2 * Multi-precision integer library
4 * Copyright (C) 2006-2010, Brainspark B.V.
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26 * This MPI implementation is based on:
28 * http://www.cacr.math.uwaterloo.ca/hac/about/chap14.pdf
29 * http://www.stillhq.com/extracted/gnupg-api/mpi/
30 * http://math.libtomcrypt.com/files/tommath.pdf
33 #include "polarssl/config.h"
35 #if defined(POLARSSL_BIGNUM_C)
37 #include "polarssl/bignum.h"
38 #include "polarssl/bn_mul.h"
44 #define ciL ((int) sizeof(t_int)) /* chars in limb */
45 #define biL (ciL << 3) /* bits in limb */
46 #define biH (ciL << 2) /* half limb size */
49 * Convert between bits/chars and number of limbs
51 #define BITS_TO_LIMBS(i) (((i) + biL - 1) / biL)
52 #define CHARS_TO_LIMBS(i) (((i) + ciL - 1) / ciL)
55 * Initialize one or more mpi
57 void mpi_init( mpi *X, ... )
69 X = va_arg( args, mpi* );
76 * Unallocate one or more mpi
78 void mpi_free( mpi *X, ... )
88 memset( X->p, 0, X->n * ciL );
96 X = va_arg( args, mpi* );
103 * Enlarge to the specified number of limbs
105 int mpi_grow( mpi *X, int nblimbs )
111 if( ( p = (t_int *) malloc( nblimbs * ciL ) ) == NULL )
114 memset( p, 0, nblimbs * ciL );
118 memcpy( p, X->p, X->n * ciL );
119 memset( X->p, 0, X->n * ciL );
131 * Copy the contents of Y into X
133 int mpi_copy( mpi *X, const mpi *Y )
140 for( i = Y->n - 1; i > 0; i-- )
147 MPI_CHK( mpi_grow( X, i ) );
149 memset( X->p, 0, X->n * ciL );
150 memcpy( X->p, Y->p, i * ciL );
158 * Swap the contents of X and Y
160 void mpi_swap( mpi *X, mpi *Y )
164 memcpy( &T, X, sizeof( mpi ) );
165 memcpy( X, Y, sizeof( mpi ) );
166 memcpy( Y, &T, sizeof( mpi ) );
170 * Set value from integer
172 int mpi_lset( mpi *X, int z )
176 MPI_CHK( mpi_grow( X, 1 ) );
177 memset( X->p, 0, X->n * ciL );
179 X->p[0] = ( z < 0 ) ? -z : z;
180 X->s = ( z < 0 ) ? -1 : 1;
188 * Return the number of least significant bits
190 int mpi_lsb( const mpi *X )
194 for( i = 0; i < X->n; i++ )
195 for( j = 0; j < (int) biL; j++, count++ )
196 if( ( ( X->p[i] >> j ) & 1 ) != 0 )
203 * Return the number of most significant bits
205 int mpi_msb( const mpi *X )
209 for( i = X->n - 1; i > 0; i-- )
213 for( j = biL - 1; j >= 0; j-- )
214 if( ( ( X->p[i] >> j ) & 1 ) != 0 )
217 return( ( i * biL ) + j + 1 );
221 * Return the total size in bytes
223 int mpi_size( const mpi *X )
225 return( ( mpi_msb( X ) + 7 ) >> 3 );
229 * Convert an ASCII character to digit value
231 static int mpi_get_digit( t_int *d, int radix, char c )
235 if( c >= 0x30 && c <= 0x39 ) *d = c - 0x30;
236 if( c >= 0x41 && c <= 0x46 ) *d = c - 0x37;
237 if( c >= 0x61 && c <= 0x66 ) *d = c - 0x57;
239 if( *d >= (t_int) radix )
240 return( POLARSSL_ERR_MPI_INVALID_CHARACTER );
246 * Import from an ASCII string
248 int mpi_read_string( mpi *X, int radix, const char *s )
250 int ret, i, j, n, slen;
254 if( radix < 2 || radix > 16 )
255 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
257 mpi_init( &T, NULL );
263 n = BITS_TO_LIMBS( slen << 2 );
265 MPI_CHK( mpi_grow( X, n ) );
266 MPI_CHK( mpi_lset( X, 0 ) );
268 for( i = slen - 1, j = 0; i >= 0; i--, j++ )
270 if( i == 0 && s[i] == '-' )
276 MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
277 X->p[j / (2 * ciL)] |= d << ( (j % (2 * ciL)) << 2 );
282 MPI_CHK( mpi_lset( X, 0 ) );
284 for( i = 0; i < slen; i++ )
286 if( i == 0 && s[i] == '-' )
292 MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
293 MPI_CHK( mpi_mul_int( &T, X, radix ) );
297 MPI_CHK( mpi_add_int( X, &T, d ) );
301 MPI_CHK( mpi_sub_int( X, &T, d ) );
308 mpi_free( &T, NULL );
314 * Helper to write the digits high-order first
316 static int mpi_write_hlp( mpi *X, int radix, char **p )
321 if( radix < 2 || radix > 16 )
322 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
324 MPI_CHK( mpi_mod_int( &r, X, radix ) );
325 MPI_CHK( mpi_div_int( X, NULL, X, radix ) );
327 if( mpi_cmp_int( X, 0 ) != 0 )
328 MPI_CHK( mpi_write_hlp( X, radix, p ) );
331 *(*p)++ = (char)( r + 0x30 );
333 *(*p)++ = (char)( r + 0x37 );
341 * Export into an ASCII string
