nat.go

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // This file implements unsigned multi-precision integers (natural
     6  // numbers). They are the building blocks for the implementation
     7  // of signed integers, rationals, and floating-point numbers.
     8  //
     9  // Caution: This implementation relies on the function "alias"
    10  //          which assumes that (nat) slice capacities are never
    11  //          changed (no 3-operand slice expressions). If that
    12  //          changes, alias needs to be updated for correctness.
    13  
    14  package big
    15  
    16  import (
    17  	"encoding/binary"
    18  	"math/bits"
    19  	"math/rand"
    20  	"sync"
    21  )
    22  
    23  // An unsigned integer x of the form
    24  //
    25  //   x = x[n-1]*_B^(n-1) + x[n-2]*_B^(n-2) + ... + x[1]*_B + x[0]
    26  //
    27  // with 0 <= x[i] < _B and 0 <= i < n is stored in a slice of length n,
    28  // with the digits x[i] as the slice elements.
    29  //
    30  // A number is normalized if the slice contains no leading 0 digits.
    31  // During arithmetic operations, denormalized values may occur but are
    32  // always normalized before returning the final result. The normalized
    33  // representation of 0 is the empty or nil slice (length = 0).
    34  //
    35  type nat []Word
    36  
    37  var (
    38  	natOne  = nat{1}
    39  	natTwo  = nat{2}
    40  	natFive = nat{5}
    41  	natTen  = nat{10}
    42  )
    43  
    44  func (z nat) clear() {
    45  	for i := range z {
    46  		z[i] = 0
    47  	}
    48  }
    49  
    50  func (z nat) norm() nat {
    51  	i := len(z)
    52  	for i > 0 && z[i-1] == 0 {
    53  		i--
    54  	}
    55  	return z[0:i]
    56  }
    57  
    58  func (z nat) make(n int) nat {
    59  	if n <= cap(z) {
    60  		return z[:n] // reuse z
    61  	}
    62  	if n == 1 {
    63  		// Most nats start small and stay that way; don't over-allocate.
    64  		return make(nat, 1)
    65  	}
    66  	// Choosing a good value for e has significant performance impact
    67  	// because it increases the chance that a value can be reused.
    68  	const e = 4 // extra capacity
    69  	return make(nat, n, n+e)
    70  }
    71  
    72  func (z nat) setWord(x Word) nat {
    73  	if x == 0 {
    74  		return z[:0]
    75  	}
    76  	z = z.make(1)
    77  	z[0] = x
    78  	return z
    79  }
    80  
    81  func (z nat) setUint64(x uint64) nat {
    82  	// single-word value
    83  	if w := Word(x); uint64(w) == x {
    84  		return z.setWord(w)
    85  	}
    86  	// 2-word value
    87  	z = z.make(2)
    88  	z[1] = Word(x >> 32)
    89  	z[0] = Word(x)
    90  	return z
    91  }
    92  
    93  func (z nat) set(x nat) nat {
    94  	z = z.make(len(x))
    95  	copy(z, x)
    96  	return z
    97  }
    98  
    99  func (z nat) add(x, y nat) nat {
   100  	m := len(x)
   101  	n := len(y)
   102  
   103  	switch {
   104  	case m < n:
   105  		return z.add(y, x)
   106  	case m == 0:
   107  		// n == 0 because m >= n; result is 0
   108  		return z[:0]
   109  	case n == 0:
   110  		// result is x
   111  		return z.set(x)
   112  	}
   113  	// m > 0
   114  
   115  	z = z.make(m + 1)
   116  	c := addVV(z[0:n], x, y)
   117  	if m > n {
   118  		c = addVW(z[n:m], x[n:], c)
   119  	}
   120  	z[m] = c
   121  
   122  	return z.norm()
   123  }
   124  
   125  func (z nat) sub(x, y nat) nat {
   126  	m := len(x)
   127  	n := len(y)
   128  
   129  	switch {
   130  	case m < n:
   131  		panic("underflow")
   132  	case m == 0:
   133  		// n == 0 because m >= n; result is 0
   134  		return z[:0]
   135  	case n == 0:
   136  		// result is x
   137  		return z.set(x)
   138  	}
   139  	// m > 0
   140  
   141  	z = z.make(m)
   142  	c := subVV(z[0:n], x, y)
   143  	if m > n {
   144  		c = subVW(z[n:], x[n:], c)
   145  	}
   146  	if c != 0 {
   147  		panic("underflow")
   148  	}
   149  
   150  	return z.norm()
   151  }
   152  
   153  func (x nat) cmp(y nat) (r int) {
   154  	m := len(x)
   155  	n := len(y)
   156  	if m != n || m == 0 {
   157  		switch {
   158  		case m < n:
   159  			r = -1
   160  		case m > n:
   161  			r = 1
   162  		}
   163  		return
   164  	}
   165  
   166  	i := m - 1
   167  	for i > 0 && x[i] == y[i] {
   168  		i--
   169  	}
   170  
   171  	switch {
   172  	case x[i] < y[i]:
   173  		r = -1
   174  	case x[i] > y[i]:
   175  		r = 1
   176  	}
   177  	return
   178  }
   179  
   180  func (z nat) mulAddWW(x nat, y, r Word) nat {
   181  	m := len(x)
   182  	if m == 0 || y == 0 {
   183  		return z.setWord(r) // result is r
   184  	}
   185  	// m > 0
   186  
   187  	z = z.make(m + 1)
   188  	z[m] = mulAddVWW(z[0:m], x, y, r)
   189  
   190  	return z.norm()
   191  }
   192  
   193  // basicMul multiplies x and y and leaves the result in z.
   194  // The (non-normalized) result is placed in z[0 : len(x) + len(y)].
