/* this is a shell function that calls either the normal or Montgomery
* exptmod functions. Originally the call to the montgomery code was
* embedded in the normal function but that wasted alot of stack space
* for nothing (since 99% of the time the Montgomery code would be called)
*/
int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
{
int dr;
/* modulus P must be positive */
if (P->sign == MP_NEG) {
return MP_VAL;
}
/* if exponent X is negative we have to recurse */
if (X->sign == MP_NEG) {
mp_int tmpG, tmpX;
int err;
/* first compute 1/G mod P */
if ((err = mp_init(&tmpG)) != MP_OKAY) {
return err;
}
if ((err = mp_invmod(G, P, &tmpG)) != MP_OKAY) {
mp_clear(&tmpG);
return err;
}
/* now get |X| */
if ((err = mp_init(&tmpX)) != MP_OKAY) {
mp_clear(&tmpG);
return err;
}
if ((err = mp_abs(X, &tmpX)) != MP_OKAY) {
mp_clear_multi(&tmpG, &tmpX, NULL);
return err;
}
/* and now compute (1/G)**|X| instead of G**X [X < 0] */
err = mp_exptmod(&tmpG, &tmpX, P, Y);
mp_clear_multi(&tmpG, &tmpX, NULL);
return err;
}
/* is it a DR modulus? */
dr = mp_dr_is_modulus(P);
/* if not, is it a uDR modulus? */
if (dr == 0) {
dr = mp_reduce_is_2k(P) << 1;
}
/* if the modulus is odd or dr != 0 use the fast method */
#ifndef NO_FAST_EXPTMOD
if (mp_isodd (P) == 1 || dr != 0) {
return mp_exptmod_fast (G, X, P, Y, dr);
}
else
#endif
{
/* otherwise use the generic Barrett reduction technique */
return s_mp_exptmod (G, X, P, Y);
}
}
/* this is a shell function that calls either the normal or Montgomery
* exptmod functions. Originally the call to the montgomery code was
* embedded in the normal function but that wasted alot of stack space
* for nothing (since 99% of the time the Montgomery code would be called)
*/
int mp_exptmod(const mp_int *G, const mp_int *X, const mp_int *P, mp_int *Y)
{
int dr;
/* modulus P must be positive */
if (P->sign == MP_NEG) {
return MP_VAL;
}
/* if exponent X is negative we have to recurse */
if (X->sign == MP_NEG) {
#ifdef BN_MP_INVMOD_C
mp_int tmpG, tmpX;
int err;
/* first compute 1/G mod P */
if ((err = mp_init(&tmpG)) != MP_OKAY) {
return err;
}
if ((err = mp_invmod(G, P, &tmpG)) != MP_OKAY) {
mp_clear(&tmpG);
return err;
}
/* now get |X| */
if ((err = mp_init(&tmpX)) != MP_OKAY) {
mp_clear(&tmpG);
return err;
}
if ((err = mp_abs(X, &tmpX)) != MP_OKAY) {
mp_clear_multi(&tmpG, &tmpX, NULL);
return err;
}
/* and now compute (1/G)**|X| instead of G**X [X < 0] */
err = mp_exptmod(&tmpG, &tmpX, P, Y);
mp_clear_multi(&tmpG, &tmpX, NULL);
return err;
#else
/* no invmod */
return MP_VAL;
#endif
}
/* modified diminished radix reduction */
#if defined(BN_MP_REDUCE_IS_2K_L_C) && defined(BN_MP_REDUCE_2K_L_C) && defined(BN_S_MP_EXPTMOD_C)
if (mp_reduce_is_2k_l(P) == MP_YES) {
return s_mp_exptmod(G, X, P, Y, 1);
}
#endif
#ifdef BN_MP_DR_IS_MODULUS_C
/* is it a DR modulus? */
dr = mp_dr_is_modulus(P);
#else
/* default to no */
dr = 0;
#endif
#ifdef BN_MP_REDUCE_IS_2K_C
/* if not, is it a unrestricted DR modulus? */
if (dr == 0) {
dr = mp_reduce_is_2k(P) << 1;
}
#endif
/* if the modulus is odd or dr != 0 use the montgomery method */
#ifdef BN_MP_EXPTMOD_FAST_C
if ((mp_isodd(P) == MP_YES) || (dr != 0)) {
return mp_exptmod_fast(G, X, P, Y, dr);
} else {
#endif
#ifdef BN_S_MP_EXPTMOD_C
/* otherwise use the generic Barrett reduction technique */
return s_mp_exptmod(G, X, P, Y, 0);
#else
/* no exptmod for evens */
