2 * Copyright 2002-2017 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
5 * Licensed under the OpenSSL license (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
14 #include "internal/cryptlib.h"
17 #ifndef OPENSSL_NO_EC2M
20 * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
23 # define MAX_ITERATIONS 50
25 static const BN_ULONG SQR_tb[16] = { 0, 1, 4, 5, 16, 17, 20, 21,
26 64, 65, 68, 69, 80, 81, 84, 85
29 /* Platform-specific macros to accelerate squaring. */
30 # if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
32 SQR_tb[(w) >> 60 & 0xF] << 56 | SQR_tb[(w) >> 56 & 0xF] << 48 | \
33 SQR_tb[(w) >> 52 & 0xF] << 40 | SQR_tb[(w) >> 48 & 0xF] << 32 | \
34 SQR_tb[(w) >> 44 & 0xF] << 24 | SQR_tb[(w) >> 40 & 0xF] << 16 | \
35 SQR_tb[(w) >> 36 & 0xF] << 8 | SQR_tb[(w) >> 32 & 0xF]
37 SQR_tb[(w) >> 28 & 0xF] << 56 | SQR_tb[(w) >> 24 & 0xF] << 48 | \
38 SQR_tb[(w) >> 20 & 0xF] << 40 | SQR_tb[(w) >> 16 & 0xF] << 32 | \
39 SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
40 SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
42 # ifdef THIRTY_TWO_BIT
44 SQR_tb[(w) >> 28 & 0xF] << 24 | SQR_tb[(w) >> 24 & 0xF] << 16 | \
45 SQR_tb[(w) >> 20 & 0xF] << 8 | SQR_tb[(w) >> 16 & 0xF]
47 SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
48 SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
51 # if !defined(OPENSSL_BN_ASM_GF2m)
53 * Product of two polynomials a, b each with degree < BN_BITS2 - 1, result is
54 * a polynomial r with degree < 2 * BN_BITS - 1 The caller MUST ensure that
55 * the variables have the right amount of space allocated.
57 # ifdef THIRTY_TWO_BIT
58 static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a,
61 register BN_ULONG h, l, s;
62 BN_ULONG tab[8], top2b = a >> 30;
63 register BN_ULONG a1, a2, a4;
65 a1 = a & (0x3FFFFFFF);
76 tab[7] = a1 ^ a2 ^ a4;
80 s = tab[b >> 3 & 0x7];
83 s = tab[b >> 6 & 0x7];
86 s = tab[b >> 9 & 0x7];
89 s = tab[b >> 12 & 0x7];
92 s = tab[b >> 15 & 0x7];
95 s = tab[b >> 18 & 0x7];
98 s = tab[b >> 21 & 0x7];
101 s = tab[b >> 24 & 0x7];
104 s = tab[b >> 27 & 0x7];
111 /* compensate for the top two bits of a */
126 # if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
127 static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a,
130 register BN_ULONG h, l, s;
131 BN_ULONG tab[16], top3b = a >> 61;
132 register BN_ULONG a1, a2, a4, a8;
134 a1 = a & (0x1FFFFFFFFFFFFFFFULL);
146 tab[7] = a1 ^ a2 ^ a4;
150 tab[11] = a1 ^ a2 ^ a8;
152 tab[13] = a1 ^ a4 ^ a8;
153 tab[14] = a2 ^ a4 ^ a8;
154 tab[15] = a1 ^ a2 ^ a4 ^ a8;
158 s = tab[b >> 4 & 0xF];
161 s = tab[b >> 8 & 0xF];
164 s = tab[b >> 12 & 0xF];
167 s = tab[b >> 16 & 0xF];
170 s = tab[b >> 20 & 0xF];
173 s = tab[b >> 24 & 0xF];
176 s = tab[b >> 28 & 0xF];
179 s = tab[b >> 32 & 0xF];
182 s = tab[b >> 36 & 0xF];
185 s = tab[b >> 40 & 0xF];
188 s = tab[b >> 44 & 0xF];
191 s = tab[b >> 48 & 0xF];
194 s = tab[b >> 52 & 0xF];
197 s = tab[b >> 56 & 0xF];
204 /* compensate for the top three bits of a */
225 * Product of two polynomials a, b each with degree < 2 * BN_BITS2 - 1,
226 * result is a polynomial r with degree < 4 * BN_BITS2 - 1 The caller MUST
227 * ensure that the variables have the right amount of space allocated.
