2000-07-29 03:09:02 +04:00
|
|
|
/*
|
|
|
|
|
* The contents of this file are subject to the Mozilla Public
|
|
|
|
|
* License Version 1.1 (the "License"); you may not use this file
|
|
|
|
|
* except in compliance with the License. You may obtain a copy of
|
|
|
|
|
* the License at http://www.mozilla.org/MPL/
|
|
|
|
|
*
|
|
|
|
|
* Software distributed under the License is distributed on an "AS
|
|
|
|
|
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
|
|
|
|
|
* implied. See the License for the specific language governing
|
|
|
|
|
* rights and limitations under the License.
|
|
|
|
|
*
|
|
|
|
|
* The Original Code is the Netscape security libraries.
|
|
|
|
|
*
|
|
|
|
|
* The Initial Developer of the Original Code is Netscape
|
|
|
|
|
* Communications Corporation. Portions created by Netscape are
|
|
|
|
|
* Copyright (C) 2000 Netscape Communications Corporation. All
|
|
|
|
|
* Rights Reserved.
|
|
|
|
|
*
|
|
|
|
|
* Contributor(s):
|
|
|
|
|
*
|
|
|
|
|
* Alternatively, the contents of this file may be used under the
|
|
|
|
|
* terms of the GNU General Public License Version 2 or later (the
|
|
|
|
|
* "GPL"), in which case the provisions of the GPL are applicable
|
|
|
|
|
* instead of those above. If you wish to allow use of your
|
|
|
|
|
* version of this file only under the terms of the GPL and not to
|
|
|
|
|
* allow others to use your version of this file under the MPL,
|
|
|
|
|
* indicate your decision by deleting the provisions above and
|
|
|
|
|
* replace them with the notice and other provisions required by
|
|
|
|
|
* the GPL. If you do not delete the provisions above, a recipient
|
|
|
|
|
* may use your version of this file under either the MPL or the
|
|
|
|
|
* GPL.
|
2000-08-08 07:20:35 +04:00
|
|
|
* $Id: mpmontg.c,v 1.6 2000/08/08 03:20:35 nelsonb%netscape.com Exp $
|
2000-07-29 03:09:02 +04:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* This file implements moduluar exponentiation using Montgomery's
|
|
|
|
|
* method for modular reduction. This file implements the method
|
|
|
|
|
* described as "Improvement 1" in the paper "A Cryptogrpahic Library for
|
|
|
|
|
* the Motorola DSP56000" by Stephen R. Dusse' and Burton S. Kaliski Jr.
|
|
|
|
|
* published in "Advances in Cryptology: Proceedings of EUROCRYPT '90"
|
|
|
|
|
* "Lecture Notes in Computer Science" volume 473, 1991, pg 230-244,
|
|
|
|
|
* published by Springer Verlag.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include "mpi-priv.h"
|
|
|
|
|
#include "mplogic.h"
|
|
|
|
|
#include "mpprime.h"
|
|
|
|
|
|
|
|
|
|
#define MP_CHECKOK(x) if (MP_OKAY != (rv = (x))) goto loser
|
2000-07-30 10:37:14 +04:00
|
|
|
#define MP_CHECKERR(x) if (0 > (rv = (x))) goto loser
|
2000-07-29 03:09:02 +04:00
|
|
|
#define STATIC
|
|
|
|
|
/* #define DEBUG 1 */
|
|
|
|
|
|
2000-07-30 10:37:14 +04:00
|
|
|
#define WINDOW_BITS 5
|
|
|
|
|
#define ODD_INTS 16 /* 2 ** (WINDOW_BITS - 1) */
|
|
|
|
|
|
2000-07-29 03:09:02 +04:00
|
|
|
typedef struct {
|
2000-08-04 23:58:20 +04:00
|
|
|
mp_int N; /* modulus N */
|
2000-07-29 03:09:02 +04:00
|
|
|
mp_digit n0prime; /* n0' = - (n0 ** -1) mod MP_RADIX */
|
|
|
|
|
mp_size b; /* R == 2 ** b, also b = # significant bits in N */
|
|
|
|
|
} mp_mont_modulus;
|
|
|
|
|
|
|
|
|
|
/* computes T = REDC(T), 2^b == R */
|
|
|
|
|
STATIC
|
|
|
|
|
mp_err s_mp_redc(mp_int *T, mp_mont_modulus *mmm)
|
|
|
|
|
{
|
|
|
|
|
mp_err rv;
|
|
|
|
|
int i;
|
2000-08-04 23:58:20 +04:00
