path: root/frontend/beta/js/Clipperz/Crypto/BigInt.js
Diffstat (limited to 'frontend/beta/js/Clipperz/Crypto/BigInt.js')
-rw-r--r-- frontend/beta/js/Clipperz/Crypto/BigInt.js | 22
1 files changed, 10 insertions, 12 deletions
diff --git a/frontend/beta/js/Clipperz/Crypto/BigInt.js b/frontend/beta/js/Clipperz/Crypto/BigInt.js
index 41483a3..197cd9a 100644
--- a/frontend/beta/js/Clipperz/Crypto/BigInt.js
+++ b/frontend/beta/js/Clipperz/Crypto/BigInt.js
@@ -1,214 +1,212 @@
/*
-Copyright 2008-2011 Clipperz Srl
+Copyright 2008-2013 Clipperz Srl
-This file is part of Clipperz Community Edition.
-Clipperz Community Edition is an online password manager.
+This file is part of Clipperz, the online password manager.
For further information about its features and functionalities please
refer to http://www.clipperz.com.
-* Clipperz Community Edition is free software: you can redistribute
- it and/or modify it under the terms of the GNU Affero General Public
- License as published by the Free Software Foundation, either version
- 3 of the License, or (at your option) any later version.
+* Clipperz is free software: you can redistribute it and/or modify it
+ under the terms of the GNU Affero General Public License as published
+ by the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
-* Clipperz Community Edition is distributed in the hope that it will
- be useful, but WITHOUT ANY WARRANTY; without even the implied
- warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+* Clipperz is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU Affero General Public License for more details.
* You should have received a copy of the GNU Affero General Public
- License along with Clipperz Community Edition. If not, see
- <http://www.gnu.org/licenses/>.
+ License along with Clipperz. If not, see http://www.gnu.org/licenses/.
*/
if (typeof(Clipperz) == 'undefined') { Clipperz = {}; }
if (typeof(Clipperz.Crypto) == 'undefined') { Clipperz.Crypto = {}; }
//#############################################################################
// Downloaded on March 05, 2007 from http://www.leemon.com/crypto/BigInt.js
//#############################################################################
////////////////////////////////////////////////////////////////////////////////////////
// Big Integer Library v. 5.0
// Created 2000, last modified 2006
// Leemon Baird
// www.leemon.com
//
// This file is public domain. You can use it for any purpose without restriction.
// I do not guarantee that it is correct, so use it at your own risk. If you use
// it for something interesting, I'd appreciate hearing about it. If you find
// any bugs or make any improvements, I'd appreciate hearing about those too.
// It would also be nice if my name and address were left in the comments.
// But none of that is required.
//
// This code defines a bigInt library for arbitrary-precision integers.
// A bigInt is an array of integers storing the value in chunks of bpe bits,
// little endian (buff[0] is the least significant word).
// Negative bigInts are stored two's complement.
// Some functions assume their parameters have at least one leading zero element.
// Functions with an underscore at the end of the name have unpredictable behavior in case of overflow,
// so the caller must make sure overflow won't happen.
// For each function where a parameter is modified, that same
// variable must not be used as another argument too.
// So, you cannot square x by doing multMod_(x,x,n).
// You must use squareMod_(x,n) instead, or do y=dup(x); multMod_(x,y,n).
//
// These functions are designed to avoid frequent dynamic memory allocation in the inner loop.
// For most functions, if it needs a BigInt as a local variable it will actually use
// a global, and will only allocate to it when it's not the right size. This ensures
// that when a function is called repeatedly with same-sized parameters, it only allocates
// memory on the first call.
//
// Note that for cryptographic purposes, the calls to Math.random() must
// be replaced with calls to a better pseudorandom number generator.
//
// In the following, "bigInt" means a bigInt with at least one leading zero element,
// and "integer" means a nonnegative integer less than radix. In some cases, integer
// can be negative. Negative bigInts are 2s complement.
//
// The following functions do not modify their inputs, but dynamically allocate memory every time they are called:
//
// function bigInt2str(x,base) //convert a bigInt into a string in a given base, from base 2 up to base 95
// function dup(x) //returns a copy of bigInt x
// function findPrimes(n) //return array of all primes less than integer n
// function int2bigInt(t,n,m) //convert integer t to a bigInt with at least n bits and m array elements
// function int2bigInt(s,b,n,m) //convert string s in base b to a bigInt with at least n bits and m array elements
// function trim(x,k) //return a copy of x with exactly k leading zero elements
//
// The following functions do not modify their inputs, so there is never a problem with the result being too big:
//
// function bitSize(x) //returns how many bits long the bigInt x is, not counting leading zeros
// function equals(x,y) //is the bigInt x equal to the bigint y?
// function equalsInt(x,y) //is bigint x equal to integer y?
// function greater(x,y) //is x>y? (x and y are nonnegative bigInts)
// function greaterShift(x,y,shift)//is (x <<(shift*bpe)) > y?
// function isZero(x) //is the bigInt x equal to zero?
// function millerRabin(x,b) //does one round of Miller-Rabin base integer b say that bigInt x is possibly prime (as opposed to definitely composite)?
// function modInt(x,n) //return x mod n for bigInt x and integer n.
// function negative(x) //is bigInt x negative?
//
// The following functions do not modify their inputs, but allocate memory and call functions with underscores
//
// function add(x,y) //return (x+y) for bigInts x and y.
// function addInt(x,n) //return (x+n) where x is a bigInt and n is an integer.
// function expand(x,n) //return a copy of x with at least n elements, adding leading zeros if needed
// function inverseMod(x,n) //return (x**(-1) mod n) for bigInts x and n. If no inverse exists, it returns null
// function mod(x,n) //return a new bigInt equal to (x mod n) for bigInts x and n.
// function mult(x,y) //return x*y for bigInts x and y. This is faster when y<x.
// function multMod(x,y,n) //return (x*y mod n) for bigInts x,y,n. For greater speed, let y<x.
// function powMod(x,y,n) //return (x**y mod n) where x,y,n are bigInts and ** is exponentiation. 0**0=1. Faster for odd n.
// function randTruePrime(k) //return a new, random, k-bit, true prime using Maurer's algorithm.
// function sub(x,y) //return (x-y) for bigInts x and y. Negative answers will be 2s complement
//
// The following functions write a bigInt result to one of the parameters, but
// the result is never bigger than the original, so there can't be overflow problems:
//
// function divInt_(x,n) //do x=floor(x/n) for bigInt x and integer n, and return the remainder
// function GCD_(x,y) //set x to the greatest common divisor of bigInts x and y, (y is destroyed).
// function halve_(x) //do x=floor(|x|/2)*sgn(x) for bigInt x in 2's complement
// function mod_(x,n) //do x=x mod n for bigInts x and n.
// function rightShift_(x,n) //right shift bigInt x by n bits. 0 <= n < bpe.
//
// The following functions write a bigInt result to one of the parameters. The caller is responsible for
// ensuring it is large enough to hold the result.
//
// function addInt_(x,n) //do x=x+n where x is a bigInt and n is an integer
// function add_(x,y) //do x=x+y for bigInts x and y
// function addShift_(x,y,ys) //do x=x+(y<<(ys*bpe))
// function copy_(x,y) //do x=y on bigInts x and y
// function copyInt_(x,n) //do x=n on bigInt x and integer n
// function carry_(x) //do carries and borrows so each element of the bigInt x fits in bpe bits.
// function divide_(x,y,q,r) //divide_ x by y giving quotient q and remainder r
// function eGCD_(x,y,d,a,b) //sets a,b,d to positive big integers such that d = GCD_(x,y) = a*x-b*y
// function inverseMod_(x,n) //do x=x**(-1) mod n, for bigInts x and n. Returns 1 (0) if inverse does (doesn't) exist
// function inverseModInt_(x,n) //return x**(-1) mod n, for integers x and n. Return 0 if there is no inverse
// function leftShift_(x,n) //left shift bigInt x by n bits. n<bpe.
// function linComb_(x,y,a,b) //do x=a*x+b*y for bigInts x and y and integers a and b
// function linCombShift_(x,y,b,ys) //do x=x+b*(y<<(ys*bpe)) for bigInts x and y, and integers b and ys
// function mont_(x,y,n,np) //Montgomery multiplication (see comments where the function is defined)
// function mult_(x,y) //do x=x*y for bigInts x and y.
// function multInt_(x,n) //do x=x*n where x is a bigInt and n is an integer.
// function multMod_(x,y,n) //do x=x*y mod n for bigInts x,y,n.
// function powMod_(x,y,n) //do x=x**y mod n, where x,y,n are bigInts (n is odd) and ** is exponentiation. 0**0=1.
// function randBigInt_(b,n,s) //do b = an n-bit random BigInt. if s=1, then nth bit (most significant bit) is set to 1. n>=1.
// function randTruePrime_(ans,k) //do ans = a random k-bit true random prime (not just probable prime) with 1 in the msb.
// function squareMod_(x,n) //do x=x*x mod n for bigInts x,n
// function sub_(x,y) //do x=x-y for bigInts x and y. Negative answers will be 2s complement.
// function subShift_(x,y,ys) //do x=x-(y<<(ys*bpe)). Negative answers will be 2s complement.
//
// The following functions are based on algorithms from the _Handbook of Applied Cryptography_
// powMod_() = algorithm 14.94, Montgomery exponentiation
// eGCD_,inverseMod_() = algorithm 14.61, Binary extended GCD_
// GCD_() = algorothm 14.57, Lehmer's algorithm
// mont_() = algorithm 14.36, Montgomery multiplication
// divide_() = algorithm 14.20 Multiple-precision division
// squareMod_() = algorithm 14.16 Multiple-precision squaring
// randTruePrime_() = algorithm 4.62, Maurer's algorithm
// millerRabin() = algorithm 4.24, Miller-Rabin algorithm
//
// Profiling shows:
// randTruePrime_() spends:
// 10% of its time in calls to powMod_()
// 85% of its time in calls to millerRabin()
// millerRabin() spends:
// 99% of its time in calls to powMod_() (always with a base of 2)
// powMod_() spends:
// 94% of its time in calls to mont_() (almost always with x==y)
//
// This suggests there are several ways to speed up this library slightly:
// - convert powMod_ to use a Montgomery form of k-ary window (or maybe a Montgomery form of sliding window)
// -- this should especially focus on being fast when raising 2 to a power mod n
// - convert randTruePrime_() to use a minimum r of 1/3 instead of 1/2 with the appropriate change to the test
// - tune the parameters in randTruePrime_(), including c, m, and recLimit
// - speed up the single loop in mont_() that takes 95% of the runtime, perhaps by reducing checking
// within the loop when all the parameters are the same length.
//
// There are several ideas that look like they wouldn't help much at all:
// - replacing trial division in randTruePrime_() with a sieve (that speeds up something taking almost no time anyway)
// - increase bpe from 15 to 30 (that would help if we had a 32*32->64 multiplier, but not with JavaScript's 32*32->32)
// - speeding up mont_(x,y,n,np) when x==y by doing a non-modular, non-Montgomery square
// followed by a Montgomery reduction. The intermediate answer will be twice as long as x, so that
// method would be slower. This is unfortunate because the code currently spends almost all of its time
// doing mont_(x,x,...), both for randTruePrime_() and powMod_(). A faster method for Montgomery squaring
// would have a large impact on the speed of randTruePrime_() and powMod_(). HAC has a couple of poorly-worded
// sentences that seem to imply it's faster to do a non-modular square followed by a single
// Montgomery reduction, but that's obviously wrong.
////////////////////////////////////////////////////////////////////////////////////////
//globals
bpe=0; //bits stored per array element
mask=0; //AND this with an array element to chop it down to bpe bits
radix=mask+1; //equals 2^bpe. A single 1 bit to the left of the last bit of mask.
//the digits for converting to different bases
digitsStr='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_=!@#$%^&*()[]{}|;:,.<>/?`~ \\\'\"+-';
//initialize the global variables
for (bpe=0; (1<<(bpe+1)) > (1<<bpe); bpe++); //bpe=number of bits in the mantissa on this platform
bpe>>=1; //bpe=number of bits in one element of the array representing the bigInt
mask=(1<<bpe)-1; //AND the mask with an integer to get its bpe least significant bits
radix=mask+1; //2^bpe. a single 1 bit to the left of the first bit of mask
one=int2bigInt(1,1,1); //constant used in powMod_()
//the following global variables are scratchpad memory to
//reduce dynamic memory allocation in the inner loop
t=new Array(0);
ss=t; //used in mult_()
s0=t; //used in multMod_(), squareMod_()
s1=t; //used in powMod_(), multMod_(), squareMod_()
s2=t; //used in powMod_(), multMod_()
s3=t; //used in powMod_()
s4=t; s5=t; //used in mod_()
s6=t; //used in bigInt2str()
s7=t; //used in powMod_()
T=t; //used in GCD_()
sa=t; //used in mont_()
mr_x1=t; mr_r=t; mr_a=t; //used in millerRabin()
eg_v=t; eg_u=t; eg_A=t; eg_B=t; eg_C=t; eg_D=t; //used in eGCD_(), inverseMod_()
md_q1=t; md_q2=t; md_q3=t; md_r=t; md_r1=t; md_r2=t; md_tt=t; //used in mod_()
primes=t; pows=t; s_i=t; s_i2=t; s_R=t; s_rm=t; s_q=t; s_n1=t;
s_a=t; s_r2=t; s_n=t; s_b=t; s_d=t; s_x1=t; s_x2=t, s_aa=t; //used in randTruePrime_()
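Review bot: the hunk header `@@ -1,214 +1,212 @@` spans the entire file, yet the only `-`/`+` lines are the license header rewrite (copyright range 2008-2011 to 2008-2013, "Clipperz Community Edition" renamed to "Clipperz", and the GNU licence URL losing its angle brackets); everything from `if (typeof(Clipperz) == 'undefined')` downward is unchanged context, which agrees with the diffstat of 10 insertions and 12 deletions. Please confirm that those remaining lines are byte-identical rather than a line-ending or trailing-whitespace change hidden by the whitespace-ignoring view, because this file is a vendored copy of Leemon Baird's BigInt.js and a silent modification of it would be hard to spot later. While the code is untouched by this commit, the vendored header's own caveat in the context lines, that `Math.random()` must be replaced with a better pseudorandom number generator for cryptographic use, still stands, and the globals from `bpe=0;` onward are assigned without `var`; a short commit-message note on whether the Clipperz build addresses either would help the next reader.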