2 * Multi-precision integer library
4 * Copyright (C) 2006-2010, Brainspark B.V.
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26 * This MPI implementation is based on:
28 * http://www.cacr.math.uwaterloo.ca/hac/about/chap14.pdf
29 * http://www.stillhq.com/extracted/gnupg-api/mpi/
30 * http://math.libtomcrypt.com/files/tommath.pdf
33 #include "polarssl/config.h"
35 #if defined(POLARSSL_BIGNUM_C)
37 #include "polarssl/bignum.h"
38 #include "polarssl/bn_mul.h"
42 #define ciL (sizeof(t_uint)) /* chars in limb */
43 #define biL (ciL << 3) /* bits in limb */
44 #define biH (ciL << 2) /* half limb size */
47 * Convert between bits/chars and number of limbs
49 #define BITS_TO_LIMBS(i) (((i) + biL - 1) / biL)
50 #define CHARS_TO_LIMBS(i) (((i) + ciL - 1) / ciL)
55 void mpi_init( mpi *X )
68 void mpi_free( mpi *X )
75 memset( X->p, 0, X->n * ciL );
85 * Enlarge to the specified number of limbs
87 int mpi_grow( mpi *X, size_t nblimbs )
91 if( nblimbs > POLARSSL_MPI_MAX_LIMBS )
92 return( POLARSSL_ERR_MPI_MALLOC_FAILED );
96 if( ( p = (t_uint *) malloc( nblimbs * ciL ) ) == NULL )
97 return( POLARSSL_ERR_MPI_MALLOC_FAILED );
99 memset( p, 0, nblimbs * ciL );
103 memcpy( p, X->p, X->n * ciL );
104 memset( X->p, 0, X->n * ciL );
116 * Copy the contents of Y into X
118 int mpi_copy( mpi *X, const mpi *Y )
126 for( i = Y->n - 1; i > 0; i-- )
133 MPI_CHK( mpi_grow( X, i ) );
135 memset( X->p, 0, X->n * ciL );
136 memcpy( X->p, Y->p, i * ciL );
144 * Swap the contents of X and Y
146 void mpi_swap( mpi *X, mpi *Y )
150 memcpy( &T, X, sizeof( mpi ) );
151 memcpy( X, Y, sizeof( mpi ) );
152 memcpy( Y, &T, sizeof( mpi ) );
156 * Set value from integer
158 int mpi_lset( mpi *X, t_sint z )
162 MPI_CHK( mpi_grow( X, 1 ) );
163 memset( X->p, 0, X->n * ciL );
165 X->p[0] = ( z < 0 ) ? -z : z;
166 X->s = ( z < 0 ) ? -1 : 1;
176 int mpi_get_bit( const mpi *X, size_t pos )
178 if( X->n * biL <= pos )
181 return ( X->p[pos / biL] >> ( pos % biL ) ) & 0x01;
185 * Set a bit to a specific value of 0 or 1
187 int mpi_set_bit( mpi *X, size_t pos, unsigned char val )
190 size_t off = pos / biL;
191 size_t idx = pos % biL;
193 if( val != 0 && val != 1 )
194 return POLARSSL_ERR_MPI_BAD_INPUT_DATA;
196 if( X->n * biL <= pos )
201 MPI_CHK( mpi_grow( X, off + 1 ) );
204 X->p[off] = ( X->p[off] & ~( 0x01 << idx ) ) | ( val << idx );
212 * Return the number of least significant bits
214 size_t mpi_lsb( const mpi *X )
216 size_t i, j, count = 0;
218 for( i = 0; i < X->n; i++ )
219 for( j = 0; j < biL; j++, count++ )
220 if( ( ( X->p[i] >> j ) & 1 ) != 0 )
227 * Return the number of most significant bits
229 size_t mpi_msb( const mpi *X )
233 for( i = X->n - 1; i > 0; i-- )
237 for( j = biL; j > 0; j-- )
238 if( ( ( X->p[i] >> ( j - 1 ) ) & 1 ) != 0 )
241 return( ( i * biL ) + j );
245 * Return the total size in bytes
247 size_t mpi_size( const mpi *X )
249 return( ( mpi_msb( X ) + 7 ) >> 3 );
253 * Convert an ASCII character to digit value
255 static int mpi_get_digit( t_uint *d, int radix, char c )
259 if( c >= 0x30 && c <= 0x39 ) *d = c - 0x30;
260 if( c >= 0x41 && c <= 0x46 ) *d = c - 0x37;
261 if( c >= 0x61 && c <= 0x66 ) *d = c - 0x57;
263 if( *d >= (t_uint) radix )
264 return( POLARSSL_ERR_MPI_INVALID_CHARACTER );
270 * Import from an ASCII string
272 int mpi_read_string( mpi *X, int radix, const char *s )
275 size_t i, j, slen, n;
279 if( radix < 2 || radix > 16 )
280 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
288 n = BITS_TO_LIMBS( slen << 2 );
290 MPI_CHK( mpi_grow( X, n ) );
291 MPI_CHK( mpi_lset( X, 0 ) );
293 for( i = slen, j = 0; i > 0; i--, j++ )
295 if( i == 1 && s[i - 1] == '-' )
301 MPI_CHK( mpi_get_digit( &d, radix, s[i - 1] ) );
302 X->p[j / (2 * ciL)] |= d << ( (j % (2 * ciL)) << 2 );
307 MPI_CHK( mpi_lset( X, 0 ) );
309 for( i = 0; i < slen; i++ )
311 if( i == 0 && s[i] == '-' )
317 MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
318 MPI_CHK( mpi_mul_int( &T, X, radix ) );
322 MPI_CHK( mpi_add_int( X, &T, d ) );
326 MPI_CHK( mpi_sub_int( X, &T, d ) );
339 * Helper to write the digits high-order first
341 static int mpi_write_hlp( mpi *X, int radix, char **p )
346 if( radix < 2 || radix > 16 )
347 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
349 MPI_CHK( mpi_mod_int( &r, X, radix ) );
350 MPI_CHK( mpi_div_int( X, NULL, X, radix ) );
352 if( mpi_cmp_int( X, 0 ) != 0 )
353 MPI_CHK( mpi_write_hlp( X, radix, p ) );
356 *(*p)++ = (char)( r + 0x30 );
358 *(*p)++ = (char)( r + 0x37 );
366 * Export into an ASCII string
368 int mpi_write_string( const mpi *X, int radix, char *s, size_t *slen )
375 if( radix < 2 || radix > 16 )