|
|
|
#ifdef DEBUG
|
|
|
|
|
mp_int m;
|
|
|
|
|
#endif
|
2000-07-29 03:09:02 +04:00
|
|
|
|
2000-08-04 23:58:20 +04:00
|
|
|
MP_CHECKOK( s_mp_pad(T, MP_USED(T) + MP_USED(&mmm->N) + 2) );
|
|
|
|
|
for (i = 0; i < MP_USED(&mmm->N); ++i ) {
|
|
|
|
|
mp_digit m_i = MP_DIGIT(T, i) * mmm->n0prime;
|
2000-07-29 03:09:02 +04:00
|
|
|
/* T += N * m_i * (MP_RADIX ** i); */
|
|
|
|
|
MP_CHECKOK( s_mp_mul_d_add_offset(&mmm->N, m_i, T, i) );
|
|
|
|
|
}
|
2000-08-02 05:03:14 +04:00
|
|
|
s_mp_clamp(T);
|
2000-07-29 03:09:02 +04:00
|
|
|
|
|
|
|
|
/* T /= R */
|
|
|
|
|
#ifdef DEBUG
|
2000-08-02 05:03:14 +04:00
|
|
|
MP_CHECKOK( mp_init(&m) );
|
2000-07-29 03:09:02 +04:00
|
|
|
MP_CHECKOK( mp_div_2d(T, mmm->b, T, &m));
|
|
|
|
|
/* here, remainder m should be equal to zero */
|
|
|
|
|
if (mp_cmp_z(&m) != 0) {
|
|
|
|
|
rv = MP_UNDEF;
|
|
|
|
|
goto loser;
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
s_mp_div_2d(T, mmm->b);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
if ((rv = s_mp_cmp(T, &mmm->N)) >= 0) {
|
|
|
|
|
/* T = T - N */
|
|
|
|
|
MP_CHECKOK( s_mp_sub(T, &mmm->N) );
|
|
|
|
|
#ifdef DEBUG
|
|
|
|
|
if ((rv = mp_cmp(T, &mmm->N)) >= 0) {
|
|
|
|
|
rv = MP_UNDEF;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
rv = MP_OKAY;
|
|
|
|
|
loser:
|
2000-08-02 05:03:14 +04:00
|
|
|
#ifdef DEBUG
|
2000-07-29 03:09:02 +04:00
|
|
|
mp_clear(&m);
|
2000-08-02 05:03:14 +04:00
|
|
|
#endif
|
2000-07-29 03:09:02 +04:00
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
2000-08-01 05:38:30 +04:00
|
|
|
mp_err mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int *xMont)
|
2000-07-29 03:09:02 +04:00
|
|
|
{
|
|
|
|
|
mp_err rv;
|
|
|
|
|
|
|
|
|
|
/* xMont = x * R mod N where N is modulus */
|
|
|
|
|
MP_CHECKOK( mpl_lsh(x, xMont, mmm->b) ); /* xMont = x << b */
|
2000-08-02 05:03:14 +04:00
|
|
|
MP_CHECKOK( mp_div(xMont, &mmm->N, 0, xMont) ); /* mod N */
|
2000-07-29 03:09:02 +04:00
|
|
|
loser:
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2000-08-01 05:38:30 +04:00
|
|
|
mp_err mp_exptmod(const mp_int *inBase, const mp_int *exponent,
|
|
|
|
|
const mp_int *modulus, mp_int *result)
|
2000-07-29 03:09:02 +04:00
|
|
|
{
|
2000-08-01 05:38:30 +04:00
|
|
|
const mp_int *base;
|
2000-07-29 03:09:02 +04:00
|
|
|
mp_size bits_in_exponent;
|
|
|
|
|
mp_size i;
|
|
|
|
|
mp_err rv;
|
2000-08-02 05:03:14 +04:00
|
|
|
mp_int square, accum, goodBase, tmp;
|
2000-07-29 03:09:02 +04:00
|
|
|
mp_mont_modulus mmm;
|
|
|
|
|
|
|
|
|
|
/* function for computing n0prime only works if n0 is odd */
|
|
|
|
|
if (!mp_isodd(modulus))
|
|
|
|
|
return s_mp_exptmod(inBase, exponent, modulus, result);
|
|
|
|
|
|
|
|
|
|
if (mp_cmp(inBase, modulus) < 0) {
|
|
|
|
|
base = inBase;
|
2000-08-02 05:03:14 +04:00
|
|
|
MP_DIGITS(&goodBase) = 0;
|
2000-07-29 03:09:02 +04:00
|
|
|
} else {
|
2000-08-02 05:03:14 +04:00
|
|
|
mp_init(&goodBase);
|
2000-07-29 03:09:02 +04:00
|
|
|
base = &goodBase;
|
|
|
|
|
MP_CHECKOK( mp_mod(inBase, modulus, &goodBase) );
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
mp_init_size(&square, 2 * MP_USED(modulus) + 2);
|
2000-08-02 05:03:14 +04:00
|
|
|
mp_init_size(&accum, 3 * MP_USED(modulus) + 2);
|
|
|
|
|
mp_init_size(&tmp, 3 * MP_USED(modulus) + 2);
|
2000-07-29 03:09:02 +04:00
|
|
|
|
|
|
|
|
mmm.N = *modulus; /* a copy of the mp_int struct */
|
|
|
|
|
i = mpl_significant_bits(modulus);
|
|
|
|
|
i += MP_DIGIT_BIT - 1;
|
|
|
|
|
mmm.b = i - i % MP_DIGIT_BIT;
