...

# Source file src/math/big/nat.go

## Documentation: math/big

```     1  // Copyright 2009 The Go Authors. All rights reserved.
2  // Use of this source code is governed by a BSD-style
4
5  // This file implements unsigned multi-precision integers (natural
6  // numbers). They are the building blocks for the implementation
7  // of signed integers, rationals, and floating-point numbers.
8  //
9  // Caution: This implementation relies on the function "alias"
10  //          which assumes that (nat) slice capacities are never
11  //          changed (no 3-operand slice expressions). If that
12  //          changes, alias needs to be updated for correctness.
13
14  package big
15
16  import (
17  	"encoding/binary"
18  	"math/bits"
19  	"math/rand"
20  	"sync"
21  )
22
23  // An unsigned integer x of the form
24  //
25  //   x = x[n-1]*_B^(n-1) + x[n-2]*_B^(n-2) + ... + x[1]*_B + x[0]
26  //
27  // with 0 <= x[i] < _B and 0 <= i < n is stored in a slice of length n,
28  // with the digits x[i] as the slice elements.
29  //
30  // A number is normalized if the slice contains no leading 0 digits.
31  // During arithmetic operations, denormalized values may occur but are
32  // always normalized before returning the final result. The normalized
33  // representation of 0 is the empty or nil slice (length = 0).
34  //
35  type nat []Word
36
37  var (
38  	natOne = nat{1}
39  	natTwo = nat{2}
40  	natTen = nat{10}
41  )
42
43  func (z nat) clear() {
44  	for i := range z {
45  		z[i] = 0
46  	}
47  }
48
49  func (z nat) norm() nat {
50  	i := len(z)
51  	for i > 0 && z[i-1] == 0 {
52  		i--
53  	}
54  	return z[0:i]
55  }
56
57  func (z nat) make(n int) nat {
58  	if n <= cap(z) {
59  		return z[:n] // reuse z
60  	}
61  	if n == 1 {
62  		// Most nats start small and stay that way; don't over-allocate.
63  		return make(nat, 1)
64  	}
65  	// Choosing a good value for e has significant performance impact
66  	// because it increases the chance that a value can be reused.
67  	const e = 4 // extra capacity
68  	return make(nat, n, n+e)
69  }
70
71  func (z nat) setWord(x Word) nat {
72  	if x == 0 {
73  		return z[:0]
74  	}
75  	z = z.make(1)
76  	z[0] = x
77  	return z
78  }
79
80  func (z nat) setUint64(x uint64) nat {
81  	// single-word value
82  	if w := Word(x); uint64(w) == x {
83  		return z.setWord(w)
84  	}
85  	// 2-word value
86  	z = z.make(2)
87  	z[1] = Word(x >> 32)
88  	z[0] = Word(x)
89  	return z
90  }
91
92  func (z nat) set(x nat) nat {
93  	z = z.make(len(x))
94  	copy(z, x)
95  	return z
96  }
97
98  func (z nat) add(x, y nat) nat {
99  	m := len(x)
100  	n := len(y)
101
102  	switch {
103  	case m < n:
105  	case m == 0:
106  		// n == 0 because m >= n; result is 0
107  		return z[:0]
108  	case n == 0:
109  		// result is x
110  		return z.set(x)
111  	}
112  	// m > 0
113
114  	z = z.make(m + 1)
115  	c := addVV(z[0:n], x, y)
116  	if m > n {
117  		c = addVW(z[n:m], x[n:], c)
118  	}
119  	z[m] = c
120
121  	return z.norm()
122  }
123
124  func (z nat) sub(x, y nat) nat {
125  	m := len(x)
126  	n := len(y)
127
128  	switch {
129  	case m < n:
130  		panic("underflow")
131  	case m == 0:
132  		// n == 0 because m >= n; result is 0
133  		return z[:0]
134  	case n == 0:
135  		// result is x
136  		return z.set(x)
137  	}
138  	// m > 0
139
140  	z = z.make(m)
141  	c := subVV(z[0:n], x, y)
142  	if m > n {
143  		c = subVW(z[n:], x[n:], c)
144  	}
145  	if c != 0 {
146  		panic("underflow")
147  	}
148
149  	return z.norm()
150  }
151
152  func (x nat) cmp(y nat) (r int) {
153  	m := len(x)
154  	n := len(y)
155  	if m != n || m == 0 {
156  		switch {
157  		case m < n:
158  			r = -1
159  		case m > n:
160  			r = 1
161  		}
162  		return
163  	}
164
165  	i := m - 1
166  	for i > 0 && x[i] == y[i] {
167  		i--
168  	}
169
170  	switch {
171  	case x[i] < y[i]:
172  		r = -1
173  	case x[i] > y[i]:
174  		r = 1
175  	}
176  	return
177  }
178
179  func (z nat) mulAddWW(x nat, y, r Word) nat {
180  	m := len(x)
181  	if m == 0 || y == 0 {
182  		return z.setWord(r) // result is r
183  	}
184  	// m > 0
185
186  	z = z.make(m + 1)
187  	z[m] = mulAddVWW(z[0:m], x, y, r)
188
189  	return z.norm()
190  }
191
192  // basicMul multiplies x and y and leaves the result in z.
193  // The (non-normalized) result is placed in z[0 : len(x) + len(y)].
194  func basicMul(z, x, y nat) {
195  	z[0 : len(x)+len(y)].clear() // initialize z
196  	for i, d := range y {
197  		if d != 0 {
198  			z[len(x)+i] = addMulVVW(z[i:i+len(x)], x, d)
199  		}
200  	}
201  }
202
203  // montgomery computes z mod m = x*y*2**(-n*_W) mod m,
204  // assuming k = -1/m mod 2**_W.
205  // z is used for storing the result which is returned;
206  // z must not alias x, y or m.
