2008-11-17 18:29:00 -05:00
|
|
|
// ----------------------------------------------------------------------------
|
2008-03-05 09:52:00 -05:00
|
|
|
//
|
|
|
|
|
// Copyright (c) Microsoft Corporation. All rights reserved.
|
|
|
|
|
//
|
2008-11-17 18:29:00 -05:00
|
|
|
// ----------------------------------------------------------------------------
|
2008-03-05 09:52:00 -05:00
|
|
|
|
|
|
|
|
using System;
|
|
|
|
|
using System.Diagnostics;
|
|
|
|
|
|
2008-11-17 18:29:00 -05:00
|
|
|
namespace Microsoft.Singularity.Crypto.PublicKey
|
|
|
|
|
{
|
|
|
|
|
class Modulus
|
|
|
|
|
{
|
2008-03-05 09:52:00 -05:00
|
|
|
internal readonly int _digitN;
|
|
|
|
|
readonly int _scaleBitN;
|
|
|
|
|
readonly bool _fromRight;
|
|
|
|
|
readonly Reciprocal _leftRecip;
|
|
|
|
|
readonly Digit _rightRecip;
|
|
|
|
|
internal readonly Digits _mod;
|
|
|
|
|
readonly Digits _multiplier1;
|
|
|
|
|
readonly Digits _multiplier2;
|
|
|
|
|
internal readonly Digits _one;
|
|
|
|
|
MulAlgorithm _algorithm;
|
|
|
|
|
internal Modulus(Digits mod, int digitN, bool fromRight) {
|
|
|
|
|
if (digitN == 0 || mod[digitN - 1] == 0) {
|
|
|
|
|
throw new ArgumentException();
|
|
|
|
|
}
|
|
|
|
|
_mod = mod;
|
|
|
|
|
_digitN = digitN;
|
|
|
|
|
_fromRight = fromRight;
|
|
|
|
|
_one = new Digits(digitN);
|
|
|
|
|
_multiplier1 = new Digits(digitN);
|
|
|
|
|
_multiplier2 = new Digits(digitN);
|
|
|
|
|
// this.mod.Set(this.mod, _digitN);
|
|
|
|
|
_leftRecip = new Reciprocal();
|
|
|
|
|
Digits.DivPrecondition(mod, digitN, _leftRecip);
|
|
|
|
|
Digit mod0inv = 0;
|
2008-11-17 18:29:00 -05:00
|
|
|
if ((mod[0] & 1) != 0) {
|
|
|
|
|
mod0inv = Digit.TwoAdicInverse(mod[0]);
|
|
|
|
|
}
|
2008-03-05 09:52:00 -05:00
|
|
|
_rightRecip = mod0inv;
|
|
|
|
|
int digitN2 = (digitN + 1) / 2;
|
|
|
|
|
Digits temp = new Digits(digitN + digitN2);
|
|
|
|
|
if (!fromRight) {
|
|
|
|
|
_algorithm = new MulAlgorithm(_MulFromLeft);
|
|
|
|
|
int dividendN = digitN + digitN2;
|
|
|
|
|
_scaleBitN = 0;
|
|
|
|
|
for (int i = 0; i != dividendN; i++) {
|
|
|
|
|
temp[i] = Digit.MaxValue;
|
|
|
|
|
}
|
|
|
|
|
temp[dividendN - 1] = Digit.MaxValue >> _leftRecip._shiftBitN;
|
|
|
|
|
Digits q = new Digits(digitN2 + 1);
|
|
|
|
|
Digits r = new Digits(digitN);
|
|
|
|
|
Digits.Div(temp, dividendN, mod, digitN, _leftRecip, q, r);
|
|
|
|
|
Debug.Assert(q[digitN2] == 1, "internal error");
|
|
|
|
|
Digits.Add(r, 1U, r, digitN);
|
|
|
|
|
Digits.Sub(mod, r, r, digitN);
|
2008-11-17 18:29:00 -05:00
|
|
|
}
|
|
|
|
|
else {
|
2008-03-05 09:52:00 -05:00
|
|
|
_algorithm = new MulAlgorithm(_MulFromRight);
|
|
|
|
|
_scaleBitN = Digit.BitN * digitN;
|
2008-11-17 18:29:00 -05:00
|
|
|
if (mod0inv == 0) {
|
|
|
|
|
throw new ArgumentException();
|
|
|
|
|
}
|
2008-03-05 09:52:00 -05:00
|
|
|