|
2000-08-08 07:20:35 +04:00
|
|
|
|
|
|
|
|
/* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX
|
|
|
|
|
** where n0 = least significant mp_digit of N, the modulus.
|
|
|
|
|
*/
|
|
|
|
|
mmm.n0prime = 0 - s_mp_invmod_32b( MP_DIGIT(modulus, 0) );
|
2000-07-29 03:09:02 +04:00
|
|
|
|
|
|
|
|
MP_CHECKOK( mp_to_mont(base, &mmm, &square) );
|
|
|
|
|
|
2000-07-30 10:37:14 +04:00
|
|
|
bits_in_exponent = mpl_significant_bits(exponent);
|
|
|
|
|
i = bits_in_exponent % WINDOW_BITS;
|
|
|
|
|
if (i != 0) {
|
|
|
|
|
bits_in_exponent += WINDOW_BITS - i;
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
/* oddPowers[i] = base ** (2*i + 1); */
|
|
|
|
|
/* power2 = base ** 2; */
|
|
|
|
|
int expOff;
|
|
|
|
|
mp_int power2, oddPowers[ODD_INTS];
|
|
|
|
|
|
2000-08-02 05:03:14 +04:00
|
|
|
MP_CHECKOK( mp_init_copy(oddPowers, &square) );
|
2000-07-30 10:37:14 +04:00
|
|
|
|
2000-08-02 05:03:14 +04:00
|
|
|
mp_init_size(&power2, MP_USED(modulus) + 2 * MP_USED(&square) + 2);
|
2000-07-30 10:37:14 +04:00
|
|
|
MP_CHECKOK( mp_sqr(&square, &power2) ); /* square = square ** 2 */
|
|
|
|
|
MP_CHECKOK( s_mp_redc(&power2, &mmm) );
|
|
|
|
|
|
|
|
|
|
for (i = 1; i < ODD_INTS; ++i) {
|
2000-08-02 05:03:14 +04:00
|
|
|
mp_init_size(oddPowers + i, MP_USED(modulus) + 2 * MP_USED(&power2) + 2);
|
2000-07-30 10:37:14 +04:00
|
|
|
MP_CHECKOK( mp_mul(oddPowers + (i - 1), &power2, oddPowers + i) );
|
|
|
|
|
MP_CHECKOK( s_mp_redc(oddPowers + i, &mmm) );
|
|
|
|
|
}
|
2000-07-29 03:09:02 +04:00
|
|
|
mp_set(&accum, 1);
|
|
|
|
|
MP_CHECKOK( mp_to_mont(&accum, &mmm, &accum) );
|
2000-07-30 10:37:14 +04:00
|
|
|
|
|
|
|
|
#define SQUARE \
|
2000-08-02 05:03:14 +04:00
|
|
|
MP_CHECKOK( mp_sqr(&accum, &tmp) );\
|
|
|
|
|
mp_exch(&accum, &tmp); \
|
2000-07-30 10:37:14 +04:00
|
|
|
MP_CHECKOK( s_mp_redc(&accum, &mmm) )
|
2000-08-04 23:58:20 +04:00
|
|
|
|
2000-07-30 10:37:14 +04:00
|
|
|
#define MUL(x) \
|
2000-08-02 05:03:14 +04:00
|
|
|
MP_CHECKOK( mp_mul(&accum, oddPowers + (x), &tmp) ); \
|
|
|
|
|
mp_exch(&accum, &tmp); \
|
2000-07-30 10:37:14 +04:00
|
|
|
MP_CHECKOK( s_mp_redc(&accum, &mmm))
|
|
|
|
|
|
|
|
|
|
for (expOff = bits_in_exponent - WINDOW_BITS; expOff >= 0; expOff -= WINDOW_BITS) {
|
|
|
|
|
mp_size smallExp;
|
|
|
|
|
MP_CHECKERR( mpl_get_bits(exponent, expOff, WINDOW_BITS) );
|
|
|
|
|
smallExp = (mp_size)rv;
|
|
|
|
|
|
|
|
|
|
#if WINDOW_BITS == 4
|
|
|
|
|
if (!smallExp) {
|
|
|
|
|
SQUARE; SQUARE; SQUARE; SQUARE;
|
|
|
|
|
} else if (smallExp & 1) {
|
|
|
|
|
SQUARE; SQUARE; SQUARE; SQUARE; MUL(smallExp/2);
|
|
|
|
|
} else if (smallExp & 2) {
|
|