207  // See Gueron, "Efficient Software Implementations of Modular Exponentiation".
208  // https://eprint.iacr.org/2011/239.pdf
209  // In the terminology of that paper, this is an "Almost Montgomery Multiplication":
210  // x and y are required to satisfy 0 <= z < 2**(n*_W) and then the result
211  // z is guaranteed to satisfy 0 <= z < 2**(n*_W), but it may not be < m.
212  func (z nat) montgomery(x, y, m nat, k Word, n int) nat {
213  	// This code assumes x, y, m are all the same length, n.
214  	// (required by addMulVVW and the for loop).
215  	// It also assumes that x, y are already reduced mod m,
216  	// or else the result will not be properly reduced.
217  	if len(x) != n || len(y) != n || len(m) != n {
218  		panic("math/big: mismatched montgomery number lengths")
219  	}
220  	z = z.make(n * 2)
221  	z.clear()
222  	var c Word
223  	for i := 0; i < n; i++ {
224  		d := y[i]
225  		c2 := addMulVVW(z[i:n+i], x, d)
226  		t := z[i] * k
227  		c3 := addMulVVW(z[i:n+i], m, t)
228  		cx := c + c2
229  		cy := cx + c3
230  		z[n+i] = cy
231  		if cx < c2 || cy < c3 {
232  			c = 1
233  		} else {
234  			c = 0
235  		}
236  	}
237  	if c != 0 {
238  		subVV(z[:n], z[n:], m)
239  	} else {
240  		copy(z[:n], z[n:])
241  	}
242  	return z[:n]
243  }
244
245  // Fast version of z[0:n+n>>1].add(z[0:n+n>>1], x[0:n]) w/o bounds checks.
246  // Factored out for readability - do not use outside karatsuba.
247  func karatsubaAdd(z, x nat, n int) {
248  	if c := addVV(z[0:n], z, x); c != 0 {
250  	}
251  }
252
253  // Like karatsubaAdd, but does subtract.
254  func karatsubaSub(z, x nat, n int) {
255  	if c := subVV(z[0:n], z, x); c != 0 {
256  		subVW(z[n:n+n>>1], z[n:], c)
257  	}
258  }
259
260  // Operands that are shorter than karatsubaThreshold are multiplied using
261  // "grade school" multiplication; for longer operands the Karatsuba algorithm
262  // is used.
263  var karatsubaThreshold = 40 // computed by calibrate_test.go
264
265  // karatsuba multiplies x and y and leaves the result in z.
266  // Both x and y must have the same length n and n must be a
267  // power of 2. The result vector z must have len(z) >= 6*n.
268  // The (non-normalized) result is placed in z[0 : 2*n].
269  func karatsuba(z, x, y nat) {
270  	n := len(y)
271
272  	// Switch to basic multiplication if numbers are odd or small.
273  	// (n is always even if karatsubaThreshold is even, but be
274  	// conservative)
275  	if n&1 != 0 || n < karatsubaThreshold || n < 2 {
276  		basicMul(z, x, y)
277  		return
278  	}
279  	// n&1 == 0 && n >= karatsubaThreshold && n >= 2
280
281  	// Karatsuba multiplication is based on the observation that
282  	// for two numbers x and y with:
283  	//
284  	//   x = x1*b + x0
285  	//   y = y1*b + y0
286  	//
287  	// the product x*y can be obtained with 3 products z2, z1, z0
289  	//
290  	//   x*y = x1*y1*b*b + (x1*y0 + x0*y1)*b + x0*y0
291  	//       =    z2*b*b +              z1*b +    z0
292  	//
293  	// with:
294  	//
295  	//   xd = x1 - x0
296  	//   yd = y0 - y1
297  	//
298  	//   z1 =      xd*yd                    + z2 + z0
299  	//      = (x1-x0)*(y0 - y1)             + z2 + z0
300  	//      = x1*y0 - x1*y1 - x0*y0 + x0*y1 + z2 + z0
301  	//      = x1*y0 -    z2 -    z0 + x0*y1 + z2 + z0
302  	//      = x1*y0                 + x0*y1
303
304  	// split x, y into "digits"
305  	n2 := n >> 1              // n2 >= 1
306  	x1, x0 := x[n2:], x[0:n2] // x = x1*b + y0
307  	y1, y0 := y[n2:], y[0:n2] // y = y1*b + y0
308
309  	// z is used for the result and temporary storage:
310  	//
311  	//   6*n     5*n     4*n     3*n     2*n     1*n     0*n
312  	// z = [z2 copy|z0 copy| xd*yd | yd:xd | x1*y1 | x0*y0 ]
313  	//
314  	// For each recursive call of karatsuba, an unused slice of
315  	// z is passed in that has (at least) half the length of the
316  	// caller's z.
317
318  	// compute z0 and z2 with the result "in place" in z
319  	karatsuba(z, x0, y0)     // z0 = x0*y0
320  	karatsuba(z[n:], x1, y1) // z2 = x1*y1
321
322  	// compute xd (or the negative value if underflow occurs)
323  	s := 1 // sign of product xd*yd
324  	xd := z[2*n : 2*n+n2]
325  	if subVV(xd, x1, x0) != 0 { // x1-x0
326  		s = -s
327  		subVV(xd, x0, x1) // x0-x1
328  	}
329
330  	// compute yd (or the negative value if underflow occurs)
331  	yd := z[2*n+n2 : 3*n]
332  	if subVV(yd, y0, y1) != 0 { // y0-y1
333  		s = -s
334  		subVV(yd, y1, y0) // y1-y0
335  	}
336
337  	// p = (x1-x0)*(y0-y1) == x1*y0 - x1*y1 - x0*y0 + x0*y1 for s > 0
338  	// p = (x0-x1)*(y0-y1) == x0*y0 - x0*y1 - x1*y0 + x1*y1 for s < 0
339  	p := z[n*3:]
340  	karatsuba(p, xd, yd)
341
342  	// save original z2:z0
343  	// (ok to use upper half of z since we're done recursing)
344  	r := z[n*4:]
345  	copy(r, z[:n*2])
346
347  	// add up all partial products
348  	//
349  	//   2*n     n     0
350  	// z = [ z2  | z0  ]
351  	//   +    [ z0  ]
352  	//   +    [ z2  ]
353  	//   +    [  p  ]
354  	//
357  	if s > 0 {
359  	} else {
360  		karatsubaSub(z[n2:], p, n)
361  	}
362  }
363
364  // alias reports whether x and y share the same base array.