   195  func basicMul(z, x, y nat) {
   196  	z[0 : len(x)+len(y)].clear() // initialize z
   197  	for i, d := range y {
   198  		if d != 0 {
   199  			z[len(x)+i] = addMulVVW(z[i:i+len(x)], x, d)
   200  		}
   201  	}
   202  }
   203  
   204  // montgomery computes z mod m = x*y*2**(-n*_W) mod m,
   205  // assuming k = -1/m mod 2**_W.
   206  // z is used for storing the result which is returned;
   207  // z must not alias x, y or m.
   208  // See Gueron, "Efficient Software Implementations of Modular Exponentiation".
   209  // https://eprint.iacr.org/2011/239.pdf
   210  // In the terminology of that paper, this is an "Almost Montgomery Multiplication":
   211  // x and y are required to satisfy 0 <= z < 2**(n*_W) and then the result
   212  // z is guaranteed to satisfy 0 <= z < 2**(n*_W), but it may not be < m.
   213  func (z nat) montgomery(x, y, m nat, k Word, n int) nat {
   214  	// This code assumes x, y, m are all the same length, n.
   215  	// (required by addMulVVW and the for loop).
   216  	// It also assumes that x, y are already reduced mod m,
   217  	// or else the result will not be properly reduced.
   218  	if len(x) != n || len(y) != n || len(m) != n {
   219  		panic("math/big: mismatched montgomery number lengths")
   220  	}
   221  	z = z.make(n * 2)
   222  	z.clear()
   223  	var c Word
   224  	for i := 0; i < n; i++ {
   225  		d := y[i]
   226  		c2 := addMulVVW(z[i:n+i], x, d)
   227  		t := z[i] * k
   228  		c3 := addMulVVW(z[i:n+i], m, t)
   229  		cx := c + c2
   230  		cy := cx + c3
   231  		z[n+i] = cy
   232  		if cx < c2 || cy < c3 {
   233  			c = 1
   234  		} else {
   235  			c = 0
   236  		}
   237  	}
   238  	if c != 0 {
   239  		subVV(z[:n], z[n:], m)
   240  	} else {
   241  		copy(z[:n], z[n:])
   242  	}
   243  	return z[:n]
   244  }
   245  
   246  // Fast version of z[0:n+n>>1].add(z[0:n+n>>1], x[0:n]) w/o bounds checks.
   247  // Factored out for readability - do not use outside karatsuba.
   248  func karatsubaAdd(z, x nat, n int) {
   249  	if c := addVV(z[0:n], z, x); c != 0 {
   250  		addVW(z[n:n+n>>1], z[n:], c)
   251  	}
   252  }
   253  
   254  // Like karatsubaAdd, but does subtract.
   255  func karatsubaSub(z, x nat, n int) {
   256  	if c := subVV(z[0:n], z, x); c != 0 {
   257  		subVW(z[n:n+n>>1], z[n:], c)
   258  	}
   259  }
   260  
   261  // Operands that are shorter than karatsubaThreshold are multiplied using
   262  // "grade school" multiplication; for longer operands the Karatsuba algorithm
   263  // is used.
   264  var karatsubaThreshold = 40 // computed by calibrate_test.go
   265  
   266  // karatsuba multiplies x and y and leaves the result in z.
   267  // Both x and y must have the same length n and n must be a
   268  // power of 2. The result vector z must have len(z) >= 6*n.
   269  // The (non-normalized) result is placed in z[0 : 2*n].
   270  func karatsuba(z, x, y nat) {
   271  	n := len(y)
   272  
   273  	// Switch to basic multiplication if numbers are odd or small.
   274  	// (n is always even if karatsubaThreshold is even, but be
   275  	// conservative)
   276  	if n&1 != 0 || n < karatsubaThreshold || n < 2 {
   277  		basicMul(z, x, y)
   278  		return
   279  	}
   280  	// n&1 == 0 && n >= karatsubaThreshold && n >= 2
   281  
   282  	// Karatsuba multiplication is based on the observation that
   283  	// for two numbers x and y with:
   284  	//
   285  	//   x = x1*b + x0
   286  	//   y = y1*b + y0
   287  	//
   288  	// the product x*y can be obtained with 3 products z2, z1, z0
   289  	// instead of 4:
   290  	//
   291  	//   x*y = x1*y1*b*b + (x1*y0 + x0*y1)*b + x0*y0
   292  	//       =    z2*b*b +              z1*b +    z0
   293  	//
   294  	// with:
   295  	//
   296  	//   xd = x1 - x0
   297  	//   yd = y0 - y1
   298  	//
   299  	//   z1 =      xd*yd                    + z2 + z0
   300  	//      = (x1-x0)*(y0 - y1)             + z2 + z0
   301  	//      = x1*y0 - x1*y1 - x0*y0 + x0*y1 + z2 + z0
   302  	//      = x1*y0 -    z2 -    z0 + x0*y1 + z2 + z0
   303  	//      = x1*y0                 + x0*y1
   304  
   305  	// split x, y into "digits"
   306  	n2 := n >> 1              // n2 >= 1
   307  	x1, x0 := x[n2:], x[0:n2] // x = x1*b + y0
   308  	y1, y0 := y[n2:], y[0:n2] // y = y1*b + y0
   309  
   310  	// z is used for the result and temporary storage:
   311  	//
   312  	//   6*n     5*n     4*n     3*n     2*n     1*n     0*n
   313  	// z = [z2 copy|z0 copy| xd*yd | yd:xd | x1*y1 | x0*y0 ]
   314  	//
   315  	// For each recursive call of karatsuba, an unused slice of
   316  	// z is passed in that has (at least) half the length of the
   317  	// caller's z.