|
|
|
SQUARE; SQUARE; SQUARE; MUL(smallExp/4); SQUARE;
|
|
|
|
|
} else if (smallExp & 4) {
|
|
|
|
|
SQUARE; SQUARE; MUL(smallExp/8); SQUARE; SQUARE;
|
|
|
|
|
} else if (smallExp & 8) {
|
|
|
|
|
SQUARE; MUL(smallExp/16); SQUARE; SQUARE; SQUARE;
|
|
|
|
|
} else {
|
|
|
|
|
abort();
|
|
|
|
|
}
|
|
|
|
|
#elif WINDOW_BITS == 5
|
|
|
|
|
if (!smallExp) {
|
|
|
|
|
SQUARE; SQUARE; SQUARE; SQUARE; SQUARE;
|
|
|
|
|
} else if (smallExp & 1) {
|
|
|
|
|
SQUARE; SQUARE; SQUARE; SQUARE; SQUARE; MUL(smallExp/2);
|
|
|
|
|
} else if (smallExp & 2) {
|
|
|
|
|
SQUARE; SQUARE; SQUARE; SQUARE; MUL(smallExp/4); SQUARE;
|
|
|
|
|
} else if (smallExp & 4) {
|
|
|
|
|
SQUARE; SQUARE; SQUARE; MUL(smallExp/8); SQUARE; SQUARE;
|
|
|
|
|
} else if (smallExp & 8) {
|
|
|
|
|
SQUARE; SQUARE; MUL(smallExp/16); SQUARE; SQUARE; SQUARE;
|
|
|
|
|
} else if (smallExp & 0x10) {
|
|
|
|
|
SQUARE; MUL(smallExp/32); SQUARE; SQUARE; SQUARE; SQUARE;
|
|
|
|
|
} else {
|
|
|
|
|
abort();
|
|
|
|
|
}
|
|
|
|
|
#elif WINDOW_BITS == 6
|
|
|
|
|
if (!smallExp) {
|
|
|
|
|
SQUARE; SQUARE; SQUARE; SQUARE; SQUARE; SQUARE;
|
|
|
|
|
} else if (smallExp & 1) {
|
|
|
|
|
SQUARE; SQUARE; SQUARE; SQUARE; SQUARE; SQUARE; MUL(smallExp/2);
|
|
|
|
|
} else if (smallExp & 2) {
|
|
|
|
|
SQUARE; SQUARE; SQUARE; SQUARE; SQUARE; MUL(smallExp/4); SQUARE;
|
|
|
|
|
} else if (smallExp & 4) {
|
|
|
|
|
SQUARE; SQUARE; SQUARE; SQUARE; MUL(smallExp/8); SQUARE; SQUARE;
|
|
|
|
|
} else if (smallExp & 8) {
|
|
|
|
|
SQUARE; SQUARE; SQUARE; MUL(smallExp/16); SQUARE; SQUARE; SQUARE;
|
|
|
|
|
} else if (smallExp & 0x10) {
|
|
|
|
|
SQUARE; SQUARE; MUL(smallExp/32); SQUARE; SQUARE; SQUARE; SQUARE;
|
|
|
|
|
} else if (smallExp & 0x20) {
|
|
|
|
|
SQUARE; MUL(smallExp/64); SQUARE; SQUARE; SQUARE; SQUARE; SQUARE;
|
|
|
|
|
} else {
|
|
|
|
|
abort();
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
#error "Unknown value for WINDOW_BITS"
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
mp_clear(&power2);
|
|
|
|
|
for (i = 0; i < ODD_INTS; ++i) {
|
|
|
|
|
mp_clear(oddPowers + i);
|
2000-07-29 03:09:02 +04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
rv = s_mp_redc(&accum, &mmm);
|
|
|
|
|
mp_exch(&accum, result);
|
|
|
|
|
loser:
|
|
|
|
|
mp_clear(&square);
|
|
|
|
|
mp_clear(&accum);
|
|
|
|
|
mp_clear(&goodBase);
|
2000-08-02 05:03:14 +04:00
|
|
|
mp_clear(&tmp);
|
2000-07-29 03:09:02 +04:00
|
|
|
/* Don't mp_clear mmm.N because it is merely a copy of modulus.
|
|
|
|
|
** Just zap it.
|
|
|
|
|
*/
|
|
|
|
|
memset(&mmm, 0, sizeof mmm);
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
