3 * $Id: mpmont.c,v 1.9 2000/06/17 11:45:09 mdw Exp $
7 * (c) 1999 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Revision history --------------------------------------------------*
33 * Revision 1.9 2000/06/17 11:45:09 mdw
34 * Major memory management overhaul. Added arena support. Use the secure
35 * arena for secret integers. Replace and improve the MP management macros
36 * (e.g., replace MP_MODIFY by MP_DEST).
38 * Revision 1.8 1999/12/22 15:55:00 mdw
39 * Adjust Karatsuba parameters.
41 * Revision 1.7 1999/12/11 01:51:14 mdw
42 * Use a Karatsuba-based reduction for large moduli.
44 * Revision 1.6 1999/12/10 23:18:39 mdw
45 * Change interface for suggested destinations.
47 * Revision 1.5 1999/11/22 13:58:40 mdw
48 * Add an option to disable Montgomery reduction, so that performance
49 * comparisons can be done.
51 * Revision 1.4 1999/11/21 12:27:06 mdw
52 * Remove a division from the Montgomery setup by calculating
53 * %$R^2 \bmod m$% first and then %$R \bmod m$% by Montgomery reduction of
56 * Revision 1.3 1999/11/21 11:35:10 mdw
57 * Performance improvement: use @mp_sqr@ and @mpmont_reduce@ instead of
58 * @mpmont_mul@ for squaring in exponentiation.
60 * Revision 1.2 1999/11/19 13:17:26 mdw
61 * Add extra interface to exponentiation which returns a Montgomerized
64 * Revision 1.1 1999/11/17 18:02:16 mdw
65 * New multiprecision integer arithmetic suite.
69 /*----- Header files ------------------------------------------------------*/
74 /*----- Tweakables --------------------------------------------------------*/
76 /* --- @MPMONT_DISABLE@ --- *
78 * Replace all the clever Montgomery reduction with good old-fashioned long
82 /* #define MPMONT_DISABLE */
84 /*----- Main code ---------------------------------------------------------*/
86 /* --- @mpmont_create@ --- *
88 * Arguments: @mpmont *mm@ = pointer to Montgomery reduction context
89 * @mp *m@ = modulus to use
93 * Use: Initializes a Montgomery reduction context ready for use.
94 * The argument @m@ must be a positive odd integer.
99 void mpmont_create(mpmont *mm, mp *m)
110 void mpmont_create(mpmont *mm, mp *m)
112 size_t n = MP_LEN(m);
113 mp *r2 = mp_new(2 * n + 1, 0);
116 /* --- Validate the arguments --- */
118 assert(((void)"Montgomery modulus must be positive",
119 (m->f & MP_NEG) == 0));
120 assert(((void)"Montgomery modulus must be odd", m->v[0] & 1));
122 /* --- Take a copy of the modulus --- */
127 /* --- Determine %$R^2$% --- */
130 MPX_ZERO(r2->v, r2->vl - 1);
133 /* --- Find the magic value @mi@ --- */
135 mp_build(&r, r2->v + n, r2->vl);
137 mp_gcd(0, 0, &mm->mi, &r, m);
138 mm->mi = mp_sub(mm->mi, &r, mm->mi);
140 /* --- Discover the values %$R \bmod m$% and %$R^2 \bmod m$% --- */
143 mp_div(0, &mm->r2, r2, m);
144 mm->r = mpmont_reduce(mm, MP_NEW, mm->r2);
150 /* --- @mpmont_destroy@ --- *
152 * Arguments: @mpmont *mm@ = pointer to a Montgomery reduction context
156 * Use: Disposes of a context when it's no longer of any use to
160 void mpmont_destroy(mpmont *mm)
168 /* --- @mpmont_reduce@ --- *
170 * Arguments: @mpmont *mm@ = pointer to Montgomery reduction context
171 * @mp *d@ = destination
172 * @mp *a@ = source, assumed positive
174 * Returns: Result, %$a R^{-1} \bmod m$%.