   318  
   319  	// compute z0 and z2 with the result "in place" in z
   320  	karatsuba(z, x0, y0)     // z0 = x0*y0
   321  	karatsuba(z[n:], x1, y1) // z2 = x1*y1
   322  
   323  	// compute xd (or the negative value if underflow occurs)
   324  	s := 1 // sign of product xd*yd
   325  	xd := z[2*n : 2*n+n2]
   326  	if subVV(xd, x1, x0) != 0 { // x1-x0
   327  		s = -s
   328  		subVV(xd, x0, x1) // x0-x1
   329  	}
   330  
   331  	// compute yd (or the negative value if underflow occurs)
   332  	yd := z[2*n+n2 : 3*n]
   333  	if subVV(yd, y0, y1) != 0 { // y0-y1
   334  		s = -s
   335  		subVV(yd, y1, y0) // y1-y0
   336  	}
   337  
   338  	// p = (x1-x0)*(y0-y1) == x1*y0 - x1*y1 - x0*y0 + x0*y1 for s > 0
   339  	// p = (x0-x1)*(y0-y1) == x0*y0 - x0*y1 - x1*y0 + x1*y1 for s < 0
   340  	p := z[n*3:]
   341  	karatsuba(p, xd, yd)
   342  
   343  	// save original z2:z0
   344  	// (ok to use upper half of z since we're done recursing)
   345  	r := z[n*4:]
   346  	copy(r, z[:n*2])
   347  
   348  	// add up all partial products
   349  	//
   350  	//   2*n     n     0
   351  	// z = [ z2  | z0  ]
   352  	//   +    [ z0  ]
   353  	//   +    [ z2  ]
   354  	//   +    [  p  ]
   355  	//
   356  	karatsubaAdd(z[n2:], r, n)
   357  	karatsubaAdd(z[n2:], r[n:], n)
   358  	if s > 0 {
   359  		karatsubaAdd(z[n2:], p, n)
   360  	} else {
   361  		karatsubaSub(z[n2:], p, n)
   362  	}
   363  }
   364  
   365  // alias reports whether x and y share the same base array.
   366  // Note: alias assumes that the capacity of underlying arrays
   367  //       is never changed for nat values; i.e. that there are
   368  //       no 3-operand slice expressions in this code (or worse,
   369  //       reflect-based operations to the same effect).
   370  func alias(x, y nat) bool {
   371  	return cap(x) > 0 && cap(y) > 0 && &x[0:cap(x)][cap(x)-1] == &y[0:cap(y)][cap(y)-1]
   372  }
   373  
   374  // addAt implements z += x<<(_W*i); z must be long enough.
   375  // (we don't use nat.add because we need z to stay the same
   376  // slice, and we don't need to normalize z after each addition)
   377  func addAt(z, x nat, i int) {
   378  	if n := len(x); n > 0 {
   379  		if c := addVV(z[i:i+n], z[i:], x); c != 0 {
   380  			j := i + n
   381  			if j < len(z) {
   382  				addVW(z[j:], z[j:], c)
   383  			}
   384  		}
   385  	}
   386  }
   387  
   388  func max(x, y int) int {
   389  	if x > y {
   390  		return x
   391  	}
   392  	return y
   393  }
   394  
   395  // karatsubaLen computes an approximation to the maximum k <= n such that
   396  // k = p<<i for a number p <= threshold and an i >= 0. Thus, the
   397  // result is the largest number that can be divided repeatedly by 2 before
   398  // becoming about the value of threshold.
   399  func karatsubaLen(n, threshold int) int {
   400  	i := uint(0)
   401  	for n > threshold {
   402  		n >>= 1
   403  		i++
   404  	}
   405  	return n << i
   406  }
   407  
   408  func (z nat) mul(x, y nat) nat {
   409  	m := len(x)
   410  	n := len(y)
   411  
   412  	switch {
   413  	case m < n:
   414  		return z.mul(y, x)
   415  	case m == 0 || n == 0:
   416  		return z[:0]
   417  	case n == 1:
   418  		return z.mulAddWW(x, y[0], 0)
   419  	}
   420  	// m >= n > 1
   421  
   422  	// determine if z can be reused
   423  	if alias(z, x) || alias(z, y) {
   424  		z = nil // z is an alias for x or y - cannot reuse
   425  	}
   426  
   427  	// use basic multiplication if the numbers are small
   428  	if n < karatsubaThreshold {
   429  		z = z.make(m + n)
   430  		basicMul(z, x, y)
   431  		return z.norm()
   432  	}
   433  	// m >= n && n >= karatsubaThreshold && n >= 2
   434  
   435  	// determine Karatsuba length k such that
   436  	//
   437  	//   x = xh*b + x0  (0 <= x0 < b)
   438  	//   y = yh*b + y0  (0 <= y0 < b)
   439  	//   b = 1<<(_W*k)  ("base" of digits xi, yi)
   440  	//
   441  	k := karatsubaLen(n, karatsubaThreshold)
   442  	// k <= n
   443  
   444  	// multiply x0 and y0 via Karatsuba
   445  	x0 := x[0:k]              // x0 is not normalized
   446  	y0 := y[0:k]              // y0 is not normalized
   447  	z = z.make(max(6*k, m+n)) // enough space for karatsuba of x0*y0 and full result of x*y
   448  	karatsuba(z, x0, y0)
   449  	z = z[0 : m+n]  // z has final length but may be incomplete
   450  	z[2*k:].clear() // upper portion of z is garbage (and 2*k <= m+n since k <= n <= m)
   451  
   452  	// If xh != 0 or yh != 0, add the missing terms to z. For
   453  	//
   454  	//   xh = xi*b^i + ... + x2*b^2 + x1*b (0 <= xi < b)
   455  	//   yh =                         y1*b (0 <= y1 < b)
   456  	//
   457  	// the missing terms are
   458  	//
   459  	//   x0*y1*b and xi*y0*b^i, xi*y1*b^(i+1) for i > 0
   460  	//
   461  	// since all the yi for i > 1 are 0 by choice of k: If any of them
   462  	// were > 0, then yh >= b^2 and thus y >= b^2. Then k' = k*2 would
   463  	// be a larger valid threshold contradicting the assumption about k.