376 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
379 if( radix >= 4 ) n >>= 1;
380 if( radix >= 16 ) n >>= 1;
386 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
400 for( i = X->n, k = 0; i > 0; i-- )
402 for( j = ciL; j > 0; j-- )
404 c = ( X->p[i - 1] >> ( ( j - 1 ) << 3) ) & 0xFF;
406 if( c == 0 && k == 0 && ( i + j + 3 ) != 0 )
409 *(p++) = "0123456789ABCDEF" [c / 16];
410 *(p++) = "0123456789ABCDEF" [c % 16];
417 MPI_CHK( mpi_copy( &T, X ) );
422 MPI_CHK( mpi_write_hlp( &T, radix, &p ) );
435 #if defined(POLARSSL_FS_IO)
437 * Read X from an opened file
439 int mpi_read_file( mpi *X, int radix, FILE *fin )
445 * Buffer should have space for (short) label and decimal formatted MPI,
446 * newline characters and '\0'
448 char s[ POLARSSL_MPI_RW_BUFFER_SIZE ];
450 memset( s, 0, sizeof( s ) );
451 if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
452 return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
455 if( slen == sizeof( s ) - 2 )
456 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
458 if( s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
459 if( s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
463 if( mpi_get_digit( &d, radix, *p ) != 0 )
466 return( mpi_read_string( X, radix, p + 1 ) );
470 * Write X into an opened file (or stdout if fout == NULL)
472 int mpi_write_file( const char *p, const mpi *X, int radix, FILE *fout )
475 size_t n, slen, plen;
477 * Buffer should have space for (short) label and decimal formatted MPI,
478 * newline characters and '\0'
480 char s[ POLARSSL_MPI_RW_BUFFER_SIZE ];
486 MPI_CHK( mpi_write_string( X, radix, s, (size_t *) &n ) );
488 if( p == NULL ) p = "";
497 if( fwrite( p, 1, plen, fout ) != plen ||
498 fwrite( s, 1, slen, fout ) != slen )
499 return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
502 printf( "%s%s", p, s );
508 #endif /* POLARSSL_FS_IO */
511 * Import X from unsigned binary data, big endian
513 int mpi_read_binary( mpi *X, const unsigned char *buf, size_t buflen )
518 for( n = 0; n < buflen; n++ )
522 MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( buflen - n ) ) );
523 MPI_CHK( mpi_lset( X, 0 ) );
525 for( i = buflen, j = 0; i > n; i--, j++ )
526 X->p[j / ciL] |= ((t_uint) buf[i - 1]) << ((j % ciL) << 3);
534 * Export X into unsigned binary data, big endian
536 int mpi_write_binary( const mpi *X, unsigned char *buf, size_t buflen )
543 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
545 memset( buf, 0, buflen );
547 for( i = buflen - 1, j = 0; n > 0; i--, j++, n-- )
548 buf[i] = (unsigned char)( X->p[j / ciL] >> ((j % ciL) << 3) );
554 * Left-shift: X <<= count
556 int mpi_shift_l( mpi *X, size_t count )
563 t1 = count & (biL - 1);
565 i = mpi_msb( X ) + count;
568 MPI_CHK( mpi_grow( X, BITS_TO_LIMBS( i ) ) );
573 * shift by count / limb_size
577 for( i = X->n; i > v0; i-- )
578 X->p[i - 1] = X->p[i - v0 - 1];
585 * shift by count % limb_size
589 for( i = v0; i < X->n; i++ )
591 r1 = X->p[i] >> (biL - t1);
604 * Right-shift: X >>= count
606 int mpi_shift_r( mpi *X, size_t count )
612 v1 = count & (biL - 1);
614 if( v0 > X->n || ( v0 == X->n && v1 > 0 ) )
615 return mpi_lset( X, 0 );
618 * shift by count / limb_size
622 for( i = 0; i < X->n - v0; i++ )
623 X->p[i] = X->p[i + v0];
625 for( ; i < X->n; i++ )
630 * shift by count % limb_size
634 for( i = X->n; i > 0; i-- )
636 r1 = X->p[i - 1] << (biL - v1);
647 * Compare unsigned values
649 int mpi_cmp_abs( const mpi *X, const mpi *Y )
653 for( i = X->n; i > 0; i-- )
654 if( X->p[i - 1] != 0 )
657 for( j = Y->n; j > 0; j-- )
658 if( Y->p[j - 1] != 0 )
661 if( i == 0 && j == 0 )
664 if( i > j ) return( 1 );
665 if( j > i ) return( -1 );
669 if( X->p[i - 1] > Y->p[i - 1] ) return( 1 );
670 if( X->p[i - 1] < Y->p[i - 1] ) return( -1 );
677 * Compare signed values
679 int mpi_cmp_mpi( const mpi *X, const mpi *Y )
683 for( i = X->n; i > 0; i-- )
684 if( X->p[i - 1] != 0 )
687 for( j = Y->n; j > 0; j-- )
688 if( Y->p[j - 1] != 0 )
691 if( i == 0 && j == 0 )
694 if( i > j ) return( X->s );
695 if( j > i ) return( -Y->s );
697 if( X->s > 0 && Y->s < 0 ) return( 1 );
698 if( Y->s > 0 && X->s < 0 ) return( -1 );
702 if( X->p[i - 1] > Y->p[i - 1] ) return( X->s );
703 if( X->p[i - 1] < Y->p[i - 1] ) return( -X->s );
710 * Compare signed values
712 int mpi_cmp_int( const mpi *X, t_sint z )
717 *p = ( z < 0 ) ? -z : z;
718 Y.s = ( z < 0 ) ? -1 : 1;
722 return( mpi_cmp_mpi( X, &Y ) );
726 * Unsigned addition: X = |A| + |B| (HAC 14.7)
728 int mpi_add_abs( mpi *X, const mpi *A, const mpi *B )
736 const mpi *T = A; A = X; B = T;
740 MPI_CHK( mpi_copy( X, A ) );
743 * X should always be positive as a result of unsigned additions.
