2 * Multi-precision integer library
4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
14 * * Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * * Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * * Neither the names of PolarSSL or XySSL nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
26 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36 * This MPI implementation is based on:
38 * http://www.cacr.math.uwaterloo.ca/hac/about/chap14.pdf
39 * http://www.stillhq.com/extracted/gnupg-api/mpi/
40 * http://math.libtomcrypt.com/files/tommath.pdf
43 #include "polarssl/config.h"
45 #if defined(POLARSSL_BIGNUM_C)
47 #include "polarssl/bignum.h"
48 #include "polarssl/bn_mul.h"
54 #define ciL ((int) sizeof(t_int)) /* chars in limb */
55 #define biL (ciL << 3) /* bits in limb */
56 #define biH (ciL << 2) /* half limb size */
59 * Convert between bits/chars and number of limbs
61 #define BITS_TO_LIMBS(i) (((i) + biL - 1) / biL)
62 #define CHARS_TO_LIMBS(i) (((i) + ciL - 1) / ciL)
65 * Initialize one or more mpi
67 void mpi_init( mpi *X, ... )
79 X = va_arg( args, mpi* );
86 * Unallocate one or more mpi
88 void mpi_free( mpi *X, ... )
98 memset( X->p, 0, X->n * ciL );
106 X = va_arg( args, mpi* );
113 * Enlarge to the specified number of limbs
115 int mpi_grow( mpi *X, int nblimbs )
121 if( ( p = (t_int *) malloc( nblimbs * ciL ) ) == NULL )
124 memset( p, 0, nblimbs * ciL );
128 memcpy( p, X->p, X->n * ciL );
129 memset( X->p, 0, X->n * ciL );
141 * Copy the contents of Y into X
143 int mpi_copy( mpi *X, mpi *Y )
150 for( i = Y->n - 1; i > 0; i-- )
157 MPI_CHK( mpi_grow( X, i ) );
159 memset( X->p, 0, X->n * ciL );
160 memcpy( X->p, Y->p, i * ciL );
168 * Swap the contents of X and Y
170 void mpi_swap( mpi *X, mpi *Y )
174 memcpy( &T, X, sizeof( mpi ) );
175 memcpy( X, Y, sizeof( mpi ) );
176 memcpy( Y, &T, sizeof( mpi ) );
180 * Set value from integer
182 int mpi_lset( mpi *X, int z )
186 MPI_CHK( mpi_grow( X, 1 ) );
187 memset( X->p, 0, X->n * ciL );
189 X->p[0] = ( z < 0 ) ? -z : z;
190 X->s = ( z < 0 ) ? -1 : 1;
198 * Return the number of least significant bits
200 int mpi_lsb( mpi *X )
204 for( i = 0; i < X->n; i++ )
205 for( j = 0; j < (int) biL; j++, count++ )
206 if( ( ( X->p[i] >> j ) & 1 ) != 0 )
213 * Return the number of most significant bits
215 int mpi_msb( mpi *X )
219 for( i = X->n - 1; i > 0; i-- )
223 for( j = biL - 1; j >= 0; j-- )
224 if( ( ( X->p[i] >> j ) & 1 ) != 0 )
227 return( ( i * biL ) + j + 1 );
231 * Return the total size in bytes
233 int mpi_size( mpi *X )
235 return( ( mpi_msb( X ) + 7 ) >> 3 );
239 * Convert an ASCII character to digit value
241 static int mpi_get_digit( t_int *d, int radix, char c )
245 if( c >= 0x30 && c <= 0x39 ) *d = c - 0x30;
246 if( c >= 0x41 && c <= 0x46 ) *d = c - 0x37;
247 if( c >= 0x61 && c <= 0x66 ) *d = c - 0x57;
249 if( *d >= (t_int) radix )
250 return( POLARSSL_ERR_MPI_INVALID_CHARACTER );
256 * Import from an ASCII string
258 int mpi_read_string( mpi *X, int radix, char *s )
264 if( radix < 2 || radix > 16 )
265 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
267 mpi_init( &T, NULL );
271 n = BITS_TO_LIMBS( strlen( s ) << 2 );
273 MPI_CHK( mpi_grow( X, n ) );
274 MPI_CHK( mpi_lset( X, 0 ) );
276 for( i = strlen( s ) - 1, j = 0; i >= 0; i--, j++ )
278 if( i == 0 && s[i] == '-' )
284 MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
285 X->p[j / (2 * ciL)] |= d << ( (j % (2 * ciL)) << 2 );
290 MPI_CHK( mpi_lset( X, 0 ) );
