Skip to main content

num_bigint/biguint/
monty.rs

1use alloc::vec::Vec;
2use core::mem;
3use core::ops::Shl;
4
5use crate::big_digit::{self, BigDigit, BigDigits, DoubleBigDigit};
6use crate::biguint::BigUint;
7
8struct MontyReducer {
9    n0inv: BigDigit,
10}
11
12// k0 = -m**-1 mod 2**BITS. Algorithm from: Dumas, J.G. "On Newton–Raphson
13// Iteration for Multiplicative Inverses Modulo Prime Powers".
14fn inv_mod_alt(b: BigDigit) -> BigDigit {
15    assert_ne!(b & 1, 0);
16
17    let mut k0 = BigDigit::wrapping_sub(2, b);
18    let mut t = b - 1;
19    let mut i = 1;
20    while i < big_digit::BITS {
21        t = t.wrapping_mul(t);
22        k0 = k0.wrapping_mul(t + 1);
23
24        i <<= 1;
25    }
26    debug_assert_eq!(k0.wrapping_mul(b), 1);
27    k0.wrapping_neg()
28}
29
30impl MontyReducer {
31    fn new(n: &BigUint) -> Self {
32        let n0inv = inv_mod_alt(n.data[0]);
33        MontyReducer { n0inv }
34    }
35}
36
37/// Computes z mod m = x * y * 2 ** (-n*_W) mod m
38/// assuming k = -1/m mod 2**_W
39/// See Gueron, "Efficient Software Implementations of Modular Exponentiation".
40/// <https://eprint.iacr.org/2011/239.pdf>
41/// In the terminology of that paper, this is an "Almost Montgomery Multiplication":
42/// x and y are required to satisfy 0 <= z < 2**(n*_W) and then the result
43/// z is guaranteed to satisfy 0 <= z < 2**(n*_W), but it may not be < m.
44#[allow(clippy::many_single_char_names)]
45fn montgomery(x: &BigUint, y: &BigUint, m: &BigUint, k: BigDigit, n: usize) -> BigUint {
46    // This code assumes x, y, m are all the same length, n.
47    // (required by addMulVVW and the for loop).
48    // It also assumes that x, y are already reduced mod m,
49    // or else the result will not be properly reduced.
50    assert!(
51        x.data.len() == n && y.data.len() == n && m.data.len() == n,
52        "{:?} {:?} {:?} {}",
53        x,
54        y,
55        m,
56        n
57    );
58
59    let (x, y, m) = (&*x.data, &*y.data, &*m.data);
60
61    let mut z = vec![0; n * 2];
62
63    let mut c: BigDigit = 0;
64    for i in 0..n {
65        let z = &mut z[i..];
66        let c2 = add_mul_vvw(&mut z[..n], x, y[i]);
67        let t = z[0].wrapping_mul(k);
68        let c3 = add_mul_vvw(&mut z[..n], m, t);
69        let cx = c.wrapping_add(c2);
70        let cy = cx.wrapping_add(c3);
71        z[n] = cy;
72        if cx < c2 || cy < c3 {
73            c = 1;
74        } else {
75            c = 0;
76        }
77    }
78
79    let data = if c == 0 {
80        BigDigits::from_slice(&z[n..])
81    } else {
82        let (first, second) = z.split_at_mut(n);
83        sub_vv(first, second, m);
84        BigDigits::from_slice(first)
85    };
86    BigUint { data }
87}
88
89#[inline(always)]
90fn add_mul_vvw(z: &mut [BigDigit], x: &[BigDigit], y: BigDigit) -> BigDigit {
91    let mut c = 0;
92    for (zi, xi) in z.iter_mut().zip(x.iter()) {
93        let (z1, z0) = mul_add_www(*xi, y, *zi);
94        let (c_, zi_) = add_ww(z0, c, 0);
95        *zi = zi_;
96        c = c_ + z1;
97    }
98
99    c
100}
101
102/// The resulting carry c is either 0 or 1.
