3562 }
3564 /* q = q * m mod b**(k+1), quick (no division) */
3567 }
3569 /* x = x - q */
3572 }
3574 /* If x < 0, add b**(k+1) to it */
3581 }
3583 /* Back off if it's too big */
3587 }
3588 }
3590 CLEANUP:
3594 }
3596 /* reduces a modulo n where n is of the form 2**p - d */
3597 int
3599 {
3600 mp_int q;
3605 }
3608 top:
3609 /* q = a/2**p, a = a mod 2**p */
3612 }
3615 /* q = q * d */
3618 }
3619 }
3621 /* a = a + q */
3624 }
3629 }
3631 ERR:
3634 }
3636 /* determines the setup value */
3637 static int
3639 {
3641 mp_int tmp;
3645 }
3651 }
3656 }
3661 }
3663 /* pre-calculate the value required for Barrett reduction
3664 * For a given modulus "b" it calculates the value required in "a"
3665 */
3667 {
3672 }
3674 }
3676 /* set to a digit */
3678 {
3682 }
3684 /* set a 32-bit const */
3686 {
3691 /* set four bits at a time */
3693 /* shift the number up four bits */
3696 }
3698 /* OR in the top four bits of the source */
3701 /* shift the source up to the next four bits */
3704 /* ensure that digits are not clamped off */
3706 }
3709 }
3711 /* shrink a bignum */
3713 {
3718 }
3721 }
3723 }
3725 /* computes b = a*a */
3726 int
3728 {
3734 {
3735 /* can we use the fast comba multiplier? */
3742 }
3745 }
3747 /* c = a * a (mod b) */
3748 int
3750 {
3752 mp_int t;
3756 }
3761 }
3765 }
3767 /* high level subtraction (handles signs) */
3768 int
3770 {
3777 /* subtract a negative from a positive, OR */
3778 /* subtract a positive from a negative. */
3779 /* In either case, ADD their magnitudes, */
3780 /* and use the sign of the first number. */
3784 /* subtract a positive from a positive, OR */
3785 /* subtract a negative from a negative. */
3786 /* First, take the difference between their */
3787 /* magnitudes, then... */
3789 /* Copy the sign from the first */
3791 /* The first has a larger or equal magnitude */
3794 /* The result has the *opposite* sign from */
3795 /* the first number. */
3797 /* The second has a larger magnitude */
3799 }
3800 }
3802 }
3804 /* single digit subtraction */
3805 int
3807 {
3811 /* grow c as required */
3815 }
3816 }
3818 /* if a is negative just do an unsigned
3819 * addition [with fudged signs]
3820 */
3826 }
3828 /* setup regs */
3833 /* if a <= b simply fix the single digit */
3839 }
3842 /* negative/1digit */
3846 /* positive/size */
3850 /* subtract first digit */
3855 /* handle rest of the digits */
3860 }
3861 }
3863 /* zero excess digits */
3866 }
3869 }
3871 /* store in unsigned [big endian] format */
3872 int
3874 {
3876 mp_int t;
3880 }
3888 }
3889 }
3893 }
3895 /* get the size for an unsigned equivalent */
3896 int
3898 {
3901 }
3903 /* reverse an array, used for radix code */
3904 static void
3906 {
3918 }
3919 }
3921 /* low level addition, based on HAC pp.594, Algorithm 14.7 */
3922 static int
3924 {
3928 /* find sizes, we let |a| <= |b| which means we have to sort
3929 * them. "x" will point to the input with the most digits
3930 */
3939 }
3941 /* init result */
3945 }
3946 }
3948 /* get old used digit count and set new one */
3952 {
3956 /* alias for digit pointers */
3958 /* first input */
3961 /* second input */
3964 /* destination */
3967 /* zero the carry */
3970 /* Compute the sum at one digit, T[i] = A[i] + B[i] + U */
3973 /* U = carry bit of T[i] */
3976 /* take away carry bit from T[i] */
3978 }
3980 /* now copy higher words if any, that is in A+B
3981 * if A or B has more digits add those in
3982 */
3985 /* T[i] = X[i] + U */
3988 /* U = carry bit of T[i] */
3991 /* take away carry bit from T[i] */
3993 }
3994 }
3996 /* add carry */
3999 /* clear digits above oldused */
4002 }
4003 }
4007 }
4010 {
4012 mp_digit buf;
4015 /* find window size */
4031 }
4033 /* init M array */
4034 /* init first cell */
4037 }
4039 /* now init the second half of the array */
4044 }
4047 }
4048 }
4050 /* create mu, used for Barrett reduction */
4053 }
4056 }
4058 /* create M table
4059 *
4060 * The M table contains powers of the base,
4061 * e.g. M[x] = G**x mod P
4062 *
4063 * The first half of the table is not
4064 * computed though accept for M[0] and M[1]
4065 */
4068 }
4070 /* compute the value at M[1<<(winsize-1)] by squaring
4071 * M[1] (winsize-1) times
4072 */
4075 }
4081 }
4084 }
4085 }