292 for( i = 0; i < (int) strlen( s ); i++ )
294 if( i == 0 && s[i] == '-' )
300 MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
301 MPI_CHK( mpi_mul_int( &T, X, radix ) );
302 MPI_CHK( mpi_add_int( X, &T, d ) );
308 mpi_free( &T, NULL );
314 * Helper to write the digits high-order first
316 static int mpi_write_hlp( mpi *X, int radix, char **p )
321 if( radix < 2 || radix > 16 )
322 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
324 MPI_CHK( mpi_mod_int( &r, X, radix ) );
325 MPI_CHK( mpi_div_int( X, NULL, X, radix ) );
327 if( mpi_cmp_int( X, 0 ) != 0 )
328 MPI_CHK( mpi_write_hlp( X, radix, p ) );
331 *(*p)++ = (char)( r + 0x30 );
333 *(*p)++ = (char)( r + 0x37 );
341 * Export into an ASCII string
343 int mpi_write_string( mpi *X, int radix, char *s, int *slen )
349 if( radix < 2 || radix > 16 )
350 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
353 if( radix >= 4 ) n >>= 1;
354 if( radix >= 16 ) n >>= 1;
360 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
364 mpi_init( &T, NULL );
373 for( i = X->n - 1, k = 0; i >= 0; i-- )
375 for( j = ciL - 1; j >= 0; j-- )
377 c = ( X->p[i] >> (j << 3) ) & 0xFF;
379 if( c == 0 && k == 0 && (i + j) != 0 )
382 p += sprintf( p, "%02X", c );
389 MPI_CHK( mpi_copy( &T, X ) );
390 MPI_CHK( mpi_write_hlp( &T, radix, &p ) );
398 mpi_free( &T, NULL );
404 * Read X from an opened file
406 int mpi_read_file( mpi *X, int radix, FILE *fin )
413 memset( s, 0, sizeof( s ) );
414 if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
415 return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
418 if( s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
419 if( s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
423 if( mpi_get_digit( &d, radix, *p ) != 0 )
426 return( mpi_read_string( X, radix, p + 1 ) );
430 * Write X into an opened file (or stdout if fout == NULL)
432 int mpi_write_file( char *p, mpi *X, int radix, FILE *fout )
443 MPI_CHK( mpi_write_string( X, radix, s, (int *) &n ) );
445 if( p == NULL ) p = "";
454 if( fwrite( p, 1, plen, fout ) != plen ||
455 fwrite( s, 1, slen, fout ) != slen )
456 return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
459 printf( "%s%s", p, s );
467 * Import X from unsigned binary data, big endian
469 int mpi_read_binary( mpi *X, unsigned char *buf, int buflen )
473 for( n = 0; n < buflen; n++ )
477 MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( buflen - n ) ) );
478 MPI_CHK( mpi_lset( X, 0 ) );
480 for( i = buflen - 1, j = 0; i >= n; i--, j++ )
481 X->p[j / ciL] |= ((t_int) buf[i]) << ((j % ciL) << 3);
489 * Export X into unsigned binary data, big endian
491 int mpi_write_binary( mpi *X, unsigned char *buf, int buflen )
498 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
500 memset( buf, 0, buflen );
502 for( i = buflen - 1, j = 0; n > 0; i--, j++, n-- )
503 buf[i] = (unsigned char)( X->p[j / ciL] >> ((j % ciL) << 3) );
509 * Left-shift: X <<= count
511 int mpi_shift_l( mpi *X, int count )
517 t1 = count & (biL - 1);
519 i = mpi_msb( X ) + count;
521 if( X->n * (int) biL < i )
522 MPI_CHK( mpi_grow( X, BITS_TO_LIMBS( i ) ) );
527 * shift by count / limb_size
531 for( i = X->n - 1; i >= v0; i-- )
532 X->p[i] = X->p[i - v0];
539 * shift by count % limb_size
543 for( i = v0; i < X->n; i++ )
545 r1 = X->p[i] >> (biL - t1);
558 * Right-shift: X >>= count
560 int mpi_shift_r( mpi *X, int count )
566 v1 = count & (biL - 1);
569 * shift by count / limb_size
573 for( i = 0; i < X->n - v0; i++ )
