Startsida Utforska Hjälp
Logga in
8516
/
Test
1
0
Fork 0
Filer Ärenden 0 Pull-förfrågningar 0 Wiki
Gren: master
Grenar Taggar
Test
/
EVSE
/
GPL
/
dropbear-2017.75
/
libtommath
/
bn_mp_exptmod_fast.c

bn_mp_exptmod_fast.c 8.0 KB
Permalänk Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321 
  1. #include <tommath.h>
    2. 

  2. #ifdef BN_MP_EXPTMOD_FAST_C
    3. 

  3. /* LibTomMath, multiple-precision integer library -- Tom St Denis
    4. 

  4.  *
    5. 

  5.  * LibTomMath is a library that provides multiple-precision
    6. 

  6.  * integer arithmetic as well as number theoretic functionality.
    7. 

  7.  *
    8. 

  8.  * The library was designed directly after the MPI library by
    9. 

  9.  * Michael Fromberger but has been written from scratch with
    10. 

  10.  * additional optimizations in place.
    11. 

  11.  *
    12. 

  12.  * The library is free for all purposes without any express
    13. 

  13.  * guarantee it works.
    14. 

  14.  *
    15. 

  15.  * Tom St Denis, tomstdenis@gmail.com, http://math.libtomcrypt.com
    16. 

  16.  */
    17. 

  17. 

  18. /* computes Y == G**X mod P, HAC pp.616, Algorithm 14.85
    19. 

  19.  *
    20. 

  20.  * Uses a left-to-right k-ary sliding window to compute the modular exponentiation.
    21. 

  21.  * The value of k changes based on the size of the exponent.
    22. 

  22.  *
    23. 

  23.  * Uses Montgomery or Diminished Radix reduction [whichever appropriate]
    24. 

  24.  */
    25. 

  25. 

  26. #ifdef MP_LOW_MEM
    27. 

  27.    #define TAB_SIZE 32
    28. 

  28. #else
    29. 

  29.    #define TAB_SIZE 256
    30. 

  30. #endif
    31. 

  31. 

  32. int mp_exptmod_fast (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmode)
    33. 

  33. {
    34. 

  34.   mp_int  M[TAB_SIZE], res;
    35. 

  35.   mp_digit buf, mp;
    36. 

  36.   int     err, bitbuf, bitcpy, bitcnt, mode, digidx, x, y, winsize;
    37. 

  37. 

  38.   /* use a pointer to the reduction algorithm.  This allows us to use
    39. 

  39.    * one of many reduction algorithms without modding the guts of
    40. 

  40.    * the code with if statements everywhere.
    41. 

  41.    */
    42. 

  42.   int     (*redux)(mp_int*,mp_int*,mp_digit);
    43. 

  43. 

  44.   /* find window size */
    45. 

  45.   x = mp_count_bits (X);
    46. 

  46.   if (x <= 7) {
    47. 

  47.     winsize = 2;
    48. 

  48.   } else if (x <= 36) {
    49. 

  49.     winsize = 3;
    50. 

  50.   } else if (x <= 140) {
    51. 

  51.     winsize = 4;
    52. 

  52.   } else if (x <= 450) {
    53. 

  53.     winsize = 5;
    54. 

  54.   } else if (x <= 1303) {
    55. 

  55.     winsize = 6;
    56. 

  56.   } else if (x <= 3529) {
    57. 

  57.     winsize = 7;
    58. 

  58.   } else {
    59. 

  59.     winsize = 8;
    60. 

  60.   }
    61. 

  61. 

  62. #ifdef MP_LOW_MEM
    63. 

  63.   if (winsize > 5) {
    64. 

  64.      winsize = 5;
    65. 

  65.   }
    66. 

  66. #endif
    67. 

  67. 

  68.   /* init M array */
    69. 

  69.   /* init first cell */
    70. 

  70.   if ((err = mp_init_size(&M[1], P->alloc)) != MP_OKAY) {
    71. 

  71.      return err;
    72. 

  72.   }
    73. 

  73. 

  74.   /* now init the second half of the array */
    75. 

  75.   for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
    76. 

  76.     if ((err = mp_init_size(&M[x], P->alloc)) != MP_OKAY) {
    77. 