4087 /* create upper table, that is M[x] = M[x-1] * M[1] (mod P)
4088 * for x = (2**(winsize - 1) + 1) to (2**winsize - 1)
4089 */
4093 }
4096 }
4097 }
4099 /* setup result */
4102 }
4105 /* set initial mode and bit cnt */
4114 /* grab next digit as required */
4116 /* if digidx == -1 we are out of digits */
4119 }
4120 /* read next digit and reset the bitcnt */
4123 }
4125 /* grab the next msb from the exponent */
4129 /* if the bit is zero and mode == 0 then we ignore it
4130 * These represent the leading zero bits before the first 1 bit
4131 * in the exponent. Technically this opt is not required but it
4132 * does lower the # of trivial squaring/reductions used
4133 */
4136 }
4138 /* if the bit is zero and mode == 1 then we square */
4142 }
4145 }
4147 }
4149 /* else we add it to the window */
4154 /* ok window is filled so square as required and multiply */
4155 /* square first */
4159 }
4162 }
4163 }
4165 /* then multiply */
4168 }
4171 }
4173 /* empty window and reset */
4177 }
4178 }
4180 /* if bits remain then square/multiply */
4182 /* square then multiply if the bit is set */
4186 }
4189 }
4193 /* then multiply */
4196 }
4199 }
4200 }
4201 }
4202 }
4208 __M:
4212 }
4214 }
4216 /* multiplies |a| * |b| and only computes up to digs digits of result
4217 * HAC pp. 595, Algorithm 14.12 Modified so you can control how
4218 * many digits of output are created.
4219 */
4220 static int
4222 {
4223 mp_int t;
4225 mp_digit u;
4226 mp_word r;
4229 /* can we use the fast multiplier? */
4234 }
4238 }
4241 /* compute the digits of the product directly */
4244 /* set the carry to zero */
4247 /* limit ourselves to making digs digits of output */
4250 /* setup some aliases */
4251 /* copy of the digit from a used within the nested loop */
4254 /* an alias for the destination shifted ix places */
4257 /* an alias for the digits of b */
4260 /* compute the columns of the output and propagate the carry */
4262 /* compute the column as a mp_word */
4267 /* the new column is the lower part of the result */
4270 /* get the carry word from the result */
4272 }
4273 /* set carry if it is placed below digs */
4276 }
4277 }
4284 }
4286 /* multiplies |a| * |b| and does not compute the lower digs digits
4287 * [meant to get the higher part of the product]
4288 */
4289 static int
4291 {
4292 mp_int t;
4294 mp_digit u;
4295 mp_word r;
4298 /* can we use the fast multiplier? */
4302 }
4306 }
4312 /* clear the carry */
4315 /* left hand side of A[ix] * B[iy] */
4318 /* alias to the address of where the digits will be stored */
4321 /* alias for where to read the right hand side from */
4325 /* calculate the double precision result */
4330 /* get the lower part */
4333 /* carry the carry */
4335 }
4337 }
4342 }
4344 /* low level squaring, b = a*a, HAC pp.596-597, Algorithm 14.16 */
4345 static int
4347 {
4348 mp_int t;
4350 mp_word r;
4356 }
4358 /* default used is maximum possible size */
4362 /* first calculate the digit at 2*ix */
4363 /* calculate double precision result */
4367 /* store lower part in result */
4370 /* get the carry */
4373 /* left hand side of A[ix] * A[iy] */
4376 /* alias for where to store the results */
4380 /* first calculate the product */
4383 /* now calculate the double precision result, note we use
4384 * addition instead of *2 since it's easier to optimize
4385 */
4388 /* store lower part */
4391 /* get carry */
4393 }
4394 /* propagate upwards */
4399 }
4400 }
4406 }
4408 /* low level subtraction (assumes |a| > |b|), HAC pp.595 Algorithm 14.9 */
4409 int
4411 {
4414 /* find sizes */
4418 /* init result */
4422 }
4423 }
4427 {
4431 /* alias for digit pointers */
4436 /* set carry to zero */
4439 /* T[i] = A[i] - B[i] - U */
4442 /* U = carry bit of T[i]
4443 * Note this saves performing an AND operation since
4444 * if a carry does occur it will propagate all the way to the
4445 * MSB. As a result a single shift is enough to get the carry
4446 */
4449 /* Clear carry from T[i] */
4451 }
4453 /* now copy higher words if any, e.g. if A has more digits than B */
4455 /* T[i] = A[i] - U */
4458 /* U = carry bit of T[i] */
4461 /* Clear carry from T[i] */
4463 }
4465 /* clear digits above used (since we may not have grown result above) */
4468 }
4469 }
4473 }