343 int mpi_write_string( const mpi *X, int radix, char *s, int *slen )
349 if( radix < 2 || radix > 16 )
350 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
353 if( radix >= 4 ) n >>= 1;
354 if( radix >= 16 ) n >>= 1;
360 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
364 mpi_init( &T, NULL );
373 for( i = X->n - 1, k = 0; i >= 0; i-- )
375 for( j = ciL - 1; j >= 0; j-- )
377 c = ( X->p[i] >> (j << 3) ) & 0xFF;
379 if( c == 0 && k == 0 && (i + j) != 0 )
382 p += sprintf( p, "%02X", c );
389 MPI_CHK( mpi_copy( &T, X ) );
394 MPI_CHK( mpi_write_hlp( &T, radix, &p ) );
402 mpi_free( &T, NULL );
408 * Read X from an opened file
410 int mpi_read_file( mpi *X, int radix, FILE *fin )
417 memset( s, 0, sizeof( s ) );
418 if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
419 return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
422 if( s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
423 if( s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
427 if( mpi_get_digit( &d, radix, *p ) != 0 )
430 return( mpi_read_string( X, radix, p + 1 ) );
434 * Write X into an opened file (or stdout if fout == NULL)
436 int mpi_write_file( const char *p, const mpi *X, int radix, FILE *fout )
447 MPI_CHK( mpi_write_string( X, radix, s, (int *) &n ) );
449 if( p == NULL ) p = "";
458 if( fwrite( p, 1, plen, fout ) != plen ||
459 fwrite( s, 1, slen, fout ) != slen )
460 return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
463 printf( "%s%s", p, s );
471 * Import X from unsigned binary data, big endian
473 int mpi_read_binary( mpi *X, const unsigned char *buf, int buflen )
477 for( n = 0; n < buflen; n++ )
481 MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( buflen - n ) ) );
482 MPI_CHK( mpi_lset( X, 0 ) );
484 for( i = buflen - 1, j = 0; i >= n; i--, j++ )
485 X->p[j / ciL] |= ((t_int) buf[i]) << ((j % ciL) << 3);
493 * Export X into unsigned binary data, big endian
495 int mpi_write_binary( const mpi *X, unsigned char *buf, int buflen )
502 return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
504 memset( buf, 0, buflen );
506 for( i = buflen - 1, j = 0; n > 0; i--, j++, n-- )
507 buf[i] = (unsigned char)( X->p[j / ciL] >> ((j % ciL) << 3) );
513 * Left-shift: X <<= count
515 int mpi_shift_l( mpi *X, int count )
521 t1 = count & (biL - 1);
523 i = mpi_msb( X ) + count;
525 if( X->n * (int) biL < i )
526 MPI_CHK( mpi_grow( X, BITS_TO_LIMBS( i ) ) );
531 * shift by count / limb_size
535 for( i = X->n - 1; i >= v0; i-- )
536 X->p[i] = X->p[i - v0];
543 * shift by count % limb_size
547 for( i = v0; i < X->n; i++ )
549 r1 = X->p[i] >> (biL - t1);
562 * Right-shift: X >>= count
564 int mpi_shift_r( mpi *X, int count )
570 v1 = count & (biL - 1);
573 * shift by count / limb_size
577 for( i = 0; i < X->n - v0; i++ )
578 X->p[i] = X->p[i + v0];
580 for( ; i < X->n; i++ )
585 * shift by count % limb_size
589 for( i = X->n - 1; i >= 0; i-- )
591 r1 = X->p[i] << (biL - v1);
602 * Compare unsigned values
604 int mpi_cmp_abs( const mpi *X, const mpi *Y )
608 for( i = X->n - 1; i >= 0; i-- )
612 for( j = Y->n - 1; j >= 0; j-- )
619 if( i > j ) return( 1 );
620 if( j > i ) return( -1 );
624 if( X->p[i] > Y->p[i] ) return( 1 );
625 if( X->p[i] < Y->p[i] ) return( -1 );
632 * Compare signed values
634 int mpi_cmp_mpi( const mpi *X, const mpi *Y )
638 for( i = X->n - 1; i >= 0; i-- )
642 for( j = Y->n - 1; j >= 0; j-- )
649 if( i > j ) return( X->s );
650 if( j > i ) return( -X->s );
652 if( X->s > 0 && Y->s < 0 ) return( 1 );
653 if( Y->s > 0 && X->s < 0 ) return( -1 );
657 if( X->p[i] > Y->p[i] ) return( X->s );
658 if( X->p[i] < Y->p[i] ) return( -X->s );
665 * Compare signed values
667 int mpi_cmp_int( const mpi *X, int z )
672 *p = ( z < 0 ) ? -z : z;
673 Y.s = ( z < 0 ) ? -1 : 1;
677 return( mpi_cmp_mpi( X, &Y ) );
681 * Unsigned addition: X = |A| + |B| (HAC 14.7)
683 int mpi_add_abs( mpi *X, const mpi *A, const mpi *B )
690 const mpi *T = A; A = X; B = T;
694 MPI_CHK( mpi_copy( X, A ) );
697 * X should always be positive as a result of unsigned additions.
