-
Notifications
You must be signed in to change notification settings - Fork 4
/
BigInt.js
1719 lines (1546 loc) · 58.6 KB
/
BigInt.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
// cho45: Wrap all functions to OO-style and close the scope
// karlgluck: Fixed bug with int2BigInt that causes mod(smaller, bigger) to always return 0
// karlgluck: passed JSLint
// karlgluck: fixed OO-syle functions to consistently return new objects
// karlgluck: fixed OO declaration to be 'use strict' compliant
// karlgluck: declare functions in order
// karlgluck: prevent global variable clobbering
(function (Global) {
// http://www.leemon.com/crypto/BigInt.js
////////////////////////////////////////////////////////////////////////////////////////
// Big Integer Library v. 5.5
// Created 2000, last modified 2013
// Leemon Baird
// www.leemon.com
//
// Version history:
// v 5.5 17 Mar 2013
// - two lines of a form like "if (x<0) x+=n" had the "if" changed to "while" to
// handle the case when x<-n. (Thanks to James Ansell for finding that bug)
// v 5.4 3 Oct 2009
// - added "var i" to greaterShift() so i is not global. (Thanks to PŽter Szab— for finding that bug)
//
// v 5.3 21 Sep 2009
// - added randProbPrime(k) for probable primes
// - unrolled loop in mont_ (slightly faster)
// - millerRabin now takes a bigInt parameter rather than an int
//
// v 5.2 15 Sep 2009
// - fixed capitalization in call to int2bigInt in randBigInt
// (thanks to Emili Evripidou, Reinhold Behringer, and Samuel Macaleese for finding that bug)
//
// v 5.1 8 Oct 2007
// - renamed inverseModInt_ to inverseModInt since it doesn't change its parameters
// - added functions GCD and randBigInt, which call GCD_ and randBigInt_
// - fixed a bug found by Rob Visser (see comment with his name below)
// - improved comments
//
// This file is public domain. You can use it for any purpose without restriction.
// I do not guarantee that it is correct, so use it at your own risk. If you use
// it for something interesting, I'd appreciate hearing about it. If you find
// any bugs or make any improvements, I'd appreciate hearing about those too.
// It would also be nice if my name and URL were left in the comments. But none
// of that is required.
//
// This code defines a bigInt library for arbitrary-precision integers.
// A bigInt is an array of integers storing the value in chunks of bpe bits,
// little endian (buff[0] is the least significant word).
// Negative bigInts are stored two's complement. Almost all the functions treat
// bigInts as nonnegative. The few that view them as two's complement say so
// in their comments. Some functions assume their parameters have at least one
// leading zero element. Functions with an underscore at the end of the name put
// their answer into one of the arrays passed in, and have unpredictable behavior
// in case of overflow, so the caller must make sure the arrays are big enough to
// hold the answer. But the average user should never have to call any of the
// underscored functions. Each important underscored function has a wrapper function
// of the same name without the underscore that takes care of the details for you.
// For each underscored function where a parameter is modified, that same variable
// must not be used as another argument too. So, you cannot square x by doing
// multMod_(x,x,n). You must use squareMod_(x,n) instead, or do y=dup(x); multMod_(x,y,n).
// Or simply use the multMod(x,x,n) function without the underscore, where
// such issues never arise, because non-underscored functions never change
// their parameters; they always allocate new memory for the answer that is returned.
//
// These functions are designed to avoid frequent dynamic memory allocation in the inner loop.
// For most functions, if it needs a BigInt as a local variable it will actually use
// a global, and will only allocate to it only when it's not the right size. This ensures
// that when a function is called repeatedly with same-sized parameters, it only allocates
// memory on the first call.
//
// The calls to Math.random() have been replaced with calls to the cryptographic PRNG
//
//
// In the following, "bigInt" means a bigInt with at least one leading zero element,
// and "integer" means a nonnegative integer less than radix. In some cases, integer
// can be negative. Negative bigInts are 2s complement.
//
// The following functions do not modify their inputs.
// Those returning a bigInt, string, or Array will dynamically allocate memory for that value.
// Those returning a boolean will return the integer 0 (false) or 1 (true).
// Those returning boolean or int will not allocate memory except possibly on the first
// time they're called with a given parameter size.
//
// bigInt add(x,y) //return (x+y) for bigInts x and y.
// bigInt addInt(x,n) //return (x+n) where x is a bigInt and n is an integer.
// string bigInt2str(x,base) //return a string form of bigInt x in a given base, with 2 <= base <= 95
// int bitSize(x) //return how many bits long the bigInt x is, not counting leading zeros
// bigInt dup(x) //return a copy of bigInt x
// boolean equals(x,y) //is the bigInt x equal to the bigint y?
// boolean equalsInt(x,y) //is bigint x equal to integer y?
// bigInt expand(x,n) //return a copy of x with at least n elements, adding leading zeros if needed
// Array findPrimes(n) //return array of all primes less than integer n
// bigInt GCD(x,y) //return greatest common divisor of bigInts x and y (each with same number of elements).
// boolean greater(x,y) //is x>y? (x and y are nonnegative bigInts)
// boolean greaterShift(x,y,shift)//is (x <<(shift*bpe)) > y?
