3 This file is part of the ARM-Crypto-Lib.
4 Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de)
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * \license GPLv3 or later
30 #define STRING(x) STRING2(x)
31 #define STR_LINE STRING(__LINE__)
41 #include "bigint_io.h"
46 #define MAX(a,b) (((a)>(b))?(a):(b))
50 #define MIN(a,b) (((a) < (b)) ? (a) : (b))
53 #define SET_FBS(a, v) do{(a)->info &= ~BIGINT_FBS_MASK; (a)->info |= (v);} while(0)
54 #define GET_FBS(a) ((a)->info&BIGINT_FBS_MASK)
55 #define SET_NEG(a) (a)->info |= BIGINT_NEG_MASK
56 #define SET_POS(a) (a)->info &= ~BIGINT_NEG_MASK
57 #define XCHG(a,b) do{(a) ^= (b); (b) ^= (a); (a) ^= (b);} while(0)
58 #define XCHG_PTR(a,b) do{ a = (void*)(((intptr_t)(a)) ^ ((intptr_t)(b))); \
59 b = (void*)(((intptr_t)(a)) ^ ((intptr_t)(b))); \
60 a = (void*)(((intptr_t)(a)) ^ ((intptr_t)(b)));} while(0)
62 #define GET_SIGN(a) ((a)->info & BIGINT_NEG_MASK)
64 /******************************************************************************/
65 void bigint_adjust(bigint_t *a){
66 while(a->length_W!=0 && a->wordv[a->length_W-1]==0){
74 uint8_t i = BIGINT_WORD_SIZE-1;
75 t = a->wordv[a->length_W-1];
76 while((t&(1L<<(BIGINT_WORD_SIZE-1)))==0 && i){
83 /******************************************************************************/
85 bigint_length_t bigint_length_b(const bigint_t *a){
86 if(!a->length_W || a->length_W==0){
89 return (a->length_W-1) * BIGINT_WORD_SIZE + GET_FBS(a);
92 /******************************************************************************/
94 bigint_length_t bigint_length_B(const bigint_t *a){
95 return a->length_W * sizeof(bigint_word_t);
98 /******************************************************************************/
100 uint32_t bigint_get_first_set_bit(const bigint_t *a){
102 return (uint32_t)(-1);
104 return (a->length_W-1)*sizeof(bigint_word_t)*8+GET_FBS(a);
108 /******************************************************************************/
110 uint32_t bigint_get_last_set_bit(const bigint_t *a){
115 return (uint32_t)(-1);
117 while(a->wordv[r]==0 && r<a->length_W){
120 if(a->wordv[r] == 0){
121 return (uint32_t)(-1);
123 while((x&a->wordv[r])==0){
127 return r*BIGINT_WORD_SIZE+b;
130 /******************************************************************************/
132 void bigint_copy(bigint_t *dest, const bigint_t *src){
133 if(dest->wordv != src->wordv){
134 memcpy(dest->wordv, src->wordv, src->length_W * sizeof(bigint_word_t));
136 dest->length_W = src->length_W;
137 dest->info = src->info;
140 /******************************************************************************/
142 /* this should be implemented in assembly */
143 void bigint_add_u(bigint_t *dest, const bigint_t *a, const bigint_t *b){
145 bigint_wordplus_t t = 0LL;
146 if (a->length_W < b->length_W) {
149 for(i = 0; i < b->length_W; ++i) {
152 dest->wordv[i] = (bigint_word_t)t;
153 t >>= BIGINT_WORD_SIZE;
155 for(; i < a->length_W; ++i){
157 dest->wordv[i] = (bigint_word_t)t;
158 t >>= BIGINT_WORD_SIZE;
161 dest->wordv[i++] = (bigint_word_t)t;
168 /******************************************************************************/