177 #ifdef MPMONT_DISABLE
179 mp *mpmont_reduce(mpmont *mm, mp *d, mp *a)
181 mp_div(0, &d, a, mm->m);
187 mp *mpmont_reduce(mpmont *mm, mp *d, mp *a)
191 /* --- Check for serious Karatsuba reduction --- */
193 if (n > KARATSUBA_CUTOFF * 3) {
202 mp_build(&al, a->v, vl);
203 u = mp_mul(MP_NEW, &al, mm->mi);
206 u = mp_mul(u, u, mm->m);
211 /* --- Otherwise do it the hard way --- */
219 /* --- Initial conditioning of the arguments --- */
225 MP_DEST(d, 2 * n + 1, a->f);
227 dv = d->v; dvl = d->vl;
228 mv = mm->m->v; mvl = mm->m->vl;
230 /* --- Let's go to work --- */
234 mpw u = MPW(*dv * mi);
235 MPX_UMLAN(dv, dvl, mv, mvl, u);
240 /* --- Wrap everything up --- */
242 memmove(d->v, d->v + n, MPWS(MP_LEN(d) - n));
244 if (MP_CMP(d, >=, mm->m))
245 d = mp_sub(d, d, mm->m);
252 /* --- @mpmont_mul@ --- *
254 * Arguments: @mpmont *mm@ = pointer to Montgomery reduction context
255 * @mp *d@ = destination
256 * @mp *a, *b@ = sources, assumed positive
258 * Returns: Result, %$a b R^{-1} \bmod m$%.
261 #ifdef MPMONT_DISABLE
263 mp *mpmont_mul(mpmont *mm, mp *d, mp *a, mp *b)
266 mp_div(0, &d, d, mm->m);
272 mp *mpmont_mul(mpmont *mm, mp *d, mp *a, mp *b)
274 if (mm->n > KARATSUBA_CUTOFF * 3) {
276 d = mpmont_reduce(mm, d, d);
286 /* --- Initial conditioning of the arguments --- */
288 if (MP_LEN(a) > MP_LEN(b)) {
289 mp *t = a; a = b; b = t;
295 MP_DEST(d, 2 * n + 1, a->f | b->f | MP_UNDEF);
296 dv = d->v; dvl = d->vl;
298 av = a->v; avl = a->vl;
299 bv = b->v; bvl = b->vl;
300 mv = mm->m->v; mvl = mm->m->vl;
303 /* --- Montgomery multiplication phase --- */
307 while (i < n && av < avl) {
309 mpw u = MPW((*dv + x * y) * mi);
310 MPX_UMLAN(dv, dvl, bv, bvl, x);
311 MPX_UMLAN(dv, dvl, mv, mvl, u);
316 /* --- Simpler Montgomery reduction phase --- */
319 mpw u = MPW(*dv * mi);
320 MPX_UMLAN(dv, dvl, mv, mvl, u);
327 memmove(d->v, dv, MPWS(dvl - dv));
330 d->f = (a->f | b->f) & MP_BURN;
331 if (MP_CMP(d, >=, mm->m))
332 d = mp_sub(d, d, mm->m);
342 /* --- @mpmont_expr@ --- *
344 * Arguments: @mpmont *mm@ = pointer to Montgomery reduction context
345 * @mp *d@ = fake destination
349 * Returns: Result, %$a^e R \bmod m$%.
352 mp *mpmont_expr(mpmont *mm, mp *d, mp *a, mp *e)
355 mp *ar = mpmont_mul(mm, MP_NEW, a, mm->r2);
356 mp *x = MP_COPY(mm->r);
357 mp *spare = (e->f & MP_BURN) ? MP_NEWSEC : MP_NEW;
367 dd = mp_sqr(spare, ar);
368 dd = mpmont_reduce(mm, dd, dd);
372 dd = mpmont_mul(mm, spare, x, ar);
388 /* --- @mpmont_exp@ --- *
390 * Arguments: @mpmont *mm@ = pointer to Montgomery reduction context
391 * @mp *d@ = fake destination
395 * Returns: Result, %$a^e \bmod m$%.