365  // Note: alias assumes that the capacity of underlying arrays
366  //       is never changed for nat values; i.e. that there are
367  //       no 3-operand slice expressions in this code (or worse,
368  //       reflect-based operations to the same effect).
369  func alias(x, y nat) bool {
370  	return cap(x) > 0 && cap(y) > 0 && &x[0:cap(x)][cap(x)-1] == &y[0:cap(y)][cap(y)-1]
371  }
372
373  // addAt implements z += x<<(_W*i); z must be long enough.
374  // (we don't use nat.add because we need z to stay the same
375  // slice, and we don't need to normalize z after each addition)
376  func addAt(z, x nat, i int) {
377  	if n := len(x); n > 0 {
378  		if c := addVV(z[i:i+n], z[i:], x); c != 0 {
379  			j := i + n
380  			if j < len(z) {
382  			}
383  		}
384  	}
385  }
386
387  func max(x, y int) int {
388  	if x > y {
389  		return x
390  	}
391  	return y
392  }
393
394  // karatsubaLen computes an approximation to the maximum k <= n such that
395  // k = p<<i for a number p <= threshold and an i >= 0. Thus, the
396  // result is the largest number that can be divided repeatedly by 2 before
397  // becoming about the value of threshold.
398  func karatsubaLen(n, threshold int) int {
399  	i := uint(0)
400  	for n > threshold {
401  		n >>= 1
402  		i++
403  	}
404  	return n << i
405  }
406
407  func (z nat) mul(x, y nat) nat {
408  	m := len(x)
409  	n := len(y)
410
411  	switch {
412  	case m < n:
413  		return z.mul(y, x)
414  	case m == 0 || n == 0:
415  		return z[:0]
416  	case n == 1:
418  	}
419  	// m >= n > 1
420
421  	// determine if z can be reused
422  	if alias(z, x) || alias(z, y) {
423  		z = nil // z is an alias for x or y - cannot reuse
424  	}
425
426  	// use basic multiplication if the numbers are small
427  	if n < karatsubaThreshold {
428  		z = z.make(m + n)
429  		basicMul(z, x, y)
430  		return z.norm()
431  	}
432  	// m >= n && n >= karatsubaThreshold && n >= 2
433
434  	// determine Karatsuba length k such that
435  	//
436  	//   x = xh*b + x0  (0 <= x0 < b)
437  	//   y = yh*b + y0  (0 <= y0 < b)
438  	//   b = 1<<(_W*k)  ("base" of digits xi, yi)
439  	//
440  	k := karatsubaLen(n, karatsubaThreshold)
441  	// k <= n
442
443  	// multiply x0 and y0 via Karatsuba
444  	x0 := x[0:k]              // x0 is not normalized
445  	y0 := y[0:k]              // y0 is not normalized
446  	z = z.make(max(6*k, m+n)) // enough space for karatsuba of x0*y0 and full result of x*y
447  	karatsuba(z, x0, y0)
448  	z = z[0 : m+n]  // z has final length but may be incomplete
449  	z[2*k:].clear() // upper portion of z is garbage (and 2*k <= m+n since k <= n <= m)
450
451  	// If xh != 0 or yh != 0, add the missing terms to z. For
452  	//
453  	//   xh = xi*b^i + ... + x2*b^2 + x1*b (0 <= xi < b)
454  	//   yh =                         y1*b (0 <= y1 < b)
455  	//
456  	// the missing terms are
457  	//
458  	//   x0*y1*b and xi*y0*b^i, xi*y1*b^(i+1) for i > 0
459  	//
460  	// since all the yi for i > 1 are 0 by choice of k: If any of them
461  	// were > 0, then yh >= b^2 and thus y >= b^2. Then k' = k*2 would
462  	// be a larger valid threshold contradicting the assumption about k.
463  	//
464  	if k < n || m != n {
465  		var t nat
466
468  		x0 := x0.norm()
469  		y1 := y[k:]       // y1 is normalized because y is
470  		t = t.mul(x0, y1) // update t so we don't lose t's underlying array
472
474  		y0 := y0.norm()
475  		for i := k; i < len(x); i += k {
476  			xi := x[i:]
477  			if len(xi) > k {
478  				xi = xi[:k]
479  			}
480  			xi = xi.norm()
481  			t = t.mul(xi, y0)
483  			t = t.mul(xi, y1)
485  		}
486  	}
487
488  	return z.norm()
489  }
490
491  // basicSqr sets z = x*x and is asymptotically faster than basicMul
492  // by about a factor of 2, but slower for small arguments due to overhead.
493  // Requirements: len(x) > 0, len(z) == 2*len(x)
494  // The (non-normalized) result is placed in z.