// bigInt int2bigInt(t,n,m) //return a bigInt equal to integer t, with at least n bits and m array elements
// bigInt inverseMod(x,n) //return (x**(-1) mod n) for bigInts x and n. If no inverse exists, it returns null
// int inverseModInt(x,n) //return x**(-1) mod n, for integers x and n. Return 0 if there is no inverse
// boolean isZero(x) //is the bigInt x equal to zero?
// boolean millerRabin(x,b) //does one round of Miller-Rabin base integer b say that bigInt x is possibly prime? (b is bigInt, 1<b<x)
// boolean millerRabinInt(x,b) //does one round of Miller-Rabin base integer b say that bigInt x is possibly prime? (b is int, 1<b<x)
// bigInt mod(x,n) //return a new bigInt equal to (x mod n) for bigInts x and n.
// int modInt(x,n) //return x mod n for bigInt x and integer n.
// bigInt mult(x,y) //return x*y for bigInts x and y. This is faster when y<x.
// bigInt multMod(x,y,n) //return (x*y mod n) for bigInts x,y,n. For greater speed, let y<x.
// boolean negative(x) //is bigInt x negative?
// bigInt powMod(x,y,n) //return (x**y mod n) where x,y,n are bigInts and ** is exponentiation. 0**0=1. Faster for odd n.
// bigInt randBigInt(n,s) //return an n-bit random BigInt (n>=1). If s=1, then the most significant of those n bits is set to 1.
// bigInt randTruePrime(k) //return a new, random, k-bit, true prime bigInt using Maurer's algorithm.
// bigInt randProbPrime(k) //return a new, random, k-bit, probable prime bigInt (probability it's composite less than 2^-80).
// bigInt str2bigInt(s,b,n,m) //return a bigInt for number represented in string s in base b with at least n bits and m array elements
// bigInt sub(x,y) //return (x-y) for bigInts x and y. Negative answers will be 2s complement
// bigInt trim(x,k) //return a copy of x with exactly k leading zero elements
//
//
// The following functions each have a non-underscored version, which most users should call instead.
// These functions each write to a single parameter, and the caller is responsible for ensuring the array
// passed in is large enough to hold the result.
//
// void addInt_(x,n) //do x=x+n where x is a bigInt and n is an integer
// void add_(x,y) //do x=x+y for bigInts x and y
// void copy_(x,y) //do x=y on bigInts x and y
// void copyInt_(x,n) //do x=n on bigInt x and integer n
// void GCD_(x,y) //set x to the greatest common divisor of bigInts x and y, (y is destroyed). (This never overflows its array).
// boolean inverseMod_(x,n) //do x=x**(-1) mod n, for bigInts x and n. Returns 1 (0) if inverse does (doesn't) exist
// void mod_(x,n) //do x=x mod n for bigInts x and n. (This never overflows its array).
// void mult_(x,y) //do x=x*y for bigInts x and y.
// void multMod_(x,y,n) //do x=x*y mod n for bigInts x,y,n.
// void powMod_(x,y,n) //do x=x**y mod n, where x,y,n are bigInts (n is odd) and ** is exponentiation. 0**0=1.
// void randBigInt_(b,n,s) //do b = an n-bit random BigInt. if s=1, then nth bit (most significant bit) is set to 1. n>=1.
// void randTruePrime_(ans,k) //do ans = a random k-bit true random prime (not just probable prime) with 1 in the msb.
// void sub_(x,y) //do x=x-y for bigInts x and y. Negative answers will be 2s complement.
//
// The following functions do NOT have a non-underscored version.
// They each write a bigInt result to one or more parameters. The caller is responsible for
// ensuring the arrays passed in are large enough to hold the results.
//
// void addShift_(x,y,ys) //do x=x+(y<<(ys*bpe))
// void carry_(x) //do carries and borrows so each element of the bigInt x fits in bpe bits.
// void divide_(x,y,q,r) //divide x by y giving quotient q and remainder r
// int divInt_(x,n) //do x=floor(x/n) for bigInt x and integer n, and return the remainder. (This never overflows its array).
// int eGCD_(x,y,d,a,b) //sets a,b,d to positive bigInts such that d = GCD_(x,y) = a*x-b*y
// void halve_(x) //do x=floor(|x|/2)*sgn(x) for bigInt x in 2's complement. (This never overflows its array).
// void leftShift_(x,n) //left shift bigInt x by n bits. n<bpe.
// void linComb_(x,y,a,b) //do x=a*x+b*y for bigInts x and y and integers a and b
// void linCombShift_(x,y,b,ys) //do x=x+b*(y<<(ys*bpe)) for bigInts x and y, and integers b and ys
// void mont_(x,y,n,np) //Montgomery multiplication (see comments where the function is defined)
// void multInt_(x,n) //do x=x*n where x is a bigInt and n is an integer.
// void rightShift_(x,n) //right shift bigInt x by n bits. 0 <= n < bpe. (This never overflows its array).
// void squareMod_(x,n) //do x=x*x mod n for bigInts x,n
// void subShift_(x,y,ys) //do x=x-(y<<(ys*bpe)). Negative answers will be 2s complement.