  77.       for (y = 1<<(winsize-1); y < x; y++) {
    78. 

  78.         mp_clear (&M[y]);
    79. 

  79.       }
    80. 

  80.       mp_clear(&M[1]);
    81. 

  81.       return err;
    82. 

  82.     }
    83. 

  83.   }
    84. 

  84. 

  85.   /* determine and setup reduction code */
    86. 

  86.   if (redmode == 0) {
    87. 

  87. #ifdef BN_MP_MONTGOMERY_SETUP_C     
    88. 

  88.      /* now setup montgomery  */
    89. 

  89.      if ((err = mp_montgomery_setup (P, &mp)) != MP_OKAY) {
    90. 

  90.         goto LBL_M;
    91. 

  91.      }
    92. 

  92. #else
    93. 

  93.      err = MP_VAL;
    94. 

  94.      goto LBL_M;
    95. 

  95. #endif
    96. 

  96. 

  97.      /* automatically pick the comba one if available (saves quite a few calls/ifs) */
    98. 

  98. #ifdef BN_FAST_MP_MONTGOMERY_REDUCE_C
    99. 

  99.      if (((P->used * 2 + 1) < MP_WARRAY) &&
    100. 

  100.           P->used < (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
    101. 

  101.         redux = fast_mp_montgomery_reduce;
    102. 

  102.      } else 
    103. 

  103. #endif
    104. 

  104.      {
    105. 

  105. #ifdef BN_MP_MONTGOMERY_REDUCE_C
    106. 

  106.         /* use slower baseline Montgomery method */
    107. 

  107.         redux = mp_montgomery_reduce;
    108. 

  108. #else
    109. 

  109.         err = MP_VAL;
    110. 

  110.         goto LBL_M;
    111. 

  111. #endif
    112. 

  112.      }
    113. 

  113.   } else if (redmode == 1) {
    114. 

  114. #if defined(BN_MP_DR_SETUP_C) && defined(BN_MP_DR_REDUCE_C)
    115. 

  115.      /* setup DR reduction for moduli of the form B**k - b */
    116. 

  116.      mp_dr_setup(P, &mp);
    117. 

  117.      redux = mp_dr_reduce;
    118. 

  118. #else
    119. 

  119.      err = MP_VAL;
    120. 

  120.      goto LBL_M;
    121. 

  121. #endif
    122. 

  122.   } else {
    123. 

  123. #if defined(BN_MP_REDUCE_2K_SETUP_C) && defined(BN_MP_REDUCE_2K_C)
    124. 

  124.      /* setup DR reduction for moduli of the form 2**k - b */
    125. 

  125.      if ((err = mp_reduce_2k_setup(P, &mp)) != MP_OKAY) {
    126. 

  126.         goto LBL_M;
    127. 

  127.      }
    128. 

  128.      redux = mp_reduce_2k;
    129. 

  129. #else
    130. 

  130.      err = MP_VAL;
    131. 

  131.      goto LBL_M;
    132. 

  132. #endif
    133. 

  133.   }
    134. 

  134. 

  135.   /* setup result */
    136. 

  136.   if ((err = mp_init_size (&res, P->alloc)) != MP_OKAY) {
    137. 

  137.     goto LBL_M;
    138. 

  138.   }
    139. 

  139. 

  140.   /* create M table
    141. 

  141.    *
    142. 

  142. 

  143.    *
    144. 

  144.    * The first half of the table is not computed though accept for M[0] and M[1]
    145. 

  145.    */
    146. 

  146. 

  147.   if (redmode == 0) {
    148. 

  148. #ifdef BN_MP_MONTGOMERY_CALC_NORMALIZATION_C
    149. 

  149.      /* now we need R mod m */
    150. 

  150.      if ((err = mp_montgomery_calc_normalization (&res, P)) != MP_OKAY) {
    151. 

  151.        goto LBL_RES;
    152. 

  152.      }
    153. 

  153. #else 
    154. 

  154.      err = MP_VAL;
    155. 

  155.      goto LBL_RES;
    156. 

  156. #endif
    157. 

  157. 

  158.      /* now set M[1] to G * R mod m */
    159. 