495  func basicSqr(z, x nat) {
496  	n := len(x)
497  	t := make(nat, 2*n)            // temporary variable to hold the products
498  	z[1], z[0] = mulWW(x[0], x[0]) // the initial square
499  	for i := 1; i < n; i++ {
500  		d := x[i]
501  		// z collects the squares x[i] * x[i]
502  		z[2*i+1], z[2*i] = mulWW(d, d)
503  		// t collects the products x[i] * x[j] where j < i
504  		t[2*i] = addMulVVW(t[i:2*i], x[0:i], d)
505  	}
506  	t[2*n-1] = shlVU(t[1:2*n-1], t[1:2*n-1], 1) // double the j < i products
507  	addVV(z, z, t)                              // combine the result
508  }
509
510  // karatsubaSqr squares x and leaves the result in z.
511  // len(x) must be a power of 2 and len(z) >= 6*len(x).
512  // The (non-normalized) result is placed in z[0 : 2*len(x)].
513  //
514  // The algorithm and the layout of z are the same as for karatsuba.
515  func karatsubaSqr(z, x nat) {
516  	n := len(x)
517
518  	if n&1 != 0 || n < karatsubaSqrThreshold || n < 2 {
519  		basicSqr(z[:2*n], x)
520  		return
521  	}
522
523  	n2 := n >> 1
524  	x1, x0 := x[n2:], x[0:n2]
525
526  	karatsubaSqr(z, x0)
527  	karatsubaSqr(z[n:], x1)
528
529  	// s = sign(xd*yd) == -1 for xd != 0; s == 1 for xd == 0
530  	xd := z[2*n : 2*n+n2]
531  	if subVV(xd, x1, x0) != 0 {
532  		subVV(xd, x0, x1)
533  	}
534
535  	p := z[n*3:]
536  	karatsubaSqr(p, xd)
537
538  	r := z[n*4:]
539  	copy(r, z[:n*2])
540
543  	karatsubaSub(z[n2:], p, n) // s == -1 for p != 0; s == 1 for p == 0
544  }
545
546  // Operands that are shorter than basicSqrThreshold are squared using
547  // "grade school" multiplication; for operands longer than karatsubaSqrThreshold
548  // we use the Karatsuba algorithm optimized for x == y.
549  var basicSqrThreshold = 20      // computed by calibrate_test.go
550  var karatsubaSqrThreshold = 260 // computed by calibrate_test.go
551
552  // z = x*x
553  func (z nat) sqr(x nat) nat {
554  	n := len(x)
555  	switch {
556  	case n == 0:
557  		return z[:0]
558  	case n == 1:
559  		d := x[0]
560  		z = z.make(2)
561  		z[1], z[0] = mulWW(d, d)
562  		return z.norm()
563  	}
564
565  	if alias(z, x) {
566  		z = nil // z is an alias for x - cannot reuse
567  	}
568
569  	if n < basicSqrThreshold {
570  		z = z.make(2 * n)
571  		basicMul(z, x, x)
572  		return z.norm()
573  	}
574  	if n < karatsubaSqrThreshold {
575  		z = z.make(2 * n)
576  		basicSqr(z, x)
577  		return z.norm()
578  	}
579
580  	// Use Karatsuba multiplication optimized for x == y.
581  	// The algorithm and layout of z are the same as for mul.
582
583  	// z = (x1*b + x0)^2 = x1^2*b^2 + 2*x1*x0*b + x0^2
584
585  	k := karatsubaLen(n, karatsubaSqrThreshold)
586
587  	x0 := x[0:k]
588  	z = z.make(max(6*k, 2*n))
589  	karatsubaSqr(z, x0) // z = x0^2
590  	z = z[0 : 2*n]
591  	z[2*k:].clear()
592
593  	if k < n {
594  		var t nat
595  		x0 := x0.norm()
596  		x1 := x[k:]
597  		t = t.mul(x0, x1)
599  		addAt(z, t, k) // z = 2*x1*x0*b + x0^2
600  		t = t.sqr(x1)
601  		addAt(z, t, 2*k) // z = x1^2*b^2 + 2*x1*x0*b + x0^2
602  	}
603
604  	return z.norm()
605  }
606
607  // mulRange computes the product of all the unsigned integers in the
608  // range [a, b] inclusively. If a > b (empty range), the result is 1.
609  func (z nat) mulRange(a, b uint64) nat {
610  	switch {
611  	case a == 0:
612  		// cut long ranges short (optimization)
613  		return z.setUint64(0)
614  	case a > b:
615  		return z.setUint64(1)
616  	case a == b:
617  		return z.setUint64(a)
618  	case a+1 == b:
619  		return z.mul(nat(nil).setUint64(a), nat(nil).setUint64(b))
620  	}
621  	m := (a + b) / 2
622  	return z.mul(nat(nil).mulRange(a, m), nat(nil).mulRange(m+1, b))
623  }
624
625  // q = (x-r)/y, with 0 <= r < y
626  func (z nat) divW(x nat, y Word) (q nat, r Word) {
627  	m := len(x)
628  	switch {
629  	case y == 0:
630  		panic("division by zero")
631  	case y == 1:
632  		q = z.set(x) // result is x
633  		return
634  	case m == 0:
635  		q = z[:0] // result is 0
636  		return
637  	}
638  	// m > 0
639  	z = z.make(m)
640  	r = divWVW(z, 0, x, y)
641  	q = z.norm()
642  	return
643  }
644
645  func (z nat) div(z2, u, v nat) (q, r nat) {
646  	if len(v) == 0 {
647  		panic("division by zero")
648  	}
649
650  	if u.cmp(v) < 0 {
651  		q = z[:0]
652  		r = z2.set(u)
653  		return
654  	}
655
656  	if len(v) == 1 {
657  		var r2 Word
658  		q, r2 = z.divW(u, v[0])
659  		r = z2.setWord(r2)
660  		return
661  	}
662
663  	q, r = z.divLarge(z2, u, v)
664  	return
665  }
666
667  // getNat returns a *nat of len n. The contents may not be zero.
668  // The pool holds *nat to avoid allocation when converting to interface{}.