747 for( j = B->n; j > 0; j-- )
748 if( B->p[j - 1] != 0 )
751 MPI_CHK( mpi_grow( X, j ) );
753 o = B->p; p = X->p; c = 0;
755 for( i = 0; i < j; i++, o++, p++ )
757 *p += c; c = ( *p < c );
758 *p += *o; c += ( *p < *o );
765 MPI_CHK( mpi_grow( X, i + 1 ) );
769 *p += c; c = ( *p < c ); i++; p++;
778 * Helper for mpi substraction
780 static void mpi_sub_hlp( size_t n, t_uint *s, t_uint *d )
785 for( i = c = 0; i < n; i++, s++, d++ )
787 z = ( *d < c ); *d -= c;
788 c = ( *d < *s ) + z; *d -= *s;
793 z = ( *d < c ); *d -= c;
799 * Unsigned substraction: X = |A| - |B| (HAC 14.9)
801 int mpi_sub_abs( mpi *X, const mpi *A, const mpi *B )
807 if( mpi_cmp_abs( A, B ) < 0 )
808 return( POLARSSL_ERR_MPI_NEGATIVE_VALUE );
814 MPI_CHK( mpi_copy( &TB, B ) );
819 MPI_CHK( mpi_copy( X, A ) );
822 * X should always be positive as a result of unsigned substractions.
828 for( n = B->n; n > 0; n-- )
829 if( B->p[n - 1] != 0 )
832 mpi_sub_hlp( n, B->p, X->p );
842 * Signed addition: X = A + B
844 int mpi_add_mpi( mpi *X, const mpi *A, const mpi *B )
848 if( A->s * B->s < 0 )
850 if( mpi_cmp_abs( A, B ) >= 0 )
852 MPI_CHK( mpi_sub_abs( X, A, B ) );
857 MPI_CHK( mpi_sub_abs( X, B, A ) );
863 MPI_CHK( mpi_add_abs( X, A, B ) );
873 * Signed substraction: X = A - B
875 int mpi_sub_mpi( mpi *X, const mpi *A, const mpi *B )
879 if( A->s * B->s > 0 )
881 if( mpi_cmp_abs( A, B ) >= 0 )
883 MPI_CHK( mpi_sub_abs( X, A, B ) );
888 MPI_CHK( mpi_sub_abs( X, B, A ) );
894 MPI_CHK( mpi_add_abs( X, A, B ) );
904 * Signed addition: X = A + b
906 int mpi_add_int( mpi *X, const mpi *A, t_sint b )
911 p[0] = ( b < 0 ) ? -b : b;
912 _B.s = ( b < 0 ) ? -1 : 1;
916 return( mpi_add_mpi( X, A, &_B ) );
920 * Signed substraction: X = A - b
922 int mpi_sub_int( mpi *X, const mpi *A, t_sint b )
927 p[0] = ( b < 0 ) ? -b : b;
928 _B.s = ( b < 0 ) ? -1 : 1;
932 return( mpi_sub_mpi( X, A, &_B ) );
936 * Helper for mpi multiplication
938 static void mpi_mul_hlp( size_t i, t_uint *s, t_uint *d, t_uint b )
942 #if defined(MULADDC_HUIT)
943 for( ; i >= 8; i -= 8 )
957 for( ; i >= 16; i -= 16 )
960 MULADDC_CORE MULADDC_CORE
961 MULADDC_CORE MULADDC_CORE
962 MULADDC_CORE MULADDC_CORE
963 MULADDC_CORE MULADDC_CORE
965 MULADDC_CORE MULADDC_CORE
966 MULADDC_CORE MULADDC_CORE
967 MULADDC_CORE MULADDC_CORE
968 MULADDC_CORE MULADDC_CORE
972 for( ; i >= 8; i -= 8 )
975 MULADDC_CORE MULADDC_CORE
976 MULADDC_CORE MULADDC_CORE
978 MULADDC_CORE MULADDC_CORE
979 MULADDC_CORE MULADDC_CORE
994 *d += c; c = ( *d < c ); d++;
1000 * Baseline multiplication: X = A * B (HAC 14.12)
1002 int mpi_mul_mpi( mpi *X, const mpi *A, const mpi *B )
1008 mpi_init( &TA ); mpi_init( &TB );
1010 if( X == A ) { MPI_CHK( mpi_copy( &TA, A ) ); A = &TA; }
1011 if( X == B ) { MPI_CHK( mpi_copy( &TB, B ) ); B = &TB; }
1013 for( i = A->n; i > 0; i-- )
1014 if( A->p[i - 1] != 0 )
1017 for( j = B->n; j > 0; j-- )
1018 if( B->p[j - 1] != 0 )
1021 MPI_CHK( mpi_grow( X, i + j ) );
1022 MPI_CHK( mpi_lset( X, 0 ) );
1024 for( i++; j > 0; j-- )
1025 mpi_mul_hlp( i - 1, A->p, X->p + j - 1, B->p[j - 1] );
1031 mpi_free( &TB ); mpi_free( &TA );
1037 * Baseline multiplication: X = A * b
1039 int mpi_mul_int( mpi *X, const mpi *A, t_sint b )
1049 return( mpi_mul_mpi( X, A, &_B ) );
1053 * Division by mpi: A = Q * B + R (HAC 14.20)
1055 int mpi_div_mpi( mpi *Q, mpi *R, const mpi *A, const mpi *B )