170 /* this should be implemented in assembly */
171 void bigint_add_scale_u(bigint_t *dest, const bigint_t *a, bigint_length_t scale){
172 if(a->length_W == 0){
176 bigint_add_u(dest, dest, a);
180 #if BIGINT_WORD_SIZE == 8
181 memset(dest->wordv + dest->length_W, 0, MAX(dest->length_W, a->length_W + scale) - dest->length_W);
182 x.wordv = dest->wordv + scale;
183 x.length_W = dest->length_W - scale;
184 if((int16_t)x.length_W < 0){
190 bigint_add_u(&x, &x, a);
191 dest->length_W = x.length_W + scale;
196 bigint_length_t word_shift = scale / sizeof(bigint_word_t), byte_shift = scale % sizeof(bigint_word_t);
197 bigint_word_t bv[a->length_W + 1];
199 bv[0] = bv[a->length_W] = 0;
200 memcpy((uint8_t*)bv + byte_shift, a->wordv, a->length_W * sizeof(bigint_word_t));
201 s.length_W = a->length_W + 1;
203 memset(dest->wordv + dest->length_W, 0, (MAX(dest->length_W, s.length_W + word_shift) - dest->length_W) * sizeof(bigint_word_t));
204 x.wordv = dest->wordv + word_shift;
205 x.length_W = dest->length_W - word_shift;
206 if((int16_t)x.length_W < 0){
212 bigint_add_u(&x, &x, &s);
213 dest->length_W = x.length_W + word_shift;
219 /******************************************************************************/
221 /* this should be implemented in assembly */
222 void bigint_sub_u(bigint_t *dest, const bigint_t *a, const bigint_t *b){
225 bigint_wordplus_signed_t t = 0LL;
227 if(b->length_W == 0){
228 bigint_copy(dest, a);
232 if(a->length_W == 0){
233 bigint_copy(dest, b);
237 r = bigint_cmp_u(a,b);
239 bigint_set_zero(dest);
243 bigint_sub_u(dest, b, a);
247 for(i = 0; i < a->length_W; ++i){
253 dest->wordv[i] = (bigint_word_t)t;
265 /******************************************************************************/
267 int8_t bigint_cmp_u(const bigint_t *a, const bigint_t *b){
268 if(a->length_W > b->length_W){
271 if(a->length_W < b->length_W){
274 if(a->length_W == 0){
280 if(a->wordv[i] != b->wordv[i]){
281 if(a->wordv[i] > b->wordv[i]){
291 /******************************************************************************/
293 void bigint_add_s(bigint_t *dest, const bigint_t *a, const bigint_t *b){
296 s |= GET_SIGN(b)?1:0;
298 case 0: /* both positive */
299 bigint_add_u(dest, a,b);
302 case 1: /* a positive, b negative */
303 bigint_sub_u(dest, a, b);
305 case 2: /* a negative, b positive */
306 bigint_sub_u(dest, b, a);
308 case 3: /* both negative */
309 bigint_add_u(dest, a, b);
312 default: /* how can this happen?*/
317 /******************************************************************************/
319 void bigint_sub_s(bigint_t *dest, const bigint_t *a, const bigint_t *b){
322 s |= GET_SIGN(b)?1:0;
324 case 0: /* both positive */
325 bigint_sub_u(dest, a,b);
327 case 1: /* a positive, b negative */
328 bigint_add_u(dest, a, b);
331 case 2: /* a negative, b positive */
332 bigint_add_u(dest, a, b);
335 case 3: /* both negative */
336 bigint_sub_u(dest, b, a);
338 default: /* how can this happen?*/
344 /******************************************************************************/
346 int8_t bigint_cmp_s(const bigint_t *a, const bigint_t *b){