  159.      if ((err = mp_mulmod (G, &res, P, &M[1])) != MP_OKAY) {
    160. 

  160.        goto LBL_RES;
    161. 

  161.      }
    162. 

  162.   } else {
    163. 

  163.      mp_set(&res, 1);
    164. 

  164.      if ((err = mp_mod(G, P, &M[1])) != MP_OKAY) {
    165. 

  165.         goto LBL_RES;
    166. 

  166.      }
    167. 

  167.   }
    168. 

  168. 

  169.   /* compute the value at M[1<<(winsize-1)] by squaring M[1] (winsize-1) times */
    170. 

  170.   if ((err = mp_copy (&M[1], &M[1 << (winsize - 1)])) != MP_OKAY) {
    171. 

  171.     goto LBL_RES;
    172. 

  172.   }
    173. 

  173. 

  174.   for (x = 0; x < (winsize - 1); x++) {
    175. 

  175.     if ((err = mp_sqr (&M[1 << (winsize - 1)], &M[1 << (winsize - 1)])) != MP_OKAY) {
    176. 

  176.       goto LBL_RES;
    177. 

  177.     }
    178. 

  178.     if ((err = redux (&M[1 << (winsize - 1)], P, mp)) != MP_OKAY) {
    179. 

  179.       goto LBL_RES;
    180. 

  180.     }
    181. 

  181.   }
    182. 

  182. 

  183.   /* create upper table */
    184. 

  184.   for (x = (1 << (winsize - 1)) + 1; x < (1 << winsize); x++) {
    185. 

  185.     if ((err = mp_mul (&M[x - 1], &M[1], &M[x])) != MP_OKAY) {
    186. 

  186.       goto LBL_RES;
    187. 

  187.     }
    188. 

  188.     if ((err = redux (&M[x], P, mp)) != MP_OKAY) {
    189. 

  189.       goto LBL_RES;
    190. 

  190.     }
    191. 

  191.   }
    192. 

  192. 

  193.   /* set initial mode and bit cnt */
    194. 

  194.   mode   = 0;
    195. 

  195.   bitcnt = 1;
    196. 

  196.   buf    = 0;
    197. 

  197.   digidx = X->used - 1;
    198. 

  198.   bitcpy = 0;
    199. 

  199.   bitbuf = 0;
    200. 

  200. 

  201.   for (;;) {
    202. 

  202.     /* grab next digit as required */
    203. 

  203.     if (--bitcnt == 0) {
    204. 

  204.       /* if digidx == -1 we are out of digits so break */
    205. 

  205.       if (digidx == -1) {
    206. 

  206.         break;
    207. 

  207.       }
    208. 

  208.       /* read next digit and reset bitcnt */
    209. 

  209.       buf    = X->dp[digidx--];
    210. 

  210.       bitcnt = (int)DIGIT_BIT;
    211. 

  211.     }
    212. 

  212. 

  213.     /* grab the next msb from the exponent */
    214. 

  214.     y     = (mp_digit)(buf >> (DIGIT_BIT - 1)) & 1;
    215. 

  215.     buf <<= (mp_digit)1;
    216. 

  216. 

  217.     /* if the bit is zero and mode == 0 then we ignore it
    218. 

  218.      * These represent the leading zero bits before the first 1 bit
    219. 

  219.      * in the exponent.  Technically this opt is not required but it
    220. 

  220.      * does lower the # of trivial squaring/reductions used
    221. 

  221.      */
    222. 

  222.     if (mode == 0 && y == 0) {
    223. 

  223.       continue;
    224. 

  224.     }
    225. 

  225. 

  226.     /* if the bit is zero and mode == 1 then we square */
    227. 

  227.     if (mode == 1 && y == 0) {
    228. 

  228.       if ((err = mp_sqr (&res, &res)) != MP_OKAY) {
    229. 

  229.         goto LBL_RES;
    230. 

  230.       }
    231. 

  231.       if ((err = redux (&res, P, mp)) != MP_OKAY) {
    232. 

  232.         goto LBL_RES;
    233. 

  233.       }
    234. 

  234.       continue;
    235. 

  235.     }
    236. 

  236. 

  237.     /* else we add it to the window */
    238. 

