Package list libcryptx-perl / 78a98ba
update libtommath Karel Miko 2 years ago
142 changed file(s) with 1428 addition(s) and 437 deletion(s). Raw diff Collapse all Expand all
141141 ltm/bn_mp_div_3.o ltm/bn_mp_div_d.o ltm/bn_mp_dr_is_modulus.o ltm/bn_mp_dr_reduce.o \
142142 ltm/bn_mp_dr_setup.o ltm/bn_mp_exch.o ltm/bn_mp_export.o ltm/bn_mp_exptmod.o ltm/bn_mp_exptmod_fast.o \
143143 ltm/bn_mp_expt_d.o ltm/bn_mp_expt_d_ex.o ltm/bn_mp_exteuclid.o ltm/bn_mp_fread.o \
144 ltm/bn_mp_fwrite.o ltm/bn_mp_gcd.o ltm/bn_mp_get_int.o ltm/bn_mp_get_long.o ltm/bn_mp_grow.o \
145 ltm/bn_mp_import.o ltm/bn_mp_init.o ltm/bn_mp_init_copy.o ltm/bn_mp_init_multi.o \
144 ltm/bn_mp_fwrite.o ltm/bn_mp_gcd.o ltm/bn_mp_get_bit.o ltm/bn_mp_get_int.o ltm/bn_mp_get_long.o \
145 ltm/bn_mp_grow.o ltm/bn_mp_import.o ltm/bn_mp_init.o ltm/bn_mp_init_copy.o ltm/bn_mp_init_multi.o \
146146 ltm/bn_mp_init_set.o ltm/bn_mp_init_set_int.o ltm/bn_mp_init_size.o ltm/bn_mp_invmod.o \
147147 ltm/bn_mp_invmod_slow.o ltm/bn_mp_is_square.o ltm/bn_mp_jacobi.o ltm/bn_mp_karatsuba_mul.o \
148 ltm/bn_mp_karatsuba_sqr.o ltm/bn_mp_lcm.o ltm/bn_mp_lshd.o ltm/bn_mp_mod.o ltm/bn_mp_mod_2d.o \
149 ltm/bn_mp_mod_d.o ltm/bn_mp_montgomery_calc_normalization.o ltm/bn_mp_montgomery_reduce.o \
150 ltm/bn_mp_montgomery_setup.o ltm/bn_mp_mul.o ltm/bn_mp_mulmod.o ltm/bn_mp_mul_2.o \
151 ltm/bn_mp_mul_2d.o ltm/bn_mp_mul_d.o ltm/bn_mp_neg.o ltm/bn_mp_n_root.o ltm/bn_mp_n_root_ex.o \
152 ltm/bn_mp_or.o ltm/bn_mp_prime_fermat.o ltm/bn_mp_prime_is_divisible.o ltm/bn_mp_prime_is_prime.o \
153 ltm/bn_mp_prime_miller_rabin.o ltm/bn_mp_prime_next_prime.o ltm/bn_mp_prime_rabin_miller_trials.o \
154 ltm/bn_mp_prime_random_ex.o ltm/bn_mp_radix_size.o ltm/bn_mp_radix_smap.o ltm/bn_mp_rand.o \
155 ltm/bn_mp_read_radix.o ltm/bn_mp_read_signed_bin.o ltm/bn_mp_read_unsigned_bin.o \
148 ltm/bn_mp_karatsuba_sqr.o ltm/bn_mp_kronecker.o ltm/bn_mp_lcm.o ltm/bn_mp_lshd.o \
149 ltm/bn_mp_mod.o ltm/bn_mp_mod_2d.o ltm/bn_mp_mod_d.o ltm/bn_mp_montgomery_calc_normalization.o \
150 ltm/bn_mp_montgomery_reduce.o ltm/bn_mp_montgomery_setup.o ltm/bn_mp_mul.o ltm/bn_mp_mulmod.o \
151 ltm/bn_mp_mul_2.o ltm/bn_mp_mul_2d.o ltm/bn_mp_mul_d.o ltm/bn_mp_neg.o ltm/bn_mp_n_root.o \
152 ltm/bn_mp_n_root_ex.o ltm/bn_mp_or.o ltm/bn_mp_prime_fermat.o ltm/bn_mp_prime_frobenius_underwood.o \
153 ltm/bn_mp_prime_is_divisible.o ltm/bn_mp_prime_is_prime.o ltm/bn_mp_prime_miller_rabin.o \
154 ltm/bn_mp_prime_next_prime.o ltm/bn_mp_prime_rabin_miller_trials.o ltm/bn_mp_prime_random_ex.o \
155 ltm/bn_mp_prime_strong_lucas_selfridge.o ltm/bn_mp_radix_size.o ltm/bn_mp_radix_smap.o \
156 ltm/bn_mp_rand.o ltm/bn_mp_read_radix.o ltm/bn_mp_read_signed_bin.o ltm/bn_mp_read_unsigned_bin.o \
156157 ltm/bn_mp_reduce.o ltm/bn_mp_reduce_2k.o ltm/bn_mp_reduce_2k_l.o ltm/bn_mp_reduce_2k_setup.o \
157158 ltm/bn_mp_reduce_2k_setup_l.o ltm/bn_mp_reduce_is_2k.o ltm/bn_mp_reduce_is_2k_l.o \
158159 ltm/bn_mp_reduce_setup.o ltm/bn_mp_rshd.o ltm/bn_mp_set.o ltm/bn_mp_set_int.o ltm/bn_mp_set_long.o \
149149 ltm/bn_mp_dr_is_modulus.obj ltm/bn_mp_dr_reduce.obj ltm/bn_mp_dr_setup.obj ltm/bn_mp_exch.obj \
150150 ltm/bn_mp_export.obj ltm/bn_mp_exptmod.obj ltm/bn_mp_exptmod_fast.obj ltm/bn_mp_expt_d.obj \
151151 ltm/bn_mp_expt_d_ex.obj ltm/bn_mp_exteuclid.obj ltm/bn_mp_fread.obj ltm/bn_mp_fwrite.obj \
152 ltm/bn_mp_gcd.obj ltm/bn_mp_get_int.obj ltm/bn_mp_get_long.obj ltm/bn_mp_grow.obj \
153 ltm/bn_mp_import.obj ltm/bn_mp_init.obj ltm/bn_mp_init_copy.obj ltm/bn_mp_init_multi.obj \
154 ltm/bn_mp_init_set.obj ltm/bn_mp_init_set_int.obj ltm/bn_mp_init_size.obj ltm/bn_mp_invmod.obj \
155 ltm/bn_mp_invmod_slow.obj ltm/bn_mp_is_square.obj ltm/bn_mp_jacobi.obj ltm/bn_mp_karatsuba_mul.obj \
156 ltm/bn_mp_karatsuba_sqr.obj ltm/bn_mp_lcm.obj ltm/bn_mp_lshd.obj ltm/bn_mp_mod.obj \
157 ltm/bn_mp_mod_2d.obj ltm/bn_mp_mod_d.obj ltm/bn_mp_montgomery_calc_normalization.obj \
152 ltm/bn_mp_gcd.obj ltm/bn_mp_get_bit.obj ltm/bn_mp_get_int.obj ltm/bn_mp_get_long.obj \
153 ltm/bn_mp_grow.obj ltm/bn_mp_import.obj ltm/bn_mp_init.obj ltm/bn_mp_init_copy.obj \
154 ltm/bn_mp_init_multi.obj ltm/bn_mp_init_set.obj ltm/bn_mp_init_set_int.obj ltm/bn_mp_init_size.obj \
155 ltm/bn_mp_invmod.obj ltm/bn_mp_invmod_slow.obj ltm/bn_mp_is_square.obj ltm/bn_mp_jacobi.obj \
156 ltm/bn_mp_karatsuba_mul.obj ltm/bn_mp_karatsuba_sqr.obj ltm/bn_mp_kronecker.obj ltm/bn_mp_lcm.obj \
157 ltm/bn_mp_lshd.obj ltm/bn_mp_mod.obj ltm/bn_mp_mod_2d.obj ltm/bn_mp_mod_d.obj ltm/bn_mp_montgomery_calc_normalization.obj \
158158 ltm/bn_mp_montgomery_reduce.obj ltm/bn_mp_montgomery_setup.obj ltm/bn_mp_mul.obj \
159159 ltm/bn_mp_mulmod.obj ltm/bn_mp_mul_2.obj ltm/bn_mp_mul_2d.obj ltm/bn_mp_mul_d.obj \
160160 ltm/bn_mp_neg.obj ltm/bn_mp_n_root.obj ltm/bn_mp_n_root_ex.obj ltm/bn_mp_or.obj ltm/bn_mp_prime_fermat.obj \
161 ltm/bn_mp_prime_is_divisible.obj ltm/bn_mp_prime_is_prime.obj ltm/bn_mp_prime_miller_rabin.obj \
162 ltm/bn_mp_prime_next_prime.obj ltm/bn_mp_prime_rabin_miller_trials.obj ltm/bn_mp_prime_random_ex.obj \
163 ltm/bn_mp_radix_size.obj ltm/bn_mp_radix_smap.obj ltm/bn_mp_rand.obj ltm/bn_mp_read_radix.obj \
164 ltm/bn_mp_read_signed_bin.obj ltm/bn_mp_read_unsigned_bin.obj ltm/bn_mp_reduce.obj \
165 ltm/bn_mp_reduce_2k.obj ltm/bn_mp_reduce_2k_l.obj ltm/bn_mp_reduce_2k_setup.obj ltm/bn_mp_reduce_2k_setup_l.obj \
166 ltm/bn_mp_reduce_is_2k.obj ltm/bn_mp_reduce_is_2k_l.obj ltm/bn_mp_reduce_setup.obj \
167 ltm/bn_mp_rshd.obj ltm/bn_mp_set.obj ltm/bn_mp_set_int.obj ltm/bn_mp_set_long.obj \
168 ltm/bn_mp_shrink.obj ltm/bn_mp_signed_bin_size.obj ltm/bn_mp_sqr.obj ltm/bn_mp_sqrmod.obj \
169 ltm/bn_mp_sqrt.obj ltm/bn_mp_sqrtmod_prime.obj ltm/bn_mp_sub.obj ltm/bn_mp_submod.obj \
170 ltm/bn_mp_sub_d.obj ltm/bn_mp_tc_and.obj ltm/bn_mp_tc_div_2d.obj ltm/bn_mp_tc_or.obj \
171 ltm/bn_mp_tc_xor.obj ltm/bn_mp_toom_mul.obj ltm/bn_mp_toom_sqr.obj ltm/bn_mp_toradix.obj \
172 ltm/bn_mp_toradix_n.obj ltm/bn_mp_to_signed_bin.obj ltm/bn_mp_to_signed_bin_n.obj \
161 ltm/bn_mp_prime_frobenius_underwood.obj ltm/bn_mp_prime_is_divisible.obj ltm/bn_mp_prime_is_prime.obj \
162 ltm/bn_mp_prime_miller_rabin.obj ltm/bn_mp_prime_next_prime.obj ltm/bn_mp_prime_rabin_miller_trials.obj \
163 ltm/bn_mp_prime_random_ex.obj ltm/bn_mp_prime_strong_lucas_selfridge.obj ltm/bn_mp_radix_size.obj \
164 ltm/bn_mp_radix_smap.obj ltm/bn_mp_rand.obj ltm/bn_mp_read_radix.obj ltm/bn_mp_read_signed_bin.obj \
165 ltm/bn_mp_read_unsigned_bin.obj ltm/bn_mp_reduce.obj ltm/bn_mp_reduce_2k.obj ltm/bn_mp_reduce_2k_l.obj \
166 ltm/bn_mp_reduce_2k_setup.obj ltm/bn_mp_reduce_2k_setup_l.obj ltm/bn_mp_reduce_is_2k.obj \
167 ltm/bn_mp_reduce_is_2k_l.obj ltm/bn_mp_reduce_setup.obj ltm/bn_mp_rshd.obj ltm/bn_mp_set.obj \
168 ltm/bn_mp_set_int.obj ltm/bn_mp_set_long.obj ltm/bn_mp_shrink.obj ltm/bn_mp_signed_bin_size.obj \
169 ltm/bn_mp_sqr.obj ltm/bn_mp_sqrmod.obj ltm/bn_mp_sqrt.obj ltm/bn_mp_sqrtmod_prime.obj \
170 ltm/bn_mp_sub.obj ltm/bn_mp_submod.obj ltm/bn_mp_sub_d.obj ltm/bn_mp_tc_and.obj ltm/bn_mp_tc_div_2d.obj \
171 ltm/bn_mp_tc_or.obj ltm/bn_mp_tc_xor.obj ltm/bn_mp_toom_mul.obj ltm/bn_mp_toom_sqr.obj \
172 ltm/bn_mp_toradix.obj ltm/bn_mp_toradix_n.obj ltm/bn_mp_to_signed_bin.obj ltm/bn_mp_to_signed_bin_n.obj \
173173 ltm/bn_mp_to_unsigned_bin.obj ltm/bn_mp_to_unsigned_bin_n.obj ltm/bn_mp_unsigned_bin_size.obj \
174174 ltm/bn_mp_xor.obj ltm/bn_mp_zero.obj ltm/bn_prime_tab.obj ltm/bn_reverse.obj ltm/bn_s_mp_add.obj \
175175 ltm/bn_s_mp_exptmod.obj ltm/bn_s_mp_mul_digs.obj ltm/bn_s_mp_mul_high_digs.obj ltm/bn_s_mp_sqr.obj \
9898 type = mode & LTC_PAD_MASK;
9999
100100 if (*padded_length < l) {
101 #ifdef LTC_RNG_GET_BYTES
101102 if (type != LTC_PAD_ISO_10126) {
102103 *padded_length = l;
103104 } else {
104105 *padded_length = length + 256;
105106 }
107 #else
108 *padded_length = l;
109 #endif
106110 return CRYPT_BUFFER_OVERFLOW;
107111 }
108112
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 static const struct {
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* computes the modular inverse via binary extended euclidean algorithm,
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* computes xR**-1 == x (mod N) via Montgomery Reduction
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* Fast (comba) multiplier
