1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5// This file implements unsigned multi-precision integers (natural 6// numbers). They are the building blocks for the implementation 7// of signed integers, rationals, and floating-point numbers. 8// 9// Caution: This implementation relies on the function "alias" 10// which assumes that (nat) slice capacities are never 11// changed (no 3-operand slice expressions). If that 12// changes, alias needs to be updated for correctness. 13 14package big 15 16import ( 17 "encoding/binary" 18 "math/bits" 19 "math/rand" 20 "sync" 21) 22 23// An unsigned integer x of the form 24// 25// x = x[n-1]*_B^(n-1) + x[n-2]*_B^(n-2) + ... + x[1]*_B + x[0] 26// 27// with 0 <= x[i] < _B and 0 <= i < n is stored in a slice of length n, 28// with the digits x[i] as the slice elements. 29// 30// A number is normalized if the slice contains no leading 0 digits. 31// During arithmetic operations, denormalized values may occur but are 32// always normalized before returning the final result. The normalized 33// representation of 0 is the empty or nil slice (length = 0). 34// 35type nat []Word 36 37var ( 38 natOne = nat{1} 39 natTwo = nat{2} 40 natFive = nat{5} 41 natTen = nat{10} 42) 43 44func (z nat) clear() { 45 for i := range z { 46 z[i] = 0 47 } 48} 49 50func (z nat) norm() nat { 51 i := len(z) 52 for i > 0 && z[i-1] == 0 { 53 i-- 54 } 55 return z[0:i] 56} 57 58func (z nat) make(n int) nat { 59 if n <= cap(z) { 60 return z[:n] // reuse z 61 } 62 if n == 1 { 63 // Most nats start small and stay that way; don't over-allocate. 64 return make(nat, 1) 65 } 66 // Choosing a good value for e has significant performance impact 67 // because it increases the chance that a value can be reused. 68 const e = 4 // extra capacity 69 return make(nat, n, n+e) 70} 71 72func (z nat) setWord(x Word) nat { 73 if x == 0 { 74 return z[:0] 75 } 76 z = z.make(1) 77 z[0] = x 78 return z 79} 80 81func (z nat) setUint64(x uint64) nat { 82 // single-word value 83 if w := Word(x); uint64(w) == x { 84 return z.setWord(w) 85 } 86 // 2-word value 87 z = z.make(2) 88 z[1] = Word(x >> 32) 89 z[0] = Word(x) 90 return z 91} 92 93func (z nat) set(x nat) nat { 94 z = z.make(len(x)) 95 copy(z, x) 96 return z 97} 98 99func (z nat) add(x, y nat) nat { 100 m := len(x) 101 n := len(y) 102 103 switch { 104 case m < n: 105 return z.add(y, x) 106 case m == 0: 107 // n == 0 because m >= n; result is 0 108 return z[:0] 109 case n == 0: 110 // result is x 111 return z.set(x) 112 } 113 // m > 0 114 115 z = z.make(m + 1) 116 c := addVV(z[0:n], x, y) 117 if m > n { 118 c = addVW(z[n:m], x[n:], c) 119 } 120 z[m] = c 121 122 return z.norm() 123} 124 125func (z nat) sub(x, y nat) nat { 126 m := len(x) 127 n := len(y) 128 129 switch { 130 case m < n: 131 panic("underflow") 132 case m == 0: 133 // n == 0 because m >= n; result is 0 134 return z[:0] 135 case n == 0: 136 // result is x 137 return z.set(x) 138 } 139 // m > 0 140 141 z = z.make(m) 142 c := subVV(z[0:n], x, y) 143 if m > n { 144 c = subVW(z[n:], x[n:], c) 145 } 146 