...

# Source file src/math/big/nat.go

## Documentation: math/big

```     1  // Copyright 2009 The Go Authors. All rights reserved.
2  // Use of this source code is governed by a BSD-style
4
5  // This file implements unsigned multi-precision integers (natural
6  // numbers). They are the building blocks for the implementation
7  // of signed integers, rationals, and floating-point numbers.
8  //
9  // Caution: This implementation relies on the function "alias"
10  //          which assumes that (nat) slice capacities are never
11  //          changed (no 3-operand slice expressions). If that
12  //          changes, alias needs to be updated for correctness.
13
14  package big
15
16  import (
17  	"encoding/binary"
18  	"math/bits"
19  	"math/rand"
20  	"sync"
21  )
22
23  // An unsigned integer x of the form
24  //
25  //   x = x[n-1]*_B^(n-1) + x[n-2]*_B^(n-2) + ... + x[1]*_B + x[0]
26  //
27  // with 0 <= x[i] < _B and 0 <= i < n is stored in a slice of length n,
28  // with the digits x[i] as the slice elements.
29  //
30  // A number is normalized if the slice contains no leading 0 digits.
31  // During arithmetic operations, denormalized values may occur but are
32  // always normalized before returning the final result. The normalized
33  // representation of 0 is the empty or nil slice (length = 0).
34  //
35  type nat []Word
36
37  var (
38  	natOne = nat{1}
39  	natTwo = nat{2}
40  	natTen = nat{10}
41  )
42
43  func (z nat) clear() {
44  	for i := range z {
45  		z[i] = 0
46  	}
47  }
48
49  func (z nat) norm() nat {
50  	i := len(z)
51  	for i > 0 && z[i-1] == 0 {
52  		i--
53  	}
54  	return z[0:i]
55  }
56
57  func (z nat) make(n int) nat {
58  	if n <= cap(z) {
59  		return z[:n] // reuse z
60  	}
61  	// Choosing a good value for e has significant performance impact
62  	// because it increases the chance that a value can be reused.
63  	const e = 4 // extra capacity
64  	return make(nat, n, n+e)
65  }
66
67  func (z nat) setWord(x Word) nat {
68  	if x == 0 {
69  		return z[:0]
70  	}
71  	z = z.make(1)
72  	z[0] = x
73  	return z
74  }
75
76  func (z nat) setUint64(x uint64) nat {
77  	// single-word value
78  	if w := Word(x); uint64(w) == x {
79  		return z.setWord(w)
80  	}
81  	// 2-word value
82  	z = z.make(2)
83  	z[1] = Word(x >> 32)
84  	z[0] = Word(x)
85  	return z
86  }
87
88  func (z nat) set(x nat) nat {
89  	z = z.make(len(x))
90  	copy(z, x)
91  	return z
92  }
93
94  func (z nat) add(x, y nat) nat {
95  	m := len(x)
96  	n := len(y)
97
98  	switch {
99  	case m < n:
101  	case m == 0:
102  		// n == 0 because m >= n; result is 0
103  		return z[:0]
104  	case n == 0:
105  		// result is x
106  		return z.set(x)
107  	}
108  	// m > 0
109
110  	z = z.make(m + 1)
111  	c := addVV(z[0:n], x, y)
112  	if m > n {
113  		c = addVW(z[n:m], x[n:], c)
114  	}
115  	z[m] = c
116
117  	return z.norm()
118  }
119
120  func (z nat) sub(x, y nat) nat {
121  	m := len(x)
122  	n := len(y)
123
124  	switch {
125  	case m < n:
126  		panic("underflow")
127  	case m == 0:
128  		// n == 0 because m >= n; result is 0
129  		return z[:0]
130  	case n == 0:
131  		// result is x
132  		return z.set(x)
133  	}
134  	// m > 0
135
136  	z = z.make(m)
137  	c := subVV(z[0:n], x, y)
138  	if m > n {
139  		c = subVW(z[n:], x[n:], c)
140  	}
141  	if c != 0 {
142  		panic("underflow")
143  	}
144
145  	return z.norm()
146  }
147
148  func (x nat) cmp(y nat) (r int) {
149  	m := len(x)
150  	n := len(y)
151  	if m != n || m == 0 {
152  		switch {
153  		case m < n:
154  			r = -1
155  		case m > n:
156  			r = 1
157  		}
158  		return
159  	}
160
161  	i := m - 1
162  	for i > 0 && x[i] == y[i] {
163  		i--
164  	}
165
166  	switch {
167  	case x[i] < y[i]:
168  		r = -1
169  	case x[i] > y[i]:
170  		r = 1
171  	}
172  	return
173  }
174
175  func (z nat) mulAddWW(x nat, y, r Word) nat {
176  	m := len(x)
177  	if m == 0 || y == 0 {
178  		return z.setWord(r) // result is r
179  	}
180  	// m > 0
181
182  	z = z.make(m + 1)
183  	z[m] = mulAddVWW(z[0:m], x, y, r)
184
185  	return z.norm()
186  }
187
188  // basicMul multiplies x and y and leaves the result in z.
189  // The (non-normalized) result is placed in z[0 : len(x) + len(y)].
190  func basicMul(z, x, y nat) {
191  	z[0 : len(x)+len(y)].clear() // initialize z
192  	for i, d := range y {
193  		if d != 0 {
194  			z[len(x)+i] = addMulVVW(z[i:i+len(x)], x, d)
195  		}
196  	}
197  }
198
199  // montgomery computes z mod m = x*y*2**(-n*_W) mod m,
200  // assuming k = -1/m mod 2**_W.
201  // z is used for storing the result which is returned;
202  // z must not alias x, y or m.
203  // See Gueron, "Efficient Software Implementations of Modular Exponentiation".