669  func getNat(n int) *nat {
670  	var z *nat
671  	if v := natPool.Get(); v != nil {
672  		z = v.(*nat)
673  	}
674  	if z == nil {
675  		z = new(nat)
676  	}
677  	*z = z.make(n)
678  	return z
679  }
680
681  func putNat(x *nat) {
682  	natPool.Put(x)
683  }
684
685  var natPool sync.Pool
686
687  // q = (uIn-r)/vIn, with 0 <= r < y
688  // Uses z as storage for q, and u as storage for r if possible.
689  // See Knuth, Volume 2, section 4.3.1, Algorithm D.
690  // Preconditions:
691  //    len(vIn) >= 2
692  //    len(uIn) >= len(vIn)
693  //    u must not alias z
694  func (z nat) divLarge(u, uIn, vIn nat) (q, r nat) {
695  	n := len(vIn)
696  	m := len(uIn) - n
697
698  	// D1.
699  	shift := nlz(vIn[n-1])
700  	// do not modify vIn, it may be used by another goroutine simultaneously
701  	vp := getNat(n)
702  	v := *vp
703  	shlVU(v, vIn, shift)
704
705  	// u may safely alias uIn or vIn, the value of uIn is used to set u and vIn was already used
706  	u = u.make(len(uIn) + 1)
707  	u[len(uIn)] = shlVU(u[0:len(uIn)], uIn, shift)
708
709  	// z may safely alias uIn or vIn, both values were used already
710  	if alias(z, u) {
711  		z = nil // z is an alias for u - cannot reuse
712  	}
713  	q = z.make(m + 1)
714
715  	qhatvp := getNat(n + 1)
716  	qhatv := *qhatvp
717
718  	// D2.
719  	vn1 := v[n-1]
720  	for j := m; j >= 0; j-- {
721  		// D3.
722  		qhat := Word(_M)
723  		if ujn := u[j+n]; ujn != vn1 {
724  			var rhat Word
725  			qhat, rhat = divWW(ujn, u[j+n-1], vn1)
726
727  			// x1 | x2 = q̂v_{n-2}
728  			vn2 := v[n-2]
729  			x1, x2 := mulWW(qhat, vn2)
730  			// test if q̂v_{n-2} > br̂ + u_{j+n-2}
731  			ujn2 := u[j+n-2]
732  			for greaterThan(x1, x2, rhat, ujn2) {
733  				qhat--
734  				prevRhat := rhat
735  				rhat += vn1
736  				// v[n-1] >= 0, so this tests for overflow.
737  				if rhat < prevRhat {
738  					break
739  				}
740  				x1, x2 = mulWW(qhat, vn2)
741  			}
742  		}
743
744  		// D4.
745  		qhatv[n] = mulAddVWW(qhatv[0:n], v, qhat, 0)
746
747  		c := subVV(u[j:j+len(qhatv)], u[j:], qhatv)
748  		if c != 0 {
749  			c := addVV(u[j:j+n], u[j:], v)
750  			u[j+n] += c
751  			qhat--
752  		}
753
754  		q[j] = qhat
755  	}
756
757  	putNat(vp)
758  	putNat(qhatvp)
759
760  	q = q.norm()
761  	shrVU(u, u, shift)
762  	r = u.norm()
763
764  	return q, r
765  }
766
767  // Length of x in bits. x must be normalized.
768  func (x nat) bitLen() int {
769  	if i := len(x) - 1; i >= 0 {
770  		return i*_W + bits.Len(uint(x[i]))
771  	}
772  	return 0
773  }
774
775  // trailingZeroBits returns the number of consecutive least significant zero
776  // bits of x.
777  func (x nat) trailingZeroBits() uint {
778  	if len(x) == 0 {
779  		return 0
780  	}
781  	var i uint
782  	for x[i] == 0 {
783  		i++
784  	}
785  	// x[i] != 0
786  	return i*_W + uint(bits.TrailingZeros(uint(x[i])))
787  }
788
789  func same(x, y nat) bool {
790  	return len(x) == len(y) && len(x) > 0 && &x[0] == &y[0]
791  }
792
793  // z = x << s
794  func (z nat) shl(x nat, s uint) nat {
795  	if s == 0 {
796  		if same(z, x) {
797  			return z
798  		}
799  		if !alias(z, x) {
800  			return z.set(x)
801  		}
802  	}
803
804  	m := len(x)
805  	if m == 0 {
806  		return z[:0]
807  	}
808  	// m > 0
809
810  	n := m + int(s/_W)
811  	z = z.make(n + 1)
812  	z[n] = shlVU(z[n-m:n], x, s%_W)
813  	z[0 : n-m].clear()
814
815  	return z.norm()
816  }
817
818  // z = x >> s
819  func (z nat) shr(x nat, s uint) nat {
820  	if s == 0 {
821  		if same(z, x) {
822  			return z
823  		}
824  		if !alias(z, x) {
825  			return z.set(x)
826  		}
827  	}
828
829  	m := len(x)
830  	n := m - int(s/_W)
831  	if n <= 0 {
832  		return z[:0]
833  	}
834  	// n > 0
835
836  	z = z.make(n)
837  	shrVU(z, x[m-n:], s%_W)
838
839  	return z.norm()
840  }
841
842  func (z nat) setBit(x nat, i uint, b uint) nat {
843  	j := int(i / _W)
844  	m := Word(1) << (i % _W)
845  	n := len(x)
846  	switch b {
847  	case 0:
848  		z = z.make(n)
849  		copy(z, x)
850  		if j >= n {
851  			// no need to grow
852  			return z
853  		}
854  		z[j] &^= m
855  		return z.norm()
856  	case 1:
857  		if j >= n {
858  			z = z.make(j + 1)
859  			z[n:].clear()
860  		} else {
861  			z = z.make(n)
862  		}
863  		copy(z, x)
864  		z[j] |= m
865  		// no need to normalize
866  		return z
867  	}
868  	panic("set bit is not 0 or 1")
869  }
870
871  // bit returns the value of the i'th bit, with lsb == bit 0.
