Mercurial > dropbear

comparison libtommath/bn_mp_prime_strong_lucas_selfridge.c @ 1692:1051e4eea25a

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Update LibTomMath to 1.2.0 (#84) * update C files * update other files * update headers * update makefiles * remove mp_set/get_double() * use ltm 1.2.0 API * update ltm_desc * use bundled tommath if system-tommath is too old * XMALLOC etc. were changed to MP_MALLOC etc.
author Steffen Jaeckel <s@jaeckel.eu>
date Tue, 26 May 2020 17:36:47 +0200
parents f52919ffd3b1
children
comparison
equal deleted inserted replaced
1691:2d3745d58843 1692:1051e4eea25a
1 #include "tommath_private.h" 1 #include "tommath_private.h"
2 #ifdef BN_MP_PRIME_STRONG_LUCAS_SELFRIDGE_C 2 #ifdef BN_MP_PRIME_STRONG_LUCAS_SELFRIDGE_C
3 3
4 /* LibTomMath, multiple-precision integer library -- Tom St Denis 4 /* LibTomMath, multiple-precision integer library -- Tom St Denis */
5 * 5 /* SPDX-License-Identifier: Unlicense */
6 * LibTomMath is a library that provides multiple-precision
7 * integer arithmetic as well as number theoretic functionality.
8 *
9 * The library was designed directly after the MPI library by
10 * Michael Fromberger but has been written from scratch with
11 * additional optimizations in place.
12 *
13 * SPDX-License-Identifier: Unlicense
14 */
15 6
16 /* 7 /*
17 * See file bn_mp_prime_is_prime.c or the documentation in doc/bn.tex for the details 8 * See file bn_mp_prime_is_prime.c or the documentation in doc/bn.tex for the details
18 */ 9 */
19 #ifndef LTM_USE_FIPS_ONLY 10 #ifndef LTM_USE_ONLY_MR
20 11
21 /* 12 /*
22 * 8-bit is just too small. You can try the Frobenius test 13 * 8-bit is just too small. You can try the Frobenius test
23 * but that frobenius test can fail, too, for the same reason. 14 * but that frobenius test can fail, too, for the same reason.
24 */ 15 */
26 17
27 /* 18 /*
28 * multiply bigint a with int d and put the result in c 19 * multiply bigint a with int d and put the result in c
29 * Like mp_mul_d() but with a signed long as the small input 20 * Like mp_mul_d() but with a signed long as the small input
30 */ 21 */
31 static int s_mp_mul_si(const mp_int *a, long d, mp_int *c) 22 static mp_err s_mp_mul_si(const mp_int *a, int32_t d, mp_int *c)
32 { 23 {
33 mp_int t; 24 mp_int t;
34 int err, neg = 0; 25 mp_err err;
35 26
36 if ((err = mp_init(&t)) != MP_OKAY) { 27 if ((err = mp_init(&t)) != MP_OKAY) {
37 return err; 28 return err;
38 }
39 if (d < 0) {
40 neg = 1;
41 d = -d;
42 } 29 }
43 30
44 /* 31 /*
45 * mp_digit might be smaller than a long, which excludes 32 * mp_digit might be smaller than a long, which excludes
46 * the use of mp_mul_d() here. 33 * the use of mp_mul_d() here.
47 */ 34 */
48 if ((err = mp_set_long(&t, (unsigned long) d)) != MP_OKAY) { 35 mp_set_i32(&t, d);
49 goto LBL_MPMULSI_ERR; 36 err = mp_mul(a, &t, c);
50 }
51 if ((err = mp_mul(a, &t, c)) != MP_OKAY) {
52 goto LBL_MPMULSI_ERR;
53 }
54 if (neg == 1) {
55 c->sign = (a->sign == MP_NEG) ? MP_ZPOS: MP_NEG;
56 }
57 LBL_MPMULSI_ERR:
58 mp_clear(&t); 37 mp_clear(&t);
59 return err; 38 return err;
60 } 39 }
61 /* 40 /*
62 Strong Lucas-Selfridge test. 41 Strong Lucas-Selfridge test.
73 Additional comments marked "CZ" (without the quotes) are by the code-portist. 52 Additional comments marked "CZ" (without the quotes) are by the code-portist.