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* this is a modified version of fast_s_mul_digs that only produces
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* the jist of squaring...
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* computes a = 2**b
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* b = |a|
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* high level addition (handles signs) */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* single digit addition */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* d = a + b (mod c) */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* AND two ints together */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* trim unused digits
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* clear one (frees) */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 #include <stdarg.h>
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* compare two ints (signed)*/
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* compare a digit */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* compare maginitude of two ints (unsigned) */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 static const int lnz[16] = {
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* b = ~a */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* copy, b = a */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* returns the number of bits in an int */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 #ifdef BN_MP_DIV_SMALL
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* b = a/2 */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* shift right by a certain bit count (store quotient in c, optional remainder in d) */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* divide by three (based on routine from MPI and the GMP manual) */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 static int s_is_power_of_two(mp_digit b, int *p)
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* determines if a number is a valid DR modulus */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* reduce "x" in place modulo "n" using the Diminished Radix algorithm.
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* determines the setup value */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* swap the elements of two integers, for cases where you can't simply swap the
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* based on gmp's mpz_export.
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* wrapper function for mp_expt_d_ex() */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* calculate c = a**b using a square-multiply algorithm */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* computes Y == G**X mod P, HAC pp.616, Algorithm 14.85
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* Extended euclidean algorithm of (a, b) produces
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 #ifndef LTM_NO_FILE
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 #ifndef LTM_NO_FILE
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* Greatest Common Divisor using the binary method */
0 #include "tommath_private.h"
1 #ifdef BN_MP_GET_BIT_C
2
3 /* LibTomMath, multiple-precision integer library -- Tom St Denis
4 *
5 * LibTomMath is a library that provides multiple-precision
6 * integer arithmetic as well as number theoretic functionality.
7 *
8 * The library was designed directly after the MPI library by
9 * Michael Fromberger but has been written from scratch with
10 * additional optimizations in place.
11 *
12 * SPDX-License-Identifier: Unlicense
13 */
14
15 /* Checks the bit at position b and returns MP_YES
16 if the bit is 1, MP_NO if it is 0 and MP_VAL
17 in case of error */
18 int mp_get_bit(const mp_int *a, int b)
19 {
20 int limb;
21 mp_digit bit, isset;
22
23 if (b < 0) {
24 return MP_VAL;
25 }
26
27 limb = b / DIGIT_BIT;
28
29 /*
30 * Zero is a special value with the member "used" set to zero.
31 * Needs to be tested before the check for the upper boundary
32 * otherwise (limb >= a->used) would be true for a = 0
33 */
34
35 if (mp_iszero(a) != MP_NO) {
36 return MP_NO;
37 }
38
39 if (limb >= a->used) {
40 return MP_VAL;
41 }
42
43 bit = (mp_digit)(1) << (b % DIGIT_BIT);
44
45 isset = a->dp[limb] & bit;
46 return (isset != 0u) ? MP_YES : MP_NO;
47 }
48
49 #endif
50
51 /* ref: $Format:%D$ */
52 /* git commit: $Format:%H$ */
53 /* commit time: $Format:%ai$ */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* get the lower 32-bits of an mp_int */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* get the lower unsigned long of an mp_int, platform dependent */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* grow as required */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* based on gmp's mpz_import.
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* init a new mp_int */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* creates "a" then copies b into it */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 #include <stdarg.h>
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* initialize and set a digit */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* initialize and set a digit */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* init an mp_init for a given size */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* hac 14.61, pp608 */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* hac 14.61, pp608 */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* Check if remainders are possible squares - fast exclude non-squares */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* computes the jacobi c = (a | n) (or Legendre if n is prime)
16 * HAC pp. 73 Algorithm 2.149
17 * HAC is wrong here, as the special case of (0 | 1) is not
18 * handled correctly.
15 * Kept for legacy reasons, please use mp_kronecker() instead
1916 */
2017 int mp_jacobi(const mp_int *a, const mp_int *n, int *c)
2118 {
22 mp_int a1, p1;
23 int k, s, r, res;
24 mp_digit residue;
25
2619 /* if a < 0 return MP_VAL */
2720 if (mp_isneg(a) == MP_YES) {
2821 return MP_VAL;
3326 return MP_VAL;
3427 }
3528
36 /* step 1. handle case of a == 0 */
37 if (mp_iszero(a) == MP_YES) {
38 /* special case of a == 0 and n == 1 */
39 if (mp_cmp_d(n, 1uL) == MP_EQ) {
40 *c = 1;
41 } else {
42 *c = 0;
43 }
44 return MP_OKAY;
45 }
46
47 /* step 2. if a == 1, return 1 */
48 if (mp_cmp_d(a, 1uL) == MP_EQ) {
49 *c = 1;
50 return MP_OKAY;
51 }
52
53 /* default */
54 s = 0;
55
56 /* step 3. write a = a1 * 2**k */
57 if ((res = mp_init_copy(&a1, a)) != MP_OKAY) {
58 return res;
59 }
60
61 if ((res = mp_init(&p1)) != MP_OKAY) {
62 goto LBL_A1;
63 }
64
65 /* divide out larger power of two */
66 k = mp_cnt_lsb(&a1);
67 if ((res = mp_div_2d(&a1, k, &a1, NULL)) != MP_OKAY) {
68 goto LBL_P1;
69 }
70
71 /* step 4. if e is even set s=1 */
72 if (((unsigned)k & 1u) == 0u) {
73 s = 1;
74 } else {
75 /* else set s=1 if p = 1/7 (mod 8) or s=-1 if p = 3/5 (mod 8) */
76 residue = n->dp[0] & 7u;
77
78 if ((residue == 1u) || (residue == 7u)) {
79 s = 1;
80 } else if ((residue == 3u) || (residue == 5u)) {
81 s = -1;
82 }
83 }
84
85 /* step 5. if p == 3 (mod 4) *and* a1 == 3 (mod 4) then s = -s */
86 if (((n->dp[0] & 3u) == 3u) && ((a1.dp[0] & 3u) == 3u)) {
87 s = -s;
88 }
89
90 /* if a1 == 1 we're done */
91 if (mp_cmp_d(&a1, 1uL) == MP_EQ) {
92 *c = s;
93 } else {
94 /* n1 = n mod a1 */
95 if ((res = mp_mod(n, &a1, &p1)) != MP_OKAY) {
96 goto LBL_P1;
97 }
98 if ((res = mp_jacobi(&p1, &a1, &r)) != MP_OKAY) {
99 goto LBL_P1;
100 }
101 *c = s * r;
102 }
103
104 /* done */
105 res = MP_OKAY;
106 LBL_P1:
107 mp_clear(&p1);
108 LBL_A1:
109 mp_clear(&a1);
110 return res;
29 return mp_kronecker(a, n, c);
11130 }
11231 #endif
11332
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* c = |a| * |b| using Karatsuba Multiplication using
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* Karatsuba squaring, computes b = a*a using three
0 #include "tommath_private.h"
1 #ifdef BN_MP_KRONECKER_C
2
3 /* LibTomMath, multiple-precision integer library -- Tom St Denis
4 *
5 * LibTomMath is a library that provides multiple-precision
6 * integer arithmetic as well as number theoretic functionality.