1059 mpi X, Y, Z, T1, T2;
1061 if( mpi_cmp_int( B, 0 ) == 0 )
1062 return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
1064 mpi_init( &X ); mpi_init( &Y ); mpi_init( &Z );
1065 mpi_init( &T1 ); mpi_init( &T2 );
1067 if( mpi_cmp_abs( A, B ) < 0 )
1069 if( Q != NULL ) MPI_CHK( mpi_lset( Q, 0 ) );
1070 if( R != NULL ) MPI_CHK( mpi_copy( R, A ) );
1074 MPI_CHK( mpi_copy( &X, A ) );
1075 MPI_CHK( mpi_copy( &Y, B ) );
1078 MPI_CHK( mpi_grow( &Z, A->n + 2 ) );
1079 MPI_CHK( mpi_lset( &Z, 0 ) );
1080 MPI_CHK( mpi_grow( &T1, 2 ) );
1081 MPI_CHK( mpi_grow( &T2, 3 ) );
1083 k = mpi_msb( &Y ) % biL;
1087 MPI_CHK( mpi_shift_l( &X, k ) );
1088 MPI_CHK( mpi_shift_l( &Y, k ) );
1094 MPI_CHK( mpi_shift_l( &Y, biL * (n - t) ) );
1096 while( mpi_cmp_mpi( &X, &Y ) >= 0 )
1099 mpi_sub_mpi( &X, &X, &Y );
1101 mpi_shift_r( &Y, biL * (n - t) );
1103 for( i = n; i > t ; i-- )
1105 if( X.p[i] >= Y.p[t] )
1106 Z.p[i - t - 1] = ~0;
1109 #if defined(POLARSSL_HAVE_UDBL)
1112 r = (t_udbl) X.p[i] << biL;
1113 r |= (t_udbl) X.p[i - 1];
1115 if( r > ((t_udbl) 1 << biL) - 1)
1116 r = ((t_udbl) 1 << biL) - 1;
1118 Z.p[i - t - 1] = (t_uint) r;
1121 * __udiv_qrnnd_c, from gmp/longlong.h
1123 t_uint q0, q1, r0, r1;
1124 t_uint d0, d1, d, m;
1127 d0 = ( d << biH ) >> biH;
1131 r1 = X.p[i] - d1 * q1;
1133 r1 |= ( X.p[i - 1] >> biH );
1139 while( r1 >= d && r1 < m )
1147 r0 |= ( X.p[i - 1] << biH ) >> biH;
1153 while( r0 >= d && r0 < m )
1158 Z.p[i - t - 1] = ( q1 << biH ) | q0;
1167 MPI_CHK( mpi_lset( &T1, 0 ) );
1168 T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
1170 MPI_CHK( mpi_mul_int( &T1, &T1, Z.p[i - t - 1] ) );
1172 MPI_CHK( mpi_lset( &T2, 0 ) );
1173 T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
1174 T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
1177 while( mpi_cmp_mpi( &T1, &T2 ) > 0 );
1179 MPI_CHK( mpi_mul_int( &T1, &Y, Z.p[i - t - 1] ) );
1180 MPI_CHK( mpi_shift_l( &T1, biL * (i - t - 1) ) );
1181 MPI_CHK( mpi_sub_mpi( &X, &X, &T1 ) );
1183 if( mpi_cmp_int( &X, 0 ) < 0 )
1185 MPI_CHK( mpi_copy( &T1, &Y ) );
1186 MPI_CHK( mpi_shift_l( &T1, biL * (i - t - 1) ) );
1187 MPI_CHK( mpi_add_mpi( &X, &X, &T1 ) );
1200 mpi_shift_r( &X, k );
1204 if( mpi_cmp_int( R, 0 ) == 0 )
1210 mpi_free( &X ); mpi_free( &Y ); mpi_free( &Z );
1211 mpi_free( &T1 ); mpi_free( &T2 );
1217 * Division by int: A = Q * b + R
1219 int mpi_div_int( mpi *Q, mpi *R, const mpi *A, t_sint b )
1224 p[0] = ( b < 0 ) ? -b : b;
1225 _B.s = ( b < 0 ) ? -1 : 1;
1229 return( mpi_div_mpi( Q, R, A, &_B ) );
1233 * Modulo: R = A mod B
1235 int mpi_mod_mpi( mpi *R, const mpi *A, const mpi *B )
1239 if( mpi_cmp_int( B, 0 ) < 0 )
1240 return POLARSSL_ERR_MPI_NEGATIVE_VALUE;
1242 MPI_CHK( mpi_div_mpi( NULL, R, A, B ) );
1244 while( mpi_cmp_int( R, 0 ) < 0 )
1245 MPI_CHK( mpi_add_mpi( R, R, B ) );
1247 while( mpi_cmp_mpi( R, B ) >= 0 )
1248 MPI_CHK( mpi_sub_mpi( R, R, B ) );
1256 * Modulo: r = A mod b
1258 int mpi_mod_int( t_uint *r, const mpi *A, t_sint b )
1264 return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
1267 return POLARSSL_ERR_MPI_NEGATIVE_VALUE;
1270 * handle trivial cases
1287 for( i = A->n, y = 0; i > 0; i-- )
1290 y = ( y << biH ) | ( x >> biH );
1295 y = ( y << biH ) | ( x >> biH );
1301 * If A is negative, then the current y represents a negative value.