//
// The following functions are based on algorithms from the _Handbook of Applied Cryptography_
// powMod_() = algorithm 14.94, Montgomery exponentiation
// eGCD_,inverseMod_() = algorithm 14.61, Binary extended GCD_
// GCD_() = algorothm 14.57, Lehmer's algorithm
// mont_() = algorithm 14.36, Montgomery multiplication
// divide_() = algorithm 14.20 Multiple-precision division
// squareMod_() = algorithm 14.16 Multiple-precision squaring
// randTruePrime_() = algorithm 4.62, Maurer's algorithm
// millerRabin() = algorithm 4.24, Miller-Rabin algorithm
//
// Profiling shows:
// randTruePrime_() spends:
// 10% of its time in calls to powMod_()
// 85% of its time in calls to millerRabin()
// millerRabin() spends:
// 99% of its time in calls to powMod_() (always with a base of 2)
// powMod_() spends:
// 94% of its time in calls to mont_() (almost always with x==y)
//
// This suggests there are several ways to speed up this library slightly:
// - convert powMod_ to use a Montgomery form of k-ary window (or maybe a Montgomery form of sliding window)
// -- this should especially focus on being fast when raising 2 to a power mod n
// - convert randTruePrime_() to use a minimum r of 1/3 instead of 1/2 with the appropriate change to the test
// - tune the parameters in randTruePrime_(), including c, m, and recLimit
// - speed up the single loop in mont_() that takes 95% of the runtime, perhaps by reducing checking
// within the loop when all the parameters are the same length.
//
// There are several ideas that look like they wouldn't help much at all:
// - replacing trial division in randTruePrime_() with a sieve (that speeds up something taking almost no time anyway)
// - increase bpe from 15 to 30 (that would help if we had a 32*32->64 multiplier, but not with JavaScript's 32*32->32)
// - speeding up mont_(x,y,n,np) when x==y by doing a non-modular, non-Montgomery square
// followed by a Montgomery reduction. The intermediate answer will be twice as long as x, so that
// method would be slower. This is unfortunate because the code currently spends almost all of its time
// doing mont_(x,x,...), both for randTruePrime_() and powMod_(). A faster method for Montgomery squaring
// would have a large impact on the speed of randTruePrime_() and powMod_(). HAC has a couple of poorly-worded
// sentences that seem to imply it's faster to do a non-modular square followed by a single
// Montgomery reduction, but that's obviously wrong.
////////////////////////////////////////////////////////////////////////////////////////
'use strict';
var bpe = 0, // bits stored per array element
mask = 0, // AND this with an array element to chop it down to bpe bits
radix = mask + 1, // equals 2^bpe. A single 1 bit to the left of the last bit of mask.
one = [1, 0], // constant used in powMod_()
// the digits for converting to different bases
digitsStr = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_=!@#$%^&*()[]{}|;:,.<>/?`~ \\\'\"+-';
// the following global variables are scratchpad memory to
// reduce dynamic memory allocation in the inner loop
var t = new Array(0);
var ss = t, // used in mult_()
s0 = t, // used in multMod_(), squareMod_()
s1 = t, // used in powMod_(), multMod_(), squareMod_()
s2 = t, // used in powMod_(), multMod_()
s3 = t, // used in powMod_()
s4 = t,
s5 = t, // used in mod_()
s6 = t, // used in bigInt2str()
s7 = t, // used in powMod_()
T = t, // used in GCD_()
sa = t, // used in mont_()
mr_x1 = t, mr_r = t, mr_a = t, // used in millerRabin()
eg_v = t, eg_u = t, eg_A = t, eg_B = t, eg_C = t, eg_D = t, // used in eGCD_(), inverseMod_()
md_q1 = t, md_q2 = t, md_q3 = t, md_r = t, md_r1 = t, md_r2 = t, md_tt = t, // used in mod_()
primes = t, pows = t, s_i = t, s_i2 = t, s_R = t, s_rm = t, s_q = t, s_n1 = t,
s_a = t, s_r2 = t, s_n = t, s_b = t, s_d = t, s_x1 = t, s_x2 = t, s_aa = t, // used in randTruePrime_()
rpprb = t; // used in randProbPrimeRounds() (which also uses "primes")
for (bpe = 0; (1 << (bpe + 1)) > (1 << bpe); bpe++) { } // bpe=number of bits in the mantissa on this platform
bpe >>= 1; // bpe=number of bits in one element of the array representing the bigInt
mask = (1 << bpe) - 1; // AND the mask with an integer to get its bpe least significant bits
radix = mask + 1; // 2^bpe. a single 1 bit to the left of the first bit of mask
////////////////////////////////////////////////////////////////////////////////////////
//do x=y on bigInts x and y. x must be an array at least as big as y (not counting the leading zeros in y).
function copy_(x, y) {
var i;
var k = x.length < y.length ? x.length : y.length;
for (i = 0; i < k; i++)
x[i] = y[i];
for (i = k; i < x.length; i++)
x[i] = 0;
}
//do x=y on bigInt x and integer y.
function copyInt_(x, n) {
var i, c;
for (c = n, i = 0; i < x.length; i++) {
x[i] = c & mask;
c >>= bpe;
}
}
//returns a duplicate of bigInt x
function dup(x) {
var buff = new Array(x.length);
copy_(buff, x);
return buff;
}
//do x=x+n where x is a bigInt and n is an integer.