return MP_VAL;
#endif
#ifdef BN_MP_EXPTMOD_FAST_C
}
#endif
}
mp_err mp_exptmod(const mp_int *inBase, const mp_int *exponent,
const mp_int *modulus, mp_int *result)
{
const mp_int *base;
mp_size bits_in_exponent, i, window_bits, odd_ints;
mp_err res;
int nLen;
mp_int montBase, goodBase;
mp_mont_modulus mmm;
#ifdef MP_USING_CACHE_SAFE_MOD_EXP
static unsigned int max_window_bits;
#endif
/* function for computing n0prime only works if n0 is odd */
if (!mp_isodd(modulus))
return s_mp_exptmod(inBase, exponent, modulus, result);
MP_DIGITS(&montBase) = 0;
MP_DIGITS(&goodBase) = 0;
if (mp_cmp(inBase, modulus) < 0) {
base = inBase;
} else {
MP_CHECKOK( mp_init(&goodBase) );
base = &goodBase;
MP_CHECKOK( mp_mod(inBase, modulus, &goodBase) );
}
nLen = MP_USED(modulus);
MP_CHECKOK( mp_init_size(&montBase, 2 * nLen + 2) );
mmm.N = *modulus; /* a copy of the mp_int struct */
/* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX
** where n0 = least significant mp_digit of N, the modulus.
*/
mmm.n0prime = 0 - s_mp_invmod_radix( MP_DIGIT(modulus, 0) );
MP_CHECKOK( s_mp_to_mont(base, &mmm, &montBase) );
bits_in_exponent = mpl_significant_bits(exponent);
#ifdef MP_USING_CACHE_SAFE_MOD_EXP
if (mp_using_cache_safe_exp) {
if (bits_in_exponent > 780)
window_bits = 6;
else if (bits_in_exponent > 256)
window_bits = 5;
else if (bits_in_exponent > 20)
window_bits = 4;
/* RSA public key exponents are typically under 20 bits (common values
* are: 3, 17, 65537) and a 4-bit window is inefficient
*/
else
window_bits = 1;
} else
#endif
if (bits_in_exponent > 480)
window_bits = 6;
else if (bits_in_exponent > 160)
window_bits = 5;
else if (bits_in_exponent > 20)
window_bits = 4;
/* RSA public key exponents are typically under 20 bits (common values
* are: 3, 17, 65537) and a 4-bit window is inefficient
*/
else
window_bits = 1;
#ifdef MP_USING_CACHE_SAFE_MOD_EXP
/*
* clamp the window size based on
* the cache line size.
*/
if (!max_window_bits) {
unsigned long cache_size = s_mpi_getProcessorLineSize();
/* processor has no cache, use 'fast' code always */
if (cache_size == 0) {
mp_using_cache_safe_exp = 0;
}
if ((cache_size == 0) || (cache_size >= 64)) {
max_window_bits = 6;
} else if (cache_size >= 32) {
max_window_bits = 5;
} else if (cache_size >= 16) {
max_window_bits = 4;
} else max_window_bits = 1; /* should this be an assert? */
}
/* clamp the window size down before we caclulate bits_in_exponent */
if (mp_using_cache_safe_exp) {
if (window_bits > max_window_bits) {
window_bits = max_window_bits;
}
}
#endif
odd_ints = 1 << (window_bits - 1);
i = bits_in_exponent % window_bits;
if (i != 0) {
bits_in_exponent += window_bits - i;
}
#ifdef MP_USING_MONT_MULF
if (mp_using_mont_mulf) {
MP_CHECKOK( s_mp_pad(&montBase, nLen) );
res = mp_exptmod_f(&montBase, exponent, modulus, result, &mmm, nLen,
bits_in_exponent, window_bits, odd_ints);
} else
#endif
#ifdef MP_USING_CACHE_SAFE_MOD_EXP
if (mp_using_cache_safe_exp) {
res = mp_exptmod_safe_i(&montBase, exponent, modulus, result, &mmm, nLen,
bits_in_exponent, window_bits, 1 << window_bits);
} else
#endif
res = mp_exptmod_i(&montBase, exponent, modulus, result, &mmm, nLen,
bits_in_exponent, window_bits, odd_ints);
CLEANUP:
mp_clear(&montBase);
mp_clear(&goodBase);
/* Don't mp_clear mmm.N because it is merely a copy of modulus.
** Just zap it.
*/
memset(&mmm, 0, sizeof mmm);
return res;
}
