/** * Constructs a new bignum from another bignum, a number or a hex string. * @constructor */ sjcl.bn = function(it) { this.initWith(it); }; sjcl.bn.prototype = { radix: 24, maxMul: 8, _class: sjcl.bn, copy: function() { return new this._class(this); }, /** * Initializes this with it, either as a bn, a number, or a hex string. */ initWith: function(it) { var i=0, k; switch(typeof it) { case "object": this.limbs = it.limbs.slice(0); break; case "number": this.limbs = [it]; this.normalize(); break; case "string": it = it.replace(/^0x/, ''); this.limbs = []; // hack k = this.radix / 4; for (i=0; i < it.length; i+=k) { this.limbs.push(parseInt(it.substring(Math.max(it.length - i - k, 0), it.length - i),16)); } break; default: this.limbs = [0]; } return this; }, /** * Returns true if "this" and "that" are equal. Calls fullReduce(). * Equality test is in constant time. */ equals: function(that) { if (typeof that === "number") { that = new this._class(that); } var difference = 0, i; this.fullReduce(); that.fullReduce(); for (i = 0; i < this.limbs.length || i < that.limbs.length; i++) { difference |= this.getLimb(i) ^ that.getLimb(i); } return (difference === 0); }, /** * Get the i'th limb of this, zero if i is too large. */ getLimb: function(i) { return (i >= this.limbs.length) ? 0 : this.limbs[i]; }, /** * Constant time comparison function. * Returns 1 if this >= that, or zero otherwise. */ greaterEquals: function(that) { if (typeof that === "number") { that = new this._class(that); } var less = 0, greater = 0, i, a, b; i = Math.max(this.limbs.length, that.limbs.length) - 1; for (; i>= 0; i--) { a = this.getLimb(i); b = that.getLimb(i); greater |= (b - a) & ~less; less |= (a - b) & ~greater; } return (greater | ~less) >>> 31; }, /** * Convert to a hex string. */ toString: function() { this.fullReduce(); var out="", i, s, l = this.limbs; for (i=0; i < this.limbs.length; i++) { s = l[i].toString(16); while (i < this.limbs.length - 1 && s.length < 6) { s = "0" + s; } out = s + out; } return "0x"+out; }, /** this += that. Does not normalize. */ addM: function(that) { if (typeof(that) !== "object") { that = new this._class(that); } var i, l=this.limbs, ll=that.limbs; for (i=l.length; i> r; } if (carry) { l.push(carry); } return this; }, /** this /= 2, rounded down. Requires normalized; ends up normalized. */ halveM: function() { var i, carry=0, tmp, r=this.radix, l=this.limbs; for (i=l.length-1; i>=0; i--) { tmp = l[i]; l[i] = (tmp+carry)>>1; carry = (tmp&1) << r; } if (!l[l.length-1]) { l.pop(); } return this; }, /** this -= that. Does not normalize. */ subM: function(that) { if (typeof(that) !== "object") { that = new this._class(that); } var i, l=this.limbs, ll=that.limbs; for (i=l.length; i 0; ci--) { that.halveM(); if (out.greaterEquals(that)) { out.subM(that).normalize(); } } return out.trim(); }, /** return inverse mod prime p. p must be odd. Binary extended Euclidean algorithm mod p. */ inverseMod: function(p) { var a = new sjcl.bn(1), b = new sjcl.bn(0), x = new sjcl.bn(this), y = new sjcl.bn(p), tmp, i, nz=1; if (!(p.limbs[0] & 1)) { throw (new sjcl.exception.invalid("inverseMod: p must be odd")); } // invariant: y is odd do { if (x.limbs[0] & 1) { if (!x.greaterEquals(y)) { // x < y; swap everything tmp = x; x = y; y = tmp; tmp = a; a = b; b = tmp; } x.subM(y); x.normalize(); if (!a.greaterEquals(b)) { a.addM(p); } a.subM(b); } // cut everything in half x.halveM(); if (a.limbs[0] & 1) { a.addM(p); } a.normalize(); a.halveM(); // check for termination: x ?