574 X->p[i] = X->p[i + v0];
576 for( ; i < X->n; i++ )
581 * shift by count % limb_size
585 for( i = X->n - 1; i >= 0; i-- )
587 r1 = X->p[i] << (biL - v1);
598 * Compare unsigned values
600 int mpi_cmp_abs( mpi *X, mpi *Y )
604 for( i = X->n - 1; i >= 0; i-- )
608 for( j = Y->n - 1; j >= 0; j-- )
615 if( i > j ) return( 1 );
616 if( j > i ) return( -1 );
620 if( X->p[i] > Y->p[i] ) return( 1 );
621 if( X->p[i] < Y->p[i] ) return( -1 );
628 * Compare signed values
630 int mpi_cmp_mpi( mpi *X, mpi *Y )
634 for( i = X->n - 1; i >= 0; i-- )
638 for( j = Y->n - 1; j >= 0; j-- )
645 if( i > j ) return( X->s );
646 if( j > i ) return( -X->s );
648 if( X->s > 0 && Y->s < 0 ) return( 1 );
649 if( Y->s > 0 && X->s < 0 ) return( -1 );
653 if( X->p[i] > Y->p[i] ) return( X->s );
654 if( X->p[i] < Y->p[i] ) return( -X->s );
661 * Compare signed values
663 int mpi_cmp_int( mpi *X, int z )
668 *p = ( z < 0 ) ? -z : z;
669 Y.s = ( z < 0 ) ? -1 : 1;
673 return( mpi_cmp_mpi( X, &Y ) );
677 * Unsigned addition: X = |A| + |B| (HAC 14.7)
679 int mpi_add_abs( mpi *X, mpi *A, mpi *B )
686 mpi *T = A; A = X; B = T;
690 MPI_CHK( mpi_copy( X, A ) );
692 for( j = B->n - 1; j >= 0; j-- )
696 MPI_CHK( mpi_grow( X, j + 1 ) );
698 o = B->p; p = X->p; c = 0;
700 for( i = 0; i <= j; i++, o++, p++ )
702 *p += c; c = ( *p < c );
703 *p += *o; c += ( *p < *o );
710 MPI_CHK( mpi_grow( X, i + 1 ) );
714 *p += c; c = ( *p < c ); i++;
723 * Helper for mpi substraction
725 static void mpi_sub_hlp( int n, t_int *s, t_int *d )
730 for( i = c = 0; i < n; i++, s++, d++ )
732 z = ( *d < c ); *d -= c;
733 c = ( *d < *s ) + z; *d -= *s;
738 z = ( *d < c ); *d -= c;
744 * Unsigned substraction: X = |A| - |B| (HAC 14.9)
746 int mpi_sub_abs( mpi *X, mpi *A, mpi *B )
751 if( mpi_cmp_abs( A, B ) < 0 )
752 return( POLARSSL_ERR_MPI_NEGATIVE_VALUE );
754 mpi_init( &TB, NULL );
758 MPI_CHK( mpi_copy( &TB, B ) );
763 MPI_CHK( mpi_copy( X, A ) );
767 for( n = B->n - 1; n >= 0; n-- )
771 mpi_sub_hlp( n + 1, B->p, X->p );
775 mpi_free( &TB, NULL );
781 * Signed addition: X = A + B
783 int mpi_add_mpi( mpi *X, mpi *A, mpi *B )
787 if( A->s * B->s < 0 )
789 if( mpi_cmp_abs( A, B ) >= 0 )
791 MPI_CHK( mpi_sub_abs( X, A, B ) );
796 MPI_CHK( mpi_sub_abs( X, B, A ) );
802 MPI_CHK( mpi_add_abs( X, A, B ) );
812 * Signed substraction: X = A - B
814 int mpi_sub_mpi( mpi *X, mpi *A, mpi *B )
818 if( A->s * B->s > 0 )
820 if( mpi_cmp_abs( A, B ) >= 0 )
822 MPI_CHK( mpi_sub_abs( X, A, B ) );
827 MPI_CHK( mpi_sub_abs( X, B, A ) );
833 MPI_CHK( mpi_add_abs( X, A, B ) );
843 * Signed addition: X = A + b
845 int mpi_add_int( mpi *X, mpi *A, int b )
850 p[0] = ( b < 0 ) ? -b : b;
851 _B.s = ( b < 0 ) ? -1 : 1;
855 return( mpi_add_mpi( X, A, &_B ) );
859 * Signed substraction: X = A - b
861 int mpi_sub_int( mpi *X, mpi *A, int b )
866 p[0] = ( b < 0 ) ? -b : b;
867 _B.s = ( b < 0 ) ? -1 : 1;
871 return( mpi_sub_mpi( X, A, &_B ) );
875 * Helper for mpi multiplication
877 static void mpi_mul_hlp( int i, t_int *s, t_int *d, t_int b )
881 #if defined(MULADDC_HUIT)
882 for( ; i >= 8; i -= 8 )
896 for( ; i >= 16; i -= 16 )
899 MULADDC_CORE MULADDC_CORE
900 MULADDC_CORE MULADDC_CORE
901 MULADDC_CORE MULADDC_CORE
902 MULADDC_CORE MULADDC_CORE
904 MULADDC_CORE MULADDC_CORE
905 MULADDC_CORE MULADDC_CORE
906 MULADDC_CORE MULADDC_CORE
907 MULADDC_CORE MULADDC_CORE
911 for( ; i >= 8; i -= 8 )
914 MULADDC_CORE MULADDC_CORE
915 MULADDC_CORE MULADDC_CORE
917 MULADDC_CORE MULADDC_CORE
918 MULADDC_CORE MULADDC_CORE