348 if(a->length_W==0 && b->length_W==0){
352 s |= GET_SIGN(b)?1:0;
354 case 0: /* both positive */
355 return bigint_cmp_u(a, b);
357 case 1: /* a positive, b negative */
360 case 2: /* a negative, b positive */
363 case 3: /* both negative */
364 return bigint_cmp_u(b, a);
366 default: /* how can this happen?*/
369 return 0; /* just to satisfy the compiler */
372 /******************************************************************************/
374 void bigint_shiftleft(bigint_t *a, bigint_length_t shift){
375 bigint_length_t byteshift, words_to_shift;
379 bigint_wordplus_t t = 0;
383 byteshift = shift / 8;
384 bitshift = shift & 7;
387 memmove(((uint8_t*)a->wordv) + byteshift, a->wordv, a->length_W * sizeof(bigint_word_t));
388 memset(a->wordv, 0, byteshift);
391 a->length_W += (byteshift + sizeof(bigint_word_t) - 1) / sizeof(bigint_word_t);
395 p = a->wordv + byteshift / sizeof(bigint_word_t);
396 words_to_shift = a->length_W + (byteshift % sizeof(bigint_word_t)?1:0);
397 for(i=0; i < words_to_shift; ++i){
398 t |= ((bigint_wordplus_t)p[i]) << bitshift;
399 p[i] = (bigint_word_t)t;
400 t >>= BIGINT_WORD_SIZE;
403 p[i] = (bigint_word_t)t;
406 a->length_W += (byteshift + sizeof(bigint_word_t) - 1) / sizeof(bigint_word_t);
410 /******************************************************************************/
412 void bigint_shiftright(bigint_t *a, bigint_length_t shift){
413 bigint_length_t byteshift;
416 bigint_wordplus_t t = 0;
417 byteshift = shift / 8;
418 bitshift = shift & 7;
420 if(byteshift >= a->length_W * sizeof(bigint_word_t)){ /* we would shift out more than we have */
424 if(byteshift == a->length_W * sizeof(bigint_word_t) - 1 && bitshift > GET_FBS(a)){
430 memmove(a->wordv, (uint8_t*)a->wordv + byteshift, a->length_W * sizeof(bigint_word_t) - byteshift);
433 byteshift /= sizeof(bigint_word_t); /* byteshift is now wordshift */
434 a->length_W -= byteshift;
435 if(bitshift != 0 && a->length_W){
436 /* shift to the right */
439 t |= ((bigint_wordplus_t)(a->wordv[i])) << (BIGINT_WORD_SIZE - bitshift);
440 a->wordv[i] = (bigint_word_t)(t >> BIGINT_WORD_SIZE);
441 t <<= BIGINT_WORD_SIZE;
447 /******************************************************************************/
449 void bigint_xor(bigint_t *dest, const bigint_t *a){
451 for(i=0; i<a->length_W; ++i){
452 dest->wordv[i] ^= a->wordv[i];
457 /******************************************************************************/
459 void bigint_set_zero(bigint_t *a){
463 /******************************************************************************/
465 /* using the Karatsuba-Algorithm */
466 /* x*y = (xh*yh)*b**2n + ((xh+xl)*(yh+yl) - xh*yh - xl*yl)*b**n + yh*yl */
467 void bigint_mul_u(bigint_t *dest, const bigint_t *a, const bigint_t *b){
468 if(a->length_W == 0 || b->length_W == 0){
469 bigint_set_zero(dest);
472 if(dest == a || dest == b){
474 bigint_word_t d_b[a->length_W + b->length_W];
476 bigint_mul_u(&d, a, b);
477 bigint_copy(dest, &d);
480 if(a->length_W == 1 || b->length_W == 1){
481 if(a->length_W != 1){
484 bigint_wordplus_t t = 0;
486 bigint_word_t x = a->wordv[0];