204  // https://eprint.iacr.org/2011/239.pdf
205  // In the terminology of that paper, this is an "Almost Montgomery Multiplication":
206  // x and y are required to satisfy 0 <= z < 2**(n*_W) and then the result
207  // z is guaranteed to satisfy 0 <= z < 2**(n*_W), but it may not be < m.
208  func (z nat) montgomery(x, y, m nat, k Word, n int) nat {
209  	// This code assumes x, y, m are all the same length, n.
210  	// (required by addMulVVW and the for loop).
211  	// It also assumes that x, y are already reduced mod m,
212  	// or else the result will not be properly reduced.
213  	if len(x) != n || len(y) != n || len(m) != n {
214  		panic("math/big: mismatched montgomery number lengths")
215  	}
216  	z = z.make(n * 2)
217  	z.clear()
218  	var c Word
219  	for i := 0; i < n; i++ {
220  		d := y[i]
221  		c2 := addMulVVW(z[i:n+i], x, d)
222  		t := z[i] * k
223  		c3 := addMulVVW(z[i:n+i], m, t)
224  		cx := c + c2
225  		cy := cx + c3
226  		z[n+i] = cy
227  		if cx < c2 || cy < c3 {
228  			c = 1
229  		} else {
230  			c = 0
231  		}
232  	}
233  	if c != 0 {
234  		subVV(z[:n], z[n:], m)
235  	} else {
236  		copy(z[:n], z[n:])
237  	}
238  	return z[:n]
239  }
240
241  // Fast version of z[0:n+n>>1].add(z[0:n+n>>1], x[0:n]) w/o bounds checks.
242  // Factored out for readability - do not use outside karatsuba.
243  func karatsubaAdd(z, x nat, n int) {
244  	if c := addVV(z[0:n], z, x); c != 0 {
246  	}
247  }
248
249  // Like karatsubaAdd, but does subtract.
250  func karatsubaSub(z, x nat, n int) {
251  	if c := subVV(z[0:n], z, x); c != 0 {
252  		subVW(z[n:n+n>>1], z[n:], c)
253  	}
254  }
255
256  // Operands that are shorter than karatsubaThreshold are multiplied using
257  // "grade school" multiplication; for longer operands the Karatsuba algorithm
258  // is used.
259  var karatsubaThreshold = 40 // computed by calibrate_test.go
260
261  // karatsuba multiplies x and y and leaves the result in z.
262  // Both x and y must have the same length n and n must be a
263  // power of 2. The result vector z must have len(z) >= 6*n.
264  // The (non-normalized) result is placed in z[0 : 2*n].
265  func karatsuba(z, x, y nat) {
266  	n := len(y)
267
268  	// Switch to basic multiplication if numbers are odd or small.
269  	// (n is always even if karatsubaThreshold is even, but be
270  	// conservative)
271  	if n&1 != 0 || n < karatsubaThreshold || n < 2 {
272  		basicMul(z, x, y)
273  		return
274  	}
275  	// n&1 == 0 && n >= karatsubaThreshold && n >= 2
276
277  	// Karatsuba multiplication is based on the observation that
278  	// for two numbers x and y with:
279  	//
280  	//   x = x1*b + x0
281  	//   y = y1*b + y0
282  	//
283  	// the product x*y can be obtained with 3 products z2, z1, z0
285  	//
286  	//   x*y = x1*y1*b*b + (x1*y0 + x0*y1)*b + x0*y0
287  	//       =    z2*b*b +              z1*b +    z0
288  	//
289  	// with:
290  	//
291  	//   xd = x1 - x0
292  	//   yd = y0 - y1
293  	//
294  	//   z1 =      xd*yd                    + z2 + z0
295  	//      = (x1-x0)*(y0 - y1)             + z2 + z0
296  	//      = x1*y0 - x1*y1 - x0*y0 + x0*y1 + z2 + z0
297  	//      = x1*y0 -    z2 -    z0 + x0*y1 + z2 + z0
298  	//      = x1*y0                 + x0*y1
299
300  	// split x, y into "digits"
301  	n2 := n >> 1              // n2 >= 1
302  	x1, x0 := x[n2:], x[0:n2] // x = x1*b + y0
303  	y1, y0 := y[n2:], y[0:n2] // y = y1*b + y0
304
305  	// z is used for the result and temporary storage:
306  	//
307  	//   6*n     5*n     4*n     3*n     2*n     1*n     0*n
308  	// z = [z2 copy|z0 copy| xd*yd | yd:xd | x1*y1 | x0*y0 ]
309  	//
310  	// For each recursive call of karatsuba, an unused slice of
311  	// z is passed in that has (at least) half the length of the
312  	// caller's z.
313
314  	// compute z0 and z2 with the result "in place" in z
315  	karatsuba(z, x0, y0)     // z0 = x0*y0
316  	karatsuba(z[n:], x1, y1) // z2 = x1*y1
317
318  	// compute xd (or the negative value if underflow occurs)
319  	s := 1 // sign of product xd*yd
320  	xd := z[2*n : 2*n+n2]
321  	if subVV(xd, x1, x0) != 0 { // x1-x0
322  		s = -s
323  		subVV(xd, x0, x1) // x0-x1
324  	}
325
326  	// compute yd (or the negative value if underflow occurs)
327  	yd := z[2*n+n2 : 3*n]
328  	if subVV(yd, y0, y1) != 0 { // y0-y1
329  		s = -s
330  		subVV(yd, y1, y0) // y1-y0
331  	}
332
333  	// p = (x1-x0)*(y0-y1) == x1*y0 - x1*y1 - x0*y0 + x0*y1 for s > 0
334  	// p = (x0-x1)*(y0-y1) == x0*y0 - x0*y1 - x1*y0 + x1*y1 for s < 0
335  	p := z[n*3:]
336  	karatsuba(p, xd, yd)
337
338  	// save original z2:z0
339  	// (ok to use upper half of z since we're done recursing)
340  	r := z[n*4:]
341  	copy(r, z[:n*2])
342
343  	// add up all partial products
344  	//
345  	//   2*n     n     0
346  	// z = [ z2  | z0  ]
347  	//   +    [ z0  ]
348  	//   +    [ z2  ]
349  	//   +    [  p  ]
350  	//
353  	if s > 0 {
355  	} else {
356  		karatsubaSub(z[n2:], p, n)
357  	}
358  }
359
360  // alias reports whether x and y share the same base array.