933 *d += c; c = ( *d < c ); d++;
939 * Baseline multiplication: X = A * B (HAC 14.12)
941 int mpi_mul_mpi( mpi *X, mpi *A, mpi *B )
946 mpi_init( &TA, &TB, NULL );
948 if( X == A ) { MPI_CHK( mpi_copy( &TA, A ) ); A = &TA; }
949 if( X == B ) { MPI_CHK( mpi_copy( &TB, B ) ); B = &TB; }
951 for( i = A->n - 1; i >= 0; i-- )
955 for( j = B->n - 1; j >= 0; j-- )
959 MPI_CHK( mpi_grow( X, i + j + 2 ) );
960 MPI_CHK( mpi_lset( X, 0 ) );
962 for( i++; j >= 0; j-- )
963 mpi_mul_hlp( i, A->p, X->p + j, B->p[j] );
969 mpi_free( &TB, &TA, NULL );
975 * Baseline multiplication: X = A * b
977 int mpi_mul_int( mpi *X, mpi *A, t_int b )
987 return( mpi_mul_mpi( X, A, &_B ) );
991 * Division by mpi: A = Q * B + R (HAC 14.20)
993 int mpi_div_mpi( mpi *Q, mpi *R, mpi *A, mpi *B )
998 if( mpi_cmp_int( B, 0 ) == 0 )
999 return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
1001 mpi_init( &X, &Y, &Z, &T1, &T2, NULL );
1003 if( mpi_cmp_abs( A, B ) < 0 )
1005 if( Q != NULL ) MPI_CHK( mpi_lset( Q, 0 ) );
1006 if( R != NULL ) MPI_CHK( mpi_copy( R, A ) );
1010 MPI_CHK( mpi_copy( &X, A ) );
1011 MPI_CHK( mpi_copy( &Y, B ) );
1014 MPI_CHK( mpi_grow( &Z, A->n + 2 ) );
1015 MPI_CHK( mpi_lset( &Z, 0 ) );
1016 MPI_CHK( mpi_grow( &T1, 2 ) );
1017 MPI_CHK( mpi_grow( &T2, 3 ) );
1019 k = mpi_msb( &Y ) % biL;
1020 if( k < (int) biL - 1 )
1023 MPI_CHK( mpi_shift_l( &X, k ) );
1024 MPI_CHK( mpi_shift_l( &Y, k ) );
1030 mpi_shift_l( &Y, biL * (n - t) );
1032 while( mpi_cmp_mpi( &X, &Y ) >= 0 )
1035 mpi_sub_mpi( &X, &X, &Y );
1037 mpi_shift_r( &Y, biL * (n - t) );
1039 for( i = n; i > t ; i-- )
1041 if( X.p[i] >= Y.p[t] )
1042 Z.p[i - t - 1] = ~0;
1045 #if defined(POLARSSL_HAVE_LONGLONG)
1048 r = (t_dbl) X.p[i] << biL;
1049 r |= (t_dbl) X.p[i - 1];
1051 if( r > ((t_dbl) 1 << biL) - 1)
1052 r = ((t_dbl) 1 << biL) - 1;
1054 Z.p[i - t - 1] = (t_int) r;
1057 * __udiv_qrnnd_c, from gmp/longlong.h
1059 t_int q0, q1, r0, r1;
1063 d0 = ( d << biH ) >> biH;
1067 r1 = X.p[i] - d1 * q1;
1069 r1 |= ( X.p[i - 1] >> biH );
1075 while( r1 >= d && r1 < m )
1083 r0 |= ( X.p[i - 1] << biH ) >> biH;
1089 while( r0 >= d && r0 < m )
1094 Z.p[i - t - 1] = ( q1 << biH ) | q0;
1103 MPI_CHK( mpi_lset( &T1, 0 ) );
1104 T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
1106 MPI_CHK( mpi_mul_int( &T1, &T1, Z.p[i - t - 1] ) );
1108 MPI_CHK( mpi_lset( &T2, 0 ) );
1109 T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
1110 T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
1113 while( mpi_cmp_mpi( &T1, &T2 ) > 0 );
1115 MPI_CHK( mpi_mul_int( &T1, &Y, Z.p[i - t - 1] ) );
1116 MPI_CHK( mpi_shift_l( &T1, biL * (i - t - 1) ) );
1117 MPI_CHK( mpi_sub_mpi( &X, &X, &T1 ) );
1119 if( mpi_cmp_int( &X, 0 ) < 0 )
1121 MPI_CHK( mpi_copy( &T1, &Y ) );
1122 MPI_CHK( mpi_shift_l( &T1, biL * (i - t - 1) ) );
1123 MPI_CHK( mpi_add_mpi( &X, &X, &T1 ) );
1136 mpi_shift_r( &X, k );
1140 if( mpi_cmp_int( R, 0 ) == 0 )
1146 mpi_free( &X, &Y, &Z, &T1, &T2, NULL );
1152 * Division by int: A = Q * b + R
1154 * Returns 0 if successful
1155 * 1 if memory allocation failed
1156 * POLARSSL_ERR_MPI_DIVISION_BY_ZERO if b == 0
1158 int mpi_div_int( mpi *Q, mpi *R, mpi *A, int b )
1163 p[0] = ( b < 0 ) ? -b : b;
1164 _B.s = ( b < 0 ) ? -1 : 1;
1168 return( mpi_div_mpi( Q, R, A, &_B ) );
1172 * Modulo: R = A mod B
1174 int mpi_mod_mpi( mpi *R, mpi *A, mpi *B )
1178 MPI_CHK( mpi_div_mpi( NULL, R, A, B ) );
1180 while( mpi_cmp_int( R, 0 ) < 0 )
1181 MPI_CHK( mpi_add_mpi( R, R, B ) );