74 53
75 (If that name sounds familiar, he is the guy who found the fdiv bug in the 54 (If that name sounds familiar, he is the guy who found the fdiv bug in the
76 Pentium (P5x, I think) Intel processor) 55 Pentium (P5x, I think) Intel processor)
77 */ 56 */
78 int mp_prime_strong_lucas_selfridge(const mp_int *a, int *result) 57 mp_err mp_prime_strong_lucas_selfridge(const mp_int *a, mp_bool *result)
79 { 58 {
80 /* CZ TODO: choose better variable names! */ 59 /* CZ TODO: choose better variable names! */
81 mp_int Dz, gcd, Np1, Uz, Vz, U2mz, V2mz, Qmz, Q2mz, Qkdz, T1z, T2z, T3z, T4z, Q2kdz; 60 mp_int Dz, gcd, Np1, Uz, Vz, U2mz, V2mz, Qmz, Q2mz, Qkdz, T1z, T2z, T3z, T4z, Q2kdz;
82 /* CZ TODO: Some of them need the full 32 bit, hence the (temporary) exclusion of MP_8BIT */ 61 /* CZ TODO: Some of them need the full 32 bit, hence the (temporary) exclusion of MP_8BIT */
83 int32_t D, Ds, J, sign, P, Q, r, s, u, Nbits; 62 int32_t D, Ds, J, sign, P, Q, r, s, u, Nbits;
84 int e; 63 mp_err err;
85 int isset, oddness; 64 mp_bool oddness;
86 65
87 *result = MP_NO; 66 *result = MP_NO;
88 /* 67 /*
89 Find the first element D in the sequence {5, -7, 9, -11, 13, ...} 68 Find the first element D in the sequence {5, -7, 9, -11, 13, ...}
90 such that Jacobi(D,N) = -1 (Selfridge's algorithm). Theory 69 such that Jacobi(D,N) = -1 (Selfridge's algorithm). Theory
91 indicates that, if N is not a perfect square, D will "nearly 70 indicates that, if N is not a perfect square, D will "nearly
92 always" be "small." Just in case, an overflow trap for D is 71 always" be "small." Just in case, an overflow trap for D is
93 included. 72 included.
94 */ 73 */
95 74
96 if ((e = mp_init_multi(&Dz, &gcd, &Np1, &Uz, &Vz, &U2mz, &V2mz, &Qmz, &Q2mz, &Qkdz, &T1z, &T2z, &T3z, &T4z, &Q2kdz, 75 if ((err = mp_init_multi(&Dz, &gcd, &Np1, &Uz, &Vz, &U2mz, &V2mz, &Qmz, &Q2mz, &Qkdz, &T1z, &T2z, &T3z, &T4z, &Q2kdz,
97 NULL)) != MP_OKAY) { 76 NULL)) != MP_OKAY) {
98 return e; 77 return err;
99 } 78 }
100 79
101 D = 5; 80 D = 5;
102 sign = 1; 81 sign = 1;
103 82
104 for (;;) { 83 for (;;) {
105 Ds = sign * D; 84 Ds = sign * D;
106 sign = -sign; 85 sign = -sign;
107 if ((e = mp_set_long(&Dz, (unsigned long)D)) != MP_OKAY) { 86 mp_set_u32(&Dz, (uint32_t)D);
108 goto LBL_LS_ERR; 87 if ((err = mp_gcd(a, &Dz, &gcd)) != MP_OKAY) goto LBL_LS_ERR;
109 } 88
110 if ((e = mp_gcd(a, &Dz, &gcd)) != MP_OKAY) {
111 goto LBL_LS_ERR;
112 }
113 /* if 1 < GCD < N then N is composite with factor "D", and 89 /* if 1 < GCD < N then N is composite with factor "D", and
114 Jacobi(D,N) is technically undefined (but often returned 90 Jacobi(D,N) is technically undefined (but often returned