701 for( j = B->n - 1; j >= 0; j-- )
705 MPI_CHK( mpi_grow( X, j + 1 ) );
707 o = B->p; p = X->p; c = 0;
709 for( i = 0; i <= j; i++, o++, p++ )
711 *p += c; c = ( *p < c );
712 *p += *o; c += ( *p < *o );
719 MPI_CHK( mpi_grow( X, i + 1 ) );
723 *p += c; c = ( *p < c ); i++;
732 * Helper for mpi substraction
734 static void mpi_sub_hlp( int n, t_int *s, t_int *d )
739 for( i = c = 0; i < n; i++, s++, d++ )
741 z = ( *d < c ); *d -= c;
742 c = ( *d < *s ) + z; *d -= *s;
747 z = ( *d < c ); *d -= c;
753 * Unsigned substraction: X = |A| - |B| (HAC 14.9)
755 int mpi_sub_abs( mpi *X, const mpi *A, const mpi *B )
760 if( mpi_cmp_abs( A, B ) < 0 )
761 return( POLARSSL_ERR_MPI_NEGATIVE_VALUE );
763 mpi_init( &TB, NULL );
767 MPI_CHK( mpi_copy( &TB, B ) );
772 MPI_CHK( mpi_copy( X, A ) );
775 * X should always be positive as a result of unsigned substractions.
781 for( n = B->n - 1; n >= 0; n-- )
785 mpi_sub_hlp( n + 1, B->p, X->p );
789 mpi_free( &TB, NULL );
795 * Signed addition: X = A + B
797 int mpi_add_mpi( mpi *X, const mpi *A, const mpi *B )
801 if( A->s * B->s < 0 )
803 if( mpi_cmp_abs( A, B ) >= 0 )
805 MPI_CHK( mpi_sub_abs( X, A, B ) );
810 MPI_CHK( mpi_sub_abs( X, B, A ) );
816 MPI_CHK( mpi_add_abs( X, A, B ) );
826 * Signed substraction: X = A - B
828 int mpi_sub_mpi( mpi *X, const mpi *A, const mpi *B )
832 if( A->s * B->s > 0 )
834 if( mpi_cmp_abs( A, B ) >= 0 )
836 MPI_CHK( mpi_sub_abs( X, A, B ) );
841 MPI_CHK( mpi_sub_abs( X, B, A ) );
847 MPI_CHK( mpi_add_abs( X, A, B ) );
857 * Signed addition: X = A + b
859 int mpi_add_int( mpi *X, const mpi *A, int b )
864 p[0] = ( b < 0 ) ? -b : b;
865 _B.s = ( b < 0 ) ? -1 : 1;
869 return( mpi_add_mpi( X, A, &_B ) );
873 * Signed substraction: X = A - b
875 int mpi_sub_int( mpi *X, const mpi *A, int b )
880 p[0] = ( b < 0 ) ? -b : b;
881 _B.s = ( b < 0 ) ? -1 : 1;
885 return( mpi_sub_mpi( X, A, &_B ) );
889 * Helper for mpi multiplication
891 static void mpi_mul_hlp( int i, t_int *s, t_int *d, t_int b )
895 #if defined(MULADDC_HUIT)
896 for( ; i >= 8; i -= 8 )
910 for( ; i >= 16; i -= 16 )
913 MULADDC_CORE MULADDC_CORE
914 MULADDC_CORE MULADDC_CORE
915 MULADDC_CORE MULADDC_CORE
916 MULADDC_CORE MULADDC_CORE
918 MULADDC_CORE MULADDC_CORE
919 MULADDC_CORE MULADDC_CORE
920 MULADDC_CORE MULADDC_CORE
921 MULADDC_CORE MULADDC_CORE
925 for( ; i >= 8; i -= 8 )
928 MULADDC_CORE MULADDC_CORE
929 MULADDC_CORE MULADDC_CORE
931 MULADDC_CORE MULADDC_CORE
932 MULADDC_CORE MULADDC_CORE
947 *d += c; c = ( *d < c ); d++;
953 * Baseline multiplication: X = A * B (HAC 14.12)
955 int mpi_mul_mpi( mpi *X, const mpi *A, const mpi *B )
960 mpi_init( &TA, &TB, NULL );
962 if( X == A ) { MPI_CHK( mpi_copy( &TA, A ) ); A = &TA; }
963 if( X == B ) { MPI_CHK( mpi_copy( &TB, B ) ); B = &TB; }
965 for( i = A->n - 1; i >= 0; i-- )
969 for( j = B->n - 1; j >= 0; j-- )
973 MPI_CHK( mpi_grow( X, i + j + 2 ) );
974 MPI_CHK( mpi_lset( X, 0 ) );
976 for( i++; j >= 0; j-- )
977 mpi_mul_hlp( i, A->p, X->p + j, B->p[j] );
983 mpi_free( &TB, &TA, NULL );
989 * Baseline multiplication: X = A * b
991 int mpi_mul_int( mpi *X, const mpi *A, t_int b )
1001 return( mpi_mul_mpi( X, A, &_B ) );
1005 * Division by mpi: A = Q * B + R (HAC 14.20)
1007 int mpi_div_mpi( mpi *Q, mpi *R, const mpi *A, const mpi *B )
1009 int ret, i, n, t, k;
1010 mpi X, Y, Z, T1, T2;