398 mp *mpmont_exp(mpmont *mm, mp *d, mp *a, mp *e)
400 d = mpmont_expr(mm, d, a, e);
401 d = mpmont_reduce(mm, d, d);
405 /*----- Test rig ----------------------------------------------------------*/
409 static int tcreate(dstr *v)
411 mp *m = *(mp **)v[0].buf;
412 mp *mi = *(mp **)v[1].buf;
413 mp *r = *(mp **)v[2].buf;
414 mp *r2 = *(mp **)v[3].buf;
419 mpmont_create(&mm, m);
421 if (mm.mi->v[0] != mi->v[0]) {
422 fprintf(stderr, "\n*** bad mi: found %lu, expected %lu",
423 (unsigned long)mm.mi->v[0], (unsigned long)mi->v[0]);
424 fputs("\nm = ", stderr); mp_writefile(m, stderr, 10);
429 if (MP_CMP(mm.r, !=, r)) {
430 fputs("\n*** bad r", stderr);
431 fputs("\nm = ", stderr); mp_writefile(m, stderr, 10);
432 fputs("\nexpected ", stderr); mp_writefile(r, stderr, 10);
433 fputs("\n found ", stderr); mp_writefile(mm.r, stderr, 10);
438 if (MP_CMP(mm.r2, !=, r2)) {
439 fputs("\n*** bad r2", stderr);
440 fputs("\nm = ", stderr); mp_writefile(m, stderr, 10);
441 fputs("\nexpected ", stderr); mp_writefile(r2, stderr, 10);
442 fputs("\n found ", stderr); mp_writefile(mm.r2, stderr, 10);
452 assert(mparena_count(MPARENA_GLOBAL) == 0);
456 static int tmul(dstr *v)
458 mp *m = *(mp **)v[0].buf;
459 mp *a = *(mp **)v[1].buf;
460 mp *b = *(mp **)v[2].buf;
461 mp *r = *(mp **)v[3].buf;
465 mpmont_create(&mm, m);
468 mp *qr = mp_mul(MP_NEW, a, b);
469 mp_div(0, &qr, qr, m);
471 if (MP_CMP(qr, !=, r)) {
472 fputs("\n*** classical modmul failed", stderr);
473 fputs("\n m = ", stderr); mp_writefile(m, stderr, 10);
474 fputs("\n a = ", stderr); mp_writefile(a, stderr, 10);
475 fputs("\n b = ", stderr); mp_writefile(b, stderr, 10);
476 fputs("\n r = ", stderr); mp_writefile(r, stderr, 10);
477 fputs("\nqr = ", stderr); mp_writefile(qr, stderr, 10);
486 mp *ar = mpmont_mul(&mm, MP_NEW, a, mm.r2);
487 mp *br = mpmont_mul(&mm, MP_NEW, b, mm.r2);
488 mp *mr = mpmont_mul(&mm, MP_NEW, ar, br);
489 mr = mpmont_reduce(&mm, mr, mr);
490 if (MP_CMP(mr, !=, r)) {
491 fputs("\n*** montgomery modmul failed", stderr);
492 fputs("\n m = ", stderr); mp_writefile(m, stderr, 10);
493 fputs("\n a = ", stderr); mp_writefile(a, stderr, 10);
494 fputs("\n b = ", stderr); mp_writefile(b, stderr, 10);
495 fputs("\n r = ", stderr); mp_writefile(r, stderr, 10);
496 fputs("\nmr = ", stderr); mp_writefile(mr, stderr, 10);
500 MP_DROP(ar); MP_DROP(br);
510 assert(mparena_count(MPARENA_GLOBAL) == 0);
514 static int texp(dstr *v)
516 mp *m = *(mp **)v[0].buf;
517 mp *a = *(mp **)v[1].buf;
518 mp *b = *(mp **)v[2].buf;
519 mp *r = *(mp **)v[3].buf;
524 mpmont_create(&mm, m);
526 mr = mpmont_exp(&mm, MP_NEW, a, b);
528 if (MP_CMP(mr, !=, r)) {
529 fputs("\n*** montgomery modexp failed", stderr);
530 fputs("\n m = ", stderr); mp_writefile(m, stderr, 10);
531 fputs("\n a = ", stderr); mp_writefile(a, stderr, 10);
532 fputs("\n e = ", stderr); mp_writefile(b, stderr, 10);
533 fputs("\n r = ", stderr); mp_writefile(r, stderr, 10);
534 fputs("\nmr = ", stderr); mp_writefile(mr, stderr, 10);
545 assert(mparena_count(MPARENA_GLOBAL) == 0);
550 static test_chunk tests[] = {
551 { "create", tcreate, { &type_mp, &type_mp, &type_mp, &type_mp, 0 } },
552 { "mul", tmul, { &type_mp, &type_mp, &type_mp, &type_mp, 0 } },
553 { "exp", texp, { &type_mp, &type_mp, &type_mp, &type_mp, 0 } },
557 int main(int argc, char *argv[])
560 test_run(argc, argv, tests, SRCDIR "/tests/mpmont");
566 /*----- That's all, folks -------------------------------------------------*/
~mdw / catacomb / blob