//x must be large enough to hold the result.
function addInt_(x, n) {
var i, k, c, b;
x[0] += n;
k = x.length;
c = 0;
for (i = 0; i < k; i++) {
c += x[i];
b = 0;
if (c < 0) {
b = -(c >> bpe);
c += b * radix;
}
x[i] = c & mask;
c = (c >> bpe) - b;
if (!c) return; //stop carrying as soon as the carry is zero
}
}
//right shift bigInt x by n bits. 0 <= n < bpe.
function rightShift_(x, n) {
var i;
var k = Math.floor(n / bpe);
if (k) {
for (i = 0; i < x.length - k; i++) //right shift x by k elements
x[i] = x[i + k];
for (; i < x.length; i++)
x[i] = 0;
n %= bpe;
}
for (i = 0; i < x.length - 1; i++) {
x[i] = mask & ((x[i + 1] << (bpe - n)) | (x[i] >> n));
}
x[i] >>= n;
}
//do x=floor(|x|/2)*sgn(x) for bigInt x in 2's complement
function halve_(x) {
var i;
for (i = 0; i < x.length - 1; i++) {
x[i] = mask & ((x[i + 1] << (bpe - 1)) | (x[i] >> 1));
}
x[i] = (x[i] >> 1) | (x[i] & (radix >> 1)); //most significant bit stays the same
}
//left shift bigInt x by n bits.
function leftShift_(x, n) {
var i;
var k = Math.floor(n / bpe);
if (k) {
for (i = x.length; i >= k; i--) //left shift x by k elements
x[i] = x[i - k];
for (; i >= 0; i--)
x[i] = 0;
n %= bpe;
}
if (!n)
return;
for (i = x.length - 1; i > 0; i--) {
x[i] = mask & ((x[i] << n) | (x[i - 1] >> (bpe - n)));
}
x[i] = mask & (x[i] << n);
}
//do x=x*n where x is a bigInt and n is an integer.
//x must be large enough to hold the result.
function multInt_(x, n) {
var i, k, c, b;
if (!n)
return;
k = x.length;
c = 0;
for (i = 0; i < k; i++) {
c += x[i] * n;
b = 0;
if (c < 0) {
b = -(c >> bpe);
c += b * radix;
}
x[i] = c & mask;
c = (c >> bpe) - b;
}
}
//do x=floor(x/n) for bigInt x and integer n, and return the remainder
function divInt_(x, n) {
var i, r = 0, s;
for (i = x.length - 1; i >= 0; i--) {
s = r * radix + x[i];
x[i] = Math.floor(s / n);
r = s % n;
}
return r;
}
//do the linear combination x=a*x+b*y for bigInts x and y, and integers a and b.
//x must be large enough to hold the answer.
function linComb_(x, y, a, b) {
var i, c, k, kk;
k = x.length < y.length ? x.length : y.length;
kk = x.length;
for (c = 0, i = 0; i < k; i++) {
c += a * x[i] + b * y[i];
x[i] = c & mask;
c >>= bpe;
}
for (i = k; i < kk; i++) {
c += a * x[i];
x[i] = c & mask;
c >>= bpe;
}
}
//do the linear combination x=a*x+b*(y<<(ys*bpe)) for bigInts x and y, and integers a, b and ys.
//x must be large enough to hold the answer.
function linCombShift_(x, y, b, ys) {
var i, c, k, kk;
k = x.length < ys + y.length ? x.length : ys + y.length;
kk = x.length;
for (c = 0, i = ys; i < k; i++) {
c += x[i] + b * y[i - ys];
x[i] = c & mask;
c >>= bpe;
}
for (i = k; c && i < kk; i++) {
c += x[i];
x[i] = c & mask;
c >>= bpe;
}
}
//do x=x+(y<<(ys*bpe)) for bigInts x and y, and integers a,b and ys.
//x must be large enough to hold the answer.
function addShift_(x, y, ys) {
var i, c, k, kk;
k = x.length < ys + y.length ? x.length : ys + y.length;
kk = x.length;
for (c = 0, i = ys; i < k; i++) {
c += x[i] + y[i - ys];
x[i] = c & mask;
c >>= bpe;
}
for (i = k; c && i < kk; i++) {
c += x[i];
x[i] = c & mask;
c >>= bpe;
}
}
//do x=x-(y<<(ys*bpe)) for bigInts x and y, and integers a,b and ys.
//x must be large enough to hold the answer.
function subShift_(x, y, ys) {
var i, c, k, kk;
k = x.length < ys + y.length ? x.length : ys + y.length;
kk = x.length;
for (c = 0, i = ys; i < k; i++) {
c += x[i] - y[i - ys];
x[i] = c & mask;
c >>= bpe;
}
for (i = k; c && i < kk; i++) {
c += x[i];
x[i] = c & mask;
c >>= bpe;
}
}
//do x=x-y for bigInts x and y.
//x must be large enough to hold the answer.