_multiplier2[0] = mod0inv;
|
|
|
|
|
temp[digitN] = Digits.Mul(mod, mod0inv, temp, digitN);
|
|
|
|
|
Debug.Assert(temp[0] == 1, "internal error");
|
|
|
|
|
for (int i = 1; i != digitN2; i++) {
|
|
|
|
|
Digit mul = unchecked(0 - mod0inv * temp[i]);
|
|
|
|
|
_multiplier2[i] = mul;
|
|
|
|
|
temp[i + digitN]
|
|
|
|
|
= Digits.Accumulate(mod, mul, temp + i, digitN);
|
|
|
|
|
Debug.Assert(temp[i] == 0, "internal error");
|
|
|
|
|
}
|
|
|
|
|
_multiplier1._Set(temp + digitN2, digitN);
|
|
|
|
|
}
|
|
|
|
|
_ToModular(new Digits(new Digit[] { 1 }), 1, _one);
|
|
|
|
|
}
|
|
|
|
|
void _BasePowerSquaring(Digits basepower) {
|
|
|
|
|
_Mul(basepower, basepower, basepower);
|
|
|
|
|
}
|
2008-11-17 18:29:00 -05:00
|
|
|
class Temps2000
|
|
|
|
|
{
|
2008-03-05 09:52:00 -05:00
|
|
|
internal Modulus _modulus;
|
|
|
|
|
internal Digits[] _bucket = new Digits[1L << 5];
|
|
|
|
|
internal bool[] _bucketBusy = new bool[1L << 5];
|
|
|
|
|
}
|
|
|
|
|
void _BucketMul(UInt32 ibucket, Digits mult, Temps2000 temps) {
|
|
|
|
|
Digits bloc = temps._bucket[ibucket];
|
|
|
|
|
if (temps._bucketBusy[ibucket]) {
|
|
|
|
|
_Mul(bloc, mult, bloc);
|
2008-11-17 18:29:00 -05:00
|
|
|
}
|
|
|
|
|
else {
|
2008-03-05 09:52:00 -05:00
|
|
|
temps._bucketBusy[ibucket] = true;
|
|
|
|
|
bloc._Set(mult, _digitN);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
internal void
|
|
|
|
|
_Exp(Digits @base, Digits exp, int expDigitN, Digits answer) {
|
|
|
|
|
int expBitNUsed = Digits.SigBitN(exp, expDigitN);
|
|
|
|
|
ushort[] widthCutoffs = new ushort[] { 6, 24, 80, 240, 672 };
|
|
|
|
|
Digits basepower = answer;
|
|
|
|
|
int bucketWidth = 1;
|
|
|
|
|
while (
|
|
|
|
|
bucketWidth < 5 && widthCutoffs[bucketWidth - 1] < expBitNUsed
|
|
|
|
|
) {
|
|
|
|
|
bucketWidth++;
|
|
|
|
|
}
|
|
|
|
|
Modular.ValidateData(@base, _mod, _digitN);
|
|
|
|
|
UInt32 bucketMask = (1U << bucketWidth) - 1;
|
|
|
|
|
UInt32 maxBucket = bucketMask;
|
|
|
|
|
Digits bucketData = new Digits((int)(_digitN * maxBucket));
|
|
|
|
|
Temps2000 temps = new Temps2000();
|
|
|
|
|
temps._modulus = this;
|
|
|
|
|
temps._bucket[0] = null;
|
|
|
|
|
Modular.Add(_one, _one, bucketData, _mod, _digitN);
|
|
|
|
|
bool base2 = Digits.Compare(@base, bucketData, _digitN) == 0;
|
|
|
|
|
if (base2 && expBitNUsed != 0) {
|
|
|
|
|
int shiftMax
|
|
|
|
|
= Digit.BitN * _digitN > 1024 ? 1024 : Digit.BitN * _digitN;
|
|
|
|
|
int highExponBitN = 0;
|
|
|
|
|
bool bighBitNProcessed = false;
|
|
|
|
|
Digits temp = bucketData;
|
2008-11-17 18:29:00 -05:00
|
|
|
for (int i = expBitNUsed; i-- != 0;) {
|
2008-03-05 09:52:00 -05:00
|
|
|
Digit expBit = Digits.GetBit(exp, i);
|
|
|
|
|
if (bighBitNProcessed) {
|
|
|
|
|
_Mul(temp, temp, temp);
|
|
|
|
|
if (expBit != 0) {
|
|
|
|
|