361  // Note: alias assumes that the capacity of underlying arrays
362  //       is never changed for nat values; i.e. that there are
363  //       no 3-operand slice expressions in this code (or worse,
364  //       reflect-based operations to the same effect).
365  func alias(x, y nat) bool {
366  	return cap(x) > 0 && cap(y) > 0 && &x[0:cap(x)][cap(x)-1] == &y[0:cap(y)][cap(y)-1]
367  }
368
369  // addAt implements z += x<<(_W*i); z must be long enough.
370  // (we don't use nat.add because we need z to stay the same
371  // slice, and we don't need to normalize z after each addition)
372  func addAt(z, x nat, i int) {
373  	if n := len(x); n > 0 {
374  		if c := addVV(z[i:i+n], z[i:], x); c != 0 {
375  			j := i + n
376  			if j < len(z) {
378  			}
379  		}
380  	}
381  }
382
383  func max(x, y int) int {
384  	if x > y {
385  		return x
386  	}
387  	return y
388  }
389
390  // karatsubaLen computes an approximation to the maximum k <= n such that
391  // k = p<<i for a number p <= threshold and an i >= 0. Thus, the
392  // result is the largest number that can be divided repeatedly by 2 before
393  // becoming about the value of threshold.
394  func karatsubaLen(n, threshold int) int {
395  	i := uint(0)
396  	for n > threshold {
397  		n >>= 1
398  		i++
399  	}
400  	return n << i
401  }
402
403  func (z nat) mul(x, y nat) nat {
404  	m := len(x)
405  	n := len(y)
406
407  	switch {
408  	case m < n:
409  		return z.mul(y, x)
410  	case m == 0 || n == 0:
411  		return z[:0]
412  	case n == 1:
414  	}
415  	// m >= n > 1
416
417  	// determine if z can be reused
418  	if alias(z, x) || alias(z, y) {
419  		z = nil // z is an alias for x or y - cannot reuse
420  	}
421
422  	// use basic multiplication if the numbers are small
423  	if n < karatsubaThreshold {
424  		z = z.make(m + n)
425  		basicMul(z, x, y)
426  		return z.norm()
427  	}
428  	// m >= n && n >= karatsubaThreshold && n >= 2
429
430  	// determine Karatsuba length k such that
431  	//
432  	//   x = xh*b + x0  (0 <= x0 < b)
433  	//   y = yh*b + y0  (0 <= y0 < b)
434  	//   b = 1<<(_W*k)  ("base" of digits xi, yi)
435  	//
436  	k := karatsubaLen(n, karatsubaThreshold)
437  	// k <= n
438
439  	// multiply x0 and y0 via Karatsuba
440  	x0 := x[0:k]              // x0 is not normalized
441  	y0 := y[0:k]              // y0 is not normalized
442  	z = z.make(max(6*k, m+n)) // enough space for karatsuba of x0*y0 and full result of x*y
443  	karatsuba(z, x0, y0)
444  	z = z[0 : m+n]  // z has final length but may be incomplete
445  	z[2*k:].clear() // upper portion of z is garbage (and 2*k <= m+n since k <= n <= m)
446
447  	// If xh != 0 or yh != 0, add the missing terms to z. For
448  	//
449  	//   xh = xi*b^i + ... + x2*b^2 + x1*b (0 <= xi < b)
450  	//   yh =                         y1*b (0 <= y1 < b)
451  	//
452  	// the missing terms are
453  	//
454  	//   x0*y1*b and xi*y0*b^i, xi*y1*b^(i+1) for i > 0
455  	//
456  	// since all the yi for i > 1 are 0 by choice of k: If any of them
457  	// were > 0, then yh >= b^2 and thus y >= b^2. Then k' = k*2 would
458  	// be a larger valid threshold contradicting the assumption about k.
459  	//
460  	if k < n || m != n {
461  		var t nat
462
464  		x0 := x0.norm()
465  		y1 := y[k:]       // y1 is normalized because y is
466  		t = t.mul(x0, y1) // update t so we don't lose t's underlying array
468
470  		y0 := y0.norm()
471  		for i := k; i < len(x); i += k {
472  			xi := x[i:]
473  			if len(xi) > k {
474  				xi = xi[:k]
475  			}
476  			xi = xi.norm()
477  			t = t.mul(xi, y0)
479  			t = t.mul(xi, y1)
481  		}
482  	}
483
484  	return z.norm()
485  }
486
487  // basicSqr sets z = x*x and is asymptotically faster than basicMul
488  // by about a factor of 2, but slower for small arguments due to overhead.
489  // Requirements: len(x) > 0, len(z) == 2*len(x)
490  // The (non-normalized) result is placed in z.
491  func basicSqr(z, x nat) {
492  	n := len(x)
493  	t := make(nat, 2*n)            // temporary variable to hold the products
494  	z[1], z[0] = mulWW(x[0], x[0]) // the initial square
495  	for i := 1; i < n; i++ {
496  		d := x[i]
497  		// z collects the squares x[i] * x[i]
498  		z[2*i+1], z[2*i] = mulWW(d, d)
499  		// t collects the products x[i] * x[j] where j < i
500  		t[2*i] = addMulVVW(t[i:2*i], x[0:i], d)
501  	}
502  	t[2*n-1] = shlVU(t[1:2*n-1], t[1:2*n-1], 1) // double the j < i products
503  	addVV(z, z, t)                              // combine the result
504  }
505
506  // karatsubaSqr squares x and leaves the result in z.