1012 if( mpi_cmp_int( B, 0 ) == 0 )
1013 return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
1015 mpi_init( &X, &Y, &Z, &T1, &T2, NULL );
1017 if( mpi_cmp_abs( A, B ) < 0 )
1019 if( Q != NULL ) MPI_CHK( mpi_lset( Q, 0 ) );
1020 if( R != NULL ) MPI_CHK( mpi_copy( R, A ) );
1024 MPI_CHK( mpi_copy( &X, A ) );
1025 MPI_CHK( mpi_copy( &Y, B ) );
1028 MPI_CHK( mpi_grow( &Z, A->n + 2 ) );
1029 MPI_CHK( mpi_lset( &Z, 0 ) );
1030 MPI_CHK( mpi_grow( &T1, 2 ) );
1031 MPI_CHK( mpi_grow( &T2, 3 ) );
1033 k = mpi_msb( &Y ) % biL;
1034 if( k < (int) biL - 1 )
1037 MPI_CHK( mpi_shift_l( &X, k ) );
1038 MPI_CHK( mpi_shift_l( &Y, k ) );
1044 mpi_shift_l( &Y, biL * (n - t) );
1046 while( mpi_cmp_mpi( &X, &Y ) >= 0 )
1049 mpi_sub_mpi( &X, &X, &Y );
1051 mpi_shift_r( &Y, biL * (n - t) );
1053 for( i = n; i > t ; i-- )
1055 if( X.p[i] >= Y.p[t] )
1056 Z.p[i - t - 1] = ~0;
1059 #if defined(POLARSSL_HAVE_LONGLONG)
1062 r = (t_dbl) X.p[i] << biL;
1063 r |= (t_dbl) X.p[i - 1];
1065 if( r > ((t_dbl) 1 << biL) - 1)
1066 r = ((t_dbl) 1 << biL) - 1;
1068 Z.p[i - t - 1] = (t_int) r;
1071 * __udiv_qrnnd_c, from gmp/longlong.h
1073 t_int q0, q1, r0, r1;
1077 d0 = ( d << biH ) >> biH;
1081 r1 = X.p[i] - d1 * q1;
1083 r1 |= ( X.p[i - 1] >> biH );
1089 while( r1 >= d && r1 < m )
1097 r0 |= ( X.p[i - 1] << biH ) >> biH;
1103 while( r0 >= d && r0 < m )
1108 Z.p[i - t - 1] = ( q1 << biH ) | q0;
1117 MPI_CHK( mpi_lset( &T1, 0 ) );
1118 T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
1120 MPI_CHK( mpi_mul_int( &T1, &T1, Z.p[i - t - 1] ) );
1122 MPI_CHK( mpi_lset( &T2, 0 ) );
1123 T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
1124 T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
1127 while( mpi_cmp_mpi( &T1, &T2 ) > 0 );
1129 MPI_CHK( mpi_mul_int( &T1, &Y, Z.p[i - t - 1] ) );
1130 MPI_CHK( mpi_shift_l( &T1, biL * (i - t - 1) ) );
1131 MPI_CHK( mpi_sub_mpi( &X, &X, &T1 ) );
1133 if( mpi_cmp_int( &X, 0 ) < 0 )
1135 MPI_CHK( mpi_copy( &T1, &Y ) );
1136 MPI_CHK( mpi_shift_l( &T1, biL * (i - t - 1) ) );
1137 MPI_CHK( mpi_add_mpi( &X, &X, &T1 ) );
1150 mpi_shift_r( &X, k );
1154 if( mpi_cmp_int( R, 0 ) == 0 )
1160 mpi_free( &X, &Y, &Z, &T1, &T2, NULL );
1166 * Division by int: A = Q * b + R
1168 * Returns 0 if successful
1169 * 1 if memory allocation failed
1170 * POLARSSL_ERR_MPI_DIVISION_BY_ZERO if b == 0
1172 int mpi_div_int( mpi *Q, mpi *R, const mpi *A, int b )
1177 p[0] = ( b < 0 ) ? -b : b;
1178 _B.s = ( b < 0 ) ? -1 : 1;
1182 return( mpi_div_mpi( Q, R, A, &_B ) );
1186 * Modulo: R = A mod B
1188 int mpi_mod_mpi( mpi *R, const mpi *A, const mpi *B )
1192 if( mpi_cmp_int( B, 0 ) < 0 )
1193 return POLARSSL_ERR_MPI_NEGATIVE_VALUE;
1195 MPI_CHK( mpi_div_mpi( NULL, R, A, B ) );
1197 while( mpi_cmp_int( R, 0 ) < 0 )
1198 MPI_CHK( mpi_add_mpi( R, R, B ) );
1200 while( mpi_cmp_mpi( R, B ) >= 0 )
1201 MPI_CHK( mpi_sub_mpi( R, R, B ) );
1209 * Modulo: r = A mod b
1211 int mpi_mod_int( t_int *r, const mpi *A, int b )
1217 return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
1220 return POLARSSL_ERR_MPI_NEGATIVE_VALUE;
1223 * handle trivial cases
1240 for( i = A->n - 1, y = 0; i >= 0; i-- )
1243 y = ( y << biH ) | ( x >> biH );
1248 y = ( y << biH ) | ( x >> biH );
1254 * If A is negative, then the current y represents a negative value.
1255 * Flipping it to the positive side.