//negative answers will be 2s complement
function sub_(x, y) {
var i, c, k, kk;
k = x.length < y.length ? x.length : y.length;
for (c = 0, i = 0; i < k; i++) {
c += x[i] - y[i];
x[i] = c & mask;
c >>= bpe;
}
for (i = k; c && i < x.length; i++) {
c += x[i];
x[i] = c & mask;
c >>= bpe;
}
}
//do x=x+y for bigInts x and y.
//x must be large enough to hold the answer.
function add_(x, y) {
var i, c, k, kk;
k = x.length < y.length ? x.length : y.length;
for (c = 0, i = 0; i < k; i++) {
c += x[i] + y[i];
x[i] = c & mask;
c >>= bpe;
}
for (i = k; c && i < x.length; i++) {
c += x[i];
x[i] = c & mask;
c >>= bpe;
}
}
//do x=x*y for bigInts x and y. This is faster when y<x.
function mult_(x, y) {
var i;
if (ss.length != 2 * x.length)
ss = new Array(2 * x.length);
copyInt_(ss, 0);
for (i = 0; i < y.length; i++)
if (y[i])
linCombShift_(ss, x, y[i], i); //ss=1*ss+y[i]*(x<<(i*bpe))
copy_(x, ss);
}
//do x=x mod n for bigInts x and n.
function mod_(x, n) {
if (s4.length != x.length)
s4 = dup(x);
else
copy_(s4, x);
if (s5.length != x.length)
s5 = dup(x);
divide_(s4, n, s5, x); //x = remainder of s4 / n
}
//do x=x*y mod n for bigInts x,y,n.
//for greater speed, let y<x.
function multMod_(x, y, n) {
var i;
if (s0.length != 2 * x.length)
s0 = new Array(2 * x.length);
copyInt_(s0, 0);
for (i = 0; i < y.length; i++)
if (y[i])
linCombShift_(s0, x, y[i], i); //s0=1*s0+y[i]*(x<<(i*bpe))
mod_(s0, n);
copy_(x, s0);
}
//do x=x*x mod n for bigInts x,n.
function squareMod_(x, n) {
var i, j, d, c, kx, kn, k;
for (kx = x.length; kx > 0 && !x[kx - 1]; kx--); //ignore leading zeros in x
k = kx > n.length ? 2 * kx : 2 * n.length; //k=# elements in the product, which is twice the elements in the larger of x and n
if (s0.length != k)
s0 = new Array(k);
copyInt_(s0, 0);
for (i = 0; i < kx; i++) {
c = s0[2 * i] + x[i] * x[i];
s0[2 * i] = c & mask;
c >>= bpe;
for (j = i + 1; j < kx; j++) {
c = s0[i + j] + 2 * x[i] * x[j] + c;
s0[i + j] = (c & mask);
c >>= bpe;
}
s0[i + kx] = c;
}
mod_(s0, n);
copy_(x, s0);
}
//return x with exactly k leading zero elements
function trim(x, k) {
var i, y;
for (i = x.length; i > 0 && !x[i - 1]; i--);
y = new Array(i + k);
copy_(y, x);
return y;
}
//do x=x**y mod n, where x,y,n are bigInts and ** is exponentiation. 0**0=1.
//this is faster when n is odd. x usually needs to have as many elements as n.
function powMod_(x, y, n) {
var k1, k2, kn, np;
if (s7.length != n.length)
s7 = dup(n);
//for even modulus, use a simple square-and-multiply algorithm,
//rather than using the more complex Montgomery algorithm.
if ((n[0] & 1) == 0) {
copy_(s7, x);
copyInt_(x, 1);
while (!equalsInt(y, 0)) {
if (y[0] & 1)
multMod_(x, s7, n);
divInt_(y, 2);
squareMod_(s7, n);
}
return;
}
//calculate np from n for the Montgomery multiplications
copyInt_(s7, 0);
for (kn = n.length; kn > 0 && !n[kn - 1]; kn--);
np = radix - inverseModInt(modInt(n, radix), radix);
s7[kn] = 1;
multMod_(x, s7, n); // x = x * 2**(kn*bp) mod n
if (s3.length != x.length)
s3 = dup(x);
else
copy_(s3, x);
for (k1 = y.length - 1; k1 > 0 & !y[k1]; k1--); //k1=first nonzero element of y
if (y[k1] == 0) { //anything to the 0th power is 1
copyInt_(x, 1);
return;
}
for (k2 = 1 << (bpe - 1); k2 && !(y[k1] & k2); k2 >>= 1); //k2=position of first 1 bit in y[k1]
for (; ; ) {
if (!(k2 >>= 1)) { //look at next bit of y
k1--;
if (k1 < 0) {
mont_(x, one, n, np);
return;
}
k2 = 1 << (bpe - 1);
}
mont_(x, x, n, np);
if (k2 & y[k1]) //if next bit is a 1
mont_(x, s3, n, np);
}
}
//do x=x*y*Ri mod n for bigInts x,y,n,
// where Ri = 2**(-kn*bpe) mod n, and kn is the
// number of elements in the n array, not
// counting leading zeros.
//x array must have at least as many elemnts as the n array
//It's OK if x and y are the same variable.