Modular.Add(temp, temp, temp, _mod, _digitN);
|
|
|
|
|
}
|
2008-11-17 18:29:00 -05:00
|
|
|
}
|
|
|
|
|
else {
|
2008-03-05 09:52:00 -05:00
|
|
|
highExponBitN = (int)(2 * highExponBitN + expBit);
|
|
|
|
|
if (i == 0 || 2 * highExponBitN >= shiftMax) {
|
|
|
|
|
bighBitNProcessed = true;
|
|
|
|
|
_Shift(_one, highExponBitN, temp);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
temps._bucket[1] = temp;
|
|
|
|
|
Debug.Assert(bighBitNProcessed, "internal error");
|
2008-11-17 18:29:00 -05:00
|
|
|
}
|
|
|
|
|
else {
|
2008-03-05 09:52:00 -05:00
|
|
|
UInt32 ibucket;
|
|
|
|
|
for (ibucket = 1; ibucket <= maxBucket; ibucket++) {
|
|
|
|
|
Digits bloc = bucketData
|
|
|
|
|
+ (int)(_digitN
|
|
|
|
|
* (ibucket
|
|
|
|
|
- 1
|
|
|
|
|
+ ((ibucket & 1) == 0 ? maxBucket : 0))
|
|
|
|
|
/ 2);
|
|
|
|
|
temps._bucket[ibucket] = bloc;
|
|
|
|
|
temps._bucketBusy[ibucket] = false;
|
|
|
|
|
bloc._Set(_one, _digitN);
|
|
|
|
|
}
|
|
|
|
|
basepower._Set(@base, _digitN);
|
|
|
|
|
Digit carried = 0;
|
|
|
|
|
int ndoubling = 0;
|
|
|
|
|
for (int i = 0; i != expBitNUsed; i++) {
|
|
|
|
|
Digit bitNow = Digits.GetBit(exp, i);
|
|
|
|
|
Debug.Assert(carried >> bucketWidth + 2 == 0
|
|
|
|
|
, "internal error");
|
|
|
|
|
if (bitNow != 0) {
|
|
|
|
|
while (ndoubling >= bucketWidth + 1) {
|
|
|
|
|
if ((carried & 1) != 0) {
|
|
|
|
|
ibucket = carried & bucketMask;
|
|
|
|
|
carried -= ibucket;
|
|
|
|
|
temps._modulus
|
|
|
|
|
._BucketMul(ibucket, basepower, temps);
|
|
|
|
|
}
|
|
|
|
|
temps._modulus._BasePowerSquaring(basepower);
|
|
|
|
|
carried /= 2;
|
|
|
|
|
ndoubling--;
|
|
|
|
|
}
|
|
|
|
|
carried |= 1U << ndoubling;
|
|
|
|
|
}
|
|
|
|
|
ndoubling++;
|
|
|
|
|
}
|
|
|
|
|
while (carried != 0) {
|
|
|
|
|
bool squareNow = false;
|
|
|
|
|
if (carried <= maxBucket) {
|
|
|
|
|
ibucket = carried;
|
2008-11-17 18:29:00 -05:00
|
|
|
}
|
|
|
|
|
else if ((carried & 1) == 0) {
|
2008-03-05 09:52:00 -05:00
|
|
|
squareNow = true;
|
2008-11-17 18:29:00 -05:00
|
|
|
}
|
|
|
|
|
else if (carried <= 3 * maxBucket) {
|
2008-03-05 09:52:00 -05:00
|
|
|
ibucket = maxBucket;
|
2008-11-17 18:29:00 -05:00
|
|
|
}
|
|
|
|
|
else {
|
2008-03-05 09:52:00 -05:00
|
|
|
Debug.Assert(false, "untested code");
|
|
|
|
|
ibucket = carried & bucketMask;
|
|
|
|
|
}
|
|
|
|
|
if (squareNow) {
|
|
|
|
|
carried /= 2;
|
|
|
|
|
temps._modulus._BasePowerSquaring(basepower);
|
2008-11-17 18:29:00 -05:00
|
|
|
}
|
|
|
|
|
else {
|
2008-03-05 09:52:00 -05:00
|
|
|
carried -= ibucket;
|
|
|
|
|
temps._modulus._BucketMul(ibucket, basepower, temps);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
for (ibucket = maxBucket; ibucket >= 2; ibucket--) {
|
|
|
|
|
if (temps._bucketBusy[ibucket]) {
|
|
|
|
|
bool found = false;
|
|
|
|
|
UInt32 jbucket, jbucketMax, kbucket;
|
|
|
|
|