872  func (x nat) bit(i uint) uint {
873  	j := i / _W
874  	if j >= uint(len(x)) {
875  		return 0
876  	}
877  	// 0 <= j < len(x)
878  	return uint(x[j] >> (i % _W) & 1)
879  }
880
881  // sticky returns 1 if there's a 1 bit within the
882  // i least significant bits, otherwise it returns 0.
883  func (x nat) sticky(i uint) uint {
884  	j := i / _W
885  	if j >= uint(len(x)) {
886  		if len(x) == 0 {
887  			return 0
888  		}
889  		return 1
890  	}
891  	// 0 <= j < len(x)
892  	for _, x := range x[:j] {
893  		if x != 0 {
894  			return 1
895  		}
896  	}
897  	if x[j]<<(_W-i%_W) != 0 {
898  		return 1
899  	}
900  	return 0
901  }
902
903  func (z nat) and(x, y nat) nat {
904  	m := len(x)
905  	n := len(y)
906  	if m > n {
907  		m = n
908  	}
909  	// m <= n
910
911  	z = z.make(m)
912  	for i := 0; i < m; i++ {
913  		z[i] = x[i] & y[i]
914  	}
915
916  	return z.norm()
917  }
918
919  func (z nat) andNot(x, y nat) nat {
920  	m := len(x)
921  	n := len(y)
922  	if n > m {
923  		n = m
924  	}
925  	// m >= n
926
927  	z = z.make(m)
928  	for i := 0; i < n; i++ {
929  		z[i] = x[i] &^ y[i]
930  	}
931  	copy(z[n:m], x[n:m])
932
933  	return z.norm()
934  }
935
936  func (z nat) or(x, y nat) nat {
937  	m := len(x)
938  	n := len(y)
939  	s := x
940  	if m < n {
941  		n, m = m, n
942  		s = y
943  	}
944  	// m >= n
945
946  	z = z.make(m)
947  	for i := 0; i < n; i++ {
948  		z[i] = x[i] | y[i]
949  	}
950  	copy(z[n:m], s[n:m])
951
952  	return z.norm()
953  }
954
955  func (z nat) xor(x, y nat) nat {
956  	m := len(x)
957  	n := len(y)
958  	s := x
959  	if m < n {
960  		n, m = m, n
961  		s = y
962  	}
963  	// m >= n
964
965  	z = z.make(m)
966  	for i := 0; i < n; i++ {
967  		z[i] = x[i] ^ y[i]
968  	}
969  	copy(z[n:m], s[n:m])
970
971  	return z.norm()
972  }
973
974  // greaterThan reports whether (x1<<_W + x2) > (y1<<_W + y2)
975  func greaterThan(x1, x2, y1, y2 Word) bool {
976  	return x1 > y1 || x1 == y1 && x2 > y2
977  }
978
979  // modW returns x % d.
980  func (x nat) modW(d Word) (r Word) {
981  	// TODO(agl): we don't actually need to store the q value.
982  	var q nat
983  	q = q.make(len(x))
984  	return divWVW(q, 0, x, d)
985  }
986
987  // random creates a random integer in [0..limit), using the space in z if
988  // possible. n is the bit length of limit.
989  func (z nat) random(rand *rand.Rand, limit nat, n int) nat {
990  	if alias(z, limit) {
991  		z = nil // z is an alias for limit - cannot reuse
992  	}
993  	z = z.make(len(limit))
994
995  	bitLengthOfMSW := uint(n % _W)
996  	if bitLengthOfMSW == 0 {
997  		bitLengthOfMSW = _W
998  	}
999  	mask := Word((1 << bitLengthOfMSW) - 1)
1000
1001  	for {
1002  		switch _W {
1003  		case 32:
1004  			for i := range z {
1005  				z[i] = Word(rand.Uint32())
1006  			}
1007  		case 64:
1008  			for i := range z {
1009  				z[i] = Word(rand.Uint32()) | Word(rand.Uint32())<<32
1010  			}
1011  		default:
1012  			panic("unknown word size")
1013  		}
1015  		if z.cmp(limit) < 0 {
1016  			break
1017  		}
1018  	}
1019
1020  	return z.norm()
1021  }
1022
1023  // If m != 0 (i.e., len(m) != 0), expNN sets z to x**y mod m;
1024  // otherwise it sets z to x**y. The result is the value of z.
1025  func (z nat) expNN(x, y, m nat) nat {
1026  	if alias(z, x) || alias(z, y) {
1027  		// We cannot allow in-place modification of x or y.
1028  		z = nil
1029  	}
1030
1031  	// x**y mod 1 == 0
1032  	if len(m) == 1 && m[0] == 1 {
1033  		return z.setWord(0)
1034  	}
1035  	// m == 0 || m > 1
1036
1037  	// x**0 == 1
1038  	if len(y) == 0 {
1039  		return z.setWord(1)
1040  	}
1041  	// y > 0
1042
1043  	// x**1 mod m == x mod m
1044  	if len(y) == 1 && y[0] == 1 && len(m) != 0 {
1045  		_, z = nat(nil).div(z, x, m)
1046  		return z
1047  	}
1048  	// y > 1
1049
1050  	if len(m) != 0 {
1051  		// We likely end up being as long as the modulus.
1052  		z = z.make(len(m))
1053  	}
1054  	z = z.set(x)
1055
1056  	// If the base is non-trivial and the exponent is large, we use
1057  	// 4-bit, windowed exponentiation. This involves precomputing 14 values
1058  	// (x^2...x^15) but then reduces the number of multiply-reduces by a
1059  	// third. Even for a 32-bit exponent, this reduces the number of
1060  	// operations. Uses Montgomery method for odd moduli.