115 as zero). */ 91 as zero). */
116 if ((mp_cmp_d(&gcd, 1uL) == MP_GT) && (mp_cmp(&gcd, a) == MP_LT)) { 92 if ((mp_cmp_d(&gcd, 1uL) == MP_GT) && (mp_cmp(&gcd, a) == MP_LT)) {
117 goto LBL_LS_ERR; 93 goto LBL_LS_ERR;
118 } 94 }
119 if (Ds < 0) { 95 if (Ds < 0) {
120 Dz.sign = MP_NEG; 96 Dz.sign = MP_NEG;
121 } 97 }
122 if ((e = mp_kronecker(&Dz, a, &J)) != MP_OKAY) { 98 if ((err = mp_kronecker(&Dz, a, &J)) != MP_OKAY) goto LBL_LS_ERR;
123 goto LBL_LS_ERR;
124 }
125 99
126 if (J == -1) { 100 if (J == -1) {
127 break; 101 break;
128 } 102 }
129 D += 2; 103 D += 2;
130 104
131 if (D > (INT_MAX - 2)) { 105 if (D > (INT_MAX - 2)) {
132 e = MP_VAL; 106 err = MP_VAL;
133 goto LBL_LS_ERR; 107 goto LBL_LS_ERR;
134 } 108 }
135 } 109 }
136 110
137 111
167 the evidence indicates that the strong Lucas-Selfridge test is 141 the evidence indicates that the strong Lucas-Selfridge test is
168 more effective than the standard Lucas-Selfridge test, and a 142 more effective than the standard Lucas-Selfridge test, and a
169 Baillie-PSW test based on the strong Lucas-Selfridge test 143 Baillie-PSW test based on the strong Lucas-Selfridge test
170 should be more reliable. */ 144 should be more reliable. */
171 145
172 if ((e = mp_add_d(a, 1uL, &Np1)) != MP_OKAY) { 146 if ((err = mp_add_d(a, 1uL, &Np1)) != MP_OKAY) goto LBL_LS_ERR;
173 goto LBL_LS_ERR;
174 }
175 s = mp_cnt_lsb(&Np1); 147 s = mp_cnt_lsb(&Np1);
176 148
177 /* CZ 149 /* CZ
178 * This should round towards zero because 150 * This should round towards zero because
179 * Thomas R. Nicely used GMP's mpz_tdiv_q_2exp() 151 * Thomas R. Nicely used GMP's mpz_tdiv_q_2exp()
180 * and mp_div_2d() is equivalent. Additionally: 152 * and mp_div_2d() is equivalent. Additionally:
181 * dividing an even number by two does not produce 153 * dividing an even number by two does not produce
182 * any leftovers. 154 * any leftovers.
183 */ 155 */
184 if ((e = mp_div_2d(&Np1, s, &Dz, NULL)) != MP_OKAY) { 156 if ((err = mp_div_2d(&Np1, s, &Dz, NULL)) != MP_OKAY) goto LBL_LS_ERR;
185 goto LBL_LS_ERR;
186 }
187 /* We must now compute U_d and V_d. Since d is odd, the accumulated 157 /* We must now compute U_d and V_d. Since d is odd, the accumulated
188 values U and V are initialized to U_1 and V_1 (if the target 158 values U and V are initialized to U_1 and V_1 (if the target
189 index were even, U and V would be initialized instead to U_0=0 159 index were even, U and V would be initialized instead to U_0=0
190 and V_0=2). The values of U_2m and V_2m are also initialized to 160 and V_0=2). The values of U_2m and V_2m are also initialized to
191 U_1 and V_1; the FOR loop calculates in succession U_2 and V_2, 161 U_1 and V_1; the FOR loop calculates in succession U_2 and V_2,