1302 * Flipping it to the positive side.
1304 if( A->s < 0 && y != 0 )
1313 * Fast Montgomery initialization (thanks to Tom St Denis)
1315 static void mpi_montg_init( t_uint *mm, const mpi *N )
1317 t_uint x, m0 = N->p[0];
1320 x += ( ( m0 + 2 ) & 4 ) << 1;
1321 x *= ( 2 - ( m0 * x ) );
1323 if( biL >= 16 ) x *= ( 2 - ( m0 * x ) );
1324 if( biL >= 32 ) x *= ( 2 - ( m0 * x ) );
1325 if( biL >= 64 ) x *= ( 2 - ( m0 * x ) );
1331 * Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
1333 static void mpi_montmul( mpi *A, const mpi *B, const mpi *N, t_uint mm, const mpi *T )
1338 memset( T->p, 0, T->n * ciL );
1342 m = ( B->n < n ) ? B->n : n;
1344 for( i = 0; i < n; i++ )
1347 * T = (T + u0*B + u1*N) / 2^biL
1350 u1 = ( d[0] + u0 * B->p[0] ) * mm;
1352 mpi_mul_hlp( m, B->p, d, u0 );
1353 mpi_mul_hlp( n, N->p, d, u1 );
1355 *d++ = u0; d[n + 1] = 0;
1358 memcpy( A->p, d, (n + 1) * ciL );
1360 if( mpi_cmp_abs( A, N ) >= 0 )
1361 mpi_sub_hlp( n, N->p, A->p );
1363 /* prevent timing attacks */
1364 mpi_sub_hlp( n, A->p, T->p );
1368 * Montgomery reduction: A = A * R^-1 mod N
1370 static void mpi_montred( mpi *A, const mpi *N, t_uint mm, const mpi *T )
1375 U.n = U.s = (int) z;
1378 mpi_montmul( A, &U, N, mm, T );
1382 * Sliding-window exponentiation: X = A^E mod N (HAC 14.85)
1384 int mpi_exp_mod( mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR )
1387 size_t wbits, wsize, one = 1;
1388 size_t i, j, nblimbs;
1389 size_t bufsize, nbits;
1390 t_uint ei, mm, state;
1391 mpi RR, T, W[ 2 << POLARSSL_MPI_WINDOW_SIZE ], Apos;
1394 if( mpi_cmp_int( N, 0 ) < 0 || ( N->p[0] & 1 ) == 0 )
1395 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1397 if( mpi_cmp_int( E, 0 ) < 0 )
1398 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1401 * Init temps and window size
1403 mpi_montg_init( &mm, N );
1404 mpi_init( &RR ); mpi_init( &T );
1405 memset( W, 0, sizeof( W ) );
1409 wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
1410 ( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1;
1412 if( wsize > POLARSSL_MPI_WINDOW_SIZE )
1413 wsize = POLARSSL_MPI_WINDOW_SIZE;
1416 MPI_CHK( mpi_grow( X, j ) );
1417 MPI_CHK( mpi_grow( &W[1], j ) );
1418 MPI_CHK( mpi_grow( &T, j * 2 ) );
1421 * Compensate for negative A (and correct at the end)
1423 neg = ( A->s == -1 );
1428 MPI_CHK( mpi_copy( &Apos, A ) );
1434 * If 1st call, pre-compute R^2 mod N
1436 if( _RR == NULL || _RR->p == NULL )
1438 MPI_CHK( mpi_lset( &RR, 1 ) );
1439 MPI_CHK( mpi_shift_l( &RR, N->n * 2 * biL ) );
1440 MPI_CHK( mpi_mod_mpi( &RR, &RR, N ) );
1443 memcpy( _RR, &RR, sizeof( mpi ) );
1446 memcpy( &RR, _RR, sizeof( mpi ) );
1449 * W[1] = A * R^2 * R^-1 mod N = A * R mod N
1451 if( mpi_cmp_mpi( A, N ) >= 0 )
1452 mpi_mod_mpi( &W[1], A, N );
1453 else mpi_copy( &W[1], A );
1455 mpi_montmul( &W[1], &RR, N, mm, &T );
1458 * X = R^2 * R^-1 mod N = R mod N
1460 MPI_CHK( mpi_copy( X, &RR ) );
1461 mpi_montred( X, N, mm, &T );
1466 * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
1468 j = one << (wsize - 1);
1470 MPI_CHK( mpi_grow( &W[j], N->n + 1 ) );
1471 MPI_CHK( mpi_copy( &W[j], &W[1] ) );
1473 for( i = 0; i < wsize - 1; i++ )
1474 mpi_montmul( &W[j], &W[j], N, mm, &T );
1477 * W[i] = W[i - 1] * W[1]
1479 for( i = j + 1; i < (one << wsize); i++ )
1481 MPI_CHK( mpi_grow( &W[i], N->n + 1 ) );
1482 MPI_CHK( mpi_copy( &W[i], &W[i - 1] ) );
1484 mpi_montmul( &W[i], &W[1], N, mm, &T );
1498 if( nblimbs-- == 0 )
1501 bufsize = sizeof( t_uint ) << 3;
1506 ei = (E->p[nblimbs] >> bufsize) & 1;
1511 if( ei == 0 && state == 0 )
1514 if( ei == 0 && state == 1 )
1517 * out of window, square X
1519 mpi_montmul( X, X, N, mm, &T );
1524 * add ei to current window
1529 wbits |= (ei << (wsize - nbits));