   464  	//
   465  	if k < n || m != n {
   466  		tp := getNat(3 * k)
   467  		t := *tp
   468  
   469  		// add x0*y1*b
   470  		x0 := x0.norm()
   471  		y1 := y[k:]       // y1 is normalized because y is
   472  		t = t.mul(x0, y1) // update t so we don't lose t's underlying array
   473  		addAt(z, t, k)
   474  
   475  		// add xi*y0<<i, xi*y1*b<<(i+k)
   476  		y0 := y0.norm()
   477  		for i := k; i < len(x); i += k {
   478  			xi := x[i:]
   479  			if len(xi) > k {
   480  				xi = xi[:k]
   481  			}
   482  			xi = xi.norm()
   483  			t = t.mul(xi, y0)
   484  			addAt(z, t, i)
   485  			t = t.mul(xi, y1)
   486  			addAt(z, t, i+k)
   487  		}
   488  
   489  		putNat(tp)
   490  	}
   491  
   492  	return z.norm()
   493  }
   494  
   495  // basicSqr sets z = x*x and is asymptotically faster than basicMul
   496  // by about a factor of 2, but slower for small arguments due to overhead.
   497  // Requirements: len(x) > 0, len(z) == 2*len(x)
   498  // The (non-normalized) result is placed in z.
   499  func basicSqr(z, x nat) {
   500  	n := len(x)
   501  	tp := getNat(2 * n)
   502  	t := *tp // temporary variable to hold the products
   503  	t.clear()
   504  	z[1], z[0] = mulWW(x[0], x[0]) // the initial square
   505  	for i := 1; i < n; i++ {
   506  		d := x[i]
   507  		// z collects the squares x[i] * x[i]
   508  		z[2*i+1], z[2*i] = mulWW(d, d)
   509  		// t collects the products x[i] * x[j] where j < i
   510  		t[2*i] = addMulVVW(t[i:2*i], x[0:i], d)
   511  	}
   512  	t[2*n-1] = shlVU(t[1:2*n-1], t[1:2*n-1], 1) // double the j < i products
   513  	addVV(z, z, t)                              // combine the result
   514  	putNat(tp)
   515  }
   516  
   517  // karatsubaSqr squares x and leaves the result in z.
   518  // len(x) must be a power of 2 and len(z) >= 6*len(x).
   519  // The (non-normalized) result is placed in z[0 : 2*len(x)].
   520  //
   521  // The algorithm and the layout of z are the same as for karatsuba.
   522  func karatsubaSqr(z, x nat) {
   523  	n := len(x)
   524  
   525  	if n&1 != 0 || n < karatsubaSqrThreshold || n < 2 {
   526  		basicSqr(z[:2*n], x)
   527  		return
   528  	}
   529  
   530  	n2 := n >> 1
   531  	x1, x0 := x[n2:], x[0:n2]
   532  
   533  	karatsubaSqr(z, x0)
   534  	karatsubaSqr(z[n:], x1)
   535  
   536  	// s = sign(xd*yd) == -1 for xd != 0; s == 1 for xd == 0
   537  	xd := z[2*n : 2*n+n2]
   538  	if subVV(xd, x1, x0) != 0 {
   539  		subVV(xd, x0, x1)
   540  	}
   541  
   542  	p := z[n*3:]
   543  	karatsubaSqr(p, xd)
   544  
   545  	r := z[n*4:]
   546  	copy(r, z[:n*2])
   547  
   548  	karatsubaAdd(z[n2:], r, n)
   549  	karatsubaAdd(z[n2:], r[n:], n)
   550  	karatsubaSub(z[n2:], p, n) // s == -1 for p != 0; s == 1 for p == 0
   551  }
   552  
   553  // Operands that are shorter than basicSqrThreshold are squared using
   554  // "grade school" multiplication; for operands longer than karatsubaSqrThreshold
   555  // we use the Karatsuba algorithm optimized for x == y.
   556  var basicSqrThreshold = 20      // computed by calibrate_test.go
   557  var karatsubaSqrThreshold = 260 // computed by calibrate_test.go
   558  
   559  // z = x*x
   560  func (z nat) sqr(x nat) nat {
   561  	n := len(x)
   562  	switch {
   563  	case n == 0:
   564  		return z[:0]
   565  	case n == 1:
   566  		d := x[0]
   567  		z = z.make(2)
   568  		z[1], z[0] = mulWW(d, d)
   569  		return z.norm()
   570  	}
   571  
   572  	if alias(z, x) {
   573  		z = nil // z is an alias for x - cannot reuse
   574  	}
   575  
   576  	if n < basicSqrThreshold {
   577  		z = z.make(2 * n)
   578  		basicMul(z, x, x)
   579  		return z.norm()
   580  	}
   581  	if n < karatsubaSqrThreshold {
   582  		z = z.make(2 * n)
   583  		basicSqr(z, x)
   584  		return z.norm()
   585  	}
   586  
   587  	// Use Karatsuba multiplication optimized for x == y.
   588  	// The algorithm and layout of z are the same as for mul.