487 for(i=0; i < b->length_W; ++i){
488 t += ((bigint_wordplus_t)b->wordv[i]) * ((bigint_wordplus_t)x);
489 dest->wordv[i] = (bigint_word_t)t;
490 t >>= BIGINT_WORD_SIZE;
494 dest->wordv[i] = (bigint_word_t)t;
501 if(a->length_W * sizeof(bigint_word_t) <= 4 && b->length_W * sizeof(bigint_word_t) <= 4){
504 memcpy(&p, a->wordv, a->length_W*sizeof(bigint_word_t));
505 memcpy(&q, b->wordv, b->length_W*sizeof(bigint_word_t));
506 r = (uint64_t)p * (uint64_t)q;
507 memcpy(dest->wordv, &r, (dest->length_W = a->length_W + b->length_W)*sizeof(bigint_word_t));
511 /* split a in xh & xl; split b in yh & yl */
512 const bigint_length_t n = (MAX(a->length_W, b->length_W)+1)/2;
513 bigint_t xl, xh, yl, yh;
517 bigint_set_zero(&xh);
518 xl.length_W = a->length_W;
524 xh.wordv = &(a->wordv[n]);
525 xh.length_W = a->length_W-n;
529 bigint_set_zero(&yh);
530 yl.length_W = b->length_W;
536 yh.wordv = &(b->wordv[n]);
537 yh.length_W = b->length_W-n;
540 /* now we have split up a and b */
541 /* remember we want to do:
542 * x*y = (xh * b**n + xl) * (yh * b**n + yl)
543 * = (xh * yh) * b**2n + xh * b**n * yl + yh * b**n * xl + xl * yl
544 * = (xh * yh) * b**2n + (xh * yl + yh * xl) * b**n + xl *yl
545 * // xh * yl + yh * xl = (xh + yh) * (xl + yl) - xh * yh - xl * yl
546 * x*y = (xh * yh) * b**2n + ((xh+xl)*(yh+yl) - xh*yh - xl*yl)*b**n + xl*yl
547 * 5 9 2 4 3 7 5 6 1 8 1
549 bigint_word_t tmp_b[2 * n + 2], m_b[2 * (n + 1)];
550 bigint_t tmp, tmp2, m;
552 tmp2.wordv = &(tmp_b[n + 1]);
555 bigint_mul_u(dest, &xl, &yl); /* 1: dest <= xl*yl */
556 bigint_add_u(&tmp2, &xh, &xl); /* 2: tmp2 <= xh+xl */
557 bigint_add_u(&tmp, &yh, &yl); /* 3: tmp <= yh+yl */
558 bigint_mul_u(&m, &tmp2, &tmp); /* 4: m <= tmp2*tmp */
559 bigint_mul_u(&tmp, &xh, &yh); /* 5: tmp <= xh*yh */
560 bigint_sub_u(&m, &m, dest); /* 6: m <= m-dest */
561 bigint_sub_u(&m, &m, &tmp); /* 7: m <= m-tmp */
562 bigint_add_scale_u(dest, &m, n * sizeof(bigint_word_t)); /* 8: dest <= dest+m**n*/
563 bigint_add_scale_u(dest, &tmp, 2 * n * sizeof(bigint_word_t)); /* 9: dest <= dest+tmp**(2*n) */
566 /******************************************************************************/
568 void bigint_mul_s(bigint_t *dest, const bigint_t *a, const bigint_t *b){
571 s |= GET_SIGN(b)?1:0;
573 case 0: /* both positive */
574 bigint_mul_u(dest, a,b);
577 case 1: /* a positive, b negative */
578 bigint_mul_u(dest, a,b);
581 case 2: /* a negative, b positive */
582 bigint_mul_u(dest, a,b);
585 case 3: /* both negative */
586 bigint_mul_u(dest, a,b);
589 default: /* how can this happen?*/
594 /******************************************************************************/
598 unsigned square_depth = 0;
602 /* (xh*b^n+xl)^2 = xh^2*b^2n + 2*xh*xl*b^n + xl^2 */
603 void bigint_square(bigint_t *dest, const bigint_t *a){
604 if(a->length_W * sizeof(bigint_word_t) <= 4){
606 memcpy(&r, a->wordv, a->length_W * sizeof(bigint_word_t));
608 memcpy(dest->wordv, &r, 2 * a->length_W * sizeof(bigint_word_t));
610 dest->length_W = 2 * a->length_W;
615 if(dest->wordv == a->wordv){
617 bigint_word_t d_b[a->length_W*2];
619 bigint_square(&d, a);