1531 if( nbits == wsize )
1534 * X = X^wsize R^-1 mod N
1536 for( i = 0; i < wsize; i++ )
1537 mpi_montmul( X, X, N, mm, &T );
1540 * X = X * W[wbits] R^-1 mod N
1542 mpi_montmul( X, &W[wbits], N, mm, &T );
1551 * process the remaining bits
1553 for( i = 0; i < nbits; i++ )
1555 mpi_montmul( X, X, N, mm, &T );
1559 if( (wbits & (one << wsize)) != 0 )
1560 mpi_montmul( X, &W[1], N, mm, &T );
1564 * X = A^E * R * R^-1 mod N = A^E mod N
1566 mpi_montred( X, N, mm, &T );
1571 mpi_add_mpi( X, N, X );
1576 for( i = (one << (wsize - 1)); i < (one << wsize); i++ )
1579 mpi_free( &W[1] ); mpi_free( &T ); mpi_free( &Apos );
1588 * Greatest common divisor: G = gcd(A, B) (HAC 14.54)
1590 int mpi_gcd( mpi *G, const mpi *A, const mpi *B )
1596 mpi_init( &TG ); mpi_init( &TA ); mpi_init( &TB );
1598 MPI_CHK( mpi_copy( &TA, A ) );
1599 MPI_CHK( mpi_copy( &TB, B ) );
1601 lz = mpi_lsb( &TA );
1602 lzt = mpi_lsb( &TB );
1607 MPI_CHK( mpi_shift_r( &TA, lz ) );
1608 MPI_CHK( mpi_shift_r( &TB, lz ) );
1612 while( mpi_cmp_int( &TA, 0 ) != 0 )
1614 MPI_CHK( mpi_shift_r( &TA, mpi_lsb( &TA ) ) );
1615 MPI_CHK( mpi_shift_r( &TB, mpi_lsb( &TB ) ) );
1617 if( mpi_cmp_mpi( &TA, &TB ) >= 0 )
1619 MPI_CHK( mpi_sub_abs( &TA, &TA, &TB ) );
1620 MPI_CHK( mpi_shift_r( &TA, 1 ) );
1624 MPI_CHK( mpi_sub_abs( &TB, &TB, &TA ) );
1625 MPI_CHK( mpi_shift_r( &TB, 1 ) );
1629 MPI_CHK( mpi_shift_l( &TB, lz ) );
1630 MPI_CHK( mpi_copy( G, &TB ) );
1634 mpi_free( &TG ); mpi_free( &TA ); mpi_free( &TB );
1639 int mpi_fill_random( mpi *X, size_t size,
1640 int (*f_rng)(void *, unsigned char *, size_t),
1645 MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( size ) ) );
1646 MPI_CHK( mpi_lset( X, 0 ) );
1648 MPI_CHK( f_rng( p_rng, (unsigned char *) X->p, size ) );
1655 * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
1657 int mpi_inv_mod( mpi *X, const mpi *A, const mpi *N )
1660 mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
1662 if( mpi_cmp_int( N, 0 ) <= 0 )
1663 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1665 mpi_init( &TA ); mpi_init( &TU ); mpi_init( &U1 ); mpi_init( &U2 );
1666 mpi_init( &G ); mpi_init( &TB ); mpi_init( &TV );
1667 mpi_init( &V1 ); mpi_init( &V2 );
1669 MPI_CHK( mpi_gcd( &G, A, N ) );
1671 if( mpi_cmp_int( &G, 1 ) != 0 )
1673 ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
1677 MPI_CHK( mpi_mod_mpi( &TA, A, N ) );
1678 MPI_CHK( mpi_copy( &TU, &TA ) );
1679 MPI_CHK( mpi_copy( &TB, N ) );
1680 MPI_CHK( mpi_copy( &TV, N ) );
1682 MPI_CHK( mpi_lset( &U1, 1 ) );
1683 MPI_CHK( mpi_lset( &U2, 0 ) );
1684 MPI_CHK( mpi_lset( &V1, 0 ) );
1685 MPI_CHK( mpi_lset( &V2, 1 ) );
1689 while( ( TU.p[0] & 1 ) == 0 )
1691 MPI_CHK( mpi_shift_r( &TU, 1 ) );
1693 if( ( U1.p[0] & 1 ) != 0 || ( U2.p[0] & 1 ) != 0 )
1695 MPI_CHK( mpi_add_mpi( &U1, &U1, &TB ) );
1696 MPI_CHK( mpi_sub_mpi( &U2, &U2, &TA ) );
1699 MPI_CHK( mpi_shift_r( &U1, 1 ) );
1700 MPI_CHK( mpi_shift_r( &U2, 1 ) );
1703 while( ( TV.p[0] & 1 ) == 0 )
1705 MPI_CHK( mpi_shift_r( &TV, 1 ) );
1707 if( ( V1.p[0] & 1 ) != 0 || ( V2.p[0] & 1 ) != 0 )
1709 MPI_CHK( mpi_add_mpi( &V1, &V1, &TB ) );
1710 MPI_CHK( mpi_sub_mpi( &V2, &V2, &TA ) );
1713 MPI_CHK( mpi_shift_r( &V1, 1 ) );
1714 MPI_CHK( mpi_shift_r( &V2, 1 ) );
1717 if( mpi_cmp_mpi( &TU, &TV ) >= 0 )
1719 MPI_CHK( mpi_sub_mpi( &TU, &TU, &TV ) );
1720 MPI_CHK( mpi_sub_mpi( &U1, &U1, &V1 ) );
1721 MPI_CHK( mpi_sub_mpi( &U2, &U2, &V2 ) );
1725 MPI_CHK( mpi_sub_mpi( &TV, &TV, &TU ) );
1726 MPI_CHK( mpi_sub_mpi( &V1, &V1, &U1 ) );
1727 MPI_CHK( mpi_sub_mpi( &V2, &V2, &U2 ) );
1730 while( mpi_cmp_int( &TU, 0 ) != 0 );
1732 while( mpi_cmp_int( &V1, 0 ) < 0 )
1733 MPI_CHK( mpi_add_mpi( &V1, &V1, N ) );
1735 while( mpi_cmp_mpi( &V1, N ) >= 0 )