229 static void bn_GF2m_mul_2x2(BN_ULONG *r, const BN_ULONG a1, const BN_ULONG a0,
230 const BN_ULONG b1, const BN_ULONG b0)
233 /* r[3] = h1, r[2] = h0; r[1] = l1; r[0] = l0 */
234 bn_GF2m_mul_1x1(r + 3, r + 2, a1, b1);
235 bn_GF2m_mul_1x1(r + 1, r, a0, b0);
236 bn_GF2m_mul_1x1(&m1, &m0, a0 ^ a1, b0 ^ b1);
237 /* Correction on m1 ^= l1 ^ h1; m0 ^= l0 ^ h0; */
238 r[2] ^= m1 ^ r[1] ^ r[3]; /* h0 ^= m1 ^ l1 ^ h1; */
239 r[1] = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0; /* l1 ^= l0 ^ h0 ^ m0; */
242 void bn_GF2m_mul_2x2(BN_ULONG *r, BN_ULONG a1, BN_ULONG a0, BN_ULONG b1,
247 * Add polynomials a and b and store result in r; r could be a or b, a and b
248 * could be equal; r is the bitwise XOR of a and b.
250 int BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
253 const BIGNUM *at, *bt;
258 if (a->top < b->top) {
266 if (bn_wexpand(r, at->top) == NULL)
269 for (i = 0; i < bt->top; i++) {
270 r->d[i] = at->d[i] ^ bt->d[i];
272 for (; i < at->top; i++) {
283 * Some functions allow for representation of the irreducible polynomials
284 * as an int[], say p. The irreducible f(t) is then of the form:
285 * t^p[0] + t^p[1] + ... + t^p[k]
286 * where m = p[0] > p[1] > ... > p[k] = 0.
289 /* Performs modular reduction of a and store result in r. r could be a. */
290 int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[])
299 /* reduction mod 1 => return 0 */
305 * Since the algorithm does reduction in the r value, if a != r, copy the
306 * contents of a into r so we can do reduction in r.
309 if (!bn_wexpand(r, a->top))
311 for (j = 0; j < a->top; j++) {
318 /* start reduction */
319 dN = p[0] / BN_BITS2;
320 for (j = r->top - 1; j > dN;) {
328 for (k = 1; p[k] != 0; k++) {
329 /* reducing component t^p[k] */
334 z[j - n] ^= (zz >> d0);
336 z[j - n - 1] ^= (zz << d1);
339 /* reducing component t^0 */
341 d0 = p[0] % BN_BITS2;
343 z[j - n] ^= (zz >> d0);
345 z[j - n - 1] ^= (zz << d1);
348 /* final round of reduction */
351 d0 = p[0] % BN_BITS2;
357 /* clear up the top d1 bits */
359 z[dN] = (z[dN] << d1) >> d1;
362 z[0] ^= zz; /* reduction t^0 component */
364 for (k = 1; p[k] != 0; k++) {
367 /* reducing component t^p[k] */
369 d0 = p[k] % BN_BITS2;
372 if (d0 && (tmp_ulong = zz >> d1))
373 z[n + 1] ^= tmp_ulong;
383 * Performs modular reduction of a by p and store result in r. r could be a.
384 * This function calls down to the BN_GF2m_mod_arr implementation; this wrapper
385 * function is only provided for convenience; for best performance, use the
386 * BN_GF2m_mod_arr function.
388 int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p)
394 ret = BN_GF2m_poly2arr(p, arr, OSSL_NELEM(arr));
395 if (!ret || ret > (int)OSSL_NELEM(arr)) {
396 BNerr(BN_F_BN_GF2M_MOD, BN_R_INVALID_LENGTH);
399 ret = BN_GF2m_mod_arr(r, a, arr);
405 * Compute the product of two polynomials a and b, reduce modulo p, and store
406 * the result in r. r could be a or b; a could be b.
408 int BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
409 const int p[], BN_CTX *ctx)
411 int zlen, i, j, k, ret = 0;
413 BN_ULONG x1, x0, y1, y0, zz[4];
419 return BN_GF2m_mod_sqr_arr(r, a, p, ctx);
423 if ((s = BN_CTX_get(ctx)) == NULL)
426 zlen = a->top + b->top + 4;
427 if (!bn_wexpand(s, zlen))
431 for (i = 0; i < zlen; i++)
434 for (j = 0; j < b->top; j += 2) {
436 y1 = ((j + 1) == b->top) ? 0 : b->d[j + 1];
437 for (i = 0; i < a->top; i += 2) {
439 x1 = ((i + 1) == a->top) ? 0 : a->d[i + 1];
440 bn_GF2m_mul_2x2(zz, x1, x0, y1, y0);
441 for (k = 0; k < 4; k++)
442 s->d[i + j + k] ^= zz[k];
447 if (BN_GF2m_mod_arr(r, s, p))
457 * Compute the product of two polynomials a and b, reduce modulo p, and store
458 * the result in r. r could be a or b; a could equal b. This function calls
459 * down to the BN_GF2m_mod_mul_arr implementation; this wrapper function is
460 * only provided for convenience; for best performance, use the
461 * BN_GF2m_mod_mul_arr function.