198 mp_set(&Uz, 1uL); /* U=U_1 */ 168 mp_set(&Uz, 1uL); /* U=U_1 */
199 mp_set(&Vz, (mp_digit)P); /* V=V_1 */ 169 mp_set(&Vz, (mp_digit)P); /* V=V_1 */
200 mp_set(&U2mz, 1uL); /* U_1 */ 170 mp_set(&U2mz, 1uL); /* U_1 */
201 mp_set(&V2mz, (mp_digit)P); /* V_1 */ 171 mp_set(&V2mz, (mp_digit)P); /* V_1 */
202 172
203 if (Q < 0) { 173 mp_set_i32(&Qmz, Q);
204 Q = -Q; 174 if ((err = mp_mul_2(&Qmz, &Q2mz)) != MP_OKAY) goto LBL_LS_ERR;
205 if ((e = mp_set_long(&Qmz, (unsigned long)Q)) != MP_OKAY) { 175 /* Initializes calculation of Q^d */
206 goto LBL_LS_ERR; 176 mp_set_i32(&Qkdz, Q);
207 }
208 if ((e = mp_mul_2(&Qmz, &Q2mz)) != MP_OKAY) {
209 goto LBL_LS_ERR;
210 }
211 /* Initializes calculation of Q^d */
212 if ((e = mp_set_long(&Qkdz, (unsigned long)Q)) != MP_OKAY) {
213 goto LBL_LS_ERR;
214 }
215 Qmz.sign = MP_NEG;
216 Q2mz.sign = MP_NEG;
217 Qkdz.sign = MP_NEG;
218 Q = -Q;
219 } else {
220 if ((e = mp_set_long(&Qmz, (unsigned long)Q)) != MP_OKAY) {
221 goto LBL_LS_ERR;
222 }
223 if ((e = mp_mul_2(&Qmz, &Q2mz)) != MP_OKAY) {
224 goto LBL_LS_ERR;
225 }
226 /* Initializes calculation of Q^d */
227 if ((e = mp_set_long(&Qkdz, (unsigned long)Q)) != MP_OKAY) {
228 goto LBL_LS_ERR;
229 }
230 }
231 177
232 Nbits = mp_count_bits(&Dz); 178 Nbits = mp_count_bits(&Dz);
233 179
234 for (u = 1; u < Nbits; u++) { /* zero bit off, already accounted for */ 180 for (u = 1; u < Nbits; u++) { /* zero bit off, already accounted for */
235 /* Formulas for doubling of indices (carried out mod N). Note that 181 /* Formulas for doubling of indices (carried out mod N). Note that
238 * 184 *
239 * U_2m = U_m*V_m 185 * U_2m = U_m*V_m
240 * V_2m = V_m*V_m - 2*Q^m 186 * V_2m = V_m*V_m - 2*Q^m
241 */ 187 */
242 188
243 if ((e = mp_mul(&U2mz, &V2mz, &U2mz)) != MP_OKAY) { 189 if ((err = mp_mul(&U2mz, &V2mz, &U2mz)) != MP_OKAY) goto LBL_LS_ERR;
244 goto LBL_LS_ERR; 190 if ((err = mp_mod(&U2mz, a, &U2mz)) != MP_OKAY) goto LBL_LS_ERR;
245 } 191 if ((err = mp_sqr(&V2mz, &V2mz)) != MP_OKAY) goto LBL_LS_ERR;
246 if ((e = mp_mod(&U2mz, a, &U2mz)) != MP_OKAY) { 192 if ((err = mp_sub(&V2mz, &Q2mz, &V2mz)) != MP_OKAY) goto LBL_LS_ERR;
247 goto LBL_LS_ERR; 193 if ((err = mp_mod(&V2mz, a, &V2mz)) != MP_OKAY) goto LBL_LS_ERR;
248 } 194
249 if ((e = mp_sqr(&V2mz, &V2mz)) != MP_OKAY) {
250 goto LBL_LS_ERR;
251 }
252 if ((e = mp_sub(&V2mz, &Q2mz, &V2mz)) != MP_OKAY) {
253 goto LBL_LS_ERR;
254 }
255 if ((e = mp_mod(&V2mz, a, &V2mz)) != MP_OKAY) {
256 goto LBL_LS_ERR;
257 }
258 /* Must calculate powers of Q for use in V_2m, also for Q^d later */ 195 /* Must calculate powers of Q for use in V_2m, also for Q^d later */