1257 if( A->s < 0 && y != 0 )
1266 * Fast Montgomery initialization (thanks to Tom St Denis)
1268 static void mpi_montg_init( t_int *mm, const mpi *N )
1270 t_int x, m0 = N->p[0];
1273 x += ( ( m0 + 2 ) & 4 ) << 1;
1274 x *= ( 2 - ( m0 * x ) );
1276 if( biL >= 16 ) x *= ( 2 - ( m0 * x ) );
1277 if( biL >= 32 ) x *= ( 2 - ( m0 * x ) );
1278 if( biL >= 64 ) x *= ( 2 - ( m0 * x ) );
1284 * Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
1286 static void mpi_montmul( mpi *A, const mpi *B, const mpi *N, t_int mm, const mpi *T )
1291 memset( T->p, 0, T->n * ciL );
1295 m = ( B->n < n ) ? B->n : n;
1297 for( i = 0; i < n; i++ )
1300 * T = (T + u0*B + u1*N) / 2^biL
1303 u1 = ( d[0] + u0 * B->p[0] ) * mm;
1305 mpi_mul_hlp( m, B->p, d, u0 );
1306 mpi_mul_hlp( n, N->p, d, u1 );
1308 *d++ = u0; d[n + 1] = 0;
1311 memcpy( A->p, d, (n + 1) * ciL );
1313 if( mpi_cmp_abs( A, N ) >= 0 )
1314 mpi_sub_hlp( n, N->p, A->p );
1316 /* prevent timing attacks */
1317 mpi_sub_hlp( n, A->p, T->p );
1321 * Montgomery reduction: A = A * R^-1 mod N
1323 static void mpi_montred( mpi *A, const mpi *N, t_int mm, const mpi *T )
1331 mpi_montmul( A, &U, N, mm, T );
1335 * Sliding-window exponentiation: X = A^E mod N (HAC 14.85)
1337 int mpi_exp_mod( mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR )
1339 int ret, i, j, wsize, wbits;
1340 int bufsize, nblimbs, nbits;
1341 t_int ei, mm, state;
1344 if( mpi_cmp_int( N, 0 ) < 0 || ( N->p[0] & 1 ) == 0 )
1345 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1348 * Init temps and window size
1350 mpi_montg_init( &mm, N );
1351 mpi_init( &RR, &T, NULL );
1352 memset( W, 0, sizeof( W ) );
1356 wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
1357 ( i > 79 ) ? 4 : ( i > 23 ) ? 3 : 1;
1360 MPI_CHK( mpi_grow( X, j ) );
1361 MPI_CHK( mpi_grow( &W[1], j ) );
1362 MPI_CHK( mpi_grow( &T, j * 2 ) );
1365 * If 1st call, pre-compute R^2 mod N
1367 if( _RR == NULL || _RR->p == NULL )
1369 MPI_CHK( mpi_lset( &RR, 1 ) );
1370 MPI_CHK( mpi_shift_l( &RR, N->n * 2 * biL ) );
1371 MPI_CHK( mpi_mod_mpi( &RR, &RR, N ) );
1374 memcpy( _RR, &RR, sizeof( mpi ) );
1377 memcpy( &RR, _RR, sizeof( mpi ) );
1380 * W[1] = A * R^2 * R^-1 mod N = A * R mod N
1382 if( mpi_cmp_mpi( A, N ) >= 0 )
1383 mpi_mod_mpi( &W[1], A, N );
1384 else mpi_copy( &W[1], A );
1386 mpi_montmul( &W[1], &RR, N, mm, &T );
1389 * X = R^2 * R^-1 mod N = R mod N
1391 MPI_CHK( mpi_copy( X, &RR ) );
1392 mpi_montred( X, N, mm, &T );
1397 * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
1399 j = 1 << (wsize - 1);
1401 MPI_CHK( mpi_grow( &W[j], N->n + 1 ) );
1402 MPI_CHK( mpi_copy( &W[j], &W[1] ) );
1404 for( i = 0; i < wsize - 1; i++ )
1405 mpi_montmul( &W[j], &W[j], N, mm, &T );
1408 * W[i] = W[i - 1] * W[1]
1410 for( i = j + 1; i < (1 << wsize); i++ )
1412 MPI_CHK( mpi_grow( &W[i], N->n + 1 ) );
1413 MPI_CHK( mpi_copy( &W[i], &W[i - 1] ) );
1415 mpi_montmul( &W[i], &W[1], N, mm, &T );
1429 if( nblimbs-- == 0 )
1432 bufsize = sizeof( t_int ) << 3;
1437 ei = (E->p[nblimbs] >> bufsize) & 1;
1442 if( ei == 0 && state == 0 )
1445 if( ei == 0 && state == 1 )
1448 * out of window, square X
1450 mpi_montmul( X, X, N, mm, &T );
1455 * add ei to current window
1460 wbits |= (ei << (wsize - nbits));
1462 if( nbits == wsize )
1465 * X = X^wsize R^-1 mod N
1467 for( i = 0; i < wsize; i++ )
1468 mpi_montmul( X, X, N, mm, &T );
1471 * X = X * W[wbits] R^-1 mod N
1473 mpi_montmul( X, &W[wbits], N, mm, &T );