507  // len(x) must be a power of 2 and len(z) >= 6*len(x).
508  // The (non-normalized) result is placed in z[0 : 2*len(x)].
509  //
510  // The algorithm and the layout of z are the same as for karatsuba.
511  func karatsubaSqr(z, x nat) {
512  	n := len(x)
513
514  	if n&1 != 0 || n < karatsubaSqrThreshold || n < 2 {
515  		basicSqr(z[:2*n], x)
516  		return
517  	}
518
519  	n2 := n >> 1
520  	x1, x0 := x[n2:], x[0:n2]
521
522  	karatsubaSqr(z, x0)
523  	karatsubaSqr(z[n:], x1)
524
525  	// s = sign(xd*yd) == -1 for xd != 0; s == 1 for xd == 0
526  	xd := z[2*n : 2*n+n2]
527  	if subVV(xd, x1, x0) != 0 {
528  		subVV(xd, x0, x1)
529  	}
530
531  	p := z[n*3:]
532  	karatsubaSqr(p, xd)
533
534  	r := z[n*4:]
535  	copy(r, z[:n*2])
536
539  	karatsubaSub(z[n2:], p, n) // s == -1 for p != 0; s == 1 for p == 0
540  }
541
542  // Operands that are shorter than basicSqrThreshold are squared using
543  // "grade school" multiplication; for operands longer than karatsubaSqrThreshold
544  // we use the Karatsuba algorithm optimized for x == y.
545  var basicSqrThreshold = 20      // computed by calibrate_test.go
546  var karatsubaSqrThreshold = 260 // computed by calibrate_test.go
547
548  // z = x*x
549  func (z nat) sqr(x nat) nat {
550  	n := len(x)
551  	switch {
552  	case n == 0:
553  		return z[:0]
554  	case n == 1:
555  		d := x[0]
556  		z = z.make(2)
557  		z[1], z[0] = mulWW(d, d)
558  		return z.norm()
559  	}
560
561  	if alias(z, x) {
562  		z = nil // z is an alias for x - cannot reuse
563  	}
564
565  	if n < basicSqrThreshold {
566  		z = z.make(2 * n)
567  		basicMul(z, x, x)
568  		return z.norm()
569  	}
570  	if n < karatsubaSqrThreshold {
571  		z = z.make(2 * n)
572  		basicSqr(z, x)
573  		return z.norm()
574  	}
575
576  	// Use Karatsuba multiplication optimized for x == y.
577  	// The algorithm and layout of z are the same as for mul.
578
579  	// z = (x1*b + x0)^2 = x1^2*b^2 + 2*x1*x0*b + x0^2
580
581  	k := karatsubaLen(n, karatsubaSqrThreshold)
582
583  	x0 := x[0:k]
584  	z = z.make(max(6*k, 2*n))
585  	karatsubaSqr(z, x0) // z = x0^2
586  	z = z[0 : 2*n]
587  	z[2*k:].clear()
588
589  	if k < n {
590  		var t nat
591  		x0 := x0.norm()
592  		x1 := x[k:]
593  		t = t.mul(x0, x1)
595  		addAt(z, t, k) // z = 2*x1*x0*b + x0^2
596  		t = t.sqr(x1)
597  		addAt(z, t, 2*k) // z = x1^2*b^2 + 2*x1*x0*b + x0^2
598  	}
599
600  	return z.norm()
601  }
602
603  // mulRange computes the product of all the unsigned integers in the
604  // range [a, b] inclusively. If a > b (empty range), the result is 1.
605  func (z nat) mulRange(a, b uint64) nat {
606  	switch {
607  	case a == 0:
608  		// cut long ranges short (optimization)
609  		return z.setUint64(0)
610  	case a > b:
611  		return z.setUint64(1)
612  	case a == b:
613  		return z.setUint64(a)
614  	case a+1 == b:
615  		return z.mul(nat(nil).setUint64(a), nat(nil).setUint64(b))
616  	}
617  	m := (a + b) / 2
618  	return z.mul(nat(nil).mulRange(a, m), nat(nil).mulRange(m+1, b))
619  }
620
621  // q = (x-r)/y, with 0 <= r < y
622  func (z nat) divW(x nat, y Word) (q nat, r Word) {
623  	m := len(x)
624  	switch {
625  	case y == 0:
626  		panic("division by zero")
627  	case y == 1:
628  		q = z.set(x) // result is x
629  		return
630  	case m == 0:
631  		q = z[:0] // result is 0
632  		return
633  	}
634  	// m > 0
635  	z = z.make(m)
636  	r = divWVW(z, 0, x, y)
637  	q = z.norm()
638  	return
639  }
640
641  func (z nat) div(z2, u, v nat) (q, r nat) {
642  	if len(v) == 0 {
643  		panic("division by zero")
644  	}
645
646  	if u.cmp(v) < 0 {
647  		q = z[:0]
648  		r = z2.set(u)
649  		return
650  	}
651
652  	if len(v) == 1 {
653  		var r2 Word
654  		q, r2 = z.divW(u, v[0])
655  		r = z2.setWord(r2)
656  		return
657  	}
658
659  	q, r = z.divLarge(z2, u, v)
660  	return
661  }
662
663  // getNat returns a *nat of len n. The contents may not be zero.
664  // The pool holds *nat to avoid allocation when converting to interface{}.
665  func getNat(n int) *nat {
666  	var z *nat
667  	if v := natPool.Get(); v != nil {
668  		z = v.(*nat)
669  	}
670  	if z == nil {
671  		z = new(nat)
672  	}
673  	*z = z.make(n)
674  	return z
675  }
676
677  func putNat(x *nat) {
678  	natPool.Put(x)
679  }
680
681  var natPool sync.Pool
682
683  // q = (uIn-r)/v, with 0 <= r < y
684  // Uses z as storage for q, and u as storage for r if possible.