   589  
   590  	// z = (x1*b + x0)^2 = x1^2*b^2 + 2*x1*x0*b + x0^2
   591  
   592  	k := karatsubaLen(n, karatsubaSqrThreshold)
   593  
   594  	x0 := x[0:k]
   595  	z = z.make(max(6*k, 2*n))
   596  	karatsubaSqr(z, x0) // z = x0^2
   597  	z = z[0 : 2*n]
   598  	z[2*k:].clear()
   599  
   600  	if k < n {
   601  		tp := getNat(2 * k)
   602  		t := *tp
   603  		x0 := x0.norm()
   604  		x1 := x[k:]
   605  		t = t.mul(x0, x1)
   606  		addAt(z, t, k)
   607  		addAt(z, t, k) // z = 2*x1*x0*b + x0^2
   608  		t = t.sqr(x1)
   609  		addAt(z, t, 2*k) // z = x1^2*b^2 + 2*x1*x0*b + x0^2
   610  		putNat(tp)
   611  	}
   612  
   613  	return z.norm()
   614  }
   615  
   616  // mulRange computes the product of all the unsigned integers in the
   617  // range [a, b] inclusively. If a > b (empty range), the result is 1.
   618  func (z nat) mulRange(a, b uint64) nat {
   619  	switch {
   620  	case a == 0:
   621  		// cut long ranges short (optimization)
   622  		return z.setUint64(0)
   623  	case a > b:
   624  		return z.setUint64(1)
   625  	case a == b:
   626  		return z.setUint64(a)
   627  	case a+1 == b:
   628  		return z.mul(nat(nil).setUint64(a), nat(nil).setUint64(b))
   629  	}
   630  	m := (a + b) / 2
   631  	return z.mul(nat(nil).mulRange(a, m), nat(nil).mulRange(m+1, b))
   632  }
   633  
   634  // getNat returns a *nat of len n. The contents may not be zero.
   635  // The pool holds *nat to avoid allocation when converting to interface{}.
   636  func getNat(n int) *nat {
   637  	var z *nat
   638  	if v := natPool.Get(); v != nil {
   639  		z = v.(*nat)
   640  	}
   641  	if z == nil {
   642  		z = new(nat)
   643  	}
   644  	*z = z.make(n)
   645  	return z
   646  }
   647  
   648  func putNat(x *nat) {
   649  	natPool.Put(x)
   650  }
   651  
   652  var natPool sync.Pool
   653  
   654  // Length of x in bits. x must be normalized.
   655  func (x nat) bitLen() int {
   656  	if i := len(x) - 1; i >= 0 {
   657  		return i*_W + bits.Len(uint(x[i]))
   658  	}
   659  	return 0
   660  }
   661  
   662  // trailingZeroBits returns the number of consecutive least significant zero
   663  // bits of x.
   664  func (x nat) trailingZeroBits() uint {
   665  	if len(x) == 0 {
   666  		return 0
   667  	}
   668  	var i uint
   669  	for x[i] == 0 {
   670  		i++
   671  	}
   672  	// x[i] != 0
   673  	return i*_W + uint(bits.TrailingZeros(uint(x[i])))
   674  }
   675  
   676  func same(x, y nat) bool {
   677  	return len(x) == len(y) && len(x) > 0 && &x[0] == &y[0]
   678  }
   679  
   680  // z = x << s
   681  func (z nat) shl(x nat, s uint) nat {
   682  	if s == 0 {
   683  		if same(z, x) {
   684  			return z
   685  		}
   686  		if !alias(z, x) {
   687  			return z.set(x)
   688  		}
   689  	}
   690  
   691  	m := len(x)
   692  	if m == 0 {
   693  		return z[:0]
   694  	}
   695  	// m > 0
   696  
   697  	n := m + int(s/_W)
   698  	z = z.make(n + 1)
   699  	z[n] = shlVU(z[n-m:n], x, s%_W)
   700  	z[0 : n-m].clear()
   701  
   702  	return z.norm()
   703  }
   704  
   705  // z = x >> s
   706  func (z nat) shr(x nat, s uint) nat {
   707  	if s == 0 {
   708  		if same(z, x) {
   709  			return z
   710  		}
   711  		if !alias(z, x) {
   712  			return z.set(x)
   713  		}
   714  	}
   715  
   716  	m := len(x)
   717  	n := m - int(s/_W)
   718  	if n <= 0 {
   719  		return z[:0]
   720  	}
   721  	// n > 0
   722  
   723  	z = z.make(n)
   724  	shrVU(z, x[m-n:], s%_W)
   725  
   726  	return z.norm()
   727  }
   728  
   729  func (z nat) setBit(x nat, i uint, b uint) nat {
   730  	j := int(i / _W)
   731  	m := Word(1) << (i % _W)
   732  	n := len(x)
   733  	switch b {
   734  	case 0:
   735  		z = z.make(n)
   736  		copy(z, x)
   737  		if j >= n {
   738  			// no need to grow
   739  			return z
   740  		}
   741  		z[j] &^= m
   742  		return z.norm()
   743  	case 1:
   744  		if j >= n {
   745  			z = z.make(j + 1)
   746  			z[n:].clear()
   747  		} else {
   748  			z = z.make(n)
   749  		}
   750  		copy(z, x)
   751  		z[j] |= m
   752  		// no need to normalize
   753  		return z
   754  	}
   755  	panic("set bit is not 0 or 1")
   756  }
   757  
   758  // bit returns the value of the i'th bit, with lsb == bit 0.
   759  func (x nat) bit(i uint) uint {
   760  	j := i / _W
   761  	if j >= uint(len(x)) {
   762  		return 0
   763  	}
   764  	// 0 <= j < len(x)
   765  	return uint(x[j] >> (i % _W) & 1)
   766  }
   767  
   768  // sticky returns 1 if there's a 1 bit within the
   769  // i least significant bits, otherwise it returns 0.