1482 * process the remaining bits
1484 for( i = 0; i < nbits; i++ )
1486 mpi_montmul( X, X, N, mm, &T );
1490 if( (wbits & (1 << wsize)) != 0 )
1491 mpi_montmul( X, &W[1], N, mm, &T );
1495 * X = A^E * R * R^-1 mod N = A^E mod N
1497 mpi_montred( X, N, mm, &T );
1501 for( i = (1 << (wsize - 1)); i < (1 << wsize); i++ )
1502 mpi_free( &W[i], NULL );
1505 mpi_free( &W[1], &T, NULL );
1506 else mpi_free( &W[1], &T, &RR, NULL );
1512 * Greatest common divisor: G = gcd(A, B) (HAC 14.54)
1514 int mpi_gcd( mpi *G, const mpi *A, const mpi *B )
1519 mpi_init( &TG, &TA, &TB, NULL );
1521 MPI_CHK( mpi_copy( &TA, A ) );
1522 MPI_CHK( mpi_copy( &TB, B ) );
1524 lz = mpi_lsb( &TA );
1525 lzt = mpi_lsb( &TB );
1530 MPI_CHK( mpi_shift_r( &TA, lz ) );
1531 MPI_CHK( mpi_shift_r( &TB, lz ) );
1535 while( mpi_cmp_int( &TA, 0 ) != 0 )
1537 MPI_CHK( mpi_shift_r( &TA, mpi_lsb( &TA ) ) );
1538 MPI_CHK( mpi_shift_r( &TB, mpi_lsb( &TB ) ) );
1540 if( mpi_cmp_mpi( &TA, &TB ) >= 0 )
1542 MPI_CHK( mpi_sub_abs( &TA, &TA, &TB ) );
1543 MPI_CHK( mpi_shift_r( &TA, 1 ) );
1547 MPI_CHK( mpi_sub_abs( &TB, &TB, &TA ) );
1548 MPI_CHK( mpi_shift_r( &TB, 1 ) );
1552 MPI_CHK( mpi_shift_l( &TB, lz ) );
1553 MPI_CHK( mpi_copy( G, &TB ) );
1557 mpi_free( &TB, &TA, &TG, NULL );
1562 #if defined(POLARSSL_GENPRIME)
1565 * Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
1567 int mpi_inv_mod( mpi *X, const mpi *A, const mpi *N )
1570 mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
1572 if( mpi_cmp_int( N, 0 ) <= 0 )
1573 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1575 mpi_init( &TA, &TU, &U1, &U2, &G,
1576 &TB, &TV, &V1, &V2, NULL );
1578 MPI_CHK( mpi_gcd( &G, A, N ) );
1580 if( mpi_cmp_int( &G, 1 ) != 0 )
1582 ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
1586 MPI_CHK( mpi_mod_mpi( &TA, A, N ) );
1587 MPI_CHK( mpi_copy( &TU, &TA ) );
1588 MPI_CHK( mpi_copy( &TB, N ) );
1589 MPI_CHK( mpi_copy( &TV, N ) );
1591 MPI_CHK( mpi_lset( &U1, 1 ) );
1592 MPI_CHK( mpi_lset( &U2, 0 ) );
1593 MPI_CHK( mpi_lset( &V1, 0 ) );
1594 MPI_CHK( mpi_lset( &V2, 1 ) );
1598 while( ( TU.p[0] & 1 ) == 0 )
1600 MPI_CHK( mpi_shift_r( &TU, 1 ) );
1602 if( ( U1.p[0] & 1 ) != 0 || ( U2.p[0] & 1 ) != 0 )
1604 MPI_CHK( mpi_add_mpi( &U1, &U1, &TB ) );
1605 MPI_CHK( mpi_sub_mpi( &U2, &U2, &TA ) );
1608 MPI_CHK( mpi_shift_r( &U1, 1 ) );
1609 MPI_CHK( mpi_shift_r( &U2, 1 ) );
1612 while( ( TV.p[0] & 1 ) == 0 )
1614 MPI_CHK( mpi_shift_r( &TV, 1 ) );
1616 if( ( V1.p[0] & 1 ) != 0 || ( V2.p[0] & 1 ) != 0 )
1618 MPI_CHK( mpi_add_mpi( &V1, &V1, &TB ) );
1619 MPI_CHK( mpi_sub_mpi( &V2, &V2, &TA ) );
1622 MPI_CHK( mpi_shift_r( &V1, 1 ) );
1623 MPI_CHK( mpi_shift_r( &V2, 1 ) );
1626 if( mpi_cmp_mpi( &TU, &TV ) >= 0 )
1628 MPI_CHK( mpi_sub_mpi( &TU, &TU, &TV ) );
1629 MPI_CHK( mpi_sub_mpi( &U1, &U1, &V1 ) );
1630 MPI_CHK( mpi_sub_mpi( &U2, &U2, &V2 ) );
1634 MPI_CHK( mpi_sub_mpi( &TV, &TV, &TU ) );
1635 MPI_CHK( mpi_sub_mpi( &V1, &V1, &U1 ) );
1636 MPI_CHK( mpi_sub_mpi( &V2, &V2, &U2 ) );
1639 while( mpi_cmp_int( &TU, 0 ) != 0 );
1641 while( mpi_cmp_int( &V1, 0 ) < 0 )
1642 MPI_CHK( mpi_add_mpi( &V1, &V1, N ) );
1644 while( mpi_cmp_mpi( &V1, N ) >= 0 )
1645 MPI_CHK( mpi_sub_mpi( &V1, &V1, N ) );
1647 MPI_CHK( mpi_copy( X, &V1 ) );
1651 mpi_free( &V2, &V1, &TV, &TB, &G,
1652 &U2, &U1, &TU, &TA, NULL );
1657 static const int small_prime[] =
1659 3, 5, 7, 11, 13, 17, 19, 23,
1660 29, 31, 37, 41, 43, 47, 53, 59,
1661 61, 67, 71, 73, 79, 83, 89, 97,