//must have:
// x,y < n
// n is odd
// np = -(n^(-1)) mod radix
function mont_(x, y, n, np) {
var i, j, c, ui, t, ks;
var kn = n.length;
var ky = y.length;
if (sa.length != kn)
sa = new Array(kn);
copyInt_(sa, 0);
for (; kn > 0 && n[kn - 1] == 0; kn--); //ignore leading zeros of n
for (; ky > 0 && y[ky - 1] == 0; ky--); //ignore leading zeros of y
ks = sa.length - 1; //sa will never have more than this many nonzero elements.
//the following loop consumes 95% of the runtime for randTruePrime_() and powMod_() for large numbers
for (i = 0; i < kn; i++) {
t = sa[0] + x[i] * y[0];
ui = ((t & mask) * np) & mask; //the inner "& mask" was needed on Safari (but not MSIE) at one time
c = (t + ui * n[0]) >> bpe;
t = x[i];
//do sa=(sa+x[i]*y+ui*n)/b where b=2**bpe. Loop is unrolled 5-fold for speed
j = 1;
for (; j < ky - 4; ) {
c += sa[j] + ui * n[j] + t * y[j]; sa[j - 1] = c & mask; c >>= bpe; j++;
c += sa[j] + ui * n[j] + t * y[j]; sa[j - 1] = c & mask; c >>= bpe; j++;
c += sa[j] + ui * n[j] + t * y[j]; sa[j - 1] = c & mask; c >>= bpe; j++;
c += sa[j] + ui * n[j] + t * y[j]; sa[j - 1] = c & mask; c >>= bpe; j++;
c += sa[j] + ui * n[j] + t * y[j]; sa[j - 1] = c & mask; c >>= bpe; j++;
}
for (; j < ky; ) { c += sa[j] + ui * n[j] + t * y[j]; sa[j - 1] = c & mask; c >>= bpe; j++; }
for (; j < kn - 4; ) {
c += sa[j] + ui * n[j]; sa[j - 1] = c & mask; c >>= bpe; j++;
c += sa[j] + ui * n[j]; sa[j - 1] = c & mask; c >>= bpe; j++;
c += sa[j] + ui * n[j]; sa[j - 1] = c & mask; c >>= bpe; j++;
c += sa[j] + ui * n[j]; sa[j - 1] = c & mask; c >>= bpe; j++;
c += sa[j] + ui * n[j]; sa[j - 1] = c & mask; c >>= bpe; j++;
}
for (; j < kn; ) { c += sa[j] + ui * n[j]; sa[j - 1] = c & mask; c >>= bpe; j++; }
for (; j < ks; ) { c += sa[j]; sa[j - 1] = c & mask; c >>= bpe; j++; }
sa[j - 1] = c & mask;
}
if (!greater(n, sa))
sub_(sa, n);
copy_(x, sa);
}
//return array of all primes less than integer n
function findPrimes(n) {
var i, s, p, ans;
s = new Array(n);
for (i = 0; i < n; i++)
s[i] = 0;
s[0] = 2;
p = 0; //first p elements of s are primes, the rest are a sieve
for (; s[p] < n; ) { //s[p] is the pth prime
for (i = s[p] * s[p]; i < n; i += s[p]) //mark multiples of s[p]
s[i] = 1;
p++;
s[p] = s[p - 1] + 1;
for (; s[p] < n && s[s[p]]; s[p]++); //find next prime (where s[p]==0)
}
ans = new Array(p);
for (i = 0; i < p; i++)
ans[i] = s[i];
return ans;
}
//does a single round of Miller-Rabin base b consider x to be a possible prime?
//x and b are bigInts with b<x
function millerRabin(x, b) {
var i, j, k, s;
if (mr_x1.length != x.length) {
mr_x1 = dup(x);
mr_r = dup(x);
mr_a = dup(x);
}
copy_(mr_a, b);
copy_(mr_r, x);
copy_(mr_x1, x);
addInt_(mr_r, -1);
addInt_(mr_x1, -1);
//s=the highest power of two that divides mr_r
k = 0;
for (i = 0; i < mr_r.length; i++)
for (j = 1; j < mask; j <<= 1)
if (x[i] & j) {
s = (k < mr_r.length + bpe ? k : 0);
i = mr_r.length;
j = mask;
} else
k++;
if (s)
rightShift_(mr_r, s);
powMod_(mr_a, mr_r, x);
if (!equalsInt(mr_a, 1) && !equals(mr_a, mr_x1)) {
j = 1;
while (j <= s - 1 && !equals(mr_a, mr_x1)) {
squareMod_(mr_a, x);
if (equalsInt(mr_a, 1)) {
return 0;
}
j++;
}
if (!equals(mr_a, mr_x1)) {
return 0;
}
}
return 1;
}
//does a single round of Miller-Rabin base b consider x to be a possible prime?