620 bigint_copy(dest, &d);
623 bigint_fast_square(dest, a);
631 bigint_t xh, xl, tmp; /* x-high, x-low, temp */
632 bigint_word_t buffer[2*n+1];
636 xh.wordv = &(a->wordv[n]);
637 xh.length_W = a->length_W-n;
641 /* (xh * b**n + xl)**2 = xh**2 * b**2n + 2 * xh * xl * b**n + xl**2 */
643 if(square_depth == 1){
644 cli_putstr("\r\nDBG (a): xl: "); bigint_print_hex(&xl);
645 cli_putstr("\r\nDBG (b): xh: "); bigint_print_hex(&xh);
648 bigint_square(dest, &xl);
650 if(square_depth == 1){
651 cli_putstr("\r\nDBG (1): xl**2: "); bigint_print_hex(dest);
654 bigint_square(&tmp, &xh);
656 if(square_depth == 1){
657 cli_putstr("\r\nDBG (2): xh**2: "); bigint_print_hex(&tmp);
660 bigint_add_scale_u(dest, &tmp, 2 * n * sizeof(bigint_word_t));
662 if(square_depth == 1){
663 cli_putstr("\r\nDBG (3): xl**2 + xh**2*n**2: "); bigint_print_hex(dest);
666 bigint_mul_u(&tmp, &xl, &xh);
668 if(square_depth == 1){
669 cli_putstr("\r\nDBG (4): xl*xh: "); bigint_print_hex(&tmp);
672 bigint_shiftleft(&tmp, 1);
674 if(square_depth == 1){
675 cli_putstr("\r\nDBG (5): xl*xh*2: "); bigint_print_hex(&tmp);
678 bigint_add_scale_u(dest, &tmp, n * sizeof(bigint_word_t));
680 if(square_depth == 1){
681 cli_putstr("\r\nDBG (6): x**2: "); bigint_print_hex(dest);
690 /******************************************************************************/
692 void bigint_square(bigint_t *dest, const bigint_t *a) {
695 bigint_wordplus_t uv;
697 bigint_word_t q, c1, c2;
698 bigint_length_t i, j;
700 if(a->length_W * sizeof(bigint_word_t) <= 4){
702 memcpy(&r, a->wordv, a->length_W * sizeof(bigint_word_t));
704 memcpy(dest->wordv, &r, 2 * a->length_W * sizeof(bigint_word_t));
706 dest->length_W = 2 * a->length_W;
711 if(dest->wordv == a->wordv){
713 bigint_word_t d_b[a->length_W*2];
715 bigint_square(&d, a);
716 bigint_copy(dest, &d);
720 memset(dest->wordv, 0, a->length_W * 2 * sizeof(bigint_word_t));
722 for (i = 0; i < a->length_W; ++i) {
723 acc.uv = a->wordv[i] * a->wordv[i] + dest->wordv[2 * i];
724 dest->wordv[2 * i] = acc.u[0];
727 for (j = i + 1; j < a->length_W; ++j) {
728 acc.uv = a->wordv[i] * a->wordv[j];
729 q = acc.u[1] >> (BIGINT_WORD_SIZE - 1);
731 acc.uv += dest->wordv[i + j];
732 q += (acc.uv < dest->wordv[i + j]);
735 dest->wordv[i + j] = acc.u[0];
739 dest->wordv[i + a->length_W] += c1;
740 dest->wordv[i + a->length_W + 1] = c2 + (dest->wordv[i + a->length_W] < c1);
743 dest->length_W = 2 * a->length_W;
747 /******************************************************************************/
749 void bigint_sub_u_bitscale(bigint_t *a, const bigint_t *b, bigint_length_t bitscale){
751 bigint_word_t tmp_b[b->length_W + 1];
752 const bigint_length_t word_shift = bitscale / BIGINT_WORD_SIZE;
754 if(a->length_W < b->length_W + word_shift){
756 cli_putstr("\r\nDBG: *bang*\r\n");
762 bigint_copy(&tmp, b);
763 bigint_shiftleft(&tmp, bitscale % BIGINT_WORD_SIZE);
766 x.wordv = &(a->wordv[word_shift]);
767 x.length_W = a->length_W - word_shift;
769 bigint_sub_u(&x, &x, &tmp);
774 /******************************************************************************/
776 void bigint_reduce(bigint_t *a, const bigint_t *r){