1662 101, 103, 107, 109, 113, 127, 131, 137,
1663 139, 149, 151, 157, 163, 167, 173, 179,
1664 181, 191, 193, 197, 199, 211, 223, 227,
1665 229, 233, 239, 241, 251, 257, 263, 269,
1666 271, 277, 281, 283, 293, 307, 311, 313,
1667 317, 331, 337, 347, 349, 353, 359, 367,
1668 373, 379, 383, 389, 397, 401, 409, 419,
1669 421, 431, 433, 439, 443, 449, 457, 461,
1670 463, 467, 479, 487, 491, 499, 503, 509,
1671 521, 523, 541, 547, 557, 563, 569, 571,
1672 577, 587, 593, 599, 601, 607, 613, 617,
1673 619, 631, 641, 643, 647, 653, 659, 661,
1674 673, 677, 683, 691, 701, 709, 719, 727,
1675 733, 739, 743, 751, 757, 761, 769, 773,
1676 787, 797, 809, 811, 821, 823, 827, 829,
1677 839, 853, 857, 859, 863, 877, 881, 883,
1678 887, 907, 911, 919, 929, 937, 941, 947,
1679 953, 967, 971, 977, 983, 991, 997, -103
1683 * Miller-Rabin primality test (HAC 4.24)
1685 int mpi_is_prime( mpi *X, int (*f_rng)(void *), void *p_rng )
1687 int ret, i, j, n, s, xs;
1691 if( mpi_cmp_int( X, 0 ) == 0 ||
1692 mpi_cmp_int( X, 1 ) == 0 )
1693 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
1695 if( mpi_cmp_int( X, 2 ) == 0 )
1698 mpi_init( &W, &R, &T, &A, &RR, NULL );
1700 xs = X->s; X->s = 1;
1703 * test trivial factors first
1705 if( ( X->p[0] & 1 ) == 0 )
1706 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
1708 for( i = 0; small_prime[i] > 0; i++ )
1712 if( mpi_cmp_int( X, small_prime[i] ) <= 0 )
1715 MPI_CHK( mpi_mod_int( &r, X, small_prime[i] ) );
1718 return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
1725 MPI_CHK( mpi_sub_int( &W, X, 1 ) );
1727 MPI_CHK( mpi_copy( &R, &W ) );
1728 MPI_CHK( mpi_shift_r( &R, s ) );
1734 n = ( ( i >= 1300 ) ? 2 : ( i >= 850 ) ? 3 :
1735 ( i >= 650 ) ? 4 : ( i >= 350 ) ? 8 :
1736 ( i >= 250 ) ? 12 : ( i >= 150 ) ? 18 : 27 );
1738 for( i = 0; i < n; i++ )
1741 * pick a random A, 1 < A < |X| - 1
1743 MPI_CHK( mpi_grow( &A, X->n ) );
1745 p = (unsigned char *) A.p;
1746 for( j = 0; j < A.n * ciL; j++ )
1747 *p++ = (unsigned char) f_rng( p_rng );
1749 j = mpi_msb( &A ) - mpi_msb( &W );
1750 MPI_CHK( mpi_shift_r( &A, j + 1 ) );
1756 MPI_CHK( mpi_exp_mod( &A, &A, &R, X, &RR ) );
1758 if( mpi_cmp_mpi( &A, &W ) == 0 ||
1759 mpi_cmp_int( &A, 1 ) == 0 )
1763 while( j < s && mpi_cmp_mpi( &A, &W ) != 0 )
1768 MPI_CHK( mpi_mul_mpi( &T, &A, &A ) );
1769 MPI_CHK( mpi_mod_mpi( &A, &T, X ) );
1771 if( mpi_cmp_int( &A, 1 ) == 0 )
1778 * not prime if A != |X| - 1 or A == 1
1780 if( mpi_cmp_mpi( &A, &W ) != 0 ||
1781 mpi_cmp_int( &A, 1 ) == 0 )
1783 ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
1792 mpi_free( &RR, &A, &T, &R, &W, NULL );
1798 * Prime number generation
1800 int mpi_gen_prime( mpi *X, int nbits, int dh_flag,
1801 int (*f_rng)(void *), void *p_rng )
1808 return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
1810 mpi_init( &Y, NULL );
1812 n = BITS_TO_LIMBS( nbits );
1814 MPI_CHK( mpi_grow( X, n ) );
1815 MPI_CHK( mpi_lset( X, 0 ) );
1817 p = (unsigned char *) X->p;
1818 for( k = 0; k < X->n * ciL; k++ )
1819 *p++ = (unsigned char) f_rng( p_rng );
1822 if( k < nbits ) MPI_CHK( mpi_shift_l( X, nbits - k ) );
1823 if( k > nbits ) MPI_CHK( mpi_shift_r( X, k - nbits ) );
1829 while( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) != 0 )
1831 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1834 MPI_CHK( mpi_add_int( X, X, 2 ) );
1839 MPI_CHK( mpi_sub_int( &Y, X, 1 ) );
1840 MPI_CHK( mpi_shift_r( &Y, 1 ) );
1844 if( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) == 0 )