if c != 0 { 147 panic("underflow") 148 } 149 150 return z.norm() 151} 152 153func (x nat) cmp(y nat) (r int) { 154 m := len(x) 155 n := len(y) 156 if m != n || m == 0 { 157 switch { 158 case m < n: 159 r = -1 160 case m > n: 161 r = 1 162 } 163 return 164 } 165 166 i := m - 1 167 for i > 0 && x[i] == y[i] { 168 i-- 169 } 170 171 switch { 172 case x[i] < y[i]: 173 r = -1 174 case x[i] > y[i]: 175 r = 1 176 } 177 return 178} 179 180func (z nat) mulAddWW(x nat, y, r Word) nat { 181 m := len(x) 182 if m == 0 || y == 0 { 183 return z.setWord(r) // result is r 184 } 185 // m > 0 186 187 z = z.make(m + 1) 188 z[m] = mulAddVWW(z[0:m], x, y, r) 189 190 return z.norm() 191} 192 193// basicMul multiplies x and y and leaves the result in z. 194// The (non-normalized) result is placed in z[0 : len(x) + len(y)]. 195func basicMul(z, x, y nat) { 196 z[0 : len(x)+len(y)].clear() // initialize z 197 for i, d := range y { 198 if d != 0 { 199 z[len(x)+i] = addMulVVW(z[i:i+len(x)], x, d) 200 } 201 } 202} 203 204// montgomery computes z mod m = x*y*2**(-n*_W) mod m, 205// assuming k = -1/m mod 2**_W. 206// z is used for storing the result which is returned; 207// z must not alias x, y or m. 208// See Gueron, "Efficient Software Implementations of Modular Exponentiation". 209// https://eprint.iacr.org/2011/239.pdf 210// In the terminology of that paper, this is an "Almost Montgomery Multiplication": 211// x and y are required to satisfy 0 <= z < 2**(n*_W) and then the result 212// z is guaranteed to satisfy 0 <= z < 2**(n*_W), but it may not be < m. 213func (z nat) montgomery(x, y, m nat, k Word, n int) nat { 214 // This code assumes x, y, m are all the same length, n. 215 // (required by addMulVVW and the for loop). 216 // It also assumes that x, y are already reduced mod m, 217 // or else the result will not be properly reduced. 218 if len(x) != n || len(y) != n || len(m) != n { 219 panic("math/big: mismatched montgomery number lengths") 220 } 221 z = z.make(n * 2) 222 z.clear() 223 var c Word 224 for i := 0; i < n; i++ { 225 d := y[i] 226 c2 := addMulVVW(z[i:n+i], x, d) 227 t := z[i] * k 228 c3 := addMulVVW(z[i:n+i], m, t) 229 cx := c + c2 230 cy := cx + c3 231 z[n+i] = cy 232 if cx < c2 || cy < c3 { 233 c = 1 234 } else { 235 c = 0 236 } 237 } 238 if c != 0 { 239 subVV(z[:n], z[n:], m) 240 } else { 241 copy(z[:n], z[n:]) 242 } 243 return z[:n] 244} 245 246// Fast version of z[0:n+n>>1].add(z[0:n+n>>1], x[0:n]) w/o bounds checks. 247// Factored out for readability - do not use outside karatsuba. 248func karatsubaAdd(z, x nat, n int) { 249 if c := addVV(z[0:n], z, x); c != 0 { 250 addVW(z[n:n+n>>1], z[n:], c) 251 } 252} 253 254// Like karatsubaAdd, but does subtract. 255func karatsubaSub(z, x nat, n int) { 256 if c := subVV(z[0:n], z, x); c != 0 { 257 subVW(z[n:n+n>>1], z[n:], c) 258 } 259} 260 261// Operands that are shorter than karatsubaThreshold are multiplied using 262// "grade school" multiplication; for longer operands the Karatsuba algorithm 263// is used. 264var karatsubaThreshold = 40 // computed by calibrate_test.go 265 266// karatsuba multiplies x and y and leaves the result in z. 267// Both x and y must have the same length n and n must be a 268// power of 2. The result vector z must have len(z) >= 6*n. 269// The (non-normalized) result is placed in z[0 : 2*n]. 