259 if ((e = mp_sqr(&Qmz, &Qmz)) != MP_OKAY) { 196 if ((err = mp_sqr(&Qmz, &Qmz)) != MP_OKAY) goto LBL_LS_ERR;
260 goto LBL_LS_ERR; 197
261 }
262 /* prevents overflow */ /* CZ still necessary without a fixed prealloc'd mem.? */ 198 /* prevents overflow */ /* CZ still necessary without a fixed prealloc'd mem.? */
263 if ((e = mp_mod(&Qmz, a, &Qmz)) != MP_OKAY) { 199 if ((err = mp_mod(&Qmz, a, &Qmz)) != MP_OKAY) goto LBL_LS_ERR;
264 goto LBL_LS_ERR; 200 if ((err = mp_mul_2(&Qmz, &Q2mz)) != MP_OKAY) goto LBL_LS_ERR;
265 } 201
266 if ((e = mp_mul_2(&Qmz, &Q2mz)) != MP_OKAY) { 202 if (s_mp_get_bit(&Dz, (unsigned int)u) == MP_YES) {
267 goto LBL_LS_ERR;
268 }
269 if ((isset = mp_get_bit(&Dz, u)) == MP_VAL) {
270 e = isset;
271 goto LBL_LS_ERR;
272 }
273 if (isset == MP_YES) {
274 /* Formulas for addition of indices (carried out mod N); 203 /* Formulas for addition of indices (carried out mod N);
275 * 204 *
276 * U_(m+n) = (U_m*V_n + U_n*V_m)/2 205 * U_(m+n) = (U_m*V_n + U_n*V_m)/2
277 * V_(m+n) = (V_m*V_n + D*U_m*U_n)/2 206 * V_(m+n) = (V_m*V_n + D*U_m*U_n)/2
278 * 207 *
279 * Be careful with division by 2 (mod N)! 208 * Be careful with division by 2 (mod N)!
280 */ 209 */
281 if ((e = mp_mul(&U2mz, &Vz, &T1z)) != MP_OKAY) { 210 if ((err = mp_mul(&U2mz, &Vz, &T1z)) != MP_OKAY) goto LBL_LS_ERR;
282 goto LBL_LS_ERR; 211 if ((err = mp_mul(&Uz, &V2mz, &T2z)) != MP_OKAY) goto LBL_LS_ERR;
283 } 212 if ((err = mp_mul(&V2mz, &Vz, &T3z)) != MP_OKAY) goto LBL_LS_ERR;
284 if ((e = mp_mul(&Uz, &V2mz, &T2z)) != MP_OKAY) { 213 if ((err = mp_mul(&U2mz, &Uz, &T4z)) != MP_OKAY) goto LBL_LS_ERR;
285 goto LBL_LS_ERR; 214 if ((err = s_mp_mul_si(&T4z, Ds, &T4z)) != MP_OKAY) goto LBL_LS_ERR;
286 } 215 if ((err = mp_add(&T1z, &T2z, &Uz)) != MP_OKAY) goto LBL_LS_ERR;
287 if ((e = mp_mul(&V2mz, &Vz, &T3z)) != MP_OKAY) { 216 if (MP_IS_ODD(&Uz)) {
288 goto LBL_LS_ERR; 217 if ((err = mp_add(&Uz, a, &Uz)) != MP_OKAY) goto LBL_LS_ERR;
289 }
290 if ((e = mp_mul(&U2mz, &Uz, &T4z)) != MP_OKAY) {
291 goto LBL_LS_ERR;
292 }
293 if ((e = s_mp_mul_si(&T4z, (long)Ds, &T4z)) != MP_OKAY) {
294 goto LBL_LS_ERR;
295 }
296 if ((e = mp_add(&T1z, &T2z, &Uz)) != MP_OKAY) {
297 goto LBL_LS_ERR;
298 }
299 if (mp_isodd(&Uz) != MP_NO) {
300 if ((e = mp_add(&Uz, a, &Uz)) != MP_OKAY) {
301 goto LBL_LS_ERR;
302 }
303 } 218 }
304 /* CZ 219 /* CZ
305 * This should round towards negative infinity because 220 * This should round towards negative infinity because
306 * Thomas R. Nicely used GMP's mpz_fdiv_q_2exp(). 221 * Thomas R. Nicely used GMP's mpz_fdiv_q_2exp().
307 * But mp_div_2() does not do so, it is truncating instead. 222 * But mp_div_2() does not do so, it is truncating instead.
