5 * Generalized exponentiation
7 * (c) 2001 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
31 # error "Multiple inclusion of <catacomb/exp.h>"
34 #define CATACOMB_EXP_H
40 /*----- Header files ------------------------------------------------------*/
44 #include <mLib/alloc.h>
50 /*----- Data structures ---------------------------------------------------*/
52 typedef struct exp_simulscan {
58 typedef struct exp_simul {
64 /*----- Macros provided ---------------------------------------------------*/
66 /* --- Parameters --- */
68 #ifndef EXP_WINSZ /* Sliding window size */
69 # define EXP_WINSZ 4 /* Predefine if you need to */
72 /* --- These are determined from the window size --- *
74 * Given a %$k$%-bit exponent, I expect to do %$k/2$% multiplies if I use the
75 * simple way. If I use an n-bit sliding window, then I do %$2^n$%
76 * multiplies up front, but I only do %$(2^n - 1)/2^n k/n$% multiplies for
77 * the exponentiation. This is a win when
79 * %$k \ge \frac{n 2^{n+1}}{n - 2}$%
82 #define EXP_TABSZ (1 << EXP_WINSZ)
84 ((EXP_WINSZ * (2 << EXP_WINSZ))/((EXP_WINSZ - 2) * MPW_BITS))
86 /* --- Required operations --- *
88 * The macros here are independent of the underlying group elements. You
89 * must provide the necessary group operations and other definitions. The
90 * group operation is assumed to be written multiplicatively.
92 * @EXP_TYPE@ The type of a group element, e.g., @mp *@.
94 * @EXP_COPY(d, x)@ Makes @d@ be a copy of @x@.
96 * @EXP_DROP(x)@ Discards the element @x@, reclaiming any
99 * @EXP_MUL(a, x)@ Multiplies @a@ by @x@ (writing the result
102 * @EXP_FIX(x)@ Makes @x@ be a canonical representation of
103 * its value. All multiplications have the
104 * right argument canonical.
106 * @EXP_SQR(a)@ Multiplies @a@ by itself.
108 * @EXP_SETMUL(d, x, y)@ Sets @d@ to be the product of @x@ and @y@.
109 * The value @d@ has not been initialized.
111 * @EXP_SETSQR(d, x)@ Sets @d@ to be the square of @x@.
113 * Only @EXP_TYPE@, @EXP_MUL@ and @EXP_SQR@ are required for simple
114 * exponentation. Sliding window and simultaneous exponentation require all
119 # error "EXP_TYPE not defined for <catacomb/exp.h>"
122 /* --- @EXP_SIMPLE@ --- *
124 * Arguments: @a@ = the result object, initially a multiplicative identity
125 * @g@ = the object to exponentiate
126 * @x@ = the exponent, as a multiprecision integer
128 * Use: Performs a simple left-to-right exponentiation. At the end
129 * of the code, the answer is left in @a@; @g@ and @x@ are
133 #define EXP_SIMPLE(a, g, x) do { \
137 /* --- Begin scanning --- */ \
140 if (!MP_RSTEP(&sc)) \
141 goto exp_simple_exit; \
142 while (!MP_RBIT(&sc)) \
145 /* --- Do the main body of the work --- */ \
152 if (!MP_RSTEP(&sc)) \
153 goto exp_simple_done; \
158 while (sq--) EXP_SQR(a); \
161 /* --- Do a final round of squaring --- */ \
164 while (sq--) EXP_SQR(a); \
168 /* --- @EXP_WINDOW@ --- *
170 * Arguments: @a@ = the result object, initially a multiplicative identity
171 * @g@ = the object to exponentiate
172 * @x@ = the exponent, as a multiprecision integer
174 * Use: Performs a sliding-window exponentiation. At the end of the
175 * code, the answer is left in @a@; @g@ and @x@ are unchanged.