1183 while( mpi_cmp_mpi( R, B ) >= 0 )
1184 MPI_CHK( mpi_sub_mpi( R, R, B ) );
1192 * Modulo: r = A mod b
1194 int mpi_mod_int( t_int *r, mpi *A, int b )
1200 return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
1206 * handle trivial cases
1223 for( i = A->n - 1, y = 0; i >= 0; i-- )
1226 y = ( y << biH ) | ( x >> biH );
1231 y = ( y << biH ) | ( x >> biH );
1242 * Fast Montgomery initialization (thanks to Tom St Denis)
1244 static void mpi_montg_init( t_int *mm, mpi *N )
1246 t_int x, m0 = N->p[0];
1249 x += ( ( m0 + 2 ) & 4 ) << 1;
1250 x *= ( 2 - ( m0 * x ) );
1252 if( biL >= 16 ) x *= ( 2 - ( m0 * x ) );
1253 if( biL >= 32 ) x *= ( 2 - ( m0 * x ) );
1254 if( biL >= 64 ) x *= ( 2 - ( m0 * x ) );
1260 * Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
1262 static void mpi_montmul( mpi *A, mpi *B, mpi *N, t_int mm, mpi *T )
1267 memset( T->p, 0, T->n * ciL );
1271 m = ( B->n < n ) ? B->n : n;
1273 for( i = 0; i < n; i++ )
1276 * T = (T + u0*B + u1*N) / 2^biL
1279 u1 = ( d[0] + u0 * B->p[0] ) * mm;
1281 mpi_mul_hlp( m, B->p, d, u0 );
1282 mpi_mul_hlp( n, N->p, d, u1 );
1284 *d++ = u0; d[n + 1] = 0;
1287 memcpy( A->p, d, (n + 1) * ciL );
1289 if( mpi_cmp_abs( A, N ) >= 0 )
1290 mpi_sub_hlp( n, N->p, A->p );
1292 /* prevent timing attacks */
1293 mpi_sub_hlp( n, A->p, T->p );
1297 * Montgomery reduction: A = A * R^-1 mod N
1299 static void mpi_montred( mpi *A, mpi *N, t_int mm, mpi *T )
1307 mpi_montmul( A, &U, N, mm, T );
1311 * Sliding-window exponentiation: X = A^E mod N (HAC 14.85)
1313 int mpi_exp_mod( mpi *X, mpi *A, mpi *E, mpi *N, mpi *_RR )
1315 int ret, i, j, wsize, wbits;
1316 int bufsize, nblimbs, nbits;
1317 t_int ei, mm, state;
1320 if( mpi_cmp_int( N, 0 ) < 0 || ( N->p[0] & 1 ) == 0 )
1321 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1324 * Init temps and window size
1326 mpi_montg_init( &mm, N );
1327 mpi_init( &RR, &T, NULL );
1328 memset( W, 0, sizeof( W ) );
1332 wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
1333 ( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1;
1336 MPI_CHK( mpi_grow( X, j ) );
1337 MPI_CHK( mpi_grow( &W[1], j ) );
1338 MPI_CHK( mpi_grow( &T, j * 2 ) );
1341 * If 1st call, pre-compute R^2 mod N
1343 if( _RR == NULL || _RR->p == NULL )
1345 MPI_CHK( mpi_lset( &RR, 1 ) );
1346 MPI_CHK( mpi_shift_l( &RR, N->n * 2 * biL ) );
1347 MPI_CHK( mpi_mod_mpi( &RR, &RR, N ) );
1350 memcpy( _RR, &RR, sizeof( mpi ) );
1353 memcpy( &RR, _RR, sizeof( mpi ) );
1356 * W[1] = A * R^2 * R^-1 mod N = A * R mod N
1358 if( mpi_cmp_mpi( A, N ) >= 0 )
1359 mpi_mod_mpi( &W[1], A, N );
1360 else mpi_copy( &W[1], A );
1362 mpi_montmul( &W[1], &RR, N, mm, &T );
1365 * X = R^2 * R^-1 mod N = R mod N
1367 MPI_CHK( mpi_copy( X, &RR ) );
1368 mpi_montred( X, N, mm, &T );
1373 * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
1375 j = 1 << (wsize - 1);
1377 MPI_CHK( mpi_grow( &W[j], N->n + 1 ) );
1378 MPI_CHK( mpi_copy( &W[j], &W[1] ) );
1380 for( i = 0; i < wsize - 1; i++ )
1381 mpi_montmul( &W[j], &W[j], N, mm, &T );
1384 * W[i] = W[i - 1] * W[1]
1386 for( i = j + 1; i < (1 << wsize); i++ )
1388 MPI_CHK( mpi_grow( &W[i], N->n + 1 ) );
1389 MPI_CHK( mpi_copy( &W[i], &W[i - 1] ) );
1391 mpi_montmul( &W[i], &W[1], N, mm, &T );
1405 if( nblimbs-- == 0 )
1408 bufsize = sizeof( t_int ) << 3;
1413 ei = (E->p[nblimbs] >> bufsize) & 1;
1418 if( ei == 0 && state == 0 )
1421 if( ei == 0 && state == 1 )
1424 * out of window, square X
1426 mpi_montmul( X, X, N, mm, &T );
1431 * add ei to current window