270func karatsuba(z, x, y nat) { 271 n := len(y) 272 273 // Switch to basic multiplication if numbers are odd or small. 274 // (n is always even if karatsubaThreshold is even, but be 275 // conservative) 276 if n&1 != 0 || n < karatsubaThreshold || n < 2 { 277 basicMul(z, x, y) 278 return 279 } 280 // n&1 == 0 && n >= karatsubaThreshold && n >= 2 281 282 // Karatsuba multiplication is based on the observation that 283 // for two numbers x and y with: 284 // 285 // x = x1*b + x0 286 // y = y1*b + y0 287 // 288 // the product x*y can be obtained with 3 products z2, z1, z0 289 // instead of 4: 290 // 291 // x*y = x1*y1*b*b + (x1*y0 + x0*y1)*b + x0*y0 292 // = z2*b*b + z1*b + z0 293 // 294 // with: 295 // 296 // xd = x1 - x0 297 // yd = y0 - y1 298 // 299 // z1 = xd*yd + z2 + z0 300 // = (x1-x0)*(y0 - y1) + z2 + z0 301 // = x1*y0 - x1*y1 - x0*y0 + x0*y1 + z2 + z0 302 // = x1*y0 - z2 - z0 + x0*y1 + z2 + z0 303 // = x1*y0 + x0*y1 304 305 // split x, y into "digits" 306 n2 := n >> 1 // n2 >= 1 307 x1, x0 := x[n2:], x[0:n2] // x = x1*b + y0 308 y1, y0 := y[n2:], y[0:n2] // y = y1*b + y0 309 310 // z is used for the result and temporary storage: 311 // 312 // 6*n 5*n 4*n 3*n 2*n 1*n 0*n 313 // z = [z2 copy|z0 copy| xd*yd | yd:xd | x1*y1 | x0*y0 ] 314 // 315 // For each recursive call of karatsuba, an unused slice of 316 // z is passed in that has (at least) half the length of the 317 // caller's z. 318 319 // compute z0 and z2 with the result "in place" in z 320 karatsuba(z, x0, y0) // z0 = x0*y0 321 karatsuba(z[n:], x1, y1) // z2 = x1*y1 322 323 // compute xd (or the negative value if underflow occurs) 324 s := 1 // sign of product xd*yd 325 xd := z[2*n : 2*n+n2] 326 if subVV(xd, x1, x0) != 0 { // x1-x0 327 s = -s 328 subVV(xd, x0, x1) // x0-x1 329 } 330 331 // compute yd (or the negative value if underflow occurs) 332 yd := z[2*n+n2 : 3*n] 333 if subVV(yd, y0, y1) != 0 { // y0-y1 334 s = -s 335 subVV(yd, y1, y0) // y1-y0 336 } 337 338 // p = (x1-x0)*(y0-y1) == x1*y0 - x1*y1 - x0*y0 + x0*y1 for s > 0 339 // p = (x0-x1)*(y0-y1) == x0*y0 - x0*y1 - x1*y0 + x1*y1 for s < 0 340 p := z[n*3:] 341 karatsuba(p, xd, yd) 342 343 // save original z2:z0 344 // (ok to use upper half of z since we're done recursing) 345 r := z[n*4:] 346 copy(r, z[:n*2]) 347 348 // add up all partial products 349 // 350 // 2*n n 0 351 // z = [ z2 | z0 ] 352 // + [ z0 ] 353 // + [ z2 ] 354 // + [ p ] 355 // 356 karatsubaAdd(z[n2:], r, n) 357 karatsubaAdd(z[n2:], r[n:], n) 358 if s > 0 { 359 karatsubaAdd(z[n2:], p, n) 360 } else { 361 karatsubaSub(z[n2:], p, n) 362 } 363} 364 365// alias reports whether x and y share the same base array. 366// Note: alias assumes that the capacity of underlying arrays 367// is never changed for nat values; i.e. that there are 368// no 3-operand slice expressions in this code (or worse, 369// reflect-based operations to the same effect). 