Digits bloci;
|
|
|
|
|
if ((ibucket & 1) == 0) {
|
|
|
|
|
jbucketMax = ibucket / 2;
|
2008-11-17 18:29:00 -05:00
|
|
|
}
|
|
|
|
|
else {
|
2008-03-05 09:52:00 -05:00
|
|
|
jbucketMax = 1;
|
|
|
|
|
}
|
|
|
|
|
for (
|
|
|
|
|
jbucket = ibucket >> 1;
|
|
|
|
|
jbucket != ibucket && !found;
|
|
|
|
|
jbucket++
|
|
|
|
|
) {
|
|
|
|
|
if (temps._bucketBusy[jbucket]) {
|
|
|
|
|
jbucketMax = jbucket;
|
|
|
|
|
found = temps._bucketBusy[ibucket - jbucket];
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
jbucket = jbucketMax;
|
|
|
|
|
kbucket = ibucket - jbucket;
|
|
|
|
|
bloci = temps._bucket[ibucket];
|
|
|
|
|
temps._modulus._BucketMul(jbucket, bloci, temps);
|
|
|
|
|
temps._modulus._BucketMul(kbucket, bloci, temps);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
answer._Set(temps._bucket[1], _digitN);
|
|
|
|
|
}
|
|
|
|
|
void _MulFromLeft(Digits a, Digits b, Digits c) {
|
|
|
|
|
Digits product = new Digits(2 * _digitN);
|
|
|
|
|
Digits.Mul(a, _digitN, b, _digitN, product);
|
|
|
|
|
Digits
|
|
|
|
|
.Div(product, 2 * _digitN, _mod, _digitN, _leftRecip, null, c);
|
|
|
|
|
}
|
|
|
|
|
void _MulFromRight(Digits a, Digits b, Digits c) {
|
|
|
|
|
Digit minv = _rightRecip
|
|
|
|
|
, minva0 = unchecked(minv * a[0])
|
|
|
|
|
, mul1 = b[0]
|
|
|
|
|
, mul2 = unchecked(minva0 * mul1)
|
|
|
|
|
, carry1 = Digit2.Hi((UInt64)mul1 * a[0])
|
|
|
|
|
, carry2 = Digit2.Hi((UInt64)mul2 * _mod[0]);
|
|
|
|
|
UInt64 prod1, prod2;
|
|
|
|
|
Debug.Assert(unchecked(mul1 * a[0]) == unchecked(mul2 * _mod[0])
|
|
|
|
|
, "internal error");
|
|
|
|
|
Digits temp1 = new Digits(_digitN), temp2 = new Digits(_digitN);
|
|
|
|
|
for (int i = 1; i != _digitN; i++) {
|
|
|
|
|
prod1 = (UInt64)mul1 * a[i] + carry1;
|
|
|
|
|
prod2 = (UInt64)mul2 * _mod[i] + carry2;
|
|
|
|
|
temp1[i - 1] = Digit2.Lo(prod1);
|
|
|
|
|
temp2[i - 1] = Digit2.Lo(prod2);
|
|
|
|
|
carry1 = Digit2.Hi(prod1);
|
|
|
|
|
carry2 = Digit2.Hi(prod2);
|
|
|
|
|
}
|
|
|
|
|
temp1[_digitN - 1] = carry1;
|
|
|
|
|
temp2[_digitN - 1] = carry2;
|
|
|
|
|
for (int j = 1; j != _digitN; j++) {
|
|
|
|
|
mul1 = b[j];
|
|
|
|
|
mul2 = unchecked(minva0 * mul1 + minv * (temp1[0] - temp2[0]));
|
|
|
|
|
prod1 = (UInt64)mul1 * a[0] + temp1[0];
|
|
|
|
|
prod2 = (UInt64)mul2 * _mod[0] + temp2[0];
|
|
|
|
|
Debug.Assert(Digit2.Lo(prod1) == Digit2.Lo(prod2)
|
|
|
|
|
, "internal error");
|
|
|
|
|
carry1 = Digit2.Hi(prod1);
|
|
|
|
|
carry2 = Digit2.Hi(prod2);
|
|
|
|
|
for (int i = 1; i != _digitN; i++) {
|
|
|
|
|
prod1 = (UInt64)mul1 * a[i] + temp1[i] + carry1;
|
|
|
|
|
prod2 = (UInt64)mul2 * _mod[i] + temp2[i] + carry2;
|
|
|
|
|
temp1[i - 1] = Digit2.Lo(prod1);
|
|
|
|
|
temp2[i - 1] = Digit2.Lo(prod2);
|
|
|
|
|
carry1 = Digit2.Hi(prod1);
|
|
|
|
|
carry2 = Digit2.Hi(prod2);
|
|
|
|