//x is a bigInt, and b is an integer, with b<x
function millerRabinInt(x, b) {
if (mr_x1.length != x.length) {
mr_x1 = dup(x);
mr_r = dup(x);
mr_a = dup(x);
}
copyInt_(mr_a, b);
return millerRabin(x, mr_a);
}
//returns how many bits long the bigInt is, not counting leading zeros.
function bitSize(x) {
var j, z, w;
for (j = x.length - 1; (x[j] == 0) && (j > 0); j--);
for (z = 0, w = x[j]; w; (w >>= 1), z++);
z += bpe * j;
return z;
}
//return a copy of x with at least n elements, adding leading zeros if needed
function expand(x, n) {
var ans = int2bigInt(0, (x.length > n ? x.length : n) * bpe, 0);
copy_(ans, x);
return ans;
}
//return a k-bit true random prime using Maurer's algorithm.
function randTruePrime(k) {
var ans = int2bigInt(0, k, 0);
randTruePrime_(ans, k);
return trim(ans, 1);
}
//return a k-bit random probable prime with probability of error < 2^-80
function randProbPrime(k) {
if (k >= 600) return randProbPrimeRounds(k, 2); //numbers from HAC table 4.3
if (k >= 550) return randProbPrimeRounds(k, 4);
if (k >= 500) return randProbPrimeRounds(k, 5);
if (k >= 400) return randProbPrimeRounds(k, 6);
if (k >= 350) return randProbPrimeRounds(k, 7);
if (k >= 300) return randProbPrimeRounds(k, 9);
if (k >= 250) return randProbPrimeRounds(k, 12); //numbers from HAC table 4.4
if (k >= 200) return randProbPrimeRounds(k, 15);
if (k >= 150) return randProbPrimeRounds(k, 18);
if (k >= 100) return randProbPrimeRounds(k, 27);
return randProbPrimeRounds(k, 40); //number from HAC remark 4.26 (only an estimate)
}
//return a k-bit probable random prime using n rounds of Miller Rabin (after trial division with small primes)
function randProbPrimeRounds(k, n) {
var ans, i, divisible, B;
B = 30000; //B is largest prime to use in trial division
ans = int2bigInt(0, k, 0);
//optimization: try larger and smaller B to find the best limit.
if (primes.length == 0)
primes = findPrimes(30000); //check for divisibility by primes <=30000
if (rpprb.length != ans.length)
rpprb = dup(ans);
for (; ; ) { //keep trying random values for ans until one appears to be prime
//optimization: pick a random number times L=2*3*5*...*p, plus a
// random element of the list of all numbers in [0,L) not divisible by any prime up to p.
// This can reduce the amount of random number generation.
randBigInt_(ans, k, 0); //ans = a random odd number to check
ans[0] |= 1;
divisible = 0;
//check ans for divisibility by small primes up to B
for (i = 0; (i < primes.length) && (primes[i] <= B); i++)
if (modInt(ans, primes[i]) == 0 && !equalsInt(ans, primes[i])) {
divisible = 1;
break;
}
//optimization: change millerRabin so the base can be bigger than the number being checked, then eliminate the while here.
//do n rounds of Miller Rabin, with random bases less than ans
for (i = 0; i < n && !divisible; i++) {
randBigInt_(rpprb, k, 0);
while (!greater(ans, rpprb)) //pick a random rpprb that's < ans
randBigInt_(rpprb, k, 0);
if (!millerRabin(ans, rpprb))
divisible = 1;
}
if (!divisible)
return ans;
}
}
//return a new bigInt equal to (x mod n) for bigInts x and n.
function mod(x, n) {
var ans = dup(x);
mod_(ans, n);
return trim(ans, 1);
}
//return (x+n) where x is a bigInt and n is an integer.
function addInt(x, n) {
var ans = expand(x, x.length + 1);
addInt_(ans, n);
return trim(ans, 1);
}
//return x*y for bigInts x and y. This is faster when y<x.
function mult(x, y) {
var ans = expand(x, x.length + y.length);
mult_(ans, y);
return trim(ans, 1);
}
//return (x**y mod n) where x,y,n are bigInts and ** is exponentiation. 0**0=1. Faster for odd n.
function powMod(x, y, n) {
var ans = expand(x, n.length);
powMod_(ans, trim(y, 2), trim(n, 2), 0); //this should work without the trim, but doesn't
return trim(ans, 1);
}
//return (x-y) for bigInts x and y. Negative answers will be 2s complement
function sub(x, y) {
var ans = expand(x, (x.length > y.length ? x.length + 1 : y.length + 1));
sub_(ans, y);
return trim(ans, 1);
}
//return (x+y) for bigInts x and y.
function add(x, y) {
var ans = expand(x, (x.length > y.length ? x.length + 1 : y.length + 1));
add_(ans, y);
return trim(ans, 1);
}
//return (x**(-1) mod n) for bigInts x and n. If no inverse exists, it returns null
function inverseMod(x, n) {
var ans = expand(x, n.length);
var s;
s = inverseMod_(ans, n);
return s ? trim(ans, 1) : null;
}
//return (x*y mod n) for bigInts x,y,n. For greater speed, let y<x.
function multMod(x, y, n) {
var ans = expand(x, n.length);
multMod_(ans, y, n);
return trim(ans, 1);
}
//generate a k-bit true random prime using Maurer's algorithm,
//and put it into ans. The bigInt ans must be large enough to hold it.