1061  	if x.cmp(natOne) > 0 && len(y) > 1 && len(m) > 0 {
1062  		if m[0]&1 == 1 {
1063  			return z.expNNMontgomery(x, y, m)
1064  		}
1065  		return z.expNNWindowed(x, y, m)
1066  	}
1067
1068  	v := y[len(y)-1] // v > 0 because y is normalized and y > 0
1069  	shift := nlz(v) + 1
1070  	v <<= shift
1071  	var q nat
1072
1073  	const mask = 1 << (_W - 1)
1074
1075  	// We walk through the bits of the exponent one by one. Each time we
1076  	// see a bit, we square, thus doubling the power. If the bit is a one,
1077  	// we also multiply by x, thus adding one to the power.
1078
1079  	w := _W - int(shift)
1080  	// zz and r are used to avoid allocating in mul and div as
1081  	// otherwise the arguments would alias.
1082  	var zz, r nat
1083  	for j := 0; j < w; j++ {
1084  		zz = zz.sqr(z)
1085  		zz, z = z, zz
1086
1087  		if v&mask != 0 {
1088  			zz = zz.mul(z, x)
1089  			zz, z = z, zz
1090  		}
1091
1092  		if len(m) != 0 {
1093  			zz, r = zz.div(r, z, m)
1094  			zz, r, q, z = q, z, zz, r
1095  		}
1096
1097  		v <<= 1
1098  	}
1099
1100  	for i := len(y) - 2; i >= 0; i-- {
1101  		v = y[i]
1102
1103  		for j := 0; j < _W; j++ {
1104  			zz = zz.sqr(z)
1105  			zz, z = z, zz
1106
1107  			if v&mask != 0 {
1108  				zz = zz.mul(z, x)
1109  				zz, z = z, zz
1110  			}
1111
1112  			if len(m) != 0 {
1113  				zz, r = zz.div(r, z, m)
1114  				zz, r, q, z = q, z, zz, r
1115  			}
1116
1117  			v <<= 1
1118  		}
1119  	}
1120
1121  	return z.norm()
1122  }
1123
1124  // expNNWindowed calculates x**y mod m using a fixed, 4-bit window.
1125  func (z nat) expNNWindowed(x, y, m nat) nat {
1126  	// zz and r are used to avoid allocating in mul and div as otherwise
1127  	// the arguments would alias.
1128  	var zz, r nat
1129
1130  	const n = 4
1131  	// powers[i] contains x^i.
1132  	var powers [1 << n]nat
1133  	powers[0] = natOne
1134  	powers[1] = x
1135  	for i := 2; i < 1<<n; i += 2 {
1136  		p2, p, p1 := &powers[i/2], &powers[i], &powers[i+1]
1137  		*p = p.sqr(*p2)
1138  		zz, r = zz.div(r, *p, m)
1139  		*p, r = r, *p
1140  		*p1 = p1.mul(*p, x)
1141  		zz, r = zz.div(r, *p1, m)
1142  		*p1, r = r, *p1
1143  	}
1144
1145  	z = z.setWord(1)
1146
1147  	for i := len(y) - 1; i >= 0; i-- {
1148  		yi := y[i]
1149  		for j := 0; j < _W; j += n {
1150  			if i != len(y)-1 || j != 0 {
1151  				// Unrolled loop for significant performance
1152  				// gain. Use go test -bench=".*" in crypto/rsa
1153  				// to check performance before making changes.
1154  				zz = zz.sqr(z)
1155  				zz, z = z, zz
1156  				zz, r = zz.div(r, z, m)
1157  				z, r = r, z
1158
1159  				zz = zz.sqr(z)
1160  				zz, z = z, zz
1161  				zz, r = zz.div(r, z, m)
1162  				z, r = r, z
1163
1164  				zz = zz.sqr(z)
1165  				zz, z = z, zz
1166  				zz, r = zz.div(r, z, m)
1167  				z, r = r, z
1168
1169  				zz = zz.sqr(z)
1170  				zz, z = z, zz
1171  				zz, r = zz.div(r, z, m)
1172  				z, r = r, z
1173  			}
1174
1175  			zz = zz.mul(z, powers[yi>>(_W-n)])
1176  			zz, z = z, zz
1177  			zz, r = zz.div(r, z, m)
1178  			z, r = r, z
1179
1180  			yi <<= n
1181  		}
1182  	}
1183
1184  	return z.norm()
1185  }
1186
1187  // expNNMontgomery calculates x**y mod m using a fixed, 4-bit window.
1188  // Uses Montgomery representation.
1189  func (z nat) expNNMontgomery(x, y, m nat) nat {
1190  	numWords := len(m)
1191
1192  	// We want the lengths of x and m to be equal.
1193  	// It is OK if x >= m as long as len(x) == len(m).
1194  	if len(x) > numWords {
1195  		_, x = nat(nil).div(nil, x, m)
1196  		// Note: now len(x) <= numWords, not guaranteed ==.
1197  	}
1198  	if len(x) < numWords {
1199  		rr := make(nat, numWords)
1200  		copy(rr, x)
1201  		x = rr
1202  	}
1203
1204  	// Ideally the precomputations would be performed outside, and reused
1205  	// k0 = -m**-1 mod 2**_W. Algorithm from: Dumas, J.G. "On Newton–Raphson
1206  	// Iteration for Multiplicative Inverses Modulo Prime Powers".