  238.     bitbuf |= (y << (winsize - ++bitcpy));
    239. 

  239.     mode    = 2;
    240. 

  240. 

  241.     if (bitcpy == winsize) {
    242. 

  242.       /* ok window is filled so square as required and multiply  */
    243. 

  243.       /* square first */
    244. 

  244.       for (x = 0; x < winsize; x++) {
    245. 

  245.         if ((err = mp_sqr (&res, &res)) != MP_OKAY) {
    246. 

  246.           goto LBL_RES;
    247. 

  247.         }
    248. 

  248.         if ((err = redux (&res, P, mp)) != MP_OKAY) {
    249. 

  249.           goto LBL_RES;
    250. 

  250.         }
    251. 

  251.       }
    252. 

  252. 

  253.       /* then multiply */
    254. 

  254.       if ((err = mp_mul (&res, &M[bitbuf], &res)) != MP_OKAY) {
    255. 

  255.         goto LBL_RES;
    256. 

  256.       }
    257. 

  257.       if ((err = redux (&res, P, mp)) != MP_OKAY) {
    258. 

  258.         goto LBL_RES;
    259. 

  259.       }
    260. 

  260. 

  261.       /* empty window and reset */
    262. 

  262.       bitcpy = 0;
    263. 

  263.       bitbuf = 0;
    264. 

  264.       mode   = 1;
    265. 

  265.     }
    266. 

  266.   }
    267. 

  267. 

  268.   /* if bits remain then square/multiply */
    269. 

  269.   if (mode == 2 && bitcpy > 0) {
    270. 

  270.     /* square then multiply if the bit is set */
    271. 

  271.     for (x = 0; x < bitcpy; x++) {
    272. 

  272.       if ((err = mp_sqr (&res, &res)) != MP_OKAY) {
    273. 

  273.         goto LBL_RES;
    274. 

  274.       }
    275. 

  275.       if ((err = redux (&res, P, mp)) != MP_OKAY) {
    276. 

  276.         goto LBL_RES;
    277. 

  277.       }
    278. 

  278. 

  279.       /* get next bit of the window */
    280. 

  280.       bitbuf <<= 1;
    281. 

  281.       if ((bitbuf & (1 << winsize)) != 0) {
    282. 

  282.         /* then multiply */
    283. 

  283.         if ((err = mp_mul (&res, &M[1], &res)) != MP_OKAY) {
    284. 

  284.           goto LBL_RES;
    285. 

  285.         }
    286. 

  286.         if ((err = redux (&res, P, mp)) != MP_OKAY) {
    287. 

  287.           goto LBL_RES;
    288. 

  288.         }
    289. 

  289.       }
    290. 

  290.     }
    291. 

  291.   }
    292. 

  292. 

  293.   if (redmode == 0) {
    294. 

  294.      /* fixup result if Montgomery reduction is used
    295. 

  295.       * recall that any value in a Montgomery system is
    296. 

  296.       * actually multiplied by R mod n.  So we have
    297. 

  297.       * to reduce one more time to cancel out the factor
    298. 

  298.       * of R.
    299. 

  299.       */
    300. 

  300.      if ((err = redux(&res, P, mp)) != MP_OKAY) {
    301. 

  301.        goto LBL_RES;
    302. 

  302.      }
    303. 

  303.   }
    304. 

  304. 

  305.   /* swap res with Y */
    306. 

  306.   mp_exch (&res, Y);
    307. 

  307.   err = MP_OKAY;
    308. 

  308. LBL_RES:mp_clear (&res);
    309. 

  309. LBL_M:
    310. 

  310.   mp_clear(&M[1]);
    311. 

  311.   for (x = 1<<(winsize-1); x < (1 << winsize); x++) {
    312. 

  312.     mp_clear (&M[x]);
    313. 

  313.   }
    314. 

  314.   return err;
    315. 

  315. }
    316. 

  316. #endif
    317. 

  317. 

  318. 

  319. /* $Source: /cvs/libtom/libtommath/bn_mp_exptmod_fast.c,v $ */
    320. 

  320. /* $Revision: 1.3 $ */
    321. 

  321. /* $Date: 2006/03/31 14:18:44 $ */
    322.