685  // See Knuth, Volume 2, section 4.3.1, Algorithm D.
686  // Preconditions:
687  //    len(v) >= 2
688  //    len(uIn) >= len(v)
689  func (z nat) divLarge(u, uIn, v nat) (q, r nat) {
690  	n := len(v)
691  	m := len(uIn) - n
692
693  	// determine if z can be reused
694  	// TODO(gri) should find a better solution - this if statement
695  	//           is very costly (see e.g. time pidigits -s -n 10000)
696  	if alias(z, u) || alias(z, uIn) || alias(z, v) {
697  		z = nil // z is an alias for u or uIn or v - cannot reuse
698  	}
699  	q = z.make(m + 1)
700
701  	qhatvp := getNat(n + 1)
702  	qhatv := *qhatvp
703  	if alias(u, uIn) || alias(u, v) {
704  		u = nil // u is an alias for uIn or v - cannot reuse
705  	}
706  	u = u.make(len(uIn) + 1)
707  	u.clear() // TODO(gri) no need to clear if we allocated a new u
708
709  	// D1.
710  	var v1p *nat
711  	shift := nlz(v[n-1])
712  	if shift > 0 {
713  		// do not modify v, it may be used by another goroutine simultaneously
714  		v1p = getNat(n)
715  		v1 := *v1p
716  		shlVU(v1, v, shift)
717  		v = v1
718  	}
719  	u[len(uIn)] = shlVU(u[0:len(uIn)], uIn, shift)
720
721  	// D2.
722  	vn1 := v[n-1]
723  	for j := m; j >= 0; j-- {
724  		// D3.
725  		qhat := Word(_M)
726  		if ujn := u[j+n]; ujn != vn1 {
727  			var rhat Word
728  			qhat, rhat = divWW(ujn, u[j+n-1], vn1)
729
730  			// x1 | x2 = q̂v_{n-2}
731  			vn2 := v[n-2]
732  			x1, x2 := mulWW(qhat, vn2)
733  			// test if q̂v_{n-2} > br̂ + u_{j+n-2}
734  			ujn2 := u[j+n-2]
735  			for greaterThan(x1, x2, rhat, ujn2) {
736  				qhat--
737  				prevRhat := rhat
738  				rhat += vn1
739  				// v[n-1] >= 0, so this tests for overflow.
740  				if rhat < prevRhat {
741  					break
742  				}
743  				x1, x2 = mulWW(qhat, vn2)
744  			}
745  		}
746
747  		// D4.
748  		qhatv[n] = mulAddVWW(qhatv[0:n], v, qhat, 0)
749
750  		c := subVV(u[j:j+len(qhatv)], u[j:], qhatv)
751  		if c != 0 {
752  			c := addVV(u[j:j+n], u[j:], v)
753  			u[j+n] += c
754  			qhat--
755  		}
756
757  		q[j] = qhat
758  	}
759  	if v1p != nil {
760  		putNat(v1p)
761  	}
762  	putNat(qhatvp)
763
764  	q = q.norm()
765  	shrVU(u, u, shift)
766  	r = u.norm()
767
768  	return q, r
769  }
770
771  // Length of x in bits. x must be normalized.
772  func (x nat) bitLen() int {
773  	if i := len(x) - 1; i >= 0 {
774  		return i*_W + bits.Len(uint(x[i]))
775  	}
776  	return 0
777  }
778
779  // trailingZeroBits returns the number of consecutive least significant zero
780  // bits of x.
781  func (x nat) trailingZeroBits() uint {
782  	if len(x) == 0 {
783  		return 0
784  	}
785  	var i uint
786  	for x[i] == 0 {
787  		i++
788  	}
789  	// x[i] != 0
790  	return i*_W + uint(bits.TrailingZeros(uint(x[i])))
791  }
792
793  func same(x, y nat) bool {
794  	return len(x) == len(y) && len(x) > 0 && &x[0] == &y[0]
795  }
796
797  // z = x << s
798  func (z nat) shl(x nat, s uint) nat {
799  	if s == 0 {
800  		if same(z, x) {
801  			return z
802  		}
803  		if !alias(z, x) {
804  			return z.set(x)
805  		}
806  	}
807
808  	m := len(x)
809  	if m == 0 {
810  		return z[:0]
811  	}
812  	// m > 0
813
814  	n := m + int(s/_W)
815  	z = z.make(n + 1)
816  	z[n] = shlVU(z[n-m:n], x, s%_W)
817  	z[0 : n-m].clear()
818
819  	return z.norm()
820  }
821
822  // z = x >> s
823  func (z nat) shr(x nat, s uint) nat {
824  	if s == 0 {
825  		if same(z, x) {
826  			return z
827  		}
828  		if !alias(z, x) {
829  			return z.set(x)
830  		}
831  	}
832
833  	m := len(x)
834  	n := m - int(s/_W)
835  	if n <= 0 {
836  		return z[:0]
837  	}
838  	// n > 0
839
840  	z = z.make(n)
841  	shrVU(z, x[m-n:], s%_W)
842
843  	return z.norm()
844  }
845
846  func (z nat) setBit(x nat, i uint, b uint) nat {
847  	j := int(i / _W)
848  	m := Word(1) << (i % _W)
849  	n := len(x)
850  	switch b {
851  	case 0:
852  		z = z.make(n)
853  		copy(z, x)
854  		if j >= n {
855  			// no need to grow
856  			return z
857  		}
858  		z[j] &^= m
859  		return z.norm()
860  	case 1:
861  		if j >= n {
862  			z = z.make(j + 1)
863  			z[n:].clear()
864  		} else {
865  			z = z.make(n)
866  		}
867  		copy(z, x)
868  		z[j] |= m
869  		// no need to normalize
870  		return z
871  	}
872  	panic("set bit is not 0 or 1")
873  }
874
875  // bit returns the value of the i'th bit, with lsb == bit 0.