1207  	k0 := 2 - m[0]
1208  	t := m[0] - 1
1209  	for i := 1; i < _W; i <<= 1 {
1210  		t *= t
1211  		k0 *= (t + 1)
1212  	}
1213  	k0 = -k0
1214
1215  	// RR = 2**(2*_W*len(m)) mod m
1216  	RR := nat(nil).setWord(1)
1217  	zz := nat(nil).shl(RR, uint(2*numWords*_W))
1218  	_, RR = nat(nil).div(RR, zz, m)
1219  	if len(RR) < numWords {
1220  		zz = zz.make(numWords)
1221  		copy(zz, RR)
1222  		RR = zz
1223  	}
1224  	// one = 1, with equal length to that of m
1225  	one := make(nat, numWords)
1226  	one[0] = 1
1227
1228  	const n = 4
1229  	// powers[i] contains x^i
1230  	var powers [1 << n]nat
1231  	powers[0] = powers[0].montgomery(one, RR, m, k0, numWords)
1232  	powers[1] = powers[1].montgomery(x, RR, m, k0, numWords)
1233  	for i := 2; i < 1<<n; i++ {
1234  		powers[i] = powers[i].montgomery(powers[i-1], powers[1], m, k0, numWords)
1235  	}
1236
1237  	// initialize z = 1 (Montgomery 1)
1238  	z = z.make(numWords)
1239  	copy(z, powers[0])
1240
1241  	zz = zz.make(numWords)
1242
1243  	// same windowed exponent, but with Montgomery multiplications
1244  	for i := len(y) - 1; i >= 0; i-- {
1245  		yi := y[i]
1246  		for j := 0; j < _W; j += n {
1247  			if i != len(y)-1 || j != 0 {
1248  				zz = zz.montgomery(z, z, m, k0, numWords)
1249  				z = z.montgomery(zz, zz, m, k0, numWords)
1250  				zz = zz.montgomery(z, z, m, k0, numWords)
1251  				z = z.montgomery(zz, zz, m, k0, numWords)
1252  			}
1253  			zz = zz.montgomery(z, powers[yi>>(_W-n)], m, k0, numWords)
1254  			z, zz = zz, z
1255  			yi <<= n
1256  		}
1257  	}
1258  	// convert to regular number
1259  	zz = zz.montgomery(z, one, m, k0, numWords)
1260
1261  	// One last reduction, just in case.
1262  	// See golang.org/issue/13907.
1263  	if zz.cmp(m) >= 0 {
1264  		// Common case is m has high bit set; in that case,
1265  		// since zz is the same length as m, there can be just
1266  		// one multiple of m to remove. Just subtract.
1267  		// We think that the subtract should be sufficient in general,
1268  		// so do that unconditionally, but double-check,
1269  		// in case our beliefs are wrong.
1270  		// The div is not expected to be reached.
1271  		zz = zz.sub(zz, m)
1272  		if zz.cmp(m) >= 0 {
1273  			_, zz = nat(nil).div(nil, zz, m)
1274  		}
1275  	}
1276
1277  	return zz.norm()
1278  }
1279
1280  // bytes writes the value of z into buf using big-endian encoding.
1281  // len(buf) must be >= len(z)*_S. The value of z is encoded in the
1282  // slice buf[i:]. The number i of unused bytes at the beginning of
1283  // buf is returned as result.
1284  func (z nat) bytes(buf []byte) (i int) {
1285  	i = len(buf)
1286  	for _, d := range z {
1287  		for j := 0; j < _S; j++ {
1288  			i--
1289  			buf[i] = byte(d)
1290  			d >>= 8
1291  		}
1292  	}
1293
1294  	for i < len(buf) && buf[i] == 0 {
1295  		i++
1296  	}
1297
1298  	return
1299  }
1300
1301  // bigEndianWord returns the contents of buf interpreted as a big-endian encoded Word value.
1302  func bigEndianWord(buf []byte) Word {
1303  	if _W == 64 {
1304  		return Word(binary.BigEndian.Uint64(buf))
1305  	}
1306  	return Word(binary.BigEndian.Uint32(buf))
1307  }
1308
1309  // setBytes interprets buf as the bytes of a big-endian unsigned
1310  // integer, sets z to that value, and returns z.
1311  func (z nat) setBytes(buf []byte) nat {
1312  	z = z.make((len(buf) + _S - 1) / _S)
1313
1314  	i := len(buf)
1315  	for k := 0; i >= _S; k++ {
1316  		z[k] = bigEndianWord(buf[i-_S : i])
1317  		i -= _S
1318  	}
1319  	if i > 0 {
1320  		var d Word
1321  		for s := uint(0); i > 0; s += 8 {
1322  			d |= Word(buf[i-1]) << s
1323  			i--
1324  		}
1325  		z[len(z)-1] = d
1326  	}
1327
1328  	return z.norm()
1329  }
1330
1331  // sqrt sets z = ⌊√x⌋
1332  func (z nat) sqrt(x nat) nat {
1333  	if x.cmp(natOne) <= 0 {
1334  		return z.set(x)
1335  	}
1336  	if alias(z, x) {
1337  		z = nil
1338  	}
1339
1340  	// Start with value known to be too large and repeat "z = ⌊(z + ⌊x/z⌋)/2⌋" until it stops getting smaller.
1341  	// See Brent and Zimmermann, Modern Computer Arithmetic, Algorithm 1.13 (SqrtInt).
1342  	// https://members.loria.fr/PZimmermann/mca/pub226.html
1343  	// If x is one less than a perfect square, the sequence oscillates between the correct z and z+1;
1344  	// otherwise it converges to the correct z and stays there.
1345  	var z1, z2 nat
1346  	z1 = z
1347  	z1 = z1.setUint64(1)
1348  	z1 = z1.shl(z1, uint(x.bitLen()/2+1)) // must be ≥ √x
1349  	for n := 0; ; n++ {
1350  		z2, _ = z2.div(nil, x, z1)
1352  		z2 = z2.shr(z2, 1)
1353  		if z2.cmp(z1) >= 0 {