370func alias(x, y nat) bool { 371 return cap(x) > 0 && cap(y) > 0 && &x[0:cap(x)][cap(x)-1] == &y[0:cap(y)][cap(y)-1] 372} 373 374// addAt implements z += x<<(_W*i); z must be long enough. 375// (we don't use nat.add because we need z to stay the same 376// slice, and we don't need to normalize z after each addition) 377func addAt(z, x nat, i int) { 378 if n := len(x); n > 0 { 379 if c := addVV(z[i:i+n], z[i:], x); c != 0 { 380 j := i + n 381 if j < len(z) { 382 addVW(z[j:], z[j:], c) 383 } 384 } 385 } 386} 387 388func max(x, y int) int { 389 if x > y { 390 return x 391 } 392 return y 393} 394 395// karatsubaLen computes an approximation to the maximum k <= n such that 396// k = p<<i for a number p <= threshold and an i >= 0. Thus, the 397// result is the largest number that can be divided repeatedly by 2 before 398// becoming about the value of threshold. 399func karatsubaLen(n, threshold int) int { 400 i := uint(0) 401 for n > threshold { 402 n >>= 1 403 i++ 404 } 405 return n << i 406} 407 408func (z nat) mul(x, y nat) nat { 409 m := len(x) 410 n := len(y) 411 412 switch { 413 case m < n: 414 return z.mul(y, x) 415 case m == 0 || n == 0: 416 return z[:0] 417 case n == 1: 418 return z.mulAddWW(x, y[0], 0) 419 } 420 // m >= n > 1 421 422 // determine if z can be reused 423 if alias(z, x) || alias(z, y) { 424 z = nil // z is an alias for x or y - cannot reuse 425 } 426 427 // use basic multiplication if the numbers are small 428 if n < karatsubaThreshold { 429 z = z.make(m + n) 430 basicMul(z, x, y) 431 return z.norm() 432 } 433 // m >= n && n >= karatsubaThreshold && n >= 2 434 435 // determine Karatsuba length k such that 436 // 437 // x = xh*b + x0 (0 <= x0 < b) 438 // y = yh*b + y0 (0 <= y0 < b) 439 // b = 1<<(_W*k) ("base" of digits xi, yi) 440 // 441 k := karatsubaLen(n, karatsubaThreshold) 442 // k <= n 443 444 // multiply x0 and y0 via Karatsuba 445 x0 := x[0:k] // x0 is not normalized 446 y0 := y[0:k] // y0 is not normalized 447 z = z.make(max(6*k, m+n)) // enough space for karatsuba of x0*y0 and full result of x*y 448 karatsuba(z, x0, y0) 449 z = z[0 : m+n] // z has final length but may be incomplete 450 z[2*k:].clear() // upper portion of z is garbage (and 2*k <= m+n since k <= n <= m) 451 452 // If xh != 0 or yh != 0, add the missing terms to z. For 453 // 454 // xh = xi*b^i + ... + x2*b^2 + x1*b (0 <= xi < b) 455 // yh = y1*b (0 <= y1 < b) 456 // 457 // the missing terms are 458 // 459 // x0*y1*b and xi*y0*b^i, xi*y1*b^(i+1) for i > 0 460 // 461 // since all the yi for i > 1 are 0 by choice of k: If any of them 462 // were > 0, then yh >= b^2 and thus y >= b^2. Then k' = k*2 would 463 // be a larger valid threshold contradicting the assumption about k. 464 // 465 if k < n || m != n { 466 tp := getNat(3 * k) 467 t := *tp 468 469 // add x0*y1*b 470 x0 := x0.norm() 471 y1 := y[k:] // y1 is normalized because y is 472 t = t.mul(x0, y1) // update t so we don't lose t's underlying array 473 addAt(z, t, k) 474 475 // add xi*y0<<i, xi*y1*b<<(i+k) 476 y0 := y0.norm() 477 for i := k; i < len(x); i += k { 478 xi := x[i:] 479 if len(xi) > k { 480 xi = xi[:k] 481 } 482 xi = xi.norm() 483 t = t.mul(xi, y0) 484 addAt(z, t, i) 485 t = t.mul(xi, y1) 486 addAt(z, t, i+k) 487 } 488 489 putNat(tp) 490 } 491 492 return z.norm() 493} 494 495// basicSqr sets z = x*x and is asymptotically faster than basicMul 496// by about a factor of 2, but slower for small arguments due to overhead. 497// Requirements: len(x) > 0, len(z) == 2*len(x) 498// The (non-normalized) result is placed in z. 499func basicSqr(z, x nat) { 500 n := len(x) 501 tp := getNat(2 * n) 502 t := *tp // temporary variable to hold the products 503 t.clear() 504 z[1], z[0] = mulWW(x[0], x[0]) // the initial square 505 for i := 1; i < n; i++ { 506 d := x[i] 507 // z collects the squares x[i] * x[i] 508 z[2*i+1], z[2*i] = mulWW(d, d) 509 // t collects the products x[i] * x[j] where j < i 510 t[2*i] = addMulVVW(t[i:2*i], x[0:i], d) 511 } 512 t[2*n-1] = shlVU(t[1:2*n-1], t[1:2*n-1], 1) // double the j < i products 513 addVV(z, z, t) // combine the result 514 putNat(tp) 515} 516 517// karatsubaSqr squares x and leaves the result in z. 518// len(x) must be a power of 2 and len(z) >= 6*len(x). 519// The (non-normalized) result is placed in z[0 : 2*len(x)]. 520// 521// The algorithm and the layout of z are the same as for karatsuba. 522func karatsubaSqr(z, x nat) { 523 n := len(x) 524 525 if n&1 != 0 || n < karatsubaSqrThreshold || n < 2 { 526 basicSqr(z[:2*n], x) 527 return 528 } 529 530 n2 := n >> 1 531 x1, x0 := x[n2:], x[0:n2] 532 533 karatsubaSqr(z, x0) 534 karatsubaSqr(z[n:], x1) 535 536 // s = sign(xd*yd) == -1 for xd != 0; s == 1 for xd == 0 537 xd := z[2*n : 2*n+n2] 538 if subVV(xd, x1, x0) != 0 { 539 subVV(xd, x0, x1) 540 } 541 542 p := z[n*3:] 543 karatsubaSqr(p, xd) 544 545 r := z[n*4:] 546 copy(r, z[:n*2]) 547 548 karatsubaAdd(z[n2:], r, n) 549 karatsubaAdd(z[n2:], r[n:], n) 550 karatsubaSub(z[n2:], p, n) // s == -1 for p != 0; s == 1 for p == 0 551} 552 553// Operands that are shorter than basicSqrThreshold are squared using 554// "grade school" multiplication; for operands longer than karatsubaSqrThreshold 555// we use the Karatsuba algorithm optimized for x == y. 556var basicSqrThreshold = 20 // computed by calibrate_test.go 557var karatsubaSqrThreshold = 260 // computed by calibrate_test.go 558 559// z = x*x 560func (z nat) sqr(x nat) nat { 561 n := len(x) 562 switch { 563 case n == 0: 564 return z[:0] 565 case n == 1: 566 d := x[0] 567 z = z.make(2) 568 z[1], z[0] = mulWW(d, d) 569 return z.norm() 570 } 571 572 if alias(z, x) { 573 z = nil // z is an alias for x - cannot reuse 574 } 575 576 if n < basicSqrThreshold { 577 z = z.make(2 * n) 578 basicMul(z, x, x) 579 return z.norm() 580 } 581 if n < karatsubaSqrThreshold { 582 z = z.make(2 * n) 583 basicSqr(z, x) 584 return z.norm() 585 } 586 587 // Use Karatsuba multiplication optimized for x == y. 588 // The algorithm and layout of z are the same as for mul. 589 590 // z = (x1*b + x0)^2 = x1^2*b^2 + 2*x1*x0*b + x0^2 591 592 k := karatsubaLen(n, karatsubaSqrThreshold) 593 594 x0 := x[0:k] 595 z = z.make(max(6*k, 2*n)) 596 karatsubaSqr(z, x0) // z = x0^2 597 z = z[0 : 2*n] 598 z[2*k:].clear() 599 600 if k < n { 601 tp := getNat(2 * k) 602 t := *tp 603 x0 := x0.norm() 604 x1 := x[k:] 605 t = t.mul(x0, x1) 606 addAt(z, t, k) 607 addAt(z, t, k) // z = 2*x1*x0*b + x0^2 608 t = t.sqr(x1) 609 addAt(z, t, 2*k) // z = x1^2*b^2 + 2*x1*x0*b + x0^2 610 putNat(tp) 611 } 612 613 return z.norm() 614} 615 616// mulRange computes the product of all the unsigned integers in the 617// range [a, b] inclusively. If a > b (empty range), the result is 1. 618func (z nat) mulRange(a, b uint64) nat { 619 switch { 620 case a == 0: 621 // cut long ranges short (optimization) 622 return z.setUint64(0) 623 case a > b: 624 return z.setUint64(1) 625 case a == b: 626 return z.setUint64(a) 627 case a+1 == b: 628 return z.mul(nat(nil).setUint64(a), nat(nil).setUint64(b)) 629 } 630 m := (a + b) / 2 631 return z.mul(nat(nil).mulRange(a, m), nat(nil).mulRange(m+1, b)) 632} 633 634// q = (x-r)/y, with 0 <= r < y 635func (z nat) divW(x nat, y Word) (q nat, r Word) { 636 m := len(x) 637 switch { 638 case y == 0: 639 panic("division by zero") 640 case y == 1: 641 q = z.set(x) // result is x 642 return 643 case m == 0: 644 q = z[:0] // result is 0 645 return 646 } 647 // m > 0 648 z = z.make(m) 649 r = divWVW(z, 0, x, y) 650 q = z.norm() 651 return 652} 653 654func (z nat) div(z2, u, v nat) (q, r nat) { 655 if len(v) == 0 { 656 panic("division by zero") 657 } 658 659 if u.cmp(v) < 0 { 660 q = z[:0] 661 r = z2.set(u) 662 return 663 } 664 665 if len(v) == 1 { 666 var r2 Word 667 q, r2 = z.divW(u, v[0]) 668 r = z2.setWord(r2) 669 return 670 } 671 672 q, r = z.divLarge(z2, u, v) 673 return 674} 675 676// getNat returns a *nat of len n. The contents may not be zero. 677// The pool holds *nat to avoid allocation when converting to interface{}. 678func getNat(n int) *nat { 679 var z *nat 680 if v := natPool.Get(); v != nil { 681 z = v.(*nat) 682 } 683 if z == nil { 684 z = new(nat) 685 } 686 *z = z.make(n) 687 return z 688} 689 690func putNat(x *nat) { 691 natPool.Put(x) 692} 693 694var natPool sync.Pool 695 696// q = (uIn-r)/vIn, with 0 <= r < vIn 697// Uses z as storage for q, and u as storage for r if possible. 698// See Knuth, Volume 2, section 4.3.1, Algorithm D. 699// Preconditions: 700// len(vIn) >= 2 701// len(uIn) >= len(vIn) 702// u must not alias z 703func (z nat) divLarge(u, uIn, vIn nat) (q, r nat) { 704 n := len(vIn) 705 m := len(uIn) - n 706 707 // D1. 708 shift := nlz(vIn[n-1]) 709 // do not modify vIn, it may be used by another goroutine simultaneously 710 vp := getNat(n) 711 v := *vp 712 shlVU(v, vIn, shift) 713 714 // u may safely alias uIn or vIn, the value of uIn is used to set u and vIn was already used 715 u = u.make(len(uIn) + 1) 716 u[len(uIn)] = shlVU(u[0:len(uIn)], uIn, shift) 717 718 // z may safely alias uIn or vIn, both values were used already 719 if alias(z, u) { 720 z = nil // z is an alias for u - cannot reuse 721 } 722 