   770  func (x nat) sticky(i uint) uint {
   771  	j := i / _W
   772  	if j >= uint(len(x)) {
   773  		if len(x) == 0 {
   774  			return 0
   775  		}
   776  		return 1
   777  	}
   778  	// 0 <= j < len(x)
   779  	for _, x := range x[:j] {
   780  		if x != 0 {
   781  			return 1
   782  		}
   783  	}
   784  	if x[j]<<(_W-i%_W) != 0 {
   785  		return 1
   786  	}
   787  	return 0
   788  }
   789  
   790  func (z nat) and(x, y nat) nat {
   791  	m := len(x)
   792  	n := len(y)
   793  	if m > n {
   794  		m = n
   795  	}
   796  	// m <= n
   797  
   798  	z = z.make(m)
   799  	for i := 0; i < m; i++ {
   800  		z[i] = x[i] & y[i]
   801  	}
   802  
   803  	return z.norm()
   804  }
   805  
   806  func (z nat) andNot(x, y nat) nat {
   807  	m := len(x)
   808  	n := len(y)
   809  	if n > m {
   810  		n = m
   811  	}
   812  	// m >= n
   813  
   814  	z = z.make(m)
   815  	for i := 0; i < n; i++ {
   816  		z[i] = x[i] &^ y[i]
   817  	}
   818  	copy(z[n:m], x[n:m])
   819  
   820  	return z.norm()
   821  }
   822  
   823  func (z nat) or(x, y nat) nat {
   824  	m := len(x)
   825  	n := len(y)
   826  	s := x
   827  	if m < n {
   828  		n, m = m, n
   829  		s = y
   830  	}
   831  	// m >= n
   832  
   833  	z = z.make(m)
   834  	for i := 0; i < n; i++ {
   835  		z[i] = x[i] | y[i]
   836  	}
   837  	copy(z[n:m], s[n:m])
   838  
   839  	return z.norm()
   840  }
   841  
   842  func (z nat) xor(x, y nat) nat {
   843  	m := len(x)
   844  	n := len(y)
   845  	s := x
   846  	if m < n {
   847  		n, m = m, n
   848  		s = y
   849  	}
   850  	// m >= n
   851  
   852  	z = z.make(m)
   853  	for i := 0; i < n; i++ {
   854  		z[i] = x[i] ^ y[i]
   855  	}
   856  	copy(z[n:m], s[n:m])
   857  
   858  	return z.norm()
   859  }
   860  
   861  // random creates a random integer in [0..limit), using the space in z if
   862  // possible. n is the bit length of limit.
   863  func (z nat) random(rand *rand.Rand, limit nat, n int) nat {
   864  	if alias(z, limit) {
   865  		z = nil // z is an alias for limit - cannot reuse
   866  	}
   867  	z = z.make(len(limit))
   868  
   869  	bitLengthOfMSW := uint(n % _W)
   870  	if bitLengthOfMSW == 0 {
   871  		bitLengthOfMSW = _W
   872  	}
   873  	mask := Word((1 << bitLengthOfMSW) - 1)
   874  
   875  	for {
   876  		switch _W {
   877  		case 32:
   878  			for i := range z {
   879  				z[i] = Word(rand.Uint32())
   880  			}
   881  		case 64:
   882  			for i := range z {
   883  				z[i] = Word(rand.Uint32()) | Word(rand.Uint32())<<32
   884  			}
   885  		default:
   886  			panic("unknown word size")
   887  		}
   888  		z[len(limit)-1] &= mask
   889  		if z.cmp(limit) < 0 {
   890  			break
   891  		}
   892  	}
   893  
   894  	return z.norm()
   895  }
   896  
   897  // If m != 0 (i.e., len(m) != 0), expNN sets z to x**y mod m;
   898  // otherwise it sets z to x**y. The result is the value of z.
   899  func (z nat) expNN(x, y, m nat) nat {
   900  	if alias(z, x) || alias(z, y) {
   901  		// We cannot allow in-place modification of x or y.
   902  		z = nil
   903  	}
   904  
   905  	// x**y mod 1 == 0
   906  	if len(m) == 1 && m[0] == 1 {
   907  		return z.setWord(0)
   908  	}
   909  	// m == 0 || m > 1
   910  
   911  	// x**0 == 1
   912  	if len(y) == 0 {
   913  		return z.setWord(1)
   914  	}
   915  	// y > 0
   916  
   917  	// x**1 mod m == x mod m
   918  	if len(y) == 1 && y[0] == 1 && len(m) != 0 {
   919  		_, z = nat(nil).div(z, x, m)
   920  		return z
   921  	}
   922  	// y > 1
   923  
   924  	if len(m) != 0 {
   925  		// We likely end up being as long as the modulus.
   926  		z = z.make(len(m))
   927  	}
   928  	z = z.set(x)
   929  
   930  	// If the base is non-trivial and the exponent is large, we use
   931  	// 4-bit, windowed exponentiation. This involves precomputing 14 values
   932  	// (x^2...x^15) but then reduces the number of multiply-reduces by a
   933  	// third. Even for a 32-bit exponent, this reduces the number of
   934  	// operations. Uses Montgomery method for odd moduli.
   935  	if x.cmp(natOne) > 0 && len(y) > 1 && len(m) > 0 {
   936  		if m[0]&1 == 1 {
   937  			return z.expNNMontgomery(x, y, m)
   938  		}
   939  		return z.expNNWindowed(x, y, m)
   940  	}
   941  
   942  	v := y[len(y)-1] // v > 0 because y is normalized and y > 0
   943  	shift := nlz(v) + 1
   944  	v <<= shift
   945  	var q nat
   946  
   947  	const mask = 1 << (_W - 1)
   948  
   949  	// We walk through the bits of the exponent one by one. Each time we
   950  	// see a bit, we square, thus doubling the power. If the bit is a one,
   951  	// we also multiply by x, thus adding one to the power.
   952  
   953  	w := _W - int(shift)
   954  	// zz and r are used to avoid allocating in mul and div as
   955  	// otherwise the arguments would alias.