1436 wbits |= (ei << (wsize - nbits));
1438 if( nbits == wsize )
1441 * X = X^wsize R^-1 mod N
1443 for( i = 0; i < wsize; i++ )
1444 mpi_montmul( X, X, N, mm, &T );
1447 * X = X * W[wbits] R^-1 mod N
1449 mpi_montmul( X, &W[wbits], N, mm, &T );
1458 * process the remaining bits
1460 for( i = 0; i < nbits; i++ )
1462 mpi_montmul( X, X, N, mm, &T );
1466 if( (wbits & (1 << wsize)) != 0 )
1467 mpi_montmul( X, &W[1], N, mm, &T );
1471 * X = A^E * R * R^-1 mod N = A^E mod N
1473 mpi_montred( X, N, mm, &T );
1477 for( i = (1 << (wsize - 1)); i < (1 << wsize); i++ )
1478 mpi_free( &W[i], NULL );
1481 mpi_free( &W[1], &T, NULL );
1482 else mpi_free( &W[1], &T, &RR, NULL );
1488 * Greatest common divisor: G = gcd(A, B) (HAC 14.54)
1490 int mpi_gcd( mpi *G, mpi *A, mpi *B )
1495 mpi_init( &TG, &TA, &TB, NULL );
1497 MPI_CHK( mpi_copy( &TA, A ) );
1498 MPI_CHK( mpi_copy( &TB, B ) );
1500 lz = mpi_lsb( &TA );
1501 lzt = mpi_lsb( &TB );
1506 MPI_CHK( mpi_shift_r( &TA, lz ) );
1507 MPI_CHK( mpi_shift_r( &TB, lz ) );
1511 while( mpi_cmp_int( &TA, 0 ) != 0 )
1513 MPI_CHK( mpi_shift_r( &TA, mpi_lsb( &TA ) ) );
1514 MPI_CHK( mpi_shift_r( &TB, mpi_lsb( &TB ) ) );
1516 if( mpi_cmp_mpi( &TA, &TB ) >= 0 )
1518 MPI_CHK( mpi_sub_abs( &TA, &TA, &TB ) );
1519 MPI_CHK( mpi_shift_r( &TA, 1 ) );
1523 MPI_CHK( mpi_sub_abs( &TB, &TB, &TA ) );
1524 MPI_CHK( mpi_shift_r( &TB, 1 ) );
1528 MPI_CHK( mpi_shift_l( &TB, lz ) );
1529 MPI_CHK( mpi_copy( G, &TB ) );
1533 mpi_free( &TB, &TA, &TG, NULL );
1538 #if defined(POLARSSL_GENPRIME)
1541 * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
1543 int mpi_inv_mod( mpi *X, mpi *A, mpi *N )
1546 mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
1548 if( mpi_cmp_int( N, 0 ) <= 0 )
1549 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1551 mpi_init( &TA, &TU, &U1, &U2, &G,
1552 &TB, &TV, &V1, &V2, NULL );
1554 MPI_CHK( mpi_gcd( &G, A, N ) );
1556 if( mpi_cmp_int( &G, 1 ) != 0 )
1558 ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
1562 MPI_CHK( mpi_mod_mpi( &TA, A, N ) );
1563 MPI_CHK( mpi_copy( &TU, &TA ) );
1564 MPI_CHK( mpi_copy( &TB, N ) );
1565 MPI_CHK( mpi_copy( &TV, N ) );
1567 MPI_CHK( mpi_lset( &U1, 1 ) );
1568 MPI_CHK( mpi_lset( &U2, 0 ) );
1569 MPI_CHK( mpi_lset( &V1, 0 ) );
1570 MPI_CHK( mpi_lset( &V2, 1 ) );
1574 while( ( TU.p[0] & 1 ) == 0 )
1576 MPI_CHK( mpi_shift_r( &TU, 1 ) );
1578 if( ( U1.p[0] & 1 ) != 0 || ( U2.p[0] & 1 ) != 0 )
1580 MPI_CHK( mpi_add_mpi( &U1, &U1, &TB ) );
1581 MPI_CHK( mpi_sub_mpi( &U2, &U2, &TA ) );
1584 MPI_CHK( mpi_shift_r( &U1, 1 ) );
1585 MPI_CHK( mpi_shift_r( &U2, 1 ) );
1588 while( ( TV.p[0] & 1 ) == 0 )
1590 MPI_CHK( mpi_shift_r( &TV, 1 ) );
1592 if( ( V1.p[0] & 1 ) != 0 || ( V2.p[0] & 1 ) != 0 )
1594 MPI_CHK( mpi_add_mpi( &V1, &V1, &TB ) );
1595 MPI_CHK( mpi_sub_mpi( &V2, &V2, &TA ) );
1598 MPI_CHK( mpi_shift_r( &V1, 1 ) );
1599 MPI_CHK( mpi_shift_r( &V2, 1 ) );
1602 if( mpi_cmp_mpi( &TU, &TV ) >= 0 )
1604 MPI_CHK( mpi_sub_mpi( &TU, &TU, &TV ) );
1605 MPI_CHK( mpi_sub_mpi( &U1, &U1, &V1 ) );
1606 MPI_CHK( mpi_sub_mpi( &U2, &U2, &V2 ) );
1610 MPI_CHK( mpi_sub_mpi( &TV, &TV, &TU ) );
1611 MPI_CHK( mpi_sub_mpi( &V1, &V1, &U1 ) );
1612 MPI_CHK( mpi_sub_mpi( &V2, &V2, &U2 ) );
1615 while( mpi_cmp_int( &TU, 0 ) != 0 );
1617 while( mpi_cmp_int( &V1, 0 ) < 0 )
1618 MPI_CHK( mpi_add_mpi( &V1, &V1, N ) );
1620 while( mpi_cmp_mpi( &V1, N ) >= 0 )
1621 MPI_CHK( mpi_sub_mpi( &V1, &V1, N ) );
1623 MPI_CHK( mpi_copy( X, &V1 ) );
1627 mpi_free( &V2, &V1, &TV, &TB, &G,
