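/* Local aliases for the Montgomery routines defined further down in this
 * file, presumably so that the test code calls these implementations
 * rather than the ones exported by the library.  BN_to_montgomery is
 * redefined as a plain Montgomery multiply by RR (RR = R^2 mod N, see
 * BN_MONT_CTX_set): a * RR * R^-1 = a*R mod N.
 * Every macro argument is parenthesised so that expression arguments
 * (e.g. p+1, *pp) expand safely inside the call. */
9 #define BN_MONT_CTX_set bn_mcs
10 #define BN_from_montgomery bn_fm
11 #define BN_mod_mul_montgomery bn_mmm
12 #undef BN_to_montgomery
13 #define BN_to_montgomery(r,a,mont,ctx) bn_mmm(\
14 (r),(a),(mont)->RR,(mont),(ctx))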
/* Test-driver fragment (its signature is on lines not shown): generates a
 * prime (presumably SIZE bits), reduces two values A and B modulo it, and
 * compares bn_mul_high() against the top half of a full product.  In the
 * visible lines every result is only printed, never asserted, so this is
 * a visual check rather than a self-verifying test. */
18 BIGNUM prime,a,b,r,A,B,R;
/* NOTE(review): 'prime' is not BN_init()ed in the visible lines (19-24 are
 * not shown); BN_generate_prime() on an uninitialised BIGNUM would read a
 * garbage 'd'/'max' -- confirm an init exists. */
25 BN_init(&a); BN_init(&b); BN_init(&r);
26 BN_init(&A); BN_init(&B); BN_init(&R);
/* Return value unchecked: on failure 'prime' is unusable and the BN_mod()
 * calls below reduce by whatever it happens to hold. */
28 BN_generate_prime(&prime,SIZE,0,NULL,NULL,NULL,NULL);
/* A and B are reduced in place (their generation is not shown); the
 * BN_mod() returns are ignored as well. */
31 BN_mod(&A,&A,&prime,ctx);
32 BN_mod(&B,&B,&prime,ctx);
/* Keep only the low i limbs of R -- this is the 'low' argument that
 * bn_mul_high() expects.  NOTE(review): BN_BITS2 is used here but the
 * literal 32 on the lines below; they agree only on 32-bit-limb builds. */
36 BN_mask_bits(&R,i*BN_BITS2);
39 BN_print_fp(stdout,&A); printf(" <- a\n");
40 BN_print_fp(stdout,&B); printf(" <- b\n");
/* Called as BN_mul_high but defined below as bn_mul_high; presumably an
 * alias macro like those at the top of the file (not visible). */
41 BN_mul_high(&r,&A,&B,&R,i);
42 BN_print_fp(stdout,&r); printf(" <- high(BA*DC)\n");
/* Hard-coded 32-bit limb width (see the BN_BITS2 note above). */
44 BN_mask_bits(&A,i*32);
45 BN_mask_bits(&B,i*32);
/* Reference value: the product shifted down by i limbs (R is presumably
 * recomputed between lines 45 and 48; not shown). */
48 BN_rshift(&R,&R,i*32);
49 BN_print_fp(stdout,&R); printf(" <- norm BA*DC\n");
/* The subtraction producing 'diff' is on line 50 (not shown); a non-zero
 * diff means bn_mul_high() disagrees with the reference. */
51 BN_print_fp(stdout,&R); printf(" <- diff\n");
/* Compute the high half of the product a*b given its low half in 'low'.
 * From the in-body comments: a and b are split at 'words' limbs and the
 * known low half is used to recover high(al*bl) without a second full
 * multiplication.  Many body lines are not shown, so the exact algebra
 * and the return value are only partly visible here.
 * NOTE(review): the limb width is hard-coded as 32 throughout (words*32)
 * while the rest of the file uses BN_BITS2 -- wrong on 64-bit-limb builds. */
55 int bn_mul_high(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *low, int words)
58 BIGNUM t1,t2,t3,h,ah,al,bh,bl,m,s0,s1;
60 BN_init(&al); BN_init(&ah);
61 BN_init(&bl); BN_init(&bh);
62 BN_init(&t1); BN_init(&t2); BN_init(&t3);
63 BN_init(&s0); BN_init(&s1);
64 BN_init(&h); BN_init(&m);
/* ah, bh and s1 are *views*: their 'd' pointer aliases the upper limbs of
 * a, b and low (offset by their own 'top', which is set on lines not
 * shown).  Nothing copies the limbs, so these structs must never be
 * handed to a routine that may grow or free them. */
71 ah.d= &(a->d[ah.top]);
82 bh.d= &(b->d[bh.top]);
93 s1.d= &(low->d[s1.top]);
/* 'max' is forced equal to 'top' for every view, presumably so that BN
 * routines treat them as exactly-sized, non-growable buffers -- verify.
 * NOTE(review): s0.max and s1.max are taken from bl.top/bh.top rather than
 * s0.top/s1.top; correct only if the split guarantees those are equal --
 * looks like a copy-paste slip, confirm. */
99 al.max=al.top; ah.max=ah.top;
100 bl.max=bl.top; bh.max=bh.top;
101 s0.max=bl.top; s1.max=bh.top;
103 /* Calculate (al-ah)*(bh-bl) */
108 /* Calculate ah*bh */
112 * s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
113 * We know s0 and s1 so the only unknown is high(al*bl)
114 * high(al*bl) == s1 - low(ah*bh+(al-ah)*(bh-bl)+s0)
/* Truncate t2 to 'words' limbs by clamping 'top' only (t3 presumably
 * shares t2's limb array -- its 'd' assignment is not shown). */
118 /* Quick and dirty mask off of high words */
120 t3.top=(t2.top > words)?words:t2.top;
123 /* BN_print_fp(stdout,&s1); printf(" s1\n"); */
124 /* BN_print_fp(stdout,&t2); printf(" middle value\n"); */
125 /* BN_print_fp(stdout,&t3); printf(" low middle value\n"); */
/* Negative fix-up: t2 = 2^(words*32) is presumably added to t1 on line
 * 132 (not shown) before t1 is masked back to 'words' limbs, turning a
 * negative intermediate into its residue modulo 2^(words*32). */
130 /*printf("neg fixup\n"); BN_print_fp(stdout,&t1); printf(" before\n"); */
131 BN_lshift(&t2,BN_value_one(),words*32);
133 BN_mask_bits(&t1,words*32);
134 /* BN_print_fp(stdout,&t1); printf(" after\n"); */
136 /* al*bl == high(al*bl)<<words+s0 */
137 BN_lshift(&t1,&t1,words*32);
142 * (al-ah)*(bh-bl)+ah*bh - m
/* Keep only 2*words limbs of the result (again assuming 32-bit limbs). */
146 BN_mask_bits(r,words*32*2);
148 /*BN_lshift(&m,&m,words*/
/* Only owning temporaries are freed; the views (al/ah/bl/bh/s1) alias
 * caller memory and must not be.  Frees for t3/s0/s1 are not visible --
 * if any of them owns limbs, this leaks. */
150 BN_free(&t1); BN_free(&t2);
151 BN_free(&m); BN_free(&h);
/* Montgomery product: r = a*b*R^-1 mod N with R = 2^mont->ri.  Multiplies
 * into a scratch BIGNUM, then runs one Montgomery reduction.  Failures of
 * the BN calls jump to 'err'; the label, the success return and the rest
 * of the parameter list are on lines not shown. */
154 int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_MONT_CTX *mont,
/* Take one scratch BIGNUM off the context's stack.  NOTE(review): no check
 * that ctx->tos is below the stack's capacity is visible, and the err path
 * must undo this increment (ctx->tos--) or the slot stays claimed for the
 * lifetime of the ctx -- neither is shown here. */
159 tmp= &(ctx->bn[ctx->tos++]);
/* Squaring vs. general multiply; the selecting condition (presumably
 * a == b) is on a line not shown. */
163 if (!BN_sqr(tmp,a,ctx)) goto err;
167 if (!BN_mul(tmp,a,b)) goto err;
169 /* reduce: r = tmp * R^-1 mod N (e.g. a*RR -> a*R when converting into Montgomery form) */
170 if (!BN_from_montgomery(r,tmp,mont,ctx)) goto err;
/* Montgomery reduction (REDC): r = a * R^-1 mod N, with R = 2^mont->ri and
 * mont->Ni = -N^-1 mod R (as set up by BN_MONT_CTX_set below).
 *   m = ((a mod R) * Ni) mod R
 *   t = a + m*N            -- divisible by R by choice of m
 *   r = t / R, minus N once if r >= N
 * Requires a < N*R (true for a product of two values below N) so that
 * t/R < 2N and the single conditional subtraction suffices.
 * Failures jump to 'err'; the label and the success return are on lines
 * not shown. */
177 int BN_from_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx)
/* Not used in the visible lines. */
181 BN_ULONG *ap,*bp,*rp;
/* Two scratch values are used in place from the ctx stack without being
 * reserved (ctx->tos is not advanced).  That is safe only because none of
 * the calls below receives 'ctx' and so cannot claim the same slots; a
 * bounds check on tos+1 is not visible. */
185 t1= &(ctx->bn[ctx->tos]);
186 t2= &(ctx->bn[ctx->tos+1]);
188 if (!BN_copy(t1,a)) goto err;
/* t1 = a mod R */
190 BN_mask_bits(t1,mont->ri);
/* t2 = (t1 * Ni) mod R  -- the REDC multiplier m */
191 if (!BN_mul(t2,t1,mont->Ni)) goto err;
192 BN_mask_bits(t2,mont->ri);
/* t1 = m*N ;  t2 = a + m*N */
194 if (!BN_mul(t1,t2,mont->N)) goto err;
195 if (!BN_add(t2,t1,a)) goto err;
197 /* At this point, t2 has the bottom ri bits set to zero
198 * (a + m*N == 0 mod R by choice of m), so the shift below is exact.
200 * Possible optimisation noted by the original author: only the bits of
201 * a above 'ri' actually contribute after the shift -- not implemented here.
/* NOTE(review): live debug print of an intermediate reduction value to
 * stdout.  It exposes internal state of every reduction done through this
 * routine (including any on secret operands) and is not constant-time;
 * it must not survive into a non-test build. */
203 BN_print_fp(stdout,t2); printf("\n");
/* r = t2 / R (exact).  Return value unchecked, unlike the calls above. */
204 BN_rshift(r,t2,mont->ri);
/* Final correction into [0, N).  NOTE(review): this data-dependent branch
 * is a classic timing side channel when the operands are secret; a
 * constant-time implementation subtracts unconditionally and selects. */
206 if (BN_ucmp(r,mont->N) >= 0)
207 BN_usub(r,r,mont->N);
214 int BN_MONT_CTX_set(BN_MONT_CTX *mont, BIGNUM *mod, BN_CTX *ctx)
216 BIGNUM *Ri=NULL,*R=NULL;
218 if (mont->RR == NULL) mont->RR=BN_new();
219 if (mont->N == NULL) mont->N=BN_new();
221 R=mont->RR; /* grab RR as a temp */
222 BN_copy(mont->N,mod); /* Set N */
224 mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
225 BN_lshift(R,BN_value_one(),mont->ri); /* R */
226 if ((Ri=BN_mod_inverse(NULL,R,mod,ctx)) == NULL) goto err;/* Ri */
227 BN_lshift(Ri,Ri,mont->ri); /* R*Ri */
228 BN_usub(Ri,Ri,BN_value_one()); /* R*Ri - 1 */
229 BN_div(Ri,NULL,Ri,mod,ctx);
230 if (mont->Ni != NULL) BN_free(mont->Ni);
231 mont->Ni=Ri; /* Ni=(R*Ri-1)/N */
233 /* setup RR for conversions */
234 BN_lshift(mont->RR,BN_value_one(),mont->ri*2);
235 BN_mod(mont->RR,mont->RR,mont->N,ctx);