777 uint8_t rfbs = GET_FBS(r);
778 if(r->length_W==0 || a->length_W==0){
782 if(bigint_length_b(a) + 3 > bigint_length_b(r)){
783 if((r->length_W*sizeof(bigint_word_t)<=4) && (a->length_W*sizeof(bigint_word_t)<=4)){
785 memcpy(&p, a->wordv, a->length_W*sizeof(bigint_word_t));
786 memcpy(&q, r->wordv, r->length_W*sizeof(bigint_word_t));
788 memcpy(a->wordv, &p, a->length_W*sizeof(bigint_word_t));
792 bigint_length_t shift;
793 while(a->length_W > r->length_W){
794 shift = (a->length_W - r->length_W) * 8 * sizeof(bigint_word_t) + GET_FBS(a) - rfbs - 1;
795 bigint_sub_u_bitscale(a, r, shift);
797 while((GET_FBS(a) > rfbs) && (a->length_W == r->length_W)){
798 shift = GET_FBS(a)-rfbs-1;
799 bigint_sub_u_bitscale(a, r, shift);
802 while(bigint_cmp_u(a,r)>=0){
808 /******************************************************************************/
810 /* calculate dest = a**exp % r */
811 /* using square&multiply */
812 void bigint_expmod_u_sam(bigint_t *dest, const bigint_t *a, const bigint_t *exp, const bigint_t *r){
813 if(a->length_W == 0){
814 bigint_set_zero(dest);
819 bigint_word_t t, base_w[MAX(a->length_W,r->length_W)], res_w[r->length_W*2];
822 // bigint_length_t *xaddr = &i;
823 // cli_putstr("\r\npre-alloc (");
824 // cli_hexdump_rev(&xaddr, 4);
825 // cli_putstr(") ...");
828 bigint_copy(&base, a);
829 // cli_putstr("\r\npost-copy");
830 bigint_reduce(&base, r);
835 if(exp->length_W == 0){
836 bigint_copy(dest, &res);
840 t=exp->wordv[exp->length_W - 1];
841 for(i = exp->length_W; i > 0; --i){
842 t = exp->wordv[i - 1];
843 for(j = BIGINT_WORD_SIZE; j > 0; --j){
845 if(t & (1 << (BIGINT_WORD_SIZE - 1))){
850 bigint_square(&res, &res);
851 bigint_reduce(&res, r);
852 if(t & (1 << (BIGINT_WORD_SIZE - 1))){
853 bigint_mul_u(&res, &res, &base);
854 bigint_reduce(&res, r);
863 bigint_copy(dest, &res);
866 /******************************************************************************/
867 /* gcd <-- gcd(x,y) a*x+b*y=gcd */
868 void bigint_gcdext(bigint_t *gcd, bigint_t *a, bigint_t *b, const bigint_t *x, const bigint_t *y){
869 bigint_length_t i = 0;
870 if(x->length_W == 0 || y->length_W == 0){
872 bigint_set_zero(gcd);
882 if(x->length_W == 1 && x->wordv[0] == 1){
899 if(y->length_W == 1 && y->wordv[0] == 1){
917 while(x->wordv[i] == 0 && y->wordv[i] == 0){
920 bigint_word_t g_b[i + 2], x_b[x->length_W - i], y_b[y->length_W - i];
921 bigint_word_t u_b[x->length_W - i], v_b[y->length_W - i];
922 bigint_word_t a_b[y->length_W + 2], c_b[y->length_W + 2];
923 bigint_word_t b_b[x->length_W + 2], d_b[x->length_W + 2];
924 bigint_t g, x_, y_, u, v, a_, b_, c_, d_;
929 memset(g_b, 0, i * sizeof(bigint_word_t));
933 x_.info = y_.info = 0;
934 x_.length_W = x->length_W - i;
935 y_.length_W = y->length_W - i;
936 memcpy(x_.wordv, x->wordv + i, x_.length_W * sizeof(bigint_word_t));
937 memcpy(y_.wordv, y->wordv + i, y_.length_W * sizeof(bigint_word_t));
938 for(i = 0; (x_.wordv[0] & (1 << i)) == 0 && (y_.wordv[0] & (1 << i)) == 0; ++i){
945 bigint_shiftleft(&g, i);
946 bigint_shiftright(&x_, i);
947 bigint_shiftright(&y_, i);
957 bigint_copy(&u, &x_);