7 *
8 * The library was designed directly after the MPI library by
9 * Michael Fromberger but has been written from scratch with
10 * additional optimizations in place.
11 *
12 * SPDX-License-Identifier: Unlicense
13 */
14
15 /*
16 Kronecker symbol (a|p)
17 Straightforward implementation of algorithm 1.4.10 in
18 Henri Cohen: "A Course in Computational Algebraic Number Theory"
19
20 @book{cohen2013course,
21 title={A course in computational algebraic number theory},
22 author={Cohen, Henri},
23 volume={138},
24 year={2013},
25 publisher={Springer Science \& Business Media}
26 }
27 */
28 int mp_kronecker(const mp_int *a, const mp_int *p, int *c)
29 {
30 mp_int a1, p1, r;
31
32 int e = MP_OKAY;
33 int v, k;
34
35 static const int table[8] = {0, 1, 0, -1, 0, -1, 0, 1};
36
37 if (mp_iszero(p) != MP_NO) {
38 if ((a->used == 1) && (a->dp[0] == 1u)) {
39 *c = 1;
40 return e;
41 } else {
42 *c = 0;
43 return e;
44 }
45 }
46
47 if ((mp_iseven(a) != MP_NO) && (mp_iseven(p) != MP_NO)) {
48 *c = 0;
49 return e;
50 }
51
52 if ((e = mp_init_copy(&a1, a)) != MP_OKAY) {
53 return e;
54 }
55 if ((e = mp_init_copy(&p1, p)) != MP_OKAY) {
56 goto LBL_KRON_0;
57 }
58
59 v = mp_cnt_lsb(&p1);
60 if ((e = mp_div_2d(&p1, v, &p1, NULL)) != MP_OKAY) {
61 goto LBL_KRON_1;
62 }
63
64 if ((v & 0x1) == 0) {
65 k = 1;
66 } else {
67 k = table[a->dp[0] & 7u];
68 }
69
70 if (p1.sign == MP_NEG) {
71 p1.sign = MP_ZPOS;
72 if (a1.sign == MP_NEG) {
73 k = -k;
74 }
75 }
76
77 if ((e = mp_init(&r)) != MP_OKAY) {
78 goto LBL_KRON_1;
79 }
80
81 for (;;) {
82 if (mp_iszero(&a1) != MP_NO) {
83 if (mp_cmp_d(&p1, 1uL) == MP_EQ) {
84 *c = k;
85 goto LBL_KRON;
86 } else {
87 *c = 0;
88 goto LBL_KRON;
89 }
90 }
91
92 v = mp_cnt_lsb(&a1);
93 if ((e = mp_div_2d(&a1, v, &a1, NULL)) != MP_OKAY) {
94 goto LBL_KRON;
95 }
96
97 if ((v & 0x1) == 1) {
98 k = k * table[p1.dp[0] & 7u];
99 }
100
101 if (a1.sign == MP_NEG) {
102 /*
103 * Compute k = (-1)^((a1)*(p1-1)/4) * k
104 * a1.dp[0] + 1 cannot overflow because the MSB
105 * of the type mp_digit is not set by definition
106 */
107 if (((a1.dp[0] + 1u) & p1.dp[0] & 2u) != 0u) {
108 k = -k;
109 }
110 } else {
111 /* compute k = (-1)^((a1-1)*(p1-1)/4) * k */
112 if ((a1.dp[0] & p1.dp[0] & 2u) != 0u) {
113 k = -k;
114 }
115 }
116
117 if ((e = mp_copy(&a1, &r)) != MP_OKAY) {
118 goto LBL_KRON;
119 }
120 r.sign = MP_ZPOS;
121 if ((e = mp_mod(&p1, &r, &a1)) != MP_OKAY) {
122 goto LBL_KRON;
123 }
124 if ((e = mp_copy(&r, &p1)) != MP_OKAY) {
125 goto LBL_KRON;
126 }
127 }
128
129 LBL_KRON:
130 mp_clear(&r);
131 LBL_KRON_1:
132 mp_clear(&p1);
133 LBL_KRON_0:
134 mp_clear(&a1);
135
136 return e;
137 }
138
139 #endif
140
141 /* ref: $Format:%D$ */
142 /* git commit: $Format:%H$ */
143 /* commit time: $Format:%ai$ */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* computes least common multiple as |a*b|/(a, b) */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* shift left a certain amount of digits */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* c = a mod b, 0 <= c < b if b > 0, b < c <= 0 if b < 0 */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* calc a value mod 2**b */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 int mp_mod_d(const mp_int *a, mp_digit b, mp_digit *c)
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /*
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* computes xR**-1 == x (mod N) via Montgomery Reduction */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* setups the montgomery reduction stuff */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* high level multiplication (handles sign) */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* b = a*2 */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* shift left by a certain bit count */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* multiply by a digit */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* d = a * b (mod c) */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* wrapper function for mp_n_root_ex()
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* find the n'th root of an integer
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* b = -a */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* OR two ints together */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* performs one Fermat test.
0 #include "tommath_private.h"
1 #ifdef BN_MP_PRIME_FROBENIUS_UNDERWOOD_C
2
3 /* LibTomMath, multiple-precision integer library -- Tom St Denis
4 *
5 * LibTomMath is a library that provides multiple-precision
6 * integer arithmetic as well as number theoretic functionality.
7 *
8 * The library was designed directly after the MPI library by
9 * Michael Fromberger but has been written from scratch with
10 * additional optimizations in place.
11 *
12 * SPDX-License-Identifier: Unlicense
13 */
14
15 /*
16 * See file bn_mp_prime_is_prime.c or the documentation in doc/bn.tex for the details
17 */
18 #ifndef LTM_USE_FIPS_ONLY
19
20 #ifdef MP_8BIT
21 /*
22 * floor of positive solution of
23 * (2^16)-1 = (a+4)*(2*a+5)
24 * TODO: Both values are smaller than N^(1/4), would have to use a bigint
25 * for a instead but any a biger than about 120 are already so rare that
26 * it is possible to ignore them and still get enough pseudoprimes.
27 * But it is still a restriction of the set of available pseudoprimes
28 * which makes this implementation less secure if used stand-alone.
29 */
30 #define LTM_FROBENIUS_UNDERWOOD_A 177
31 #else
32 #define LTM_FROBENIUS_UNDERWOOD_A 32764
33 #endif
34 int mp_prime_frobenius_underwood(const mp_int *N, int *result)
35 {
36 mp_int T1z, T2z, Np1z, sz, tz;
37
38 int a, ap2, length, i, j, isset;
39 int e;
40
41 *result = MP_NO;
42
43 if ((e = mp_init_multi(&T1z, &T2z, &Np1z, &sz, &tz, NULL)) != MP_OKAY) {
44 return e;
45 }
46
47 for (a = 0; a < LTM_FROBENIUS_UNDERWOOD_A; a++) {
48 /* TODO: That's ugly! No, really, it is! */
49 if ((a==2) || (a==4) || (a==7) || (a==8) || (a==10) ||
50 (a==14) || (a==18) || (a==23) || (a==26) || (a==28)) {
51 continue;
52 }
53 /* (32764^2 - 4) < 2^31, no bigint for >MP_8BIT needed) */
54 if ((e = mp_set_long(&T1z, (unsigned long)a)) != MP_OKAY) {
55 goto LBL_FU_ERR;
56 }
57
58 if ((e = mp_sqr(&T1z, &T1z)) != MP_OKAY) {
59 goto LBL_FU_ERR;
60 }
61
62 if ((e = mp_sub_d(&T1z, 4uL, &T1z)) != MP_OKAY) {
63 goto LBL_FU_ERR;
64 }
65
66 if ((e = mp_kronecker(&T1z, N, &j)) != MP_OKAY) {
67 goto LBL_FU_ERR;
68 }
69
70 if (j == -1) {
71 break;
72 }
73
74 if (j == 0) {
75 /* composite */
76 goto LBL_FU_ERR;
77 }
78 }
79 /* Tell it a composite and set return value accordingly */
80 if (a >= LTM_FROBENIUS_UNDERWOOD_A) {
81 e = MP_ITER;
82 goto LBL_FU_ERR;
83 }
84 /* Composite if N and (a+4)*(2*a+5) are not coprime */
85 if ((e = mp_set_long(&T1z, (unsigned long)((a+4)*((2*a)+5)))) != MP_OKAY) {
86 goto LBL_FU_ERR;
87 }
88
89 if ((e = mp_gcd(N, &T1z, &T1z)) != MP_OKAY) {
90 goto LBL_FU_ERR;
91 }
92
93 if (!((T1z.used == 1) && (T1z.dp[0] == 1u))) {
94 goto LBL_FU_ERR;
95 }
96
97 ap2 = a + 2;
98 if ((e = mp_add_d(N, 1uL, &Np1z)) != MP_OKAY) {
99 goto LBL_FU_ERR;
100 }
101
102 mp_set(&sz, 1uL);
103 mp_set(&tz, 2uL);
104 length = mp_count_bits(&Np1z);
105
106 for (i = length - 2; i >= 0; i--) {
107 /*
108 * temp = (sz*(a*sz+2*tz))%N;
109 * tz = ((tz-sz)*(tz+sz))%N;
110 * sz = temp;
111 */
112 if ((e = mp_mul_2(&tz, &T2z)) != MP_OKAY) {
113 goto LBL_FU_ERR;
114 }
115
116 /* a = 0 at about 50% of the cases (non-square and odd input) */
117 if (a != 0) {
118 if ((e = mp_mul_d(&sz, (mp_digit)a, &T1z)) != MP_OKAY) {
119 goto LBL_FU_ERR;
120 }
121 if ((e = mp_add(&T1z, &T2z, &T2z)) != MP_OKAY) {
122 goto LBL_FU_ERR;
123 }
124 }
125
126 if ((e = mp_mul(&T2z, &sz, &T1z)) != MP_OKAY) {
127 goto LBL_FU_ERR;
128 }
129 if ((e = mp_sub(&tz, &sz, &T2z)) != MP_OKAY) {
130 goto LBL_FU_ERR;
131 }
132 if ((e = mp_add(&sz, &tz, &sz)) != MP_OKAY) {
133 goto LBL_FU_ERR;
134 }
135 if ((e = mp_mul(&sz, &T2z, &tz)) != MP_OKAY) {
136 goto LBL_FU_ERR;
137 }
138 if ((e = mp_mod(&tz, N, &tz)) != MP_OKAY) {
139 goto LBL_FU_ERR;
140 }
141 if ((e = mp_mod(&T1z, N, &sz)) != MP_OKAY) {
142 goto LBL_FU_ERR;
143 }
144 if ((isset = mp_get_bit(&Np1z, i)) == MP_VAL) {
145 e = isset;
146 goto LBL_FU_ERR;
147 }
148 if (isset == MP_YES) {
149 /*
150 * temp = (a+2) * sz + tz