876  func (x nat) bit(i uint) uint {
877  	j := i / _W
878  	if j >= uint(len(x)) {
879  		return 0
880  	}
881  	// 0 <= j < len(x)
882  	return uint(x[j] >> (i % _W) & 1)
883  }
884
885  // sticky returns 1 if there's a 1 bit within the
886  // i least significant bits, otherwise it returns 0.
887  func (x nat) sticky(i uint) uint {
888  	j := i / _W
889  	if j >= uint(len(x)) {
890  		if len(x) == 0 {
891  			return 0
892  		}
893  		return 1
894  	}
895  	// 0 <= j < len(x)
896  	for _, x := range x[:j] {
897  		if x != 0 {
898  			return 1
899  		}
900  	}
901  	if x[j]<<(_W-i%_W) != 0 {
902  		return 1
903  	}
904  	return 0
905  }
906
907  func (z nat) and(x, y nat) nat {
908  	m := len(x)
909  	n := len(y)
910  	if m > n {
911  		m = n
912  	}
913  	// m <= n
914
915  	z = z.make(m)
916  	for i := 0; i < m; i++ {
917  		z[i] = x[i] & y[i]
918  	}
919
920  	return z.norm()
921  }
922
923  func (z nat) andNot(x, y nat) nat {
924  	m := len(x)
925  	n := len(y)
926  	if n > m {
927  		n = m
928  	}
929  	// m >= n
930
931  	z = z.make(m)
932  	for i := 0; i < n; i++ {
933  		z[i] = x[i] &^ y[i]
934  	}
935  	copy(z[n:m], x[n:m])
936
937  	return z.norm()
938  }
939
940  func (z nat) or(x, y nat) nat {
941  	m := len(x)
942  	n := len(y)
943  	s := x
944  	if m < n {
945  		n, m = m, n
946  		s = y
947  	}
948  	// m >= n
949
950  	z = z.make(m)
951  	for i := 0; i < n; i++ {
952  		z[i] = x[i] | y[i]
953  	}
954  	copy(z[n:m], s[n:m])
955
956  	return z.norm()
957  }
958
959  func (z nat) xor(x, y nat) nat {
960  	m := len(x)
961  	n := len(y)
962  	s := x
963  	if m < n {
964  		n, m = m, n
965  		s = y
966  	}
967  	// m >= n
968
969  	z = z.make(m)
970  	for i := 0; i < n; i++ {
971  		z[i] = x[i] ^ y[i]
972  	}
973  	copy(z[n:m], s[n:m])
974
975  	return z.norm()
976  }
977
978  // greaterThan reports whether (x1<<_W + x2) > (y1<<_W + y2)
979  func greaterThan(x1, x2, y1, y2 Word) bool {
980  	return x1 > y1 || x1 == y1 && x2 > y2
981  }
982
983  // modW returns x % d.
984  func (x nat) modW(d Word) (r Word) {
985  	// TODO(agl): we don't actually need to store the q value.
986  	var q nat
987  	q = q.make(len(x))
988  	return divWVW(q, 0, x, d)
989  }
990
991  // random creates a random integer in [0..limit), using the space in z if
992  // possible. n is the bit length of limit.
993  func (z nat) random(rand *rand.Rand, limit nat, n int) nat {
994  	if alias(z, limit) {
995  		z = nil // z is an alias for limit - cannot reuse
996  	}
997  	z = z.make(len(limit))
998
999  	bitLengthOfMSW := uint(n % _W)
1000  	if bitLengthOfMSW == 0 {
1001  		bitLengthOfMSW = _W
1002  	}
1003  	mask := Word((1 << bitLengthOfMSW) - 1)
1004
1005  	for {
1006  		switch _W {
1007  		case 32:
1008  			for i := range z {
1009  				z[i] = Word(rand.Uint32())
1010  			}
1011  		case 64:
1012  			for i := range z {
1013  				z[i] = Word(rand.Uint32()) | Word(rand.Uint32())<<32
1014  			}
1015  		default:
1016  			panic("unknown word size")
1017  		}
1019  		if z.cmp(limit) < 0 {
1020  			break
1021  		}
1022  	}
1023
1024  	return z.norm()
1025  }
1026
1027  // If m != 0 (i.e., len(m) != 0), expNN sets z to x**y mod m;
1028  // otherwise it sets z to x**y. The result is the value of z.
1029  func (z nat) expNN(x, y, m nat) nat {
1030  	if alias(z, x) || alias(z, y) {
1031  		// We cannot allow in-place modification of x or y.
1032  		z = nil
1033  	}
1034
1035  	// x**y mod 1 == 0
1036  	if len(m) == 1 && m[0] == 1 {
1037  		return z.setWord(0)
1038  	}
1039  	// m == 0 || m > 1
1040
1041  	// x**0 == 1
1042  	if len(y) == 0 {
1043  		return z.setWord(1)
1044  	}
1045  	// y > 0
1046
1047  	// x**1 mod m == x mod m
1048  	if len(y) == 1 && y[0] == 1 && len(m) != 0 {
1049  		_, z = nat(nil).div(z, x, m)
1050  		return z
1051  	}
1052  	// y > 1
1053
1054  	if len(m) != 0 {
1055  		// We likely end up being as long as the modulus.
1056  		z = z.make(len(m))
1057  	}
1058  	z = z.set(x)
1059
1060  	// If the base is non-trivial and the exponent is large, we use
1061  	// 4-bit, windowed exponentiation. This involves precomputing 14 values
1062  	// (x^2...x^15) but then reduces the number of multiply-reduces by a
1063  	// third. Even for a 32-bit exponent, this reduces the number of
1064  	// operations. Uses Montgomery method for odd moduli.