1628 &U2, &U1, &TU, &TA, NULL );
1633 static const int small_prime[] =
1635 3, 5, 7, 11, 13, 17, 19, 23,
1636 29, 31, 37, 41, 43, 47, 53, 59,
1637 61, 67, 71, 73, 79, 83, 89, 97,
1638 101, 103, 107, 109, 113, 127, 131, 137,
1639 139, 149, 151, 157, 163, 167, 173, 179,
1640 181, 191, 193, 197, 199, 211, 223, 227,
1641 229, 233, 239, 241, 251, 257, 263, 269,
1642 271, 277, 281, 283, 293, 307, 311, 313,
1643 317, 331, 337, 347, 349, 353, 359, 367,
1644 373, 379, 383, 389, 397, 401, 409, 419,
1645 421, 431, 433, 439, 443, 449, 457, 461,
1646 463, 467, 479, 487, 491, 499, 503, 509,
1647 521, 523, 541, 547, 557, 563, 569, 571,
1648 577, 587, 593, 599, 601, 607, 613, 617,
1649 619, 631, 641, 643, 647, 653, 659, 661,
1650 673, 677, 683, 691, 701, 709, 719, 727,
1651 733, 739, 743, 751, 757, 761, 769, 773,
1652 787, 797, 809, 811, 821, 823, 827, 829,
1653 839, 853, 857, 859, 863, 877, 881, 883,
1654 887, 907, 911, 919, 929, 937, 941, 947,
1655 953, 967, 971, 977, 983, 991, 997, -103
1659 * Miller-Rabin primality test (HAC 4.24)
1661 int mpi_is_prime( mpi *X, int (*f_rng)(void *), void *p_rng )
1663 int ret, i, j, n, s, xs;
1667 if( mpi_cmp_int( X, 0 ) == 0 )
1670 mpi_init( &W, &R, &T, &A, &RR, NULL );
1672 xs = X->s; X->s = 1;
1675 * test trivial factors first
1677 if( ( X->p[0] & 1 ) == 0 )
1678 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
1680 for( i = 0; small_prime[i] > 0; i++ )
1684 if( mpi_cmp_int( X, small_prime[i] ) <= 0 )
1687 MPI_CHK( mpi_mod_int( &r, X, small_prime[i] ) );
1690 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
1698 MPI_CHK( mpi_sub_int( &W, X, 1 ) );
1699 MPI_CHK( mpi_copy( &R, &W ) );
1700 MPI_CHK( mpi_shift_r( &R, s ) );
1706 n = ( ( i >= 1300 ) ? 2 : ( i >= 850 ) ? 3 :
1707 ( i >= 650 ) ? 4 : ( i >= 350 ) ? 8 :
1708 ( i >= 250 ) ? 12 : ( i >= 150 ) ? 18 : 27 );
1710 for( i = 0; i < n; i++ )
1713 * pick a random A, 1 < A < |X| - 1
1715 MPI_CHK( mpi_grow( &A, X->n ) );
1717 p = (unsigned char *) A.p;
1718 for( j = 0; j < A.n * ciL; j++ )
1719 *p++ = (unsigned char) f_rng( p_rng );
1721 j = mpi_msb( &A ) - mpi_msb( &W );
1722 MPI_CHK( mpi_shift_r( &A, j + 1 ) );
1728 MPI_CHK( mpi_exp_mod( &A, &A, &R, X, &RR ) );
1730 if( mpi_cmp_mpi( &A, &W ) == 0 ||
1731 mpi_cmp_int( &A, 1 ) == 0 )
1735 while( j < s && mpi_cmp_mpi( &A, &W ) != 0 )
1740 MPI_CHK( mpi_mul_mpi( &T, &A, &A ) );
1741 MPI_CHK( mpi_mod_mpi( &A, &T, X ) );
1743 if( mpi_cmp_int( &A, 1 ) == 0 )
1750 * not prime if A != |X| - 1 or A == 1
1752 if( mpi_cmp_mpi( &A, &W ) != 0 ||
1753 mpi_cmp_int( &A, 1 ) == 0 )
1755 ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
1764 mpi_free( &RR, &A, &T, &R, &W, NULL );
1770 * Prime number generation
1772 int mpi_gen_prime( mpi *X, int nbits, int dh_flag,
1773 int (*f_rng)(void *), void *p_rng )
1780 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1782 mpi_init( &Y, NULL );
1784 n = BITS_TO_LIMBS( nbits );
1786 MPI_CHK( mpi_grow( X, n ) );
1787 MPI_CHK( mpi_lset( X, 0 ) );
1789 p = (unsigned char *) X->p;
1790 for( k = 0; k < X->n * ciL; k++ )
1791 *p++ = (unsigned char) f_rng( p_rng );
1794 if( k < nbits ) MPI_CHK( mpi_shift_l( X, nbits - k ) );
1795 if( k > nbits ) MPI_CHK( mpi_shift_r( X, k - nbits ) );
1801 while( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) != 0 )
1803 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1806 MPI_CHK( mpi_add_int( X, X, 2 ) );
1811 MPI_CHK( mpi_sub_int( &Y, X, 1 ) );
1812 MPI_CHK( mpi_shift_r( &Y, 1 ) );