1846 if( ( ret = mpi_is_prime( &Y, f_rng, p_rng ) ) == 0 )
1849 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1853 if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
1856 MPI_CHK( mpi_add_int( &Y, X, 1 ) );
1857 MPI_CHK( mpi_add_int( X, X, 2 ) );
1858 MPI_CHK( mpi_shift_r( &Y, 1 ) );
1864 mpi_free( &Y, NULL );
1871 #if defined(POLARSSL_SELF_TEST)
1873 #define GCD_PAIR_COUNT 3
1875 static const int gcd_pairs[GCD_PAIR_COUNT][3] =
1879 { 768454923, 542167814, 1 }
1885 int mpi_self_test( int verbose )
1888 mpi A, E, N, X, Y, U, V;
1890 mpi_init( &A, &E, &N, &X, &Y, &U, &V, NULL );
1892 MPI_CHK( mpi_read_string( &A, 16,
1893 "EFE021C2645FD1DC586E69184AF4A31E" \
1894 "D5F53E93B5F123FA41680867BA110131" \
1895 "944FE7952E2517337780CB0DB80E61AA" \
1896 "E7C8DDC6C5C6AADEB34EB38A2F40D5E6" ) );
1898 MPI_CHK( mpi_read_string( &E, 16,
1899 "B2E7EFD37075B9F03FF989C7C5051C20" \
1900 "34D2A323810251127E7BF8625A4F49A5" \
1901 "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
1902 "5B5C25763222FEFCCFC38B832366C29E" ) );
1904 MPI_CHK( mpi_read_string( &N, 16,
1905 "0066A198186C18C10B2F5ED9B522752A" \
1906 "9830B69916E535C8F047518A889A43A5" \
1907 "94B6BED27A168D31D4A52F88925AA8F5" ) );
1909 MPI_CHK( mpi_mul_mpi( &X, &A, &N ) );
1911 MPI_CHK( mpi_read_string( &U, 16,
1912 "602AB7ECA597A3D6B56FF9829A5E8B85" \
1913 "9E857EA95A03512E2BAE7391688D264A" \
1914 "A5663B0341DB9CCFD2C4C5F421FEC814" \
1915 "8001B72E848A38CAE1C65F78E56ABDEF" \
1916 "E12D3C039B8A02D6BE593F0BBBDA56F1" \
1917 "ECF677152EF804370C1A305CAF3B5BF1" \
1918 "30879B56C61DE584A0F53A2447A51E" ) );
1921 printf( " MPI test #1 (mul_mpi): " );
1923 if( mpi_cmp_mpi( &X, &U ) != 0 )
1926 printf( "failed\n" );
1932 printf( "passed\n" );
1934 MPI_CHK( mpi_div_mpi( &X, &Y, &A, &N ) );
1936 MPI_CHK( mpi_read_string( &U, 16,
1937 "256567336059E52CAE22925474705F39A94" ) );
1939 MPI_CHK( mpi_read_string( &V, 16,
1940 "6613F26162223DF488E9CD48CC132C7A" \
1941 "0AC93C701B001B092E4E5B9F73BCD27B" \
1942 "9EE50D0657C77F374E903CDFA4C642" ) );
1945 printf( " MPI test #2 (div_mpi): " );
1947 if( mpi_cmp_mpi( &X, &U ) != 0 ||
1948 mpi_cmp_mpi( &Y, &V ) != 0 )
1951 printf( "failed\n" );
1957 printf( "passed\n" );
1959 MPI_CHK( mpi_exp_mod( &X, &A, &E, &N, NULL ) );
1961 MPI_CHK( mpi_read_string( &U, 16,
1962 "36E139AEA55215609D2816998ED020BB" \
1963 "BD96C37890F65171D948E9BC7CBAA4D9" \
1964 "325D24D6A3C12710F10A09FA08AB87" ) );
1967 printf( " MPI test #3 (exp_mod): " );
1969 if( mpi_cmp_mpi( &X, &U ) != 0 )
1972 printf( "failed\n" );
1978 printf( "passed\n" );
1980 MPI_CHK( mpi_inv_mod( &X, &A, &N ) );
1982 MPI_CHK( mpi_read_string( &U, 16,
1983 "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
1984 "C3DBA76456363A10869622EAC2DD84EC" \
1985 "C5B8A74DAC4D09E03B5E0BE779F2DF61" ) );
1988 printf( " MPI test #4 (inv_mod): " );
1990 if( mpi_cmp_mpi( &X, &U ) != 0 )
1993 printf( "failed\n" );
1999 printf( "passed\n" );
2002 printf( " MPI test #5 (simple gcd): " );
2004 for ( i = 0; i < GCD_PAIR_COUNT; i++)
2006 MPI_CHK( mpi_lset( &X, gcd_pairs[i][0] ) );
2007 MPI_CHK( mpi_lset( &Y, gcd_pairs[i][1] ) );
2009 MPI_CHK( mpi_gcd( &A, &X, &Y ) );
2011 if( mpi_cmp_int( &A, gcd_pairs[i][2] ) != 0 )
2014 printf( "failed at %d\n", i );
2021 printf( "passed\n" );
2025 if( ret != 0 && verbose != 0 )
2026 printf( "Unexpected error, return code = %08X\n", ret );
2028 mpi_free( &V, &U, &Y, &X, &N, &E, &A, NULL );
git://git.exim.org / users / heiko / exim.git / blob