   956  	var zz, r nat
   957  	for j := 0; j < w; j++ {
   958  		zz = zz.sqr(z)
   959  		zz, z = z, zz
   960  
   961  		if v&mask != 0 {
   962  			zz = zz.mul(z, x)
   963  			zz, z = z, zz
   964  		}
   965  
   966  		if len(m) != 0 {
   967  			zz, r = zz.div(r, z, m)
   968  			zz, r, q, z = q, z, zz, r
   969  		}
   970  
   971  		v <<= 1
   972  	}
   973  
   974  	for i := len(y) - 2; i >= 0; i-- {
   975  		v = y[i]
   976  
   977  		for j := 0; j < _W; j++ {
   978  			zz = zz.sqr(z)
   979  			zz, z = z, zz
   980  
   981  			if v&mask != 0 {
   982  				zz = zz.mul(z, x)
   983  				zz, z = z, zz
   984  			}
   985  
   986  			if len(m) != 0 {
   987  				zz, r = zz.div(r, z, m)
   988  				zz, r, q, z = q, z, zz, r
   989  			}
   990  
   991  			v <<= 1
   992  		}
   993  	}
   994  
   995  	return z.norm()
   996  }
   997  
   998  // expNNWindowed calculates x**y mod m using a fixed, 4-bit window.
   999  func (z nat) expNNWindowed(x, y, m nat) nat {
  1000  	// zz and r are used to avoid allocating in mul and div as otherwise
  1001  	// the arguments would alias.
  1002  	var zz, r nat
  1003  
  1004  	const n = 4
  1005  	// powers[i] contains x^i.
  1006  	var powers [1 << n]nat
  1007  	powers[0] = natOne
  1008  	powers[1] = x
  1009  	for i := 2; i < 1<<n; i += 2 {
  1010  		p2, p, p1 := &powers[i/2], &powers[i], &powers[i+1]
  1011  		*p = p.sqr(*p2)
  1012  		zz, r = zz.div(r, *p, m)
  1013  		*p, r = r, *p
  1014  		*p1 = p1.mul(*p, x)
  1015  		zz, r = zz.div(r, *p1, m)
  1016  		*p1, r = r, *p1
  1017  	}
  1018  
  1019  	z = z.setWord(1)
  1020  
  1021  	for i := len(y) - 1; i >= 0; i-- {
  1022  		yi := y[i]
  1023  		for j := 0; j < _W; j += n {
  1024  			if i != len(y)-1 || j != 0 {
  1025  				// Unrolled loop for significant performance
  1026  				// gain. Use go test -bench=".*" in crypto/rsa
  1027  				// to check performance before making changes.
  1028  				zz = zz.sqr(z)
  1029  				zz, z = z, zz
  1030  				zz, r = zz.div(r, z, m)
  1031  				z, r = r, z
  1032  
  1033  				zz = zz.sqr(z)
  1034  				zz, z = z, zz
  1035  				zz, r = zz.div(r, z, m)
  1036  				z, r = r, z
  1037  
  1038  				zz = zz.sqr(z)
  1039  				zz, z = z, zz
  1040  				zz, r = zz.div(r, z, m)
  1041  				z, r = r, z
  1042  
  1043  				zz = zz.sqr(z)
  1044  				zz, z = z, zz
  1045  				zz, r = zz.div(r, z, m)
  1046  				z, r = r, z
  1047  			}
  1048  
  1049  			zz = zz.mul(z, powers[yi>>(_W-n)])
  1050  			zz, z = z, zz
  1051  			zz, r = zz.div(r, z, m)
  1052  			z, r = r, z
  1053  
  1054  			yi <<= n
  1055  		}
  1056  	}
  1057  
  1058  	return z.norm()
  1059  }
  1060  
  1061  // expNNMontgomery calculates x**y mod m using a fixed, 4-bit window.
  1062  // Uses Montgomery representation.
  1063  func (z nat) expNNMontgomery(x, y, m nat) nat {
  1064  	numWords := len(m)
  1065  
  1066  	// We want the lengths of x and m to be equal.
  1067  	// It is OK if x >= m as long as len(x) == len(m).
  1068  	if len(x) > numWords {
  1069  		_, x = nat(nil).div(nil, x, m)
  1070  		// Note: now len(x) <= numWords, not guaranteed ==.
  1071  	}
  1072  	if len(x) < numWords {
  1073  		rr := make(nat, numWords)
  1074  		copy(rr, x)
  1075  		x = rr
  1076  	}
  1077  
  1078  	// Ideally the precomputations would be performed outside, and reused
  1079  	// k0 = -m**-1 mod 2**_W. Algorithm from: Dumas, J.G. "On Newton–Raphson
  1080  	// Iteration for Multiplicative Inverses Modulo Prime Powers".
  1081  	k0 := 2 - m[0]
  1082  	t := m[0] - 1
  1083  	for i := 1; i < _W; i <<= 1 {
  1084  		t *= t
  1085  		k0 *= (t + 1)
  1086  	}
  1087  	k0 = -k0
  1088  
  1089  	// RR = 2**(2*_W*len(m)) mod m
  1090  	RR := nat(nil).setWord(1)
  1091  	zz := nat(nil).shl(RR, uint(2*numWords*_W))
  1092  	_, RR = nat(nil).div(RR, zz, m)
  1093  	if len(RR) < numWords {
  1094  		zz = zz.make(numWords)
  1095  		copy(zz, RR)
  1096  		RR = zz
  1097  	}
  1098  	// one = 1, with equal length to that of m
  1099  	one := make(nat, numWords)
  1100  	one[0] = 1
  1101  
  1102  	const n = 4
  1103  	// powers[i] contains x^i
  1104  	var powers [1 << n]nat
  1105  	powers[0] = powers[0].montgomery(one, RR, m, k0, numWords)
  1106  	powers[1] = powers[1].montgomery(x, RR, m, k0, numWords)
  1107  	for i := 2; i < 1<<n; i++ {
  1108  		powers[i] = powers[i].montgomery(powers[i-1], powers[1], m, k0, numWords)
  1109  	}
  1110  
  1111  	// initialize z = 1 (Montgomery 1)
  1112  	z = z.make(numWords)
  1113  	copy(z, powers[0])
  1114  
  1115  	zz = zz.make(numWords)
  1116  
  1117  	// same windowed exponent, but with Montgomery multiplications
  1118  	for i := len(y) - 1; i >= 0; i-- {
  1119  		yi := y[i]
  1120  		for j := 0; j < _W; j += n {
  1121  			if i != len(y)-1 || j != 0 {
  1122  				zz = zz.montgomery(z, z, m, k0, numWords)
  1123  				z = z.montgomery(zz, zz, m, k0, numWords)
  1124  				zz = zz.montgomery(z, z, m, k0, numWords)
  1125  				z = z.montgomery(zz, zz, m, k0, numWords)
  1126  			}
  1127  			zz = zz.montgomery(z, powers[yi>>(_W-n)], m, k0, numWords)
  1128  			z, zz = zz, z
  1129  			yi <<= n
  1130  		}
  1131  	}
  1132  	// convert to regular number
  1133  	zz = zz.montgomery(z, one, m, k0, numWords)
  1134  
  1135  	// One last reduction, just in case.