1065  	if x.cmp(natOne) > 0 && len(y) > 1 && len(m) > 0 {
1066  		if m[0]&1 == 1 {
1067  			return z.expNNMontgomery(x, y, m)
1068  		}
1069  		return z.expNNWindowed(x, y, m)
1070  	}
1071
1072  	v := y[len(y)-1] // v > 0 because y is normalized and y > 0
1073  	shift := nlz(v) + 1
1074  	v <<= shift
1075  	var q nat
1076
1077  	const mask = 1 << (_W - 1)
1078
1079  	// We walk through the bits of the exponent one by one. Each time we
1080  	// see a bit, we square, thus doubling the power. If the bit is a one,
1081  	// we also multiply by x, thus adding one to the power.
1082
1083  	w := _W - int(shift)
1084  	// zz and r are used to avoid allocating in mul and div as
1085  	// otherwise the arguments would alias.
1086  	var zz, r nat
1087  	for j := 0; j < w; j++ {
1088  		zz = zz.sqr(z)
1089  		zz, z = z, zz
1090
1091  		if v&mask != 0 {
1092  			zz = zz.mul(z, x)
1093  			zz, z = z, zz
1094  		}
1095
1096  		if len(m) != 0 {
1097  			zz, r = zz.div(r, z, m)
1098  			zz, r, q, z = q, z, zz, r
1099  		}
1100
1101  		v <<= 1
1102  	}
1103
1104  	for i := len(y) - 2; i >= 0; i-- {
1105  		v = y[i]
1106
1107  		for j := 0; j < _W; j++ {
1108  			zz = zz.sqr(z)
1109  			zz, z = z, zz
1110
1111  			if v&mask != 0 {
1112  				zz = zz.mul(z, x)
1113  				zz, z = z, zz
1114  			}
1115
1116  			if len(m) != 0 {
1117  				zz, r = zz.div(r, z, m)
1118  				zz, r, q, z = q, z, zz, r
1119  			}
1120
1121  			v <<= 1
1122  		}
1123  	}
1124
1125  	return z.norm()
1126  }
1127
1128  // expNNWindowed calculates x**y mod m using a fixed, 4-bit window.
1129  func (z nat) expNNWindowed(x, y, m nat) nat {
1130  	// zz and r are used to avoid allocating in mul and div as otherwise
1131  	// the arguments would alias.
1132  	var zz, r nat
1133
1134  	const n = 4
1135  	// powers[i] contains x^i.
1136  	var powers [1 << n]nat
1137  	powers[0] = natOne
1138  	powers[1] = x
1139  	for i := 2; i < 1<<n; i += 2 {
1140  		p2, p, p1 := &powers[i/2], &powers[i], &powers[i+1]
1141  		*p = p.sqr(*p2)
1142  		zz, r = zz.div(r, *p, m)
1143  		*p, r = r, *p
1144  		*p1 = p1.mul(*p, x)
1145  		zz, r = zz.div(r, *p1, m)
1146  		*p1, r = r, *p1
1147  	}
1148
1149  	z = z.setWord(1)
1150
1151  	for i := len(y) - 1; i >= 0; i-- {
1152  		yi := y[i]
1153  		for j := 0; j < _W; j += n {
1154  			if i != len(y)-1 || j != 0 {
1155  				// Unrolled loop for significant performance
1156  				// gain. Use go test -bench=".*" in crypto/rsa
1157  				// to check performance before making changes.
1158  				zz = zz.sqr(z)
1159  				zz, z = z, zz
1160  				zz, r = zz.div(r, z, m)
1161  				z, r = r, z
1162
1163  				zz = zz.sqr(z)
1164  				zz, z = z, zz
1165  				zz, r = zz.div(r, z, m)
1166  				z, r = r, z
1167
1168  				zz = zz.sqr(z)
1169  				zz, z = z, zz
1170  				zz, r = zz.div(r, z, m)
1171  				z, r = r, z
1172
1173  				zz = zz.sqr(z)
1174  				zz, z = z, zz
1175  				zz, r = zz.div(r, z, m)
1176  				z, r = r, z
1177  			}
1178
1179  			zz = zz.mul(z, powers[yi>>(_W-n)])
1180  			zz, z = z, zz
1181  			zz, r = zz.div(r, z, m)
1182  			z, r = r, z
1183
1184  			yi <<= n
1185  		}
1186  	}
1187
1188  	return z.norm()
1189  }
1190
1191  // expNNMontgomery calculates x**y mod m using a fixed, 4-bit window.
1192  // Uses Montgomery representation.
1193  func (z nat) expNNMontgomery(x, y, m nat) nat {
1194  	numWords := len(m)
1195
1196  	// We want the lengths of x and m to be equal.
1197  	// It is OK if x >= m as long as len(x) == len(m).
1198  	if len(x) > numWords {
1199  		_, x = nat(nil).div(nil, x, m)
1200  		// Note: now len(x) <= numWords, not guaranteed ==.
1201  	}
1202  	if len(x) < numWords {
1203  		rr := make(nat, numWords)
1204  		copy(rr, x)
1205  		x = rr
1206  	}
1207
1208  	// Ideally the precomputations would be performed outside, and reused
1209  	// k0 = -m**-1 mod 2**_W. Algorithm from: Dumas, J.G. "On Newton–Raphson
1210  	// Iteration for Multiplicative Inverses Modulo Prime Powers".