= 0 for (i=nz=0; i>(j + 1) == 0) { break; } pow = pow.square(); } } return out; }, /** this * that mod N */ mulmod: function(that, N) { return this.mod(N).mul(that.mod(N)).mod(N); }, /** this ^ x mod N */ powermod: function(x, N) { x = new sjcl.bn(x); N = new sjcl.bn(N); // Jump to montpowermod if possible. if ((N.limbs[0] & 1) == 1) { var montOut = this.montpowermod(x, N); if (montOut != false) { return montOut; } // else go to slow powermod } var i, j, l = x.normalize().trim().limbs, out = new this._class(1), pow = this; for (i=0; i>(j + 1) == 0) { break; } pow = pow.mulmod(pow, N); } } return out; }, /** this ^ x mod N with Montomery reduction */ montpowermod: function(x, N) { x = new sjcl.bn(x).normalize().trim(); N = new sjcl.bn(N); var i, j, radix = this.radix, out = new this._class(1), pow = this.copy(); // Generate R as a cap of N. var R, s, wind, bitsize = x.bitLength(); R = new sjcl.bn({ limbs: N.copy().normalize().trim().limbs.map(function() { return 0; }) }); for (s = this.radix; s > 0; s--) { if (((N.limbs[N.limbs.length - 1] >> s) & 1) == 1) { R.limbs[R.limbs.length - 1] = 1 << s; break; } } // Calculate window size as a function of the exponent's size. if (bitsize == 0) { return this; } else if (bitsize < 18) { wind = 1; } else if (bitsize < 48) { wind = 3; } else if (bitsize < 144) { wind = 4; } else if (bitsize < 768) { wind = 5; } else { wind = 6; } // Find R' and N' such that R * R' - N * N' = 1. var RR = R.copy(), NN = N.copy(), RP = new sjcl.bn(1), NP = new sjcl.bn(0), RT = R.copy(); while (RT.greaterEquals(1)) { RT.halveM(); if ((RP.limbs[0] & 1) == 0) { RP.halveM(); NP.halveM(); } else { RP.addM(NN); RP.halveM(); NP.halveM(); NP.addM(RR); } } RP = RP.normalize(); NP = NP.normalize(); RR.doubleM(); var R2 = RR.mulmod(RR, N); // Check whether the invariant holds. // If it doesn't, we can't use Montgomery reduction on this modulus. if (!RR.mul(RP).sub(N.mul(NP)).equals(1)) { return false; } var montIn = function(c) { return montMul(c, R2); }, montMul = function(a, b) { // Standard Montgomery reduction var k, carry, ab, right, abBar, mask = (1 << (s + 1)) - 1; ab = a.mul(b); right = ab.mul(NP); right.limbs = right.limbs.slice(0, R.limbs.length); if (right.limbs.length == R.limbs.length) { right.limbs[R.limbs.length - 1] &= mask; } right = right.mul(N); abBar = ab.add(right).normalize().trim(); abBar.limbs = abBar.limbs.slice(R.limbs.length - 1); // Division. Equivelent to calling *.halveM() s times. for (k=0; k < abBar.limbs.length; k++) { if (k > 0) { abBar.limbs[k - 1] |= (abBar.limbs[k] & mask) << (radix - s - 1); } abBar.limbs[k] = abBar.limbs[k] >> (s + 1); } if (abBar.greaterEquals(N)) { abBar.subM(N); } return abBar; }, montOut = function(c) { return montMul(c, 1); }; pow = montIn(pow); out = montIn(out); // Sliding-Window Exponentiation (HAC 14.85) var h, precomp = {}, cap = (1 << (wind - 1)) - 1; precomp[1] = pow.copy(); precomp[2] = montMul(pow, pow); for (h=1; h<=cap; h++) { precomp[(2 * h) + 1] = montMul(precomp[(2 * h) - 1], precomp[2]); } var getBit = function(exp, i) { // Gets ith bit of exp. var off = i % exp.radix; return (exp.limbs[Math.floor(i / exp.radix)] & (1 << off)) >> off; }; for (i = x.bitLength() - 1; i >= 0; ) { if (getBit(x, i) == 0) { // If the next bit is zero: // Square, move forward one bit. out = montMul(out, out); i = i - 1; } else { // If the next bit is one: // Find the longest sequence of bits after this one, less than `wind` // bits long, that ends with a 1. Convert the sequence into an // integer and look up the pre-computed value to add. var l = i - wind + 1; while (getBit(x, l) == 0) { l++; } var indx = 0; for (j = l; j <= i; j++) { indx += getBit(x, j) << (j - l); out = montMul(out, out); } out = montMul(out, precomp[indx]); i = l - 1; } } return montOut(out); }, trim: function() { var l = this.limbs, p; do { p = l.pop(); } while (l.length && p === 0); l.push(p); return this; }, /** Reduce mod a modulus. Stubbed for subclassing. */ reduce: function() { return this; }, /** Reduce and normalize. */ fullReduce: function() { return this.normalize(); }, /** Propagate carries. */ normalize: function() { var carry=0, i, pv = this.placeVal, ipv = this.ipv, l, m, limbs = this.limbs, ll = limbs.length, mask = this.radixMask; for (i=0; i < ll || (carry !== 0 && carry !== -1); i++) { l = (limbs[i]||0) + carry; m = limbs[i] = l & mask; carry = (l-m)*ipv; } if (carry === -1) { limbs[i-1] -= pv; } this.trim(); return this; }, /** Constant-time normalize. Does not allocate additional space. */ cnormalize: function() { var carry=0, i, ipv = this.ipv, l, m, limbs = this.limbs, ll = limbs.length, mask = this.radixMask; for (i=0; i < ll-1; i++) { l = limbs[i] + carry; m = limbs[i] = l & mask; carry = (l-m)*ipv; } limbs[i] += carry; return this; }, /** Serialize to a bit array */ toBits: function(len) { this.fullReduce(); len = len || this.exponent || this.bitLength(); var i = Math.floor((len-1)/24), w=sjcl.bitArray, e = (len + 7 & -8) % this.radix || this.radix, out = [w.partial(e, this.getLimb(i))]; for (i--; i >= 0; i--) { out = w.concat(out, [w.partial(Math.min(this.radix,len), this.getLimb(i))]); len -= this.radix; } return out; }, /** Return the length in bits, rounded up to the nearest byte. */ bitLength: function() { this.fullReduce(); var out = this.radix * (this.limbs.length - 1), b = this.limbs[this.limbs.length - 1]; for (; b; b >>>= 1) { out ++; } return out+7 & -8; } }; /** @memberOf sjcl.bn * @this { sjcl.bn } */ sjcl.bn.fromBits = function(bits) { var Class = this, out = new Class(), words=[], w=sjcl.bitArray, t = this.prototype, l = Math.min(this.bitLength || 0x100000000, w.bitLength(bits)), e = l % t.radix || t.radix; words[0] = w.extract(bits, 0, e); for (; e < l; e += t.radix) { words.unshift(w.extract(bits, e, t.radix)); } out.limbs = words; return out; }; sjcl.bn.prototype.ipv = 1 / (sjcl.bn.prototype.placeVal = Math.pow(2,sjcl.bn.prototype.radix)); sjcl.bn.prototype.radixMask = (1 << sjcl.bn.prototype.radix) - 1; /** * Creates a new subclass of bn, based on reduction modulo a pseudo-Mersenne prime, * i.e. a prime of the form 2^e + sum(a * 2^b),where the sum is negative and sparse. */ sjcl.bn.pseudoMersennePrime = function(exponent, coeff) { /** @constructor * @private */ function p(it) { this.initWith(it); /*if (this.limbs[this.modOffset]) { this.reduce(); }*/ } var ppr = p.prototype = new sjcl.bn(), i, tmp, mo; mo = ppr.modOffset = Math.ceil(tmp = exponent / ppr.radix); ppr.exponent = exponent; ppr.offset = []; ppr.factor = []; ppr.minOffset = mo; ppr.fullMask = 0; ppr.fullOffset = []; ppr.fullFactor = []; ppr.modulus = p.modulus = new sjcl.bn(Math.pow(2,exponent)); ppr.fullMask = 0|-Math.pow(2, exponent % ppr.radix); for (i=0; i mo) { l = limbs.pop(); ll = limbs.length; for (k=0; k