463 int BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
464 const BIGNUM *p, BN_CTX *ctx)
467 const int max = BN_num_bits(p) + 1;
472 if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
474 ret = BN_GF2m_poly2arr(p, arr, max);
475 if (!ret || ret > max) {
476 BNerr(BN_F_BN_GF2M_MOD_MUL, BN_R_INVALID_LENGTH);
479 ret = BN_GF2m_mod_mul_arr(r, a, b, arr, ctx);
486 /* Square a, reduce the result mod p, and store it in a. r could be a. */
487 int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[],
495 if ((s = BN_CTX_get(ctx)) == NULL)
497 if (!bn_wexpand(s, 2 * a->top))
500 for (i = a->top - 1; i >= 0; i--) {
501 s->d[2 * i + 1] = SQR1(a->d[i]);
502 s->d[2 * i] = SQR0(a->d[i]);
507 if (!BN_GF2m_mod_arr(r, s, p))
517 * Square a, reduce the result mod p, and store it in a. r could be a. This
518 * function calls down to the BN_GF2m_mod_sqr_arr implementation; this
519 * wrapper function is only provided for convenience; for best performance,
520 * use the BN_GF2m_mod_sqr_arr function.
522 int BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
525 const int max = BN_num_bits(p) + 1;
530 if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
532 ret = BN_GF2m_poly2arr(p, arr, max);
533 if (!ret || ret > max) {
534 BNerr(BN_F_BN_GF2M_MOD_SQR, BN_R_INVALID_LENGTH);
537 ret = BN_GF2m_mod_sqr_arr(r, a, arr, ctx);
545 * Invert a, reduce modulo p, and store the result in r. r could be a. Uses
546 * Modified Almost Inverse Algorithm (Algorithm 10) from Hankerson, D.,
547 * Hernandez, J.L., and Menezes, A. "Software Implementation of Elliptic
548 * Curve Cryptography Over Binary Fields".
550 static int BN_GF2m_mod_inv_vartime(BIGNUM *r, const BIGNUM *a,
551 const BIGNUM *p, BN_CTX *ctx)
553 BIGNUM *b, *c = NULL, *u = NULL, *v = NULL, *tmp;
568 if (!BN_GF2m_mod(u, a, p))
580 while (!BN_is_odd(u)) {
583 if (!BN_rshift1(u, u))
586 if (!BN_GF2m_add(b, b, p))
589 if (!BN_rshift1(b, b))
593 if (BN_abs_is_word(u, 1))
596 if (BN_num_bits(u) < BN_num_bits(v)) {
605 if (!BN_GF2m_add(u, u, v))
607 if (!BN_GF2m_add(b, b, c))
613 int ubits = BN_num_bits(u);
614 int vbits = BN_num_bits(v); /* v is copy of p */
616 BN_ULONG *udp, *bdp, *vdp, *cdp;
618 if (!bn_wexpand(u, top))
621 for (i = u->top; i < top; i++)
624 if (!bn_wexpand(b, top))
628 for (i = 1; i < top; i++)
631 if (!bn_wexpand(c, top))
634 for (i = 0; i < top; i++)
637 vdp = v->d; /* It pays off to "cache" *->d pointers,
638 * because it allows optimizer to be more
639 * aggressive. But we don't have to "cache"
640 * p->d, because *p is declared 'const'... */
642 while (ubits && !(udp[0] & 1)) {
643 BN_ULONG u0, u1, b0, b1, mask;
647 mask = (BN_ULONG)0 - (b0 & 1);
648 b0 ^= p->d[0] & mask;
649 for (i = 0; i < top - 1; i++) {
651 udp[i] = ((u0 >> 1) | (u1 << (BN_BITS2 - 1))) & BN_MASK2;
653 b1 = bdp[i + 1] ^ (p->d[i + 1] & mask);
654 bdp[i] = ((b0 >> 1) | (b1 << (BN_BITS2 - 1))) & BN_MASK2;
662 if (ubits <= BN_BITS2) {
663 if (udp[0] == 0) /* poly was reducible */
684 for (i = 0; i < top; i++) {
688 if (ubits == vbits) {
690 int utop = (ubits - 1) / BN_BITS2;
692 while ((ul = udp[utop]) == 0 && utop)
694 ubits = utop * BN_BITS2 + BN_num_bits_word(ul);
707 # ifdef BN_DEBUG /* BN_CTX_end would complain about the
718 * Wrapper for BN_GF2m_mod_inv_vartime that blinds the input before calling.