1211  	k0 := 2 - m[0]
1212  	t := m[0] - 1
1213  	for i := 1; i < _W; i <<= 1 {
1214  		t *= t
1215  		k0 *= (t + 1)
1216  	}
1217  	k0 = -k0
1218
1219  	// RR = 2**(2*_W*len(m)) mod m
1220  	RR := nat(nil).setWord(1)
1221  	zz := nat(nil).shl(RR, uint(2*numWords*_W))
1222  	_, RR = nat(nil).div(RR, zz, m)
1223  	if len(RR) < numWords {
1224  		zz = zz.make(numWords)
1225  		copy(zz, RR)
1226  		RR = zz
1227  	}
1228  	// one = 1, with equal length to that of m
1229  	one := make(nat, numWords)
1230  	one[0] = 1
1231
1232  	const n = 4
1233  	// powers[i] contains x^i
1234  	var powers [1 << n]nat
1235  	powers[0] = powers[0].montgomery(one, RR, m, k0, numWords)
1236  	powers[1] = powers[1].montgomery(x, RR, m, k0, numWords)
1237  	for i := 2; i < 1<<n; i++ {
1238  		powers[i] = powers[i].montgomery(powers[i-1], powers[1], m, k0, numWords)
1239  	}
1240
1241  	// initialize z = 1 (Montgomery 1)
1242  	z = z.make(numWords)
1243  	copy(z, powers[0])
1244
1245  	zz = zz.make(numWords)
1246
1247  	// same windowed exponent, but with Montgomery multiplications
1248  	for i := len(y) - 1; i >= 0; i-- {
1249  		yi := y[i]
1250  		for j := 0; j < _W; j += n {
1251  			if i != len(y)-1 || j != 0 {
1252  				zz = zz.montgomery(z, z, m, k0, numWords)
1253  				z = z.montgomery(zz, zz, m, k0, numWords)
1254  				zz = zz.montgomery(z, z, m, k0, numWords)
1255  				z = z.montgomery(zz, zz, m, k0, numWords)
1256  			}
1257  			zz = zz.montgomery(z, powers[yi>>(_W-n)], m, k0, numWords)
1258  			z, zz = zz, z
1259  			yi <<= n
1260  		}
1261  	}
1262  	// convert to regular number
1263  	zz = zz.montgomery(z, one, m, k0, numWords)
1264
1265  	// One last reduction, just in case.
1266  	// See golang.org/issue/13907.
1267  	if zz.cmp(m) >= 0 {
1268  		// Common case is m has high bit set; in that case,
1269  		// since zz is the same length as m, there can be just
1270  		// one multiple of m to remove. Just subtract.
1271  		// We think that the subtract should be sufficient in general,
1272  		// so do that unconditionally, but double-check,
1273  		// in case our beliefs are wrong.
1274  		// The div is not expected to be reached.
1275  		zz = zz.sub(zz, m)
1276  		if zz.cmp(m) >= 0 {
1277  			_, zz = nat(nil).div(nil, zz, m)
1278  		}
1279  	}
1280
1281  	return zz.norm()
1282  }
1283
1284  // bytes writes the value of z into buf using big-endian encoding.
1285  // len(buf) must be >= len(z)*_S. The value of z is encoded in the
1286  // slice buf[i:]. The number i of unused bytes at the beginning of
1287  // buf is returned as result.
1288  func (z nat) bytes(buf []byte) (i int) {
1289  	i = len(buf)
1290  	for _, d := range z {
1291  		for j := 0; j < _S; j++ {
1292  			i--
1293  			buf[i] = byte(d)
1294  			d >>= 8
1295  		}
1296  	}
1297
1298  	for i < len(buf) && buf[i] == 0 {
1299  		i++
1300  	}
1301
1302  	return
1303  }
1304
1305  // bigEndianWord returns the contents of buf interpreted as a big-endian encoded Word value.
1306  func bigEndianWord(buf []byte) Word {
1307  	if _W == 64 {
1308  		return Word(binary.BigEndian.Uint64(buf))
1309  	}
1310  	return Word(binary.BigEndian.Uint32(buf))
1311  }
1312
1313  // setBytes interprets buf as the bytes of a big-endian unsigned
1314  // integer, sets z to that value, and returns z.
1315  func (z nat) setBytes(buf []byte) nat {
1316  	z = z.make((len(buf) + _S - 1) / _S)
1317
1318  	i := len(buf)
1319  	for k := 0; i >= _S; k++ {
1320  		z[k] = bigEndianWord(buf[i-_S : i])
1321  		i -= _S
1322  	}
1323  	if i > 0 {
1324  		var d Word
1325  		for s := uint(0); i > 0; s += 8 {
1326  			d |= Word(buf[i-1]) << s
1327  			i--
1328  		}
1329  		z[len(z)-1] = d
1330  	}
1331
1332  	return z.norm()
1333  }
1334
1335  // sqrt sets z = ⌊√x⌋
1336  func (z nat) sqrt(x nat) nat {
1337  	if x.cmp(natOne) <= 0 {
1338  		return z.set(x)
1339  	}
1340  	if alias(z, x) {
1341  		z = nil
1342  	}
1343
1344  	// Start with value known to be too large and repeat "z = ⌊(z + ⌊x/z⌋)/2⌋" until it stops getting smaller.
1345  	// See Brent and Zimmermann, Modern Computer Arithmetic, Algorithm 1.13 (SqrtInt).
1346  	// https://members.loria.fr/PZimmermann/mca/pub226.html
1347  	// If x is one less than a perfect square, the sequence oscillates between the correct z and z+1;
1348  	// otherwise it converges to the correct z and stays there.
1349  	var z1, z2 nat
1350  	z1 = z
1351  	z1 = z1.setUint64(1)
1352  	z1 = z1.shl(z1, uint(x.bitLen()/2+1)) // must be ≥ √x
1353  	for n := 0; ; n++ {
1354  		z2, _ = z2.div(nil, x, z1)
1356  		z2 = z2.shr(z2, 1)
1357  		if z2.cmp(z1) >= 0 {