958 bigint_copy(&v, &y_);
965 bigint_set_zero(&b_);
966 bigint_set_zero(&c_);
968 while((u.wordv[0] & 1) == 0){
969 bigint_shiftright(&u, 1);
970 if((a_.wordv[0] & 1) || (b_.wordv[0] & 1)){
971 bigint_add_s(&a_, &a_, &y_);
972 bigint_sub_s(&b_, &b_, &x_);
974 bigint_shiftright(&a_, 1);
975 bigint_shiftright(&b_, 1);
977 while((v.wordv[0] & 1) == 0){
978 bigint_shiftright(&v, 1);
979 if((c_.wordv[0] & 1) || (d_.wordv[0] & 1)){
980 bigint_add_s(&c_, &c_, &y_);
981 bigint_sub_s(&d_, &d_, &x_);
983 bigint_shiftright(&c_, 1);
984 bigint_shiftright(&d_, 1);
986 if(bigint_cmp_u(&u, &v) >= 0){
987 bigint_sub_u(&u, &u, &v);
988 bigint_sub_s(&a_, &a_, &c_);
989 bigint_sub_s(&b_, &b_, &d_);
991 bigint_sub_u(&v, &v, &u);
992 bigint_sub_s(&c_, &c_, &a_);
993 bigint_sub_s(&d_, &d_, &b_);
997 bigint_mul_s(gcd, &v, &g);
1000 bigint_copy(a, &c_);
1003 bigint_copy(b, &d_);
1007 /******************************************************************************/
1009 void bigint_inverse(bigint_t *dest, const bigint_t *a, const bigint_t *m){
1010 bigint_gcdext(NULL, dest, NULL, a, m);
1011 while(dest->info&BIGINT_NEG_MASK){
1012 bigint_add_s(dest, dest, m);
1016 /******************************************************************************/
1018 void bigint_changeendianess(bigint_t *a){
1020 p = (uint8_t*)(a->wordv);
1021 q = p + a->length_W * sizeof(bigint_word_t) - 1;
1030 /******************************************************************************/
1032 void bigint_mul_word_u(bigint_t *a, bigint_word_t b){
1033 bigint_wordplus_t c0 = 0, c1 = 0;
1041 for(i = 0; i < a->length_W; ++i){
1042 c1 = ((bigint_wordplus_t)(a->wordv[i])) * ((bigint_wordplus_t)b);
1044 a->wordv[i] = (bigint_word_t)c1;
1045 c0 = c1 >> BIGINT_WORD_SIZE;
1048 a->wordv[a->length_W] = (bigint_word_t)c0;
1054 /******************************************************************************/
1057 void bigint_clip(bigint_t *dest, bigint_length_t length_W){
1058 if(dest->length_W > length_W){
1059 dest->length_W = length_W;
1061 bigint_adjust(dest);
1063 /******************************************************************************/
1069 void bigint_mont_mul(bigint_t *dest, const bigint_t *a, const bigint_t *b, const bigint_t *m, const bigint_t *m_){
1070 const bigint_length_t s = MAX(MAX(a->length_W, b->length_W), m->length_W);
1072 bigint_word_t u_w[s + 2], t_w[s + 2];
1075 if (a->length_W == 0 || b->length_W == 0) {
1076 bigint_set_zero(dest);
1083 for (i = 0; i < a->length_W; ++i) {
1085 bigint_mul_word_u(&t, a->wordv[i]);
1086 bigint_add_u(&u, &u, &t);
1087 bigint_copy(&t, m_);
1088 if (u.length_W != 0) {
1089 bigint_mul_word_u(&t, u.wordv[0]);
1090 bigint_add_u(&u, &u, &t);
1092 bigint_shiftright(&u, BIGINT_WORD_SIZE);
1094 for (; i < s; ++i) {
1095 bigint_copy(&t, m_);
1096 if (u.length_W != 0) {
1097 bigint_mul_word_u(&t, u.wordv[0]);
1098 bigint_add_u(&u, &u, &t);
1100 bigint_shiftright(&u, BIGINT_WORD_SIZE);
1102 bigint_reduce(&u, m);
1103 bigint_copy(dest, &u);
1106 /******************************************************************************/