1736 MPI_CHK( mpi_sub_mpi( &V1, &V1, N ) );
1738 MPI_CHK( mpi_copy( X, &V1 ) );
1742 mpi_free( &TA ); mpi_free( &TU ); mpi_free( &U1 ); mpi_free( &U2 );
1743 mpi_free( &G ); mpi_free( &TB ); mpi_free( &TV );
1744 mpi_free( &V1 ); mpi_free( &V2 );
1749 #if defined(POLARSSL_GENPRIME)
1751 static const int small_prime[] =
1753 3, 5, 7, 11, 13, 17, 19, 23,
1754 29, 31, 37, 41, 43, 47, 53, 59,
1755 61, 67, 71, 73, 79, 83, 89, 97,
1756 101, 103, 107, 109, 113, 127, 131, 137,
1757 139, 149, 151, 157, 163, 167, 173, 179,
1758 181, 191, 193, 197, 199, 211, 223, 227,
1759 229, 233, 239, 241, 251, 257, 263, 269,
1760 271, 277, 281, 283, 293, 307, 311, 313,
1761 317, 331, 337, 347, 349, 353, 359, 367,
1762 373, 379, 383, 389, 397, 401, 409, 419,
1763 421, 431, 433, 439, 443, 449, 457, 461,
1764 463, 467, 479, 487, 491, 499, 503, 509,
1765 521, 523, 541, 547, 557, 563, 569, 571,
1766 577, 587, 593, 599, 601, 607, 613, 617,
1767 619, 631, 641, 643, 647, 653, 659, 661,
1768 673, 677, 683, 691, 701, 709, 719, 727,
1769 733, 739, 743, 751, 757, 761, 769, 773,
1770 787, 797, 809, 811, 821, 823, 827, 829,
1771 839, 853, 857, 859, 863, 877, 881, 883,
1772 887, 907, 911, 919, 929, 937, 941, 947,
1773 953, 967, 971, 977, 983, 991, 997, -103
1777 * Miller-Rabin primality test (HAC 4.24)
1779 int mpi_is_prime( mpi *X,
1780 int (*f_rng)(void *, unsigned char *, size_t),
1787 if( mpi_cmp_int( X, 0 ) == 0 ||
1788 mpi_cmp_int( X, 1 ) == 0 )
1789 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
1791 if( mpi_cmp_int( X, 2 ) == 0 )
1794 mpi_init( &W ); mpi_init( &R ); mpi_init( &T ); mpi_init( &A );
1797 xs = X->s; X->s = 1;
1800 * test trivial factors first
1802 if( ( X->p[0] & 1 ) == 0 )
1803 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
1805 for( i = 0; small_prime[i] > 0; i++ )
1809 if( mpi_cmp_int( X, small_prime[i] ) <= 0 )
1812 MPI_CHK( mpi_mod_int( &r, X, small_prime[i] ) );
1815 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
1822 MPI_CHK( mpi_sub_int( &W, X, 1 ) );
1824 MPI_CHK( mpi_copy( &R, &W ) );
1825 MPI_CHK( mpi_shift_r( &R, s ) );
1831 n = ( ( i >= 1300 ) ? 2 : ( i >= 850 ) ? 3 :
1832 ( i >= 650 ) ? 4 : ( i >= 350 ) ? 8 :
1833 ( i >= 250 ) ? 12 : ( i >= 150 ) ? 18 : 27 );
1835 for( i = 0; i < n; i++ )
1838 * pick a random A, 1 < A < |X| - 1
1840 MPI_CHK( mpi_fill_random( &A, X->n * ciL, f_rng, p_rng ) );
1842 if( mpi_cmp_mpi( &A, &W ) >= 0 )
1844 j = mpi_msb( &A ) - mpi_msb( &W );
1845 MPI_CHK( mpi_shift_r( &A, j + 1 ) );
1852 MPI_CHK( mpi_exp_mod( &A, &A, &R, X, &RR ) );
1854 if( mpi_cmp_mpi( &A, &W ) == 0 ||
1855 mpi_cmp_int( &A, 1 ) == 0 )
1859 while( j < s && mpi_cmp_mpi( &A, &W ) != 0 )
1864 MPI_CHK( mpi_mul_mpi( &T, &A, &A ) );
1865 MPI_CHK( mpi_mod_mpi( &A, &T, X ) );
1867 if( mpi_cmp_int( &A, 1 ) == 0 )
1874 * not prime if A != |X| - 1 or A == 1
1876 if( mpi_cmp_mpi( &A, &W ) != 0 ||
1877 mpi_cmp_int( &A, 1 ) == 0 )
1879 ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
1888 mpi_free( &W ); mpi_free( &R ); mpi_free( &T ); mpi_free( &A );
1895 * Prime number generation
1897 int mpi_gen_prime( mpi *X, size_t nbits, int dh_flag,
1898 int (*f_rng)(void *, unsigned char *, size_t),
1905 if( nbits < 3 || nbits > POLARSSL_MPI_MAX_BITS )
1906 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1910 n = BITS_TO_LIMBS( nbits );
1912 MPI_CHK( mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
1915 if( k < nbits ) MPI_CHK( mpi_shift_l( X, nbits - k ) );
1916 if( k > nbits ) MPI_CHK( mpi_shift_r( X, k - nbits ) );
1922 while( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) != 0 )
1924 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1927 MPI_CHK( mpi_add_int( X, X, 2 ) );
1932 MPI_CHK( mpi_sub_int( &Y, X, 1 ) );