151 * tz = 2 * tz - sz
152 * sz = temp
153 */
154 if (a == 0) {
155 if ((e = mp_mul_2(&sz, &T1z)) != MP_OKAY) {
156 goto LBL_FU_ERR;
157 }
158 } else {
159 if ((e = mp_mul_d(&sz, (mp_digit)ap2, &T1z)) != MP_OKAY) {
160 goto LBL_FU_ERR;
161 }
162 }
163 if ((e = mp_add(&T1z, &tz, &T1z)) != MP_OKAY) {
164 goto LBL_FU_ERR;
165 }
166 if ((e = mp_mul_2(&tz, &T2z)) != MP_OKAY) {
167 goto LBL_FU_ERR;
168 }
169 if ((e = mp_sub(&T2z, &sz, &tz)) != MP_OKAY) {
170 goto LBL_FU_ERR;
171 }
172 mp_exch(&sz, &T1z);
173 }
174 }
175
176 if ((e = mp_set_long(&T1z, (unsigned long)((2 * a) + 5))) != MP_OKAY) {
177 goto LBL_FU_ERR;
178 }
179 if ((e = mp_mod(&T1z, N, &T1z)) != MP_OKAY) {
180 goto LBL_FU_ERR;
181 }
182 if ((mp_iszero(&sz) != MP_NO) && (mp_cmp(&tz, &T1z) == MP_EQ)) {
183 *result = MP_YES;
184 goto LBL_FU_ERR;
185 }
186
187 LBL_FU_ERR:
188 mp_clear_multi(&tz, &sz, &Np1z, &T2z, &T1z, NULL);
189 return e;
190 }
191
192 #endif
193 #endif
194
195 /* ref: $Format:%D$ */
196 /* git commit: $Format:%H$ */
197 /* commit time: $Format:%ai$ */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* determines if an integers is divisible by one
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
15 /* performs a variable number of rounds of Miller-Rabin
16 *
17 * Probability of error after t rounds is no more than
18
19 *
20 * Sets result to 1 if probably prime, 0 otherwise
21 */
14 /* portable integer log of two with small footprint */
15 static unsigned int s_floor_ilog2(int value)
16 {
17 unsigned int r = 0;
18 while ((value >>= 1) != 0) {
19 r++;
20 }
21 return r;
22 }
23
24
2225 int mp_prime_is_prime(const mp_int *a, int t, int *result)
2326 {
2427 mp_int b;
25 int ix, err, res;
28 int ix, err, res, p_max = 0, size_a, len;
29 unsigned int fips_rand, mask;
2630
2731 /* default to no */
2832 *result = MP_NO;
2933
3034 /* valid value of t? */
31 if ((t <= 0) || (t > PRIME_SIZE)) {
35 if (t > PRIME_SIZE) {
3236 return MP_VAL;
37 }
38
39 /* Some shortcuts */
40 /* N > 3 */
41 if (a->used == 1) {
42 if ((a->dp[0] == 0u) || (a->dp[0] == 1u)) {
43 *result = 0;
44 return MP_OKAY;
45 }
46 if (a->dp[0] == 2u) {
47 *result = 1;
48 return MP_OKAY;
49 }
50 }
51
52 /* N must be odd */
53 if (mp_iseven(a) == MP_YES) {
54 return MP_OKAY;
55 }
56 /* N is not a perfect square: floor(sqrt(N))^2 != N */
57 if ((err = mp_is_square(a, &res)) != MP_OKAY) {
58 return err;
59 }
60 if (res != 0) {
61 return MP_OKAY;
3362 }
3463
3564 /* is the input equal to one of the primes in the table? */
3665 for (ix = 0; ix < PRIME_SIZE; ix++) {
3766 if (mp_cmp_d(a, ltm_prime_tab[ix]) == MP_EQ) {
38 *result = 1;
67 *result = MP_YES;
3968 return MP_OKAY;
4069 }
4170 }
71 #ifdef MP_8BIT
72 /* The search in the loop above was exhaustive in this case */
73 if (a->used == 1 && PRIME_SIZE >= 31) {
74 return MP_OKAY;
75 }
76 #endif
4277
4378 /* first perform trial division */
4479 if ((err = mp_prime_is_divisible(a, &res)) != MP_OKAY) {
5085 return MP_OKAY;
5186 }
5287
53 /* now perform the miller-rabin rounds */
54 if ((err = mp_init(&b)) != MP_OKAY) {
88 /*
89 Run the Miller-Rabin test with base 2 for the BPSW test.
90 */
91 if ((err = mp_init_set(&b, 2uL)) != MP_OKAY) {
5592 return err;
5693 }
5794
58 for (ix = 0; ix < t; ix++) {
59 /* set the prime */
60 mp_set(&b, ltm_prime_tab[ix]);
61
62 if ((err = mp_prime_miller_rabin(a, &b, &res)) != MP_OKAY) {
63 goto LBL_B;
64 }
65
95 if ((err = mp_prime_miller_rabin(a, &b, &res)) != MP_OKAY) {
96 goto LBL_B;
97 }
98 if (res == MP_NO) {
99 goto LBL_B;
100 }
101 /*
102 Rumours have it that Mathematica does a second M-R test with base 3.
103 Other rumours have it that their strong L-S test is slightly different.
104 It does not hurt, though, beside a bit of extra runtime.
105 */
106 b.dp[0]++;
107 if ((err = mp_prime_miller_rabin(a, &b, &res)) != MP_OKAY) {
108 goto LBL_B;
109 }
110 if (res == MP_NO) {
111 goto LBL_B;
112 }
113
114 /*
115 * Both, the Frobenius-Underwood test and the the Lucas-Selfridge test are quite
116 * slow so if speed is an issue, define LTM_USE_FIPS_ONLY to use M-R tests with
117 * bases 2, 3 and t random bases.
118 */
119 #ifndef LTM_USE_FIPS_ONLY
120 if (t >= 0) {
121 /*
122 * Use a Frobenius-Underwood test instead of the Lucas-Selfridge test for
123 * MP_8BIT (It is unknown if the Lucas-Selfridge test works with 16-bit
124 * integers but the necesssary analysis is on the todo-list).
125 */
126 #if defined (MP_8BIT) || defined (LTM_USE_FROBENIUS_TEST)
127 err = mp_prime_frobenius_underwood(a, &res);
128 if (err != MP_OKAY && err != MP_ITER) {
129 goto LBL_B;
130 }
66131 if (res == MP_NO) {
67132 goto LBL_B;
133 }
134 #else
135 if ((err = mp_prime_strong_lucas_selfridge(a, &res)) != MP_OKAY) {
136 goto LBL_B;
137 }
138 if (res == MP_NO) {
139 goto LBL_B;
140 }
141 #endif
142 }
143 #endif
144
145 /* run at least one Miller-Rabin test with a random base */
146 if (t == 0) {
147 t = 1;
148 }
149
150 /*
151 abs(t) extra rounds of M-R to extend the range of primes it can find if t < 0.
152 Only recommended if the input range is known to be < 3317044064679887385961981
153
154 It uses the bases for a deterministic M-R test if input < 3317044064679887385961981
155 The caller has to check the size.
156
157 Not for cryptographic use because with known bases strong M-R pseudoprimes can
158 be constructed. Use at least one M-R test with a random base (t >= 1).
159
160 The 1119 bit large number
161
162 80383745745363949125707961434194210813883768828755814583748891752229742737653\
163 33652186502336163960045457915042023603208766569966760987284043965408232928738\
164 79185086916685732826776177102938969773947016708230428687109997439976544144845\
165 34115587245063340927902227529622941498423068816854043264575340183297861112989\
166 60644845216191652872597534901
167
168 has been constructed by F. Arnault (F. Arnault, "Rabin-Miller primality test:
169 composite numbers which pass it.", Mathematics of Computation, 1995, 64. Jg.,
170 Nr. 209, S. 355-361), is a semiprime with the two factors
171
172 40095821663949960541830645208454685300518816604113250877450620473800321707011\
173 96242716223191597219733582163165085358166969145233813917169287527980445796800\
174 452592031836601
175
176 20047910831974980270915322604227342650259408302056625438725310236900160853505\
177 98121358111595798609866791081582542679083484572616906958584643763990222898400\
178 226296015918301
179
180 and it is a strong pseudoprime to all forty-six prime M-R bases up to 200
181
182 It does not fail the strong Bailley-PSP test as implemented here, it is just
183 given as an example, if not the reason to use the BPSW-test instead of M-R-tests
184 with a sequence of primes 2...n.
185
186 */
187 if (t < 0) {
188 t = -t;
189 /*
190 Sorenson, Jonathan; Webster, Jonathan (2015).
191 "Strong Pseudoprimes to Twelve Prime Bases".
192 */
193 /* 0x437ae92817f9fc85b7e5 = 318665857834031151167461 */
194 if ((err = mp_read_radix(&b, "437ae92817f9fc85b7e5", 16)) != MP_OKAY) {
195 goto LBL_B;
196 }
197
198 if (mp_cmp(a, &b) == MP_LT) {
199 p_max = 12;
200 } else {
201 /* 0x2be6951adc5b22410a5fd = 3317044064679887385961981 */
202 if ((err = mp_read_radix(&b, "2be6951adc5b22410a5fd", 16)) != MP_OKAY) {
203 goto LBL_B;
204 }
205
206 if (mp_cmp(a, &b) == MP_LT) {
207 p_max = 13;
208 } else {
209 err = MP_VAL;
210 goto LBL_B;
211 }
212 }
213
214 /* for compatibility with the current API (well, compatible within a sign's width) */
215 if (p_max < t) {
216 p_max = t;
217 }
218
219 if (p_max > PRIME_SIZE) {
220 err = MP_VAL;
221 goto LBL_B;
222 }
223 /* we did bases 2 and 3 already, skip them */
224 for (ix = 2; ix < p_max; ix++) {
225 mp_set(&b, ltm_prime_tab[ix]);
226 if ((err = mp_prime_miller_rabin(a, &b, &res)) != MP_OKAY) {
227 goto LBL_B;
228 }
229 if (res == MP_NO) {
230 goto LBL_B;
231 }
232 }
233 }
234 /*
235 Do "t" M-R tests with random bases between 3 and "a".
236 See Fips 186.4 p. 126ff
237 */
238 else if (t > 0) {
239 /*
240 * The mp_digit's have a defined bit-size but the size of the
241 * array a.dp is a simple 'int' and this library can not assume full
242 * compliance to the current C-standard (ISO/IEC 9899:2011) because
243 * it gets used for small embeded processors, too. Some of those MCUs
244 * have compilers that one cannot call standard compliant by any means.