308 */ 223 */
309 oddness = mp_isodd(&Uz); 224 oddness = MP_IS_ODD(&Uz) ? MP_YES : MP_NO;
310 if ((e = mp_div_2(&Uz, &Uz)) != MP_OKAY) { 225 if ((err = mp_div_2(&Uz, &Uz)) != MP_OKAY) goto LBL_LS_ERR;
311 goto LBL_LS_ERR;
312 }
313 if ((Uz.sign == MP_NEG) && (oddness != MP_NO)) { 226 if ((Uz.sign == MP_NEG) && (oddness != MP_NO)) {
314 if ((e = mp_sub_d(&Uz, 1uL, &Uz)) != MP_OKAY) { 227 if ((err = mp_sub_d(&Uz, 1uL, &Uz)) != MP_OKAY) goto LBL_LS_ERR;
315 goto LBL_LS_ERR; 228 }
316 } 229 if ((err = mp_add(&T3z, &T4z, &Vz)) != MP_OKAY) goto LBL_LS_ERR;
317 } 230 if (MP_IS_ODD(&Vz)) {
318 if ((e = mp_add(&T3z, &T4z, &Vz)) != MP_OKAY) { 231 if ((err = mp_add(&Vz, a, &Vz)) != MP_OKAY) goto LBL_LS_ERR;
319 goto LBL_LS_ERR; 232 }
320 } 233 oddness = MP_IS_ODD(&Vz) ? MP_YES : MP_NO;
321 if (mp_isodd(&Vz) != MP_NO) { 234 if ((err = mp_div_2(&Vz, &Vz)) != MP_OKAY) goto LBL_LS_ERR;
322 if ((e = mp_add(&Vz, a, &Vz)) != MP_OKAY) {
323 goto LBL_LS_ERR;
324 }
325 }
326 oddness = mp_isodd(&Vz);
327 if ((e = mp_div_2(&Vz, &Vz)) != MP_OKAY) {
328 goto LBL_LS_ERR;
329 }
330 if ((Vz.sign == MP_NEG) && (oddness != MP_NO)) { 235 if ((Vz.sign == MP_NEG) && (oddness != MP_NO)) {
331 if ((e = mp_sub_d(&Vz, 1uL, &Vz)) != MP_OKAY) { 236 if ((err = mp_sub_d(&Vz, 1uL, &Vz)) != MP_OKAY) goto LBL_LS_ERR;
332 goto LBL_LS_ERR; 237 }
333 } 238 if ((err = mp_mod(&Uz, a, &Uz)) != MP_OKAY) goto LBL_LS_ERR;
334 } 239 if ((err = mp_mod(&Vz, a, &Vz)) != MP_OKAY) goto LBL_LS_ERR;
335 if ((e = mp_mod(&Uz, a, &Uz)) != MP_OKAY) { 240
336 goto LBL_LS_ERR;
337 }
338 if ((e = mp_mod(&Vz, a, &Vz)) != MP_OKAY) {
339 goto LBL_LS_ERR;
340 }
341 /* Calculating Q^d for later use */ 241 /* Calculating Q^d for later use */
342 if ((e = mp_mul(&Qkdz, &Qmz, &Qkdz)) != MP_OKAY) { 242 if ((err = mp_mul(&Qkdz, &Qmz, &Qkdz)) != MP_OKAY) goto LBL_LS_ERR;
343 goto LBL_LS_ERR; 243 if ((err = mp_mod(&Qkdz, a, &Qkdz)) != MP_OKAY) goto LBL_LS_ERR;
344 }
345 if ((e = mp_mod(&Qkdz, a, &Qkdz)) != MP_OKAY) {
346 goto LBL_LS_ERR;
347 }
348 } 244 }
349 } 245 }
350 246
351 /* If U_d or V_d is congruent to 0 mod N, then N is a prime or a 247 /* If U_d or V_d is congruent to 0 mod N, then N is a prime or a
352 strong Lucas pseudoprime. */ 248 strong Lucas pseudoprime. */
353 if ((mp_iszero(&Uz) != MP_NO) || (mp_iszero(&Vz) != MP_NO)) { 249 if (MP_IS_ZERO(&Uz) || MP_IS_ZERO(&Vz)) {
354 *result = MP_YES; 250 *result = MP_YES;
355 goto LBL_LS_ERR; 251 goto LBL_LS_ERR;
356 } 252 }
357 253