178 #define EXP_WINDOW(a, g, x) do { \
181 unsigned i, sq = 0; \
184 /* --- Get going --- */ \
187 if (!MP_RSTEP(&sc)) \
188 goto exp_window_exit; \
190 /* --- Do the precomputation --- */ \
195 v = xmalloc(EXP_TABSZ * sizeof(EXP_TYPE)); \
197 for (i = 1; i < EXP_TABSZ; i++) { \
198 EXP_SETMUL(v[i], v[i - 1], g2); \
203 /* --- Skip top-end zero bits --- * \
205 * If the initial step worked, there must be a set bit somewhere, so \
206 * keep stepping until I find it. \
209 while (!MP_RBIT(&sc)) \
212 /* --- Now for the main work --- */ \
218 /* --- The next bit is set, so read a window index --- * \
220 * Reset @i@ to zero and increment @sq@. Then, until either I read \
221 * @WINSZ@ bits or I run out of bits, scan in a bit: if it's clear, \
222 * bump the @z@ counter; if it's set, push a set bit into @i@, \
223 * shift it over by @z@ bits, bump @sq@ by @z + 1@ and clear @z@. \
224 * By the end of this palaver, @i@ is an index to the precomputed \
230 while (l < EXP_WINSZ && MP_RSTEP(&sc)) { \
235 i = ((i << 1) | 1) << z; \
241 /* --- Do the squaring --- * \
243 * Remember that @sq@ carries over from the zero-skipping stuff \
247 while (sq--) EXP_SQR(a); \
249 /* --- Do the multiply --- */ \
253 /* --- Now grind along through the rest of the bits --- */ \
257 if (!MP_RSTEP(&sc)) \
258 goto exp_window_done; \
265 /* --- Do a final round of squaring --- */ \
268 while (sq--) EXP_SQR(a); \
269 for (i = 0; i < EXP_TABSZ; i++) \
275 /* --- @EXP_SIMUL@ --- *
277 * Arguments: @a@ = the result object, initially a multiplicative identity
278 * @f@ = pointer to a vector of base/exp pairs
279 * @n@ = the number of base/exp pairs
281 * Use: Performs a simultaneous sliding-window exponentiation. The
282 * @f@ table is an array of structures containing members @base@
283 * of type @EXP_TYPE@, and @exp@ of type @mp *@.
286 #define EXP_SIMUL(a, f, n) do { \
287 size_t i, j, jj, k; \
288 size_t vn = 1 << (EXP_WINSZ * n), m = (1 << n) - 1; \
289 EXP_TYPE *v = xmalloc(vn * sizeof(EXP_TYPE)); \
293 /* --- Fill in the precomputed table --- */ \
296 for (i = 0; i < n; i++) { \
297 EXP_COPY(v[j], f[n - 1 - i].base); \
303 for (; i < k; i++) { \
304 EXP_SETSQR(v[j], v[jj]); \
308 for (i = 1; i < vn; i <<= 1) { \
309 for (j = 1; j < i; j++) { \
310 EXP_SETMUL(v[j + i], v[j], v[i]); \
315 /* --- Set up the bitscanners --- * \
317 * Got to use custom scanners, to keep them all in sync. \
322 e.s = xmalloc(n * sizeof(*e.s)); \
324 for (i = 0; i < n; i++) { \
325 MP_SHRINK(f[i].exp); \
326 e.s[i].len = MP_LEN(f[i].exp); \
327 e.s[i].v = f[i].exp->v; \
328 if (e.s[i].len > e.o) \
332 /* --- Skip as far as a nonzero column in the exponent matrix --- */ \
336 goto exp_simul_done; \
337 i = exp_simulnext(&e, 0); \
338 } while (!(i & m)); \
340 /* --- Now for the main work --- */ \
346 /* --- Just read a nonzero column, so read a window index --- * \
348 * Clear high bits of @i@ and increment @sq@. Then, until either I \
349 * read @WINSZ@ columns or I run out, scan in a column and append \
350 * it to @i@. If it's zero, bump the @z@ counter; if it's nonzero, \
351 * bump @sq@ by @z + 1@ and clear @z@. By the end of this palaver, \
352 * @i@ is an index to the precomputed value in @v@, followed by \
353 * @n * z@ zero bits. \
357 while (l < EXP_WINSZ && (e.o || e.b)) { \
359 i = exp_simulnext(&e, i); \
368 /* --- Do the squaring --- * \
370 * Remember that @sq@ carries over from the zero-skipping stuff \
374 while (sq--) EXP_SQR(a); \
376 /* --- Do the multiply --- */ \
381 /* --- Now grind along through the rest of the bits --- */ \
386 goto exp_simul_done; \
387 if ((i = exp_simulnext(&e, 0)) != 0) \
393 /* --- Do a final round of squaring --- */ \
396 while (sq--) EXP_SQR(a); \
397 for (i = 1; i < vn; i++) \
403 /*----- Functions provided ------------------------------------------------*/
405 /* --- @exp_simulnext@ --- *
407 * Arguments: @exp_simul *e@ = pointer to state structure
408 * @size_t x@ = a current accumulator
410 * Returns: The next column of bits.
412 * Use: Scans the next column of bits for a simultaneous
416 extern size_t exp_simulnext(exp_simul */*e*/, size_t /*x*/);
418 /*----- That's all, folks -------------------------------------------------*/
~mdw / catacomb / blob