245 * Hence the ugly type-fiddling in the following code.
246 */
247 size_a = mp_count_bits(a);
248 mask = (1u << s_floor_ilog2(size_a)) - 1u;
249 /*
250 Assuming the General Rieman hypothesis (never thought to write that in a
251 comment) the upper bound can be lowered to 2*(log a)^2.
252 E. Bach, "Explicit bounds for primality testing and related problems,"
253 Math. Comp. 55 (1990), 355-380.
254
255 size_a = (size_a/10) * 7;
256 len = 2 * (size_a * size_a);
257
258 E.g.: a number of size 2^2048 would be reduced to the upper limit
259
260 floor(2048/10)*7 = 1428
261 2 * 1428^2 = 4078368
262
263 (would have been ~4030331.9962 with floats and natural log instead)
264 That number is smaller than 2^28, the default bit-size of mp_digit.
265 */
266
267 /*
268 How many tests, you might ask? Dana Jacobsen of Math::Prime::Util fame
269 does exactly 1. In words: one. Look at the end of _GMP_is_prime() in
270 Math-Prime-Util-GMP-0.50/primality.c if you do not believe it.
271
272 The function mp_rand() goes to some length to use a cryptographically
273 good PRNG. That also means that the chance to always get the same base
274 in the loop is non-zero, although very low.
275 If the BPSW test and/or the addtional Frobenious test have been
276 performed instead of just the Miller-Rabin test with the bases 2 and 3,
277 a single extra test should suffice, so such a very unlikely event
278 will not do much harm.
279
280 To preemptivly answer the dangling question: no, a witness does not
281 need to be prime.
282 */
283 for (ix = 0; ix < t; ix++) {
284 /* mp_rand() guarantees the first digit to be non-zero */
285 if ((err = mp_rand(&b, 1)) != MP_OKAY) {
286 goto LBL_B;
287 }
288 /*
289 * Reduce digit before casting because mp_digit might be bigger than
290 * an unsigned int and "mask" on the other side is most probably not.
291 */
292 fips_rand = (unsigned int)(b.dp[0] & (mp_digit) mask);
293 #ifdef MP_8BIT
294 /*
295 * One 8-bit digit is too small, so concatenate two if the size of
296 * unsigned int allows for it.
297 */
298 if ((sizeof(unsigned int) * CHAR_BIT)/2 >= (sizeof(mp_digit) * CHAR_BIT)) {
299 if ((err = mp_rand(&b, 1)) != MP_OKAY) {
300 goto LBL_B;
301 }
302 fips_rand <<= sizeof(mp_digit) * CHAR_BIT;
303 fips_rand |= (unsigned int) b.dp[0];
304 fips_rand &= mask;
305 }
306 #endif
307 /* Ceil, because small numbers have a right to live, too, */
308 len = (((int)fips_rand + DIGIT_BIT) / DIGIT_BIT);
309 /* Unlikely. */
310 if (len < 0) {
311 ix--;
312 continue;
313 }
314 /*
315 * As mentioned above, one 8-bit digit is too small and
316 * although it can only happen in the unlikely case that
317 * an "unsigned int" is smaller than 16 bit a simple test
318 * is cheap and the correction even cheaper.
319 */
320 #ifdef MP_8BIT
321 /* All "a" < 2^8 have been caught before */
322 if (len == 1) {
323 len++;
324 }
325 #endif
326 if ((err = mp_rand(&b, len)) != MP_OKAY) {
327 goto LBL_B;
328 }
329 /*
330 * That number might got too big and the witness has to be
331 * smaller than or equal to "a"
332 */
333 len = mp_count_bits(&b);
334 if (len > size_a) {
335 len = len - size_a;
336 if ((err = mp_div_2d(&b, len, &b, NULL)) != MP_OKAY) {
337 goto LBL_B;
338 }
339 }
340
341 /* Although the chance for b <= 3 is miniscule, try again. */
342 if (mp_cmp_d(&b, 3uL) != MP_GT) {
343 ix--;
344 continue;
345 }
346 if ((err = mp_prime_miller_rabin(a, &b, &res)) != MP_OKAY) {
347 goto LBL_B;
348 }
349 if (res == MP_NO) {
350 goto LBL_B;
351 }
68352 }
69353 }
70354
74358 mp_clear(&b);
75359 return err;
76360 }
361
77362 #endif
78363
79364 /* ref: $Format:%D$ */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* Miller-Rabin test of "a" to the base of "b" as described in
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* finds the next prime after the number "a" using "t" trials
2221 int err, res = MP_NO, x, y;
2322 mp_digit res_tab[PRIME_SIZE], step, kstep;
2423 mp_int b;
25
26 /* ensure t is valid */
27 if ((t <= 0) || (t > PRIME_SIZE)) {
28 return MP_VAL;
29 }
3024
3125 /* force positive */
3226 a->sign = MP_ZPOS;
140134 continue;
141135 }
142136
143 /* is this prime? */
144 for (x = 0; x < t; x++) {
145 mp_set(&b, ltm_prime_tab[x]);
146 if ((err = mp_prime_miller_rabin(a, &b, &res)) != MP_OKAY) {
147 goto LBL_ERR;
148 }
149 if (res == MP_NO) {
150 break;
151 }
137 if ((err = mp_prime_is_prime(a, t, &res)) != MP_OKAY) {
138 goto LBL_ERR;
152139 }
153
154140 if (res == MP_YES) {
155141 break;
156142 }
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514
1615 static const struct {
1716 int k, t;
1817 } sizes[] = {
19 { 128, 28 },
18 { 80, -1 }, /* Use deterministic algorithm for size <= 80 bits */
19 { 81, 39 },
20 { 96, 37 },
21 { 128, 32 },
22 { 160, 27 },
23 { 192, 21 },
2024 { 256, 16 },
2125 { 384, 10 },
2226 { 512, 7 },
2327 { 640, 6 },
2428 { 768, 5 },
2529 { 896, 4 },
26 { 1024, 4 }
30 { 1024, 4 },
31 { 2048, 2 },
32 { 4096, 1 },
2733 };
2834
29 /* returns # of RM trials required for a given bit size */
35 /* returns # of RM trials required for a given bit size and max. error of 2^(-96)*/
3036 int mp_prime_rabin_miller_trials(int size)
3137 {
3238 int x;
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* makes a truly random prime of a given size (bits),
0 #include "tommath_private.h"
1 #ifdef BN_MP_PRIME_STRONG_LUCAS_SELFRIDGE_C
2
3 /* LibTomMath, multiple-precision integer library -- Tom St Denis
4 *
5 * LibTomMath is a library that provides multiple-precision
6 * integer arithmetic as well as number theoretic functionality.
7 *
8 * The library was designed directly after the MPI library by
9 * Michael Fromberger but has been written from scratch with
10 * additional optimizations in place.
11 *
12 * SPDX-License-Identifier: Unlicense
13 */
14
15 /*
16 * See file bn_mp_prime_is_prime.c or the documentation in doc/bn.tex for the details
17 */
18 #ifndef LTM_USE_FIPS_ONLY
19
20 /*
21 * 8-bit is just too small. You can try the Frobenius test
22 * but that frobenius test can fail, too, for the same reason.
23 */
24 #ifndef MP_8BIT
25
26 /*
27 * multiply bigint a with int d and put the result in c
28 * Like mp_mul_d() but with a signed long as the small input
29 */
30 static int s_mp_mul_si(const mp_int *a, long d, mp_int *c)
31 {
32 mp_int t;
33 int err, neg = 0;
34
35 if ((err = mp_init(&t)) != MP_OKAY) {
36 return err;
37 }
38 if (d < 0) {
39 neg = 1;
40 d = -d;
41 }
42
43 /*
44 * mp_digit might be smaller than a long, which excludes
45 * the use of mp_mul_d() here.
46 */
47 if ((err = mp_set_long(&t, (unsigned long) d)) != MP_OKAY) {
48 goto LBL_MPMULSI_ERR;
49 }
50 if ((err = mp_mul(a, &t, c)) != MP_OKAY) {
51 goto LBL_MPMULSI_ERR;
52 }
53 if (neg == 1) {
54 c->sign = (a->sign == MP_NEG) ? MP_ZPOS: MP_NEG;
55 }
56 LBL_MPMULSI_ERR:
57 mp_clear(&t);
58 return err;
59 }
60
61
62
63 /*
64 Strong Lucas-Selfridge test.
65 returns MP_YES if it is a strong L-S prime, MP_NO if it is composite
66
67 Code ported from Thomas Ray Nicely's implementation of the BPSW test
68 at http://www.trnicely.net/misc/bpsw.html
69
70 Freeware copyright (C) 2016 Thomas R. Nicely <http://www.trnicely.net>.
71 Released into the public domain by the author, who disclaims any legal
72 liability arising from its use
73
74 The multi-line comments are made by Thomas R. Nicely and are copied verbatim.
75 Additional comments marked "CZ" (without the quotes) are by the code-portist.
76
77 (If that name sounds familiar, he is the guy who found the fdiv bug in the
78 Pentium (P5x, I think) Intel processor)
79 */
80 int mp_prime_strong_lucas_selfridge(const mp_int *a, int *result)
81 {
82 /* CZ TODO: choose better variable names! */
83 mp_int Dz, gcd, Np1, Uz, Vz, U2mz, V2mz, Qmz, Q2mz, Qkdz, T1z, T2z, T3z, T4z, Q2kdz;
84 /* CZ TODO: Some of them need the full 32 bit, hence the (temporary) exclusion of MP_8BIT */
85 int32_t D, Ds, J, sign, P, Q, r, s, u, Nbits;
86 int e;
87 int isset;
88
89 *result = MP_NO;
90
91 /*
92 Find the first element D in the sequence {5, -7, 9, -11, 13, ...}
93 such that Jacobi(D,N) = -1 (Selfridge's algorithm). Theory
94 indicates that, if N is not a perfect square, D will "nearly
95 always" be "small." Just in case, an overflow trap for D is
96 included.