358 /* NOTE: Ribenboim ("The new book of prime number records," 3rd ed., 254 /* NOTE: Ribenboim ("The new book of prime number records," 3rd ed.,
365 by repeated use of the formula V_2m = V_m*V_m - 2*Q^m. If any of 261 by repeated use of the formula V_2m = V_m*V_m - 2*Q^m. If any of
366 these are congruent to 0 mod N, then N is a prime or a strong 262 these are congruent to 0 mod N, then N is a prime or a strong
367 Lucas pseudoprime. */ 263 Lucas pseudoprime. */
368 264
369 /* Initialize 2*Q^(d*2^r) for V_2m */ 265 /* Initialize 2*Q^(d*2^r) for V_2m */
370 if ((e = mp_mul_2(&Qkdz, &Q2kdz)) != MP_OKAY) { 266 if ((err = mp_mul_2(&Qkdz, &Q2kdz)) != MP_OKAY) goto LBL_LS_ERR;
371 goto LBL_LS_ERR;
372 }
373 267
374 for (r = 1; r < s; r++) { 268 for (r = 1; r < s; r++) {
375 if ((e = mp_sqr(&Vz, &Vz)) != MP_OKAY) { 269 if ((err = mp_sqr(&Vz, &Vz)) != MP_OKAY) goto LBL_LS_ERR;
376 goto LBL_LS_ERR; 270 if ((err = mp_sub(&Vz, &Q2kdz, &Vz)) != MP_OKAY) goto LBL_LS_ERR;
377 } 271 if ((err = mp_mod(&Vz, a, &Vz)) != MP_OKAY) goto LBL_LS_ERR;
378 if ((e = mp_sub(&Vz, &Q2kdz, &Vz)) != MP_OKAY) { 272 if (MP_IS_ZERO(&Vz)) {
379 goto LBL_LS_ERR;
380 }
381 if ((e = mp_mod(&Vz, a, &Vz)) != MP_OKAY) {
382 goto LBL_LS_ERR;
383 }
384 if (mp_iszero(&Vz) != MP_NO) {
385 *result = MP_YES; 273 *result = MP_YES;
386 goto LBL_LS_ERR; 274 goto LBL_LS_ERR;
387 } 275 }
388 /* Calculate Q^{d*2^r} for next r (final iteration irrelevant). */ 276 /* Calculate Q^{d*2^r} for next r (final iteration irrelevant). */
389 if (r < (s - 1)) { 277 if (r < (s - 1)) {
390 if ((e = mp_sqr(&Qkdz, &Qkdz)) != MP_OKAY) { 278 if ((err = mp_sqr(&Qkdz, &Qkdz)) != MP_OKAY) goto LBL_LS_ERR;
391 goto LBL_LS_ERR; 279 if ((err = mp_mod(&Qkdz, a, &Qkdz)) != MP_OKAY) goto LBL_LS_ERR;
392 } 280 if ((err = mp_mul_2(&Qkdz, &Q2kdz)) != MP_OKAY) goto LBL_LS_ERR;
393 if ((e = mp_mod(&Qkdz, a, &Qkdz)) != MP_OKAY) {
394 goto LBL_LS_ERR;
395 }
396 if ((e = mp_mul_2(&Qkdz, &Q2kdz)) != MP_OKAY) {
397 goto LBL_LS_ERR;
398 }
399 } 281 }
400 } 282 }
401 LBL_LS_ERR: 283 LBL_LS_ERR:
402 mp_clear_multi(&Q2kdz, &T4z, &T3z, &T2z, &T1z, &Qkdz, &Q2mz, &Qmz, &V2mz, &U2mz, &Vz, &Uz, &Np1, &gcd, &Dz, NULL); 284 mp_clear_multi(&Q2kdz, &T4z, &T3z, &T2z, &T1z, &Qkdz, &Q2mz, &Qmz, &V2mz, &U2mz, &Vz, &Uz, &Np1, &gcd, &Dz, NULL);
403 return e; 285 return err;
404 } 286 }
405 #endif 287 #endif
406 #endif 288 #endif
407 #endif 289 #endif
408
409 /* ref: HEAD -> master, tag: v1.1.0 */
410 /* git commit: 08549ad6bc8b0cede0b357a9c341c5c6473a9c55 */
411 /* commit time: 2019-01-28 20:32:32 +0100 */