function randTruePrime_(ans, k) {
var c, m, pm, dd, j, r, B, divisible, z, zz, recSize;
if (primes.length == 0)
primes = findPrimes(30000); //check for divisibility by primes <=30000
if (pows.length == 0) {
pows = new Array(512);
for (j = 0; j < 512; j++) {
pows[j] = Math.pow(2, j / 511. - 1.);
}
}
//c and m should be tuned for a particular machine and value of k, to maximize speed
c = 0.1; //c=0.1 in HAC
m = 20; //generate this k-bit number by first recursively generating a number that has between k/2 and k-m bits
recLimit = 20; //stop recursion when k <=recLimit. Must have recLimit >= 2
if (s_i2.length != ans.length) {
s_i2 = dup(ans);
s_R = dup(ans);
s_n1 = dup(ans);
s_r2 = dup(ans);
s_d = dup(ans);
s_x1 = dup(ans);
s_x2 = dup(ans);
s_b = dup(ans);
s_n = dup(ans);
s_i = dup(ans);
s_rm = dup(ans);
s_q = dup(ans);
s_a = dup(ans);
s_aa = dup(ans);
}
if (k <= recLimit) { //generate small random primes by trial division up to its square root
pm = (1 << ((k + 2) >> 1)) - 1; //pm is binary number with all ones, just over sqrt(2^k)
copyInt_(ans, 0);
for (dd = 1; dd; ) {
dd = 0;
ans[0] = 1 | (1 << (k - 1)) | Math.floor(Math.random() * (1 << k)); //random, k-bit, odd integer, with msb 1
for (j = 1; (j < primes.length) && ((primes[j] & pm) == primes[j]); j++) { //trial division by all primes 3...sqrt(2^k)
if (0 == (ans[0] % primes[j])) {
dd = 1;
break;
}
}
}
carry_(ans);
return;
}
B = c * k * k; //try small primes up to B (or all the primes[] array if the largest is less than B).
if (k > 2 * m) //generate this k-bit number by first recursively generating a number that has between k/2 and k-m bits
for (r = 1; k - k * r <= m; )
r = pows[Math.floor(Math.random() * 512)]; //r=Math.pow(2,Math.random()-1);
else
r = .5;
//simulation suggests the more complex algorithm using r=.333 is only slightly faster.
recSize = Math.floor(r * k) + 1;
randTruePrime_(s_q, recSize);
copyInt_(s_i2, 0);
s_i2[Math.floor((k - 2) / bpe)] |= (1 << ((k - 2) % bpe)); //s_i2=2^(k-2)
divide_(s_i2, s_q, s_i, s_rm); //s_i=floor((2^(k-1))/(2q))
z = bitSize(s_i);
for (; ; ) {
for (; ; ) { //generate z-bit numbers until one falls in the range [0,s_i-1]
randBigInt_(s_R, z, 0);
if (greater(s_i, s_R))
break;
} //now s_R is in the range [0,s_i-1]
addInt_(s_R, 1); //now s_R is in the range [1,s_i]
add_(s_R, s_i); //now s_R is in the range [s_i+1,2*s_i]
copy_(s_n, s_q);
mult_(s_n, s_R);
multInt_(s_n, 2);
addInt_(s_n, 1); //s_n=2*s_R*s_q+1
copy_(s_r2, s_R);
multInt_(s_r2, 2); //s_r2=2*s_R
//check s_n for divisibility by small primes up to B
for (divisible = 0, j = 0; (j < primes.length) && (primes[j] < B); j++)
if (modInt(s_n, primes[j]) == 0 && !equalsInt(s_n, primes[j])) {
divisible = 1;
break;
}
if (!divisible) //if it passes small primes check, then try a single Miller-Rabin base 2
if (!millerRabinInt(s_n, 2)) //this line represents 75% of the total runtime for randTruePrime_
divisible = 1;
if (!divisible) { //if it passes that test, continue checking s_n
addInt_(s_n, -3);
for (j = s_n.length - 1; (s_n[j] == 0) && (j > 0); j--); //strip leading zeros
for (zz = 0, w = s_n[j]; w; (w >>= 1), zz++);
zz += bpe * j; //zz=number of bits in s_n, ignoring leading zeros
for (; ; ) { //generate z-bit numbers until one falls in the range [0,s_n-1]
randBigInt_(s_a, zz, 0);
if (greater(s_n, s_a))
break;
} //now s_a is in the range [0,s_n-1]
addInt_(s_n, 3); //now s_a is in the range [0,s_n-4]
addInt_(s_a, 2); //now s_a is in the range [2,s_n-2]
copy_(s_b, s_a);
copy_(s_n1, s_n);
addInt_(s_n1, -1);
powMod_(s_b, s_n1, s_n); //s_b=s_a^(s_n-1) modulo s_n
addInt_(s_b, -1);
if (isZero(s_b)) {
copy_(s_b, s_a);
powMod_(s_b, s_r2, s_n);
addInt_(s_b, -1);
copy_(s_aa, s_n);
copy_(s_d, s_b);
GCD_(s_d, s_n); //if s_b and s_n are relatively prime, then s_n is a prime
if (equalsInt(s_d, 1)) {
copy_(ans, s_aa);
return; //if we've made it this far, then s_n is absolutely guaranteed to be prime
}
}