103#[inline(always)]
104fn sub_vv(z: &mut [BigDigit], x: &[BigDigit], y: &[BigDigit]) -> BigDigit {
105    let mut c = 0;
106    for (i, (xi, yi)) in x.iter().zip(y.iter()).enumerate().take(z.len()) {
107        let zi = xi.wrapping_sub(*yi).wrapping_sub(c);
108        z[i] = zi;
109        // see "Hacker's Delight", section 2-12 (overflow detection)
110        c = ((yi & !xi) | ((yi | !xi) & zi)) >> (big_digit::BITS - 1)
111    }
112
113    c
114}
115
116/// z1<<_W + z0 = x+y+c, with c == 0 or 1
117#[inline(always)]
118fn add_ww(x: BigDigit, y: BigDigit, c: BigDigit) -> (BigDigit, BigDigit) {
119    let yc = y.wrapping_add(c);
120    let z0 = x.wrapping_add(yc);
121    let z1 = if z0 < x || yc < y { 1 } else { 0 };
122
123    (z1, z0)
124}
125
126/// z1 << _W + z0 = x * y + c
127#[inline(always)]
128fn mul_add_www(x: BigDigit, y: BigDigit, c: BigDigit) -> (BigDigit, BigDigit) {
129    let z = x as DoubleBigDigit * y as DoubleBigDigit + c as DoubleBigDigit;
130    ((z >> big_digit::BITS) as BigDigit, z as BigDigit)
131}
132
133/// Calculates x ** y mod m using a fixed, 4-bit window.
134#[allow(clippy::many_single_char_names)]
135pub(super) fn monty_modpow(x: &BigUint, y: &BigUint, m: &BigUint) -> BigUint {
136    assert!(m.data[0] & 1 == 1);
137    let mr = MontyReducer::new(m);
138    let num_words = m.data.len();
139
140    let mut x = x.clone();
141
142    // We want the lengths of x and m to be equal.
143    // It is OK if x >= m as long as len(x) == len(m).
144    if x.data.len() > num_words {
145        x %= m;
146        // Note: now len(x) <= numWords, not guaranteed ==.
147    }
148    if x.data.len() < num_words {
149        x.data.resize(num_words, 0);
150    }
151
152    // rr = 2**(2*_W*len(m)) mod m
153    let mut rr = BigUint::ONE;
154    rr = (rr.shl(2 * num_words as u64 * u64::from(big_digit::BITS))) % m;
155    if rr.data.len() < num_words {
156        rr.data.resize(num_words, 0);
157    }
158    // one = 1, with equal length to that of m
159    let mut one = BigUint::ONE;
160    one.data.resize(num_words, 0);
161
162    let n = 4;
163    // powers[i] contains x^i
164    let mut powers = Vec::with_capacity(1 << n);
165    powers.push(montgomery(&one, &rr, m, mr.n0inv, num_words));
166    powers.push(montgomery(&x, &rr, m, mr.n0inv, num_words));
167    for i in 2..1 << n {
168        let r = montgomery(&powers[i - 1], &powers[1], m, mr.n0inv, num_words);
169        powers.push(r);
170    }
171
172    // initialize z = 1 (Montgomery 1)
173    let mut z = powers[0].clone();
174    z.data.resize(num_words, 0);
175    let mut zz = BigUint::ZERO;
176    zz.data.resize(num_words, 0);
177
178    // same windowed exponent, but with Montgomery multiplications
179    let y = &*y.data;
180    for i in (0..y.len()).rev() {
181        let mut yi = y[i];
182        let mut j = 0;
183        while j < big_digit::BITS {
184            if i != y.len() - 1 || j != 0 {
185                zz = montgomery(&z, &z, m, mr.n0inv, num_words);
186                z = montgomery(&zz, &zz, m, mr.n0inv, num_words);
187                zz = montgomery(&z, &z, m, mr.n0inv, num_words);
188                z = montgomery(&zz, &zz, m, mr.n0inv, num_words);
189            }
190            zz = montgomery(
191                &z,
192                &powers[(yi >> (big_digit::BITS - n)) as usize],
193                m,
194                mr.n0inv,
195                num_words,
196            );
197            mem::swap(&mut z, &mut zz);
198            yi <<= n;
199            j += n;
200        }
201    }
202
203    // convert to regular number
204    zz = montgomery(&z, &one, m, mr.n0inv, num_words);
205
206    zz.data.normalize();
207    // One last reduction, just in case.
208    // See golang.org/issue/13907.
209    if zz >= *m {
210        // Common case is m has high bit set; in that case,
211        // since zz is the same length as m, there can be just
212        // one multiple of m to remove. Just subtract.
213        // We think that the subtract should be sufficient in general,
214        // so do that unconditionally, but double-check,
215        // in case our beliefs are wrong.
216        // The div is not expected to be reached.
217        zz -= m;
218        if zz >= *m {
219            zz %= m;
220        }
221    }
222
223    zz.data.normalize();
224    zz
225}