719 * This is not constant time.
720 * But it does eliminate first order deduction on the input.
722 int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
728 if ((b = BN_CTX_get(ctx)) == NULL)
731 /* generate blinding value */
733 if (!BN_priv_rand(b, BN_num_bits(p) - 1,
734 BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY))
736 } while (BN_is_zero(b));
739 if (!BN_GF2m_mod_mul(r, a, b, p, ctx))
743 if (!BN_GF2m_mod_inv_vartime(r, r, p, ctx))
746 /* r := b/(a * b) = 1/a */
747 if (!BN_GF2m_mod_mul(r, r, b, p, ctx))
758 * Invert xx, reduce modulo p, and store the result in r. r could be xx.
759 * This function calls down to the BN_GF2m_mod_inv implementation; this
760 * wrapper function is only provided for convenience; for best performance,
761 * use the BN_GF2m_mod_inv function.
763 int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *xx, const int p[],
771 if ((field = BN_CTX_get(ctx)) == NULL)
773 if (!BN_GF2m_arr2poly(p, field))
776 ret = BN_GF2m_mod_inv(r, xx, field, ctx);
785 * Divide y by x, reduce modulo p, and store the result in r. r could be x
786 * or y, x could equal y.
788 int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x,
789 const BIGNUM *p, BN_CTX *ctx)
799 xinv = BN_CTX_get(ctx);
803 if (!BN_GF2m_mod_inv(xinv, x, p, ctx))
805 if (!BN_GF2m_mod_mul(r, y, xinv, p, ctx))
816 * Divide yy by xx, reduce modulo p, and store the result in r. r could be xx
817 * * or yy, xx could equal yy. This function calls down to the
818 * BN_GF2m_mod_div implementation; this wrapper function is only provided for
819 * convenience; for best performance, use the BN_GF2m_mod_div function.
821 int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *yy, const BIGNUM *xx,
822 const int p[], BN_CTX *ctx)
831 if ((field = BN_CTX_get(ctx)) == NULL)
833 if (!BN_GF2m_arr2poly(p, field))
836 ret = BN_GF2m_mod_div(r, yy, xx, field, ctx);
845 * Compute the bth power of a, reduce modulo p, and store the result in r. r
846 * could be a. Uses simple square-and-multiply algorithm A.5.1 from IEEE
849 int BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
850 const int p[], BN_CTX *ctx)
861 if (BN_abs_is_word(b, 1))
862 return (BN_copy(r, a) != NULL);
865 if ((u = BN_CTX_get(ctx)) == NULL)
868 if (!BN_GF2m_mod_arr(u, a, p))
871 n = BN_num_bits(b) - 1;
872 for (i = n - 1; i >= 0; i--) {
873 if (!BN_GF2m_mod_sqr_arr(u, u, p, ctx))
875 if (BN_is_bit_set(b, i)) {
876 if (!BN_GF2m_mod_mul_arr(u, u, a, p, ctx))
890 * Compute the bth power of a, reduce modulo p, and store the result in r. r
891 * could be a. This function calls down to the BN_GF2m_mod_exp_arr
892 * implementation; this wrapper function is only provided for convenience;
893 * for best performance, use the BN_GF2m_mod_exp_arr function.
895 int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
896 const BIGNUM *p, BN_CTX *ctx)
899 const int max = BN_num_bits(p) + 1;
904 if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
906 ret = BN_GF2m_poly2arr(p, arr, max);
907 if (!ret || ret > max) {
908 BNerr(BN_F_BN_GF2M_MOD_EXP, BN_R_INVALID_LENGTH);
911 ret = BN_GF2m_mod_exp_arr(r, a, b, arr, ctx);
919 * Compute the square root of a, reduce modulo p, and store the result in r.
920 * r could be a. Uses exponentiation as in algorithm A.4.1 from IEEE P1363.