97 */
98
99 if ((e = mp_init_multi(&Dz, &gcd, &Np1, &Uz, &Vz, &U2mz, &V2mz, &Qmz, &Q2mz, &Qkdz, &T1z, &T2z, &T3z, &T4z, &Q2kdz,
100 NULL)) != MP_OKAY) {
101 return e;
102 }
103
104 D = 5;
105 sign = 1;
106
107 for (;;) {
108 Ds = sign * D;
109 sign = -sign;
110 if ((e = mp_set_long(&Dz, (unsigned long)D)) != MP_OKAY) {
111 goto LBL_LS_ERR;
112 }
113 if ((e = mp_gcd(a, &Dz, &gcd)) != MP_OKAY) {
114 goto LBL_LS_ERR;
115 }
116 /* if 1 < GCD < N then N is composite with factor "D", and
117 Jacobi(D,N) is technically undefined (but often returned
118 as zero). */
119 if ((mp_cmp_d(&gcd, 1uL) == MP_GT) && (mp_cmp(&gcd, a) == MP_LT)) {
120 goto LBL_LS_ERR;
121 }
122 if (Ds < 0) {
123 Dz.sign = MP_NEG;
124 }
125 if ((e = mp_kronecker(&Dz, a, &J)) != MP_OKAY) {
126 goto LBL_LS_ERR;
127 }
128
129 if (J == -1) {
130 break;
131 }
132 D += 2;
133
134 if (D > (INT_MAX - 2)) {
135 e = MP_VAL;
136 goto LBL_LS_ERR;
137 }
138 }
139
140 P = 1; /* Selfridge's choice */
141 Q = (1 - Ds) / 4; /* Required so D = P*P - 4*Q */
142
143 /* NOTE: The conditions (a) N does not divide Q, and
144 (b) D is square-free or not a perfect square, are included by
145 some authors; e.g., "Prime numbers and computer methods for
146 factorization," Hans Riesel (2nd ed., 1994, Birkhauser, Boston),
147 p. 130. For this particular application of Lucas sequences,
148 these conditions were found to be immaterial. */
149
150 /* Now calculate N - Jacobi(D,N) = N + 1 (even), and calculate the
151 odd positive integer d and positive integer s for which
152 N + 1 = 2^s*d (similar to the step for N - 1 in Miller's test).
153 The strong Lucas-Selfridge test then returns N as a strong
154 Lucas probable prime (slprp) if any of the following
155 conditions is met: U_d=0, V_d=0, V_2d=0, V_4d=0, V_8d=0,
156 V_16d=0, ..., etc., ending with V_{2^(s-1)*d}=V_{(N+1)/2}=0
157 (all equalities mod N). Thus d is the highest index of U that
158 must be computed (since V_2m is independent of U), compared
159 to U_{N+1} for the standard Lucas-Selfridge test; and no
160 index of V beyond (N+1)/2 is required, just as in the
161 standard Lucas-Selfridge test. However, the quantity Q^d must
162 be computed for use (if necessary) in the latter stages of
163 the test. The result is that the strong Lucas-Selfridge test
164 has a running time only slightly greater (order of 10 %) than
165 that of the standard Lucas-Selfridge test, while producing
166 only (roughly) 30 % as many pseudoprimes (and every strong
167 Lucas pseudoprime is also a standard Lucas pseudoprime). Thus
168 the evidence indicates that the strong Lucas-Selfridge test is
169 more effective than the standard Lucas-Selfridge test, and a
170 Baillie-PSW test based on the strong Lucas-Selfridge test
171 should be more reliable. */
172
173 if ((e = mp_add_d(a, 1uL, &Np1)) != MP_OKAY) {
174 goto LBL_LS_ERR;
175 }
176 s = mp_cnt_lsb(&Np1);
177
178 /* CZ
179 * This should round towards zero because
180 * Thomas R. Nicely used GMP's mpz_tdiv_q_2exp()
181 * and mp_div_2d() is equivalent. Additionally:
182 * dividing an even number by two does not produce
183 * any leftovers.
184 */
185 if ((e = mp_div_2d(&Np1, s, &Dz, NULL)) != MP_OKAY) {
186 goto LBL_LS_ERR;
187 }
188 /* We must now compute U_d and V_d. Since d is odd, the accumulated
189 values U and V are initialized to U_1 and V_1 (if the target
190 index were even, U and V would be initialized instead to U_0=0
191 and V_0=2). The values of U_2m and V_2m are also initialized to
192 U_1 and V_1; the FOR loop calculates in succession U_2 and V_2,
193 U_4 and V_4, U_8 and V_8, etc. If the corresponding bits
194 (1, 2, 3, ...) of t are on (the zero bit having been accounted
195 for in the initialization of U and V), these values are then
196 combined with the previous totals for U and V, using the
197 composition formulas for addition of indices. */
198
199 mp_set(&Uz, 1uL); /* U=U_1 */
200 mp_set(&Vz, (mp_digit)P); /* V=V_1 */
201 mp_set(&U2mz, 1uL); /* U_1 */
202 mp_set(&V2mz, (mp_digit)P); /* V_1 */
203
204 if (Q < 0) {
205 Q = -Q;
206 if ((e = mp_set_long(&Qmz, (unsigned long)Q)) != MP_OKAY) {
207 goto LBL_LS_ERR;
208 }
209 if ((e = mp_mul_2(&Qmz, &Q2mz)) != MP_OKAY) {
210 goto LBL_LS_ERR;
211 }
212 /* Initializes calculation of Q^d */
213 if ((e = mp_set_long(&Qkdz, (unsigned long)Q)) != MP_OKAY) {
214 goto LBL_LS_ERR;
215 }
216 Qmz.sign = MP_NEG;
217 Q2mz.sign = MP_NEG;
218 Qkdz.sign = MP_NEG;
219 Q = -Q;
220 } else {
221 if ((e = mp_set_long(&Qmz, (unsigned long)Q)) != MP_OKAY) {
222 goto LBL_LS_ERR;
223 }
224 if ((e = mp_mul_2(&Qmz, &Q2mz)) != MP_OKAY) {
225 goto LBL_LS_ERR;
226 }
227 /* Initializes calculation of Q^d */
228 if ((e = mp_set_long(&Qkdz, (unsigned long)Q)) != MP_OKAY) {
229 goto LBL_LS_ERR;
230 }
231 }
232
233 Nbits = mp_count_bits(&Dz);
234 for (u = 1; u < Nbits; u++) { /* zero bit off, already accounted for */
235 /* Formulas for doubling of indices (carried out mod N). Note that
236 * the indices denoted as "2m" are actually powers of 2, specifically
237 * 2^(ul-1) beginning each loop and 2^ul ending each loop.
238 *
239 * U_2m = U_m*V_m
240 * V_2m = V_m*V_m - 2*Q^m
241 */
242
243 if ((e = mp_mul(&U2mz, &V2mz, &U2mz)) != MP_OKAY) {
244 goto LBL_LS_ERR;
245 }
246 if ((e = mp_mod(&U2mz, a, &U2mz)) != MP_OKAY) {
247 goto LBL_LS_ERR;
248 }
249 if ((e = mp_sqr(&V2mz, &V2mz)) != MP_OKAY) {
250 goto LBL_LS_ERR;
251 }
252 if ((e = mp_sub(&V2mz, &Q2mz, &V2mz)) != MP_OKAY) {
253 goto LBL_LS_ERR;
254 }
255 if ((e = mp_mod(&V2mz, a, &V2mz)) != MP_OKAY) {
256 goto LBL_LS_ERR;
257 }
258 /* Must calculate powers of Q for use in V_2m, also for Q^d later */
259 if ((e = mp_sqr(&Qmz, &Qmz)) != MP_OKAY) {
260 goto LBL_LS_ERR;
261 }
262 /* prevents overflow */ /* CZ still necessary without a fixed prealloc'd mem.? */
263 if ((e = mp_mod(&Qmz, a, &Qmz)) != MP_OKAY) {
264 goto LBL_LS_ERR;
265 }
266 if ((e = mp_mul_2(&Qmz, &Q2mz)) != MP_OKAY) {
267 goto LBL_LS_ERR;
268 }
269
270 if ((isset = mp_get_bit(&Dz, u)) == MP_VAL) {
271 e = isset;
272 goto LBL_LS_ERR;
273 }
274 if (isset == MP_YES) {
275 /* Formulas for addition of indices (carried out mod N);
276 *
277 * U_(m+n) = (U_m*V_n + U_n*V_m)/2
278 * V_(m+n) = (V_m*V_n + D*U_m*U_n)/2
279 *
280 * Be careful with division by 2 (mod N)!
281 */
282
283 if ((e = mp_mul(&U2mz, &Vz, &T1z)) != MP_OKAY) {
284 goto LBL_LS_ERR;
285 }
286 if ((e = mp_mul(&Uz, &V2mz, &T2z)) != MP_OKAY) {
287 goto LBL_LS_ERR;
288 }
289 if ((e = mp_mul(&V2mz, &Vz, &T3z)) != MP_OKAY) {
290 goto LBL_LS_ERR;
291 }
292 if ((e = mp_mul(&U2mz, &Uz, &T4z)) != MP_OKAY) {
293 goto LBL_LS_ERR;
294 }
295 if ((e = s_mp_mul_si(&T4z, (long)Ds, &T4z)) != MP_OKAY) {
296 goto LBL_LS_ERR;
297 }
298 if ((e = mp_add(&T1z, &T2z, &Uz)) != MP_OKAY) {
299 goto LBL_LS_ERR;
300 }
301 if (mp_isodd(&Uz) != MP_NO) {
302 if ((e = mp_add(&Uz, a, &Uz)) != MP_OKAY) {
303 goto LBL_LS_ERR;
304 }
305 }
306 /* CZ
307 * This should round towards negative infinity because
308 * Thomas R. Nicely used GMP's mpz_fdiv_q_2exp().
309 * But mp_div_2() does not do so, it is truncating instead.