1108 void bigint_mont_red(bigint_t *dest, const bigint_t *a, const bigint_t *m, const bigint_t *m_){
1110 bigint_length_t i, s = MAX(a->length_W, m->length_W);
1111 bigint_word_t u_w[s + 2], t_w[s + 2];
1115 if (a->length_W == 0) {
1116 bigint_set_zero(dest);
1120 for (i = 0; i < m->length_W; ++i) {
1121 bigint_copy(&t, m_);
1122 if (u.length_W != 0) {
1123 bigint_mul_word_u(&t, u.wordv[0]);
1124 bigint_add_u(&u, &u, &t);
1126 bigint_shiftright(&u, BIGINT_WORD_SIZE);
1128 bigint_reduce(&u, m);
1129 bigint_copy(dest, &u);
1132 /******************************************************************************/
1134 * m_ = m * (- m0^-1 (mod 2^W))
1136 void bigint_mont_gen_m_(bigint_t* dest, const bigint_t* m){
1137 bigint_word_t x_w[2], m_w_0[1];
1139 if (m->length_W == 0) {
1140 bigint_set_zero(dest);
1143 if ((m->wordv[0] & 1) == 0) {
1144 printf_P(PSTR("ERROR: m must not be even, m = "));
1145 bigint_print_hex(m);
1158 m_0.wordv[0] = m->wordv[0];
1160 bigint_adjust(&m_0);
1161 bigint_inverse(dest, &m_0, &x);
1162 bigint_sub_s(&x, &x, dest);
1163 bigint_copy(dest, m);
1164 bigint_mul_word_u(dest, x.wordv[0]);
1167 /******************************************************************************/
1170 * dest = a * R mod m
1172 void bigint_mont_trans(bigint_t *dest, const bigint_t *a, const bigint_t *m){
1174 bigint_word_t t_w[a->length_W + m->length_W];
1177 memset(t_w, 0, m->length_W * sizeof(bigint_word_t));
1178 memcpy(t_w + m->length_W * sizeof(bigint_word_t), a->wordv, a->length_W * sizeof(bigint_word_t));
1180 t.length_W = a->length_W + m->length_W;
1181 bigint_reduce(&t, m);
1182 bigint_copy(dest, &t);
1185 /******************************************************************************/
1187 /* calculate dest = a**exp % r */
1188 /* using square&multiply */
1189 void bigint_expmod_u_mont_sam(bigint_t *dest, const bigint_t *a, const bigint_t *exp, const bigint_t *r){
1190 if(r->length_W == 0) {
1193 if(a->length_W == 0) {
1194 bigint_set_zero(dest);
1197 bigint_length_t s = r->length_W;
1198 bigint_t res, m_, ax;
1199 bigint_word_t t, res_w[r->length_W*2], ax_w[MAX(s, a->length_W)];
1200 bigint_word_t m_w_[s + 1];
1211 bigint_adjust(&res);
1212 if (exp->length_W == 0) {
1213 bigint_copy(dest, &res);
1216 bigint_copy(&ax, a);
1217 bigint_reduce(&ax, r);
1218 bigint_mont_trans(&ax, &ax, r);
1219 bigint_mont_trans(&res, &res, r);
1220 bigint_mont_gen_m_(&m_, r);
1222 t = exp->wordv[exp->length_W - 1];
1223 for (i = exp->length_W; i > 0; --i) {
1224 t = exp->wordv[i - 1];
1225 for(j = BIGINT_WORD_SIZE; j > 0; --j){
1227 if(t & (1 << (BIGINT_WORD_SIZE - 1))){
1232 bigint_square(&res, &res);
1233 bigint_mont_red(&res, &res, r, &m_);
1234 if (t & (1 << (BIGINT_WORD_SIZE - 1))) {
1235 bigint_mont_mul(&res, &res, &ax, r, &m_);
1242 bigint_mont_red(dest, &res, r, &m_);
1245 /******************************************************************************/
1249 void bigint_expmod_u(bigint_t *dest, const bigint_t *a, const bigint_t *exp, const bigint_t *r){
1250 if (r->wordv[0] & 1) {
1251 bigint_expmod_u_mont_sam(dest, a, exp, r);
1253 bigint_expmod_u_sam(dest, a, exp, r);
projects / avr-crypto-lib.git / blob