922 int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, const int p[],
931 /* reduction mod 1 => return 0 */
937 if ((u = BN_CTX_get(ctx)) == NULL)
940 if (!BN_set_bit(u, p[0] - 1))
942 ret = BN_GF2m_mod_exp_arr(r, a, u, p, ctx);
951 * Compute the square root of a, reduce modulo p, and store the result in r.
952 * r could be a. This function calls down to the BN_GF2m_mod_sqrt_arr
953 * implementation; this wrapper function is only provided for convenience;
954 * for best performance, use the BN_GF2m_mod_sqrt_arr function.
956 int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
959 const int max = BN_num_bits(p) + 1;
963 if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
965 ret = BN_GF2m_poly2arr(p, arr, max);
966 if (!ret || ret > max) {
967 BNerr(BN_F_BN_GF2M_MOD_SQRT, BN_R_INVALID_LENGTH);
970 ret = BN_GF2m_mod_sqrt_arr(r, a, arr, ctx);
978 * Find r such that r^2 + r = a mod p. r could be a. If no r exists returns
979 * 0. Uses algorithms A.4.7 and A.4.6 from IEEE P1363.
981 int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const int p[],
984 int ret = 0, count = 0, j;
985 BIGNUM *a, *z, *rho, *w, *w2, *tmp;
990 /* reduction mod 1 => return 0 */
1002 if (!BN_GF2m_mod_arr(a, a_, p))
1005 if (BN_is_zero(a)) {
1011 if (p[0] & 0x1) { /* m is odd */
1012 /* compute half-trace of a */
1015 for (j = 1; j <= (p[0] - 1) / 2; j++) {
1016 if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx))
1018 if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx))
1020 if (!BN_GF2m_add(z, z, a))
1024 } else { /* m is even */
1026 rho = BN_CTX_get(ctx);
1027 w2 = BN_CTX_get(ctx);
1028 tmp = BN_CTX_get(ctx);
1032 if (!BN_priv_rand(rho, p[0], BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
1034 if (!BN_GF2m_mod_arr(rho, rho, p))
1037 if (!BN_copy(w, rho))
1039 for (j = 1; j <= p[0] - 1; j++) {
1040 if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx))
1042 if (!BN_GF2m_mod_sqr_arr(w2, w, p, ctx))
1044 if (!BN_GF2m_mod_mul_arr(tmp, w2, a, p, ctx))
1046 if (!BN_GF2m_add(z, z, tmp))
1048 if (!BN_GF2m_add(w, w2, rho))
1052 } while (BN_is_zero(w) && (count < MAX_ITERATIONS));
1053 if (BN_is_zero(w)) {
1054 BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR, BN_R_TOO_MANY_ITERATIONS);
1059 if (!BN_GF2m_mod_sqr_arr(w, z, p, ctx))
1061 if (!BN_GF2m_add(w, z, w))
1063 if (BN_GF2m_cmp(w, a)) {
1064 BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR, BN_R_NO_SOLUTION);
1080 * Find r such that r^2 + r = a mod p. r could be a. If no r exists returns
1081 * 0. This function calls down to the BN_GF2m_mod_solve_quad_arr
1082 * implementation; this wrapper function is only provided for convenience;
1083 * for best performance, use the BN_GF2m_mod_solve_quad_arr function.
1085 int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
1089 const int max = BN_num_bits(p) + 1;
1093 if ((arr = OPENSSL_malloc(sizeof(*arr) * max)) == NULL)
1095 ret = BN_GF2m_poly2arr(p, arr, max);
1096 if (!ret || ret > max) {
1097 BNerr(BN_F_BN_GF2M_MOD_SOLVE_QUAD, BN_R_INVALID_LENGTH);
1100 ret = BN_GF2m_mod_solve_quad_arr(r, a, arr, ctx);
1108 * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
1109 * x^i) into an array of integers corresponding to the bits with non-zero
1110 * coefficient. Array is terminated with -1. Up to max elements of the array
1111 * will be filled. Return value is total number of array elements that would
1112 * be filled if array was large enough.
1114 int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
1122 for (i = a->top - 1; i >= 0; i--) {
1124 /* skip word if a->d[i] == 0 */
1127 for (j = BN_BITS2 - 1; j >= 0; j--) {
1128 if (a->d[i] & mask) {
1130 p[k] = BN_BITS2 * i + j;
1146 * Convert the coefficient array representation of a polynomial to a
1147 * bit-string. The array must be terminated by -1.
1149 int BN_GF2m_arr2poly(const int p[], BIGNUM *a)
1155 for (i = 0; p[i] != -1; i++) {
1156 if (BN_set_bit(a, p[i]) == 0)
projects / openssl.git / blob