  1136  	// See golang.org/issue/13907.
  1137  	if zz.cmp(m) >= 0 {
  1138  		// Common case is m has high bit set; in that case,
  1139  		// since zz is the same length as m, there can be just
  1140  		// one multiple of m to remove. Just subtract.
  1141  		// We think that the subtract should be sufficient in general,
  1142  		// so do that unconditionally, but double-check,
  1143  		// in case our beliefs are wrong.
  1144  		// The div is not expected to be reached.
  1145  		zz = zz.sub(zz, m)
  1146  		if zz.cmp(m) >= 0 {
  1147  			_, zz = nat(nil).div(nil, zz, m)
  1148  		}
  1149  	}
  1150  
  1151  	return zz.norm()
  1152  }
  1153  
  1154  // bytes writes the value of z into buf using big-endian encoding.
  1155  // The value of z is encoded in the slice buf[i:]. If the value of z
  1156  // cannot be represented in buf, bytes panics. The number i of unused
  1157  // bytes at the beginning of buf is returned as result.
  1158  func (z nat) bytes(buf []byte) (i int) {
  1159  	i = len(buf)
  1160  	for _, d := range z {
  1161  		for j := 0; j < _S; j++ {
  1162  			i--
  1163  			if i >= 0 {
  1164  				buf[i] = byte(d)
  1165  			} else if byte(d) != 0 {
  1166  				panic("math/big: buffer too small to fit value")
  1167  			}
  1168  			d >>= 8
  1169  		}
  1170  	}
  1171  
  1172  	if i < 0 {
  1173  		i = 0
  1174  	}
  1175  	for i < len(buf) && buf[i] == 0 {
  1176  		i++
  1177  	}
  1178  
  1179  	return
  1180  }
  1181  
  1182  // bigEndianWord returns the contents of buf interpreted as a big-endian encoded Word value.
  1183  func bigEndianWord(buf []byte) Word {
  1184  	if _W == 64 {
  1185  		return Word(binary.BigEndian.Uint64(buf))
  1186  	}
  1187  	return Word(binary.BigEndian.Uint32(buf))
  1188  }
  1189  
  1190  // setBytes interprets buf as the bytes of a big-endian unsigned
  1191  // integer, sets z to that value, and returns z.
  1192  func (z nat) setBytes(buf []byte) nat {
  1193  	z = z.make((len(buf) + _S - 1) / _S)
  1194  
  1195  	i := len(buf)
  1196  	for k := 0; i >= _S; k++ {
  1197  		z[k] = bigEndianWord(buf[i-_S : i])
  1198  		i -= _S
  1199  	}
  1200  	if i > 0 {
  1201  		var d Word
  1202  		for s := uint(0); i > 0; s += 8 {
  1203  			d |= Word(buf[i-1]) << s
  1204  			i--
  1205  		}
  1206  		z[len(z)-1] = d
  1207  	}
  1208  
  1209  	return z.norm()
  1210  }
  1211  
  1212  // sqrt sets z = ⌊√x⌋
  1213  func (z nat) sqrt(x nat) nat {
  1214  	if x.cmp(natOne) <= 0 {
  1215  		return z.set(x)
  1216  	}
  1217  	if alias(z, x) {
  1218  		z = nil
  1219  	}
  1220  
  1221  	// Start with value known to be too large and repeat "z = ⌊(z + ⌊x/z⌋)/2⌋" until it stops getting smaller.
  1222  	// See Brent and Zimmermann, Modern Computer Arithmetic, Algorithm 1.13 (SqrtInt).
  1223  	// https://members.loria.fr/PZimmermann/mca/pub226.html
  1224  	// If x is one less than a perfect square, the sequence oscillates between the correct z and z+1;
  1225  	// otherwise it converges to the correct z and stays there.
  1226  	var z1, z2 nat
  1227  	z1 = z
  1228  	z1 = z1.setUint64(1)
  1229  	z1 = z1.shl(z1, uint(x.bitLen()+1)/2) // must be ≥ √x
  1230  	for n := 0; ; n++ {
  1231  		z2, _ = z2.div(nil, x, z1)
  1232  		z2 = z2.add(z2, z1)
  1233  		z2 = z2.shr(z2, 1)
  1234  		if z2.cmp(z1) >= 0 {
  1235  			// z1 is answer.
  1236  			// Figure out whether z1 or z2 is currently aliased to z by looking at loop count.
  1237  			if n&1 == 0 {
  1238  				return z1
  1239  			}
  1240  			return z.set(z1)
  1241  		}
  1242  		z1, z2 = z2, z1
  1243  	}
  1244  }
  1245
View as plain text