1933 MPI_CHK( mpi_shift_r( &Y, 1 ) );
1937 if( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) == 0 )
1939 if( ( ret = mpi_is_prime( &Y, f_rng, p_rng ) ) == 0 )
1942 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1946 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1949 MPI_CHK( mpi_add_int( &Y, X, 1 ) );
1950 MPI_CHK( mpi_add_int( X, X, 2 ) );
1951 MPI_CHK( mpi_shift_r( &Y, 1 ) );
1964 #if defined(POLARSSL_SELF_TEST)
1966 #define GCD_PAIR_COUNT 3
1968 static const int gcd_pairs[GCD_PAIR_COUNT][3] =
1972 { 768454923, 542167814, 1 }
1978 int mpi_self_test( int verbose )
1981 mpi A, E, N, X, Y, U, V;
1983 mpi_init( &A ); mpi_init( &E ); mpi_init( &N ); mpi_init( &X );
1984 mpi_init( &Y ); mpi_init( &U ); mpi_init( &V );
1986 MPI_CHK( mpi_read_string( &A, 16,
1987 "EFE021C2645FD1DC586E69184AF4A31E" \
1988 "D5F53E93B5F123FA41680867BA110131" \
1989 "944FE7952E2517337780CB0DB80E61AA" \
1990 "E7C8DDC6C5C6AADEB34EB38A2F40D5E6" ) );
1992 MPI_CHK( mpi_read_string( &E, 16,
1993 "B2E7EFD37075B9F03FF989C7C5051C20" \
1994 "34D2A323810251127E7BF8625A4F49A5" \
1995 "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
1996 "5B5C25763222FEFCCFC38B832366C29E" ) );
1998 MPI_CHK( mpi_read_string( &N, 16,
1999 "0066A198186C18C10B2F5ED9B522752A" \
2000 "9830B69916E535C8F047518A889A43A5" \
2001 "94B6BED27A168D31D4A52F88925AA8F5" ) );
2003 MPI_CHK( mpi_mul_mpi( &X, &A, &N ) );
2005 MPI_CHK( mpi_read_string( &U, 16,
2006 "602AB7ECA597A3D6B56FF9829A5E8B85" \
2007 "9E857EA95A03512E2BAE7391688D264A" \
2008 "A5663B0341DB9CCFD2C4C5F421FEC814" \
2009 "8001B72E848A38CAE1C65F78E56ABDEF" \
2010 "E12D3C039B8A02D6BE593F0BBBDA56F1" \
2011 "ECF677152EF804370C1A305CAF3B5BF1" \
2012 "30879B56C61DE584A0F53A2447A51E" ) );
2015 printf( " MPI test #1 (mul_mpi): " );
2017 if( mpi_cmp_mpi( &X, &U ) != 0 )
2020 printf( "failed\n" );
2026 printf( "passed\n" );
2028 MPI_CHK( mpi_div_mpi( &X, &Y, &A, &N ) );
2030 MPI_CHK( mpi_read_string( &U, 16,
2031 "256567336059E52CAE22925474705F39A94" ) );
2033 MPI_CHK( mpi_read_string( &V, 16,
2034 "6613F26162223DF488E9CD48CC132C7A" \
2035 "0AC93C701B001B092E4E5B9F73BCD27B" \
2036 "9EE50D0657C77F374E903CDFA4C642" ) );
2039 printf( " MPI test #2 (div_mpi): " );
2041 if( mpi_cmp_mpi( &X, &U ) != 0 ||
2042 mpi_cmp_mpi( &Y, &V ) != 0 )
2045 printf( "failed\n" );
2051 printf( "passed\n" );
2053 MPI_CHK( mpi_exp_mod( &X, &A, &E, &N, NULL ) );
2055 MPI_CHK( mpi_read_string( &U, 16,
2056 "36E139AEA55215609D2816998ED020BB" \
2057 "BD96C37890F65171D948E9BC7CBAA4D9" \
2058 "325D24D6A3C12710F10A09FA08AB87" ) );
2061 printf( " MPI test #3 (exp_mod): " );
2063 if( mpi_cmp_mpi( &X, &U ) != 0 )
2066 printf( "failed\n" );
2072 printf( "passed\n" );
2074 #if defined(POLARSSL_GENPRIME)
2075 MPI_CHK( mpi_inv_mod( &X, &A, &N ) );
2077 MPI_CHK( mpi_read_string( &U, 16,
2078 "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
2079 "C3DBA76456363A10869622EAC2DD84EC" \
2080 "C5B8A74DAC4D09E03B5E0BE779F2DF61" ) );
2083 printf( " MPI test #4 (inv_mod): " );
2085 if( mpi_cmp_mpi( &X, &U ) != 0 )
2088 printf( "failed\n" );
2094 printf( "passed\n" );
2098 printf( " MPI test #5 (simple gcd): " );
2100 for ( i = 0; i < GCD_PAIR_COUNT; i++)
2102 MPI_CHK( mpi_lset( &X, gcd_pairs[i][0] ) );
2103 MPI_CHK( mpi_lset( &Y, gcd_pairs[i][1] ) );
2105 MPI_CHK( mpi_gcd( &A, &X, &Y ) );
2107 if( mpi_cmp_int( &A, gcd_pairs[i][2] ) != 0 )
2110 printf( "failed at %d\n", i );
2117 printf( "passed\n" );
2121 if( ret != 0 && verbose != 0 )
2122 printf( "Unexpected error, return code = %08X\n", ret );
2124 mpi_free( &A ); mpi_free( &E ); mpi_free( &N ); mpi_free( &X );
2125 mpi_free( &Y ); mpi_free( &U ); mpi_free( &V );
projects / gnuk / gnuk.git / blob