1816 if( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) == 0 )
1818 if( ( ret = mpi_is_prime( &Y, f_rng, p_rng ) ) == 0 )
1821 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1825 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1828 MPI_CHK( mpi_add_int( &Y, X, 1 ) );
1829 MPI_CHK( mpi_add_int( X, X, 2 ) );
1830 MPI_CHK( mpi_shift_r( &Y, 1 ) );
1836 mpi_free( &Y, NULL );
1843 #if defined(POLARSSL_SELF_TEST)
1845 #define GCD_PAIR_COUNT 3
1847 static const int gcd_pairs[GCD_PAIR_COUNT][3] =
1851 { 768454923, 542167814, 1 }
1857 int mpi_self_test( int verbose )
1860 mpi A, E, N, X, Y, U, V;
1862 mpi_init( &A, &E, &N, &X, &Y, &U, &V, NULL );
1864 MPI_CHK( mpi_read_string( &A, 16,
1865 "EFE021C2645FD1DC586E69184AF4A31E" \
1866 "D5F53E93B5F123FA41680867BA110131" \
1867 "944FE7952E2517337780CB0DB80E61AA" \
1868 "E7C8DDC6C5C6AADEB34EB38A2F40D5E6" ) );
1870 MPI_CHK( mpi_read_string( &E, 16,
1871 "B2E7EFD37075B9F03FF989C7C5051C20" \
1872 "34D2A323810251127E7BF8625A4F49A5" \
1873 "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
1874 "5B5C25763222FEFCCFC38B832366C29E" ) );
1876 MPI_CHK( mpi_read_string( &N, 16,
1877 "0066A198186C18C10B2F5ED9B522752A" \
1878 "9830B69916E535C8F047518A889A43A5" \
1879 "94B6BED27A168D31D4A52F88925AA8F5" ) );
1881 MPI_CHK( mpi_mul_mpi( &X, &A, &N ) );
1883 MPI_CHK( mpi_read_string( &U, 16,
1884 "602AB7ECA597A3D6B56FF9829A5E8B85" \
1885 "9E857EA95A03512E2BAE7391688D264A" \
1886 "A5663B0341DB9CCFD2C4C5F421FEC814" \
1887 "8001B72E848A38CAE1C65F78E56ABDEF" \
1888 "E12D3C039B8A02D6BE593F0BBBDA56F1" \
1889 "ECF677152EF804370C1A305CAF3B5BF1" \
1890 "30879B56C61DE584A0F53A2447A51E" ) );
1893 printf( " MPI test #1 (mul_mpi): " );
1895 if( mpi_cmp_mpi( &X, &U ) != 0 )
1898 printf( "failed\n" );
1904 printf( "passed\n" );
1906 MPI_CHK( mpi_div_mpi( &X, &Y, &A, &N ) );
1908 MPI_CHK( mpi_read_string( &U, 16,
1909 "256567336059E52CAE22925474705F39A94" ) );
1911 MPI_CHK( mpi_read_string( &V, 16,
1912 "6613F26162223DF488E9CD48CC132C7A" \
1913 "0AC93C701B001B092E4E5B9F73BCD27B" \
1914 "9EE50D0657C77F374E903CDFA4C642" ) );
1917 printf( " MPI test #2 (div_mpi): " );
1919 if( mpi_cmp_mpi( &X, &U ) != 0 ||
1920 mpi_cmp_mpi( &Y, &V ) != 0 )
1923 printf( "failed\n" );
1929 printf( "passed\n" );
1931 MPI_CHK( mpi_exp_mod( &X, &A, &E, &N, NULL ) );
1933 MPI_CHK( mpi_read_string( &U, 16,
1934 "36E139AEA55215609D2816998ED020BB" \
1935 "BD96C37890F65171D948E9BC7CBAA4D9" \
1936 "325D24D6A3C12710F10A09FA08AB87" ) );
1939 printf( " MPI test #3 (exp_mod): " );
1941 if( mpi_cmp_mpi( &X, &U ) != 0 )
1944 printf( "failed\n" );
1950 printf( "passed\n" );
1952 MPI_CHK( mpi_inv_mod( &X, &A, &N ) );
1954 MPI_CHK( mpi_read_string( &U, 16,
1955 "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
1956 "C3DBA76456363A10869622EAC2DD84EC" \
1957 "C5B8A74DAC4D09E03B5E0BE779F2DF61" ) );
1960 printf( " MPI test #4 (inv_mod): " );
1962 if( mpi_cmp_mpi( &X, &U ) != 0 )
1965 printf( "failed\n" );
1971 printf( "passed\n" );
1974 printf( " MPI test #5 (simple gcd): " );
1976 for ( i = 0; i < GCD_PAIR_COUNT; i++)
1978 MPI_CHK( mpi_lset( &X, gcd_pairs[i][0] ) );
1979 MPI_CHK( mpi_lset( &Y, gcd_pairs[i][1] ) );
1981 MPI_CHK( mpi_gcd( &A, &X, &Y ) );
1983 if( mpi_cmp_int( &A, gcd_pairs[i][2] ) != 0 )
1986 printf( "failed at %d\n", i );
1993 printf( "passed\n" );
1997 if( ret != 0 && verbose != 0 )
1998 printf( "Unexpected error, return code = %08X\n", ret );
2000 mpi_free( &V, &U, &Y, &X, &N, &E, &A, NULL );
projects / openwrt.git / blob