q = z.make(m + 1) 723 724 if n < divRecursiveThreshold { 725 q.divBasic(u, v) 726 } else { 727 q.divRecursive(u, v) 728 } 729 putNat(vp) 730 731 q = q.norm() 732 shrVU(u, u, shift) 733 r = u.norm() 734 735 return q, r 736} 737 738// divBasic performs word-by-word division of u by v. 739// The quotient is written in pre-allocated q. 740// The remainder overwrites input u. 741// 742// Precondition: 743// - q is large enough to hold the quotient u / v 744// which has a maximum length of len(u)-len(v)+1. 745func (q nat) divBasic(u, v nat) { 746 n := len(v) 747 m := len(u) - n 748 749 qhatvp := getNat(n + 1) 750 qhatv := *qhatvp 751 752 // D2. 753 vn1 := v[n-1] 754 for j := m; j >= 0; j-- { 755 // D3. 756 qhat := Word(_M) 757 var ujn Word 758 if j+n < len(u) { 759 ujn = u[j+n] 760 } 761 if ujn != vn1 { 762 var rhat Word 763 qhat, rhat = divWW(ujn, u[j+n-1], vn1) 764 765 // x1 | x2 = q̂v_{n-2} 766 vn2 := v[n-2] 767 x1, x2 := mulWW(qhat, vn2) 768 // test if q̂v_{n-2} > br̂ + u_{j+n-2} 769 ujn2 := u[j+n-2] 770 for greaterThan(x1, x2, rhat, ujn2) { 771 qhat-- 772 prevRhat := rhat 773 rhat += vn1 774 // v[n-1] >= 0, so this tests for overflow. 775 if rhat < prevRhat { 776 break 777 } 778 x1, x2 = mulWW(qhat, vn2) 779 } 780 } 781 782 // D4. 783 // Compute the remainder u - (q̂*v) << (_W*j). 784 // The subtraction may overflow if q̂ estimate was off by one. 785 qhatv[n] = mulAddVWW(qhatv[0:n], v, qhat, 0) 786 qhl := len(qhatv) 787 if j+qhl > len(u) && qhatv[n] == 0 { 788 qhl-- 789 } 790 c := subVV(u[j:j+qhl], u[j:], qhatv) 791 if c != 0 { 792 c := addVV(u[j:j+n], u[j:], v) 793 // If n == qhl, the carry from subVV and the carry from addVV 794 // cancel out and don't affect u[j+n]. 795 if n < qhl { 796 u[j+n] += c 797 } 798 qhat-- 799 } 800 801 if j == m && m == len(q) && qhat == 0 { 802 continue 803 } 804 q[j] = qhat 805 } 806 807 putNat(qhatvp) 808} 809 810const divRecursiveThreshold = 100 811 812// divRecursive performs word-by-word division of u by v. 813// The quotient is written in pre-allocated z. 814// The remainder overwrites input u. 815// 816// Precondition: 817// - len(z) >= len(u)-len(v) 818// 819// See Burnikel, Ziegler, "Fast Recursive Division", Algorithm 1 and 2. 820func (z nat) divRecursive(u, v nat) { 821 // Recursion depth is less than 2 log2(len(v)) 822 // Allocate a slice of temporaries to be reused across recursion. 823 recDepth := 2 * bits.Len(uint(len(v))) 824 // large enough to perform Karatsuba on operands as large as v 825 tmp := getNat(3 * len(v)) 826 temps := make([]*nat, recDepth) 827 z.clear() 828 z.divRecursiveStep(u, v, 0, tmp, temps) 829 for _, n := range temps { 830 if n != nil { 831 putNat(n) 832 } 833 } 834 putNat(tmp) 835} 836 837// divRecursiveStep computes the division of u by v. 838// - z must be large enough to hold the quotient 839// - the quotient will overwrite z 840// - the remainder will overwrite u 841func (z nat) divRecursiveStep(u, v nat, depth int, tmp *nat, temps []*nat) { 842 u = u.norm() 843 v = v.norm() 844 845 if len(u) == 0 { 846 z.clear() 847 return 848 } 