|
}
|
|
|
|
|
temp1[_digitN - 1] = carry1;
|
|
|
|
|
temp2[_digitN - 1] = carry2;
|
|
|
|
|
}
|
|
|
|
|
Modular.Sub(temp1, temp2, c, _mod, _digitN);
|
|
|
|
|
}
|
|
|
|
|
internal void _FromModular(Digits a, Digits b) {
|
|
|
|
|
Modular.ValidateData(a, _mod, _digitN);
|
|
|
|
|
_Shift(a, -_scaleBitN, b);
|
|
|
|
|
}
|
|
|
|
|
internal void _Mul(Digits a, Digits b, Digits c) {
|
|
|
|
|
Modular.ValidateData(a, _mod, _digitN);
|
2008-11-17 18:29:00 -05:00
|
|
|
if (a != b) {
|
|
|
|
|
Modular.ValidateData(b, _mod, _digitN);
|
|
|
|
|
}
|
2008-03-05 09:52:00 -05:00
|
|
|
_algorithm(a, b, c);
|
|
|
|
|
}
|
|
|
|
|
void _Shift(Digits a, int n, Digits b) {
|
2008-11-17 18:29:00 -05:00
|
|
|
if (a != b) {
|
|
|
|
|
b._Set(a, _digitN);
|
|
|
|
|
}
|
2008-03-05 09:52:00 -05:00
|
|
|
Modular.ValidateData(a, _mod, _digitN);
|
2008-11-17 18:29:00 -05:00
|
|
|
if (n < 0 && (_mod[0] & 1) == 0) {
|
|
|
|
|
throw new ArgumentException();
|
|
|
|
|
}
|
2008-03-05 09:52:00 -05:00
|
|
|
while (n > 0) {
|
|
|
|
|
int shiftNow = n > Digit.BitN ? Digit.BitN : n;
|
|
|
|
|
Digit carryOut = Digits.ShiftLost(b, shiftNow, b, _digitN)
|
|
|
|
|
, qest = _leftRecip
|
|
|
|
|
.EstQuotient(carryOut
|
|
|
|
|
, b[_digitN - 1]
|
|
|
|
|
, _digitN >= 2 ? b[_digitN - 2] : 0);
|
|
|
|
|
carryOut -= Digits.Decumulate(_mod, qest, b, _digitN);
|
|
|
|
|
if (carryOut != 0 || Digits.Compare(b, _mod, _digitN) >= 0) {
|
|
|
|
|
carryOut -= Digits.Sub(b, _mod, b, _digitN);
|
|
|
|
|
}
|
|
|
|
|
Debug.Assert(carryOut == 0, "internal error");
|
|
|
|
|
n -= shiftNow;
|
|
|
|
|
}
|
|
|
|
|
while (n < 0) {
|
|
|
|
|
int shiftNow = -n > Digit.BitN ? Digit.BitN : -n;
|
|
|
|
|
Digit mul = unchecked(0 - _rightRecip * b[0])
|
|
|
|
|
& Digit.MaxValue >> Digit.BitN - shiftNow
|
|
|
|
|
, carry = Digits.Accumulate(_mod, mul, b, _digitN)
|
|
|
|
|
, lowBitNLost = Digits.ShiftLost(b, -shiftNow, b, _digitN);
|
|
|
|
|
b[_digitN - 1] |= carry << Digit.BitN - shiftNow;
|
|
|
|
|
Debug.Assert(lowBitNLost == 0, "internal error");
|
|
|
|
|
n += shiftNow;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
internal void _ToModular(Digits a, int aDigitN, Digits b) {
|
|
|
|
|
Digits aR;
|
|
|
|
|
int aRDigitN;
|
|
|
|
|
if (Digits.Compare(a, aDigitN, _mod, _digitN) >= 0) {
|
|
|
|
|
aR = new Digits(_digitN);
|
|
|
|
|
Digits.Div(a, aDigitN, _mod, _digitN, _leftRecip, null, aR);
|
|
|
|
|
aRDigitN = _digitN;
|
2008-11-17 18:29:00 -05:00
|
|
|
}
|
|
|
|
|
else {
|
2008-03-05 09:52:00 -05:00
|
|
|
aR = a;
|
|
|
|
|
aRDigitN = aDigitN;
|
|
|
|
|
}
|
|
|
|
|
aRDigitN = Digits.SigDigitN(aR, aRDigitN);
|
|
|
|
|
Digits.Set(aR, aRDigitN, b, _digitN);
|
|
|
|
|
_Shift(b, _scaleBitN, b);
|
|
|
|
|
}
|
|
|
|
|
delegate void MulAlgorithm(Digits arg0, Digits arg1, Digits arg2);
|
|
|
|
|
}
|
|
|
|
|
}
|