310 */
311 if ((e = mp_div_2(&Uz, &Uz)) != MP_OKAY) {
312 goto LBL_LS_ERR;
313 }
314 if ((Uz.sign == MP_NEG) && (mp_isodd(&Uz) != MP_NO)) {
315 if ((e = mp_sub_d(&Uz, 1uL, &Uz)) != MP_OKAY) {
316 goto LBL_LS_ERR;
317 }
318 }
319 if ((e = mp_add(&T3z, &T4z, &Vz)) != MP_OKAY) {
320 goto LBL_LS_ERR;
321 }
322 if (mp_isodd(&Vz) != MP_NO) {
323 if ((e = mp_add(&Vz, a, &Vz)) != MP_OKAY) {
324 goto LBL_LS_ERR;
325 }
326 }
327 if ((e = mp_div_2(&Vz, &Vz)) != MP_OKAY) {
328 goto LBL_LS_ERR;
329 }
330 if ((Vz.sign == MP_NEG) && (mp_isodd(&Vz) != MP_NO)) {
331 if ((e = mp_sub_d(&Vz, 1uL, &Vz)) != MP_OKAY) {
332 goto LBL_LS_ERR;
333 }
334 }
335 if ((e = mp_mod(&Uz, a, &Uz)) != MP_OKAY) {
336 goto LBL_LS_ERR;
337 }
338 if ((e = mp_mod(&Vz, a, &Vz)) != MP_OKAY) {
339 goto LBL_LS_ERR;
340 }
341 /* Calculating Q^d for later use */
342 if ((e = mp_mul(&Qkdz, &Qmz, &Qkdz)) != MP_OKAY) {
343 goto LBL_LS_ERR;
344 }
345 if ((e = mp_mod(&Qkdz, a, &Qkdz)) != MP_OKAY) {
346 goto LBL_LS_ERR;
347 }
348 }
349 }
350
351 /* If U_d or V_d is congruent to 0 mod N, then N is a prime or a
352 strong Lucas pseudoprime. */
353 if ((mp_iszero(&Uz) != MP_NO) || (mp_iszero(&Vz) != MP_NO)) {
354 *result = MP_YES;
355 goto LBL_LS_ERR;
356 }
357
358 /* NOTE: Ribenboim ("The new book of prime number records," 3rd ed.,
359 1995/6) omits the condition V0 on p.142, but includes it on
360 p. 130. The condition is NECESSARY; otherwise the test will
361 return false negatives---e.g., the primes 29 and 2000029 will be
362 returned as composite. */
363
364 /* Otherwise, we must compute V_2d, V_4d, V_8d, ..., V_{2^(s-1)*d}
365 by repeated use of the formula V_2m = V_m*V_m - 2*Q^m. If any of
366 these are congruent to 0 mod N, then N is a prime or a strong
367 Lucas pseudoprime. */
368
369 /* Initialize 2*Q^(d*2^r) for V_2m */
370 if ((e = mp_mul_2(&Qkdz, &Q2kdz)) != MP_OKAY) {
371 goto LBL_LS_ERR;
372 }
373
374 for (r = 1; r < s; r++) {
375 if ((e = mp_sqr(&Vz, &Vz)) != MP_OKAY) {
376 goto LBL_LS_ERR;
377 }
378 if ((e = mp_sub(&Vz, &Q2kdz, &Vz)) != MP_OKAY) {
379 goto LBL_LS_ERR;
380 }
381 if ((e = mp_mod(&Vz, a, &Vz)) != MP_OKAY) {
382 goto LBL_LS_ERR;
383 }
384 if (mp_iszero(&Vz) != MP_NO) {
385 *result = MP_YES;
386 goto LBL_LS_ERR;
387 }
388 /* Calculate Q^{d*2^r} for next r (final iteration irrelevant). */
389 if (r < (s - 1)) {
390 if ((e = mp_sqr(&Qkdz, &Qkdz)) != MP_OKAY) {
391 goto LBL_LS_ERR;
392 }
393 if ((e = mp_mod(&Qkdz, a, &Qkdz)) != MP_OKAY) {
394 goto LBL_LS_ERR;
395 }
396 if ((e = mp_mul_2(&Qkdz, &Q2kdz)) != MP_OKAY) {
397 goto LBL_LS_ERR;
398 }
399 }
400 }
401 LBL_LS_ERR:
402 mp_clear_multi(&Q2kdz, &T4z, &T3z, &T2z, &T1z, &Qkdz, &Q2mz, &Qmz, &V2mz, &U2mz, &Vz, &Uz, &Np1, &gcd, &Dz, NULL);
403 return e;
404 }
405 #endif
406 #endif
407 #endif
408
409 /* ref: $Format:%D$ */
410 /* git commit: $Format:%H$ */
411 /* commit time: $Format:%ai$ */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* returns size of ASCII reprensentation */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* chars used in radix conversions */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* First the OS-specific special cases
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* read a string [ASCII] in a given radix */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* read signed bin, big endian, first byte is 0==positive or 1==negative */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* reads a unsigned char array, assumes the msb is stored first [big endian] */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* reduces x mod m, assumes 0 < x < m**2, mu is
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* reduces a modulo n where n is of the form 2**p - d */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* reduces a modulo n where n is of the form 2**p - d
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* determines the setup value */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* determines the setup value */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* determines if mp_reduce_2k can be used */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* determines if reduce_2k_l can be used */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* pre-calculate the value required for Barrett reduction
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* shift right a certain amount of digits */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* set to a digit */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* set a 32-bit const */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* set a platform dependent unsigned long int */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* shrink a bignum */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* get the size for an signed equivalent */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* computes b = a*a */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* c = a * a (mod b) */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* this function is less generic than mp_n_root, simpler and faster */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* Tonelli-Shanks algorithm
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* high level subtraction (handles signs) */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* single digit subtraction */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* d = a - b (mod c) */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* two complement and */
1615 int mp_tc_and(const mp_int *a, const mp_int *b, mp_int *c)
1716 {
18 int res = MP_OKAY, bits;
17 int res = MP_OKAY, bits, abits, bbits;
1918 int as = mp_isneg(a), bs = mp_isneg(b);
2019 mp_int *mx = NULL, _mx, acpy, bcpy;
2120
2221 if ((as != MP_NO) || (bs != MP_NO)) {
23 bits = MAX(mp_count_bits(a), mp_count_bits(b));
22 abits = mp_count_bits(a);
23 bbits = mp_count_bits(b);
24 bits = MAX(abits, bbits);
2425 res = mp_init_set_int(&_mx, 1uL);
2526 if (res != MP_OKAY) {
2627 goto end;
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* two complement right shift */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* two complement or */
1615 int mp_tc_or(const mp_int *a, const mp_int *b, mp_int *c)
1716 {
18 int res = MP_OKAY, bits;
17 int res = MP_OKAY, bits, abits, bbits;
1918 int as = mp_isneg(a), bs = mp_isneg(b);
2019 mp_int *mx = NULL, _mx, acpy, bcpy;
2120
2221 if ((as != MP_NO) || (bs != MP_NO)) {
23 bits = MAX(mp_count_bits(a), mp_count_bits(b));
22 abits = mp_count_bits(a);
23 bbits = mp_count_bits(b);
24 bits = MAX(abits, bbits);
2425 res = mp_init_set_int(&_mx, 1uL);
2526 if (res != MP_OKAY) {
2627 goto end;
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* two complement xor */
1615 int mp_tc_xor(const mp_int *a, const mp_int *b, mp_int *c)
1716 {
18 int res = MP_OKAY, bits;
17 int res = MP_OKAY, bits, abits, bbits;
1918 int as = mp_isneg(a), bs = mp_isneg(b);
2019 mp_int *mx = NULL, _mx, acpy, bcpy;
2120
2221 if ((as != MP_NO) || (bs != MP_NO)) {
23 bits = MAX(mp_count_bits(a), mp_count_bits(b));
22 abits = mp_count_bits(a);
23 bbits = mp_count_bits(b);
24 bits = MAX(abits, bbits);
2425 res = mp_init_set_int(&_mx, 1uL);
2526 if (res != MP_OKAY) {
2627 goto end;
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* store in signed [big endian] format */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* store in signed [big endian] format */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* store in unsigned [big endian] format */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* store in unsigned [big endian] format */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* multiplication using the Toom-Cook 3-way algorithm
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* squaring using Toom-Cook 3-way algorithm */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* stores a bignum as a ASCII string in a given radix (2..64) */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* stores a bignum as a ASCII string in a given radix (2..64)
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* get the size for an unsigned equivalent */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* XOR two ints together */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* set to zero */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 const mp_digit ltm_prime_tab[] = {
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* reverse an array, used for radix code */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* low level addition, based on HAC pp.594, Algorithm 14.7 */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 #ifdef MP_LOW_MEM
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* multiplies |a| * |b| and only computes upto digs digits of result
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* multiplies |a| * |b| and does not compute the lower digs digits
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* low level squaring, b = a*a, HAC pp.596-597, Algorithm 14.16 */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* low level subtraction (assumes |a| > |b|), HAC pp.595 Algorithm 14.9 */
88 * Michael Fromberger but has been written from scratch with
99 * additional optimizations in place.
1010 *
11 * The library is free for all purposes without any express
12 * guarantee it works.
11 * SPDX-License-Identifier: Unlicense
1312 */
1413
1514 /* Known optimal configurations
66 * Michael Fromberger but has been written from scratch with
77 * additional optimizations in place.
88 *
9 * The library is free for all purposes without any express
10 * guarantee it works.
9 * SPDX-License-Identifier: Unlicense
1110 */
1211 #ifndef BN_H_
1312 #define BN_H_
117116 #define MP_MEM -2 /* out of mem */
118117 #define MP_VAL -3 /* invalid input */
119118 #define MP_RANGE MP_VAL
119 #define MP_ITER -4 /* Max. iterations reached */
120120
121121 #define MP_YES 1 /* yes response */
122122 #define MP_NO 0 /* no response */
300300 /* c = a AND b */
301301 int mp_and(const mp_int *a, const mp_int *b, mp_int *c);
302302
303 /* Checks the bit at position b and returns MP_YES
304 if the bit is 1, MP_NO if it is 0 and MP_VAL
305 in case of error */
306 int mp_get_bit(const mp_int *a, int b);
307
303308 /* c = a XOR b (two complement) */
304309 int mp_tc_xor(const mp_int *a, const mp_int *b, mp_int *c);
305310
418423
419424 /* computes the jacobi c = (a | n) (or Legendre if b is prime) */
420425 int mp_jacobi(const mp_int *a, const mp_int *n, int *c);
426
427 /* computes the Kronecker symbol c = (a | p) (like jacobi() but with {a,p} in Z */
428 int mp_kronecker(const mp_int *a, const mp_int *p, int *c);
421429
422430 /* used to setup the Barrett reduction for a given modulus b */
423431 int mp_reduce_setup(mp_int *a, const mp_int *b);
500508 */
501509 int mp_prime_rabin_miller_trials(int size);
502510
503 /* performs t rounds of Miller-Rabin on "a" using the first
504 * t prime bases. Also performs an initial sieve of trial
511 /* performs one strong Lucas-Selfridge test of "a".
512 * Sets result to 0 if composite or 1 if probable prime
513 */
514 int mp_prime_strong_lucas_selfridge(const mp_int *a, int *result);
515
516 /* performs one Frobenius test of "a" as described by Paul Underwood.
517 * Sets result to 0 if composite or 1 if probable prime
518 */
519 int mp_prime_frobenius_underwood(const mp_int *N, int *result);
520
521 /* performs t random rounds of Miller-Rabin on "a" additional to
522 * bases 2 and 3. Also performs an initial sieve of trial
505523 * division. Determines if "a" is prime with probability
506524 * of error no more than (1/4)**t.
525 * Both a strong Lucas-Selfridge to complete the BPSW test
526 * and a separate Frobenius test are available at compile time.
527 * With t<0 a deterministic test is run for primes up to
528 * 318665857834031151167461. With t<13 (abs(t)-13) additional
529 * tests with sequential small primes are run starting at 43.
530 * Is Fips 186.4 compliant if called with t as computed by
531 * mp_prime_rabin_miller_trials();
507532 *
508533 * Sets result to 1 if probably prime, 0 otherwise
509534 */
66 * Michael Fromberger but has been written from scratch with
77 * additional optimizations in place.
88 *
9 * The library is free for all purposes without any express
10 * guarantee it works.
9 * SPDX-License-Identifier: Unlicense
1110 */
11
1212 #if !(defined(LTM1) && defined(LTM2) && defined(LTM3))
1313 #if defined(LTM2)
1414 # define LTM3
5959 # define BN_MP_FREAD_C
6060 # define BN_MP_FWRITE_C
6161 # define BN_MP_GCD_C
62 # define BN_MP_GET_BIT_C
6263 # define BN_MP_GET_DOUBLE_C
6364 # define BN_MP_GET_INT_C
6465 # define BN_MP_GET_LONG_C
7778 # define BN_MP_JACOBI_C
7879 # define BN_MP_KARATSUBA_MUL_C
7980 # define BN_MP_KARATSUBA_SQR_C
81 # define BN_MP_KRONECKER_C
8082 # define BN_MP_LCM_C
8183 # define BN_MP_LSHD_C
8284 # define BN_MP_MOD_C
9597 # define BN_MP_NEG_C
9698 # define BN_MP_OR_C
9799 # define BN_MP_PRIME_FERMAT_C
100 # define BN_MP_PRIME_FROBENIUS_UNDERWOOD_C
98101 # define BN_MP_PRIME_IS_DIVISIBLE_C
99102 # define BN_MP_PRIME_IS_PRIME_C
100103 # define BN_MP_PRIME_MILLER_RABIN_C
101104 # define BN_MP_PRIME_NEXT_PRIME_C
102105 # define BN_MP_PRIME_RABIN_MILLER_TRIALS_C
103106 # define BN_MP_PRIME_RANDOM_EX_C
107 # define BN_MP_PRIME_STRONG_LUCAS_SELFRIDGE_C
104108 # define BN_MP_RADIX_SIZE_C
105109 # define BN_MP_RADIX_SMAP_C
106110 # define BN_MP_RAND_C
173177 # define BN_MP_CMP_C
174178 # define BN_MP_CMP_D_C
175179 # define BN_MP_ADD_C
180 # define BN_MP_CMP_MAG_C
176181 # define BN_MP_EXCH_C
177182 # define BN_MP_CLEAR_MULTI_C
178183 #endif
438443 # define BN_MP_CLEAR_C
439444 #endif
440445
446 #if defined(BN_MP_GET_BIT_C)
447 # define BN_MP_ISZERO_C
448 #endif
449
441450 #if defined(BN_MP_GET_DOUBLE_C)
442451 # define BN_MP_ISNEG_C
443452 #endif
526535 #endif
527536
528537 #if defined(BN_MP_JACOBI_C)
538 # define BN_MP_KRONECKER_C
529539 # define BN_MP_ISNEG_C
530540 # define BN_MP_CMP_D_C
531 # define BN_MP_ISZERO_C
532 # define BN_MP_INIT_COPY_C
533 # define BN_MP_CNT_LSB_C
534 # define BN_MP_DIV_2D_C
535 # define BN_MP_MOD_C
536 # define BN_MP_CLEAR_C
537541 #endif
538542
539543 #if defined(BN_MP_KARATSUBA_MUL_C)
555559 # define BN_S_MP_SUB_C
556560 # define BN_MP_LSHD_C
557561 # define BN_MP_ADD_C
562 # define BN_MP_CLEAR_C
563 #endif
564
565 #if defined(BN_MP_KRONECKER_C)
566 # define BN_MP_ISZERO_C
567 # define BN_MP_ISEVEN_C
568 # define BN_MP_INIT_COPY_C
569 # define BN_MP_CNT_LSB_C
570 # define BN_MP_DIV_2D_C
571 # define BN_MP_CMP_D_C
572 # define BN_MP_COPY_C
573 # define BN_MP_MOD_C
558574 # define BN_MP_CLEAR_C
559575 #endif
560576
683699 # define BN_MP_CLEAR_C
684700 #endif
685701
702 #if defined(BN_MP_PRIME_FROBENIUS_UNDERWOOD_C)
703 # define BN_MP_PRIME_IS_PRIME_C
704 # define BN_MP_INIT_MULTI_C
705 # define BN_MP_SET_LONG_C
706 # define BN_MP_SQR_C
707 # define BN_MP_SUB_D_C
708 # define BN_MP_KRONECKER_C
709 # define BN_MP_GCD_C
710 # define BN_MP_ADD_D_C
711 # define BN_MP_SET_C
712 # define BN_MP_COUNT_BITS_C
713 # define BN_MP_MUL_2_C
714 # define BN_MP_MUL_D_C
715 # define BN_MP_ADD_C
716 # define BN_MP_MUL_C
717 # define BN_MP_SUB_C
718 # define BN_MP_MOD_C
719 # define BN_MP_GET_BIT_C
720 # define BN_MP_EXCH_C
721 # define BN_MP_ISZERO_C
722 # define BN_MP_CMP_C
723 # define BN_MP_CLEAR_MULTI_C
724 #endif
725
686726 #if defined(BN_MP_PRIME_IS_DIVISIBLE_C)
687727 # define BN_MP_MOD_D_C
688728 #endif
689729
690730 #if defined(BN_MP_PRIME_IS_PRIME_C)
731 # define BN_MP_ISEVEN_C
732 # define BN_MP_IS_SQUARE_C
691733 # define BN_MP_CMP_D_C
692734 # define BN_MP_PRIME_IS_DIVISIBLE_C
693 # define BN_MP_INIT_C
694 # define BN_MP_SET_C
735 # define BN_MP_INIT_SET_C
695736 # define BN_MP_PRIME_MILLER_RABIN_C
737 # define BN_MP_PRIME_FROBENIUS_UNDERWOOD_C
738 # define BN_MP_PRIME_STRONG_LUCAS_SELFRIDGE_C
739 # define BN_MP_READ_RADIX_C
740 # define BN_MP_CMP_C
741 # define BN_MP_SET_C
742 # define BN_MP_COUNT_BITS_C
743 # define BN_MP_RAND_C
744 # define BN_MP_DIV_2D_C
696745 # define BN_MP_CLEAR_C
697746 #endif
698747
716765 # define BN_MP_MOD_D_C
717766 # define BN_MP_INIT_C
718767 # define BN_MP_ADD_D_C
719 # define BN_MP_PRIME_MILLER_RABIN_C
768 # define BN_MP_PRIME_IS_PRIME_C
720769 # define BN_MP_CLEAR_C
721770 #endif
722771
732781 # define BN_MP_ADD_D_C
733782 #endif
734783
784 #if defined(BN_MP_PRIME_STRONG_LUCAS_SELFRIDGE_C)
785 # define BN_MP_PRIME_IS_PRIME_C
786 # define BN_MP_MUL_D_C
787 # define BN_MP_MUL_SI_C
788 # define BN_MP_INIT_C
789 # define BN_MP_SET_LONG_C
790 # define BN_MP_MUL_C
791 # define BN_MP_CLEAR_C
792 # define BN_MP_INIT_MULTI_C
793 # define BN_MP_GCD_C
794 # define BN_MP_CMP_D_C
795 # define BN_MP_CMP_C
796 # define BN_MP_KRONECKER_C
797 # define BN_MP_ADD_D_C
798 # define BN_MP_CNT_LSB_C
799 # define BN_MP_DIV_2D_C
800 # define BN_MP_SET_C
801 # define BN_MP_MUL_2_C
802 # define BN_MP_COUNT_BITS_C
803 # define BN_MP_MOD_C
804 # define BN_MP_SQR_C
805 # define BN_MP_SUB_C
806 # define BN_MP_GET_BIT_C
807 # define BN_MP_ADD_C
808 # define BN_MP_ISODD_C
809 # define BN_MP_DIV_2_C
810 # define BN_MP_SUB_D_C
811 # define BN_MP_ISZERO_C
812 # define BN_MP_CLEAR_MULTI_C
813 #endif
814
735815 #if defined(BN_MP_RADIX_SIZE_C)
736816 # define BN_MP_ISZERO_C
737817 # define BN_MP_COUNT_BITS_C
11321212 # define LTM_LAST
11331213 #endif
11341214
1135 #include "tommath_superclass.h"
1136 #include "tommath_class.h"
1215 #include <tommath_superclass.h>
1216 #include <tommath_class.h>
11371217 #else
11381218 # define LTM_LAST
11391219 #endif
66 * Michael Fromberger but has been written from scratch with
77 * additional optimizations in place.
88 *
9 * The library is free for all purposes without any express
10 * guarantee it works.
9 * SPDX-License-Identifier: Unlicense
1110 */
1211 #ifndef TOMMATH_PRIV_H_
1312 #define TOMMATH_PRIV_H_
66 * Michael Fromberger but has been written from scratch with
77 * additional optimizations in place.
88 *
9 * The library is free for all purposes without any express
10 * guarantee it works.
9 * SPDX-License-Identifier: Unlicense
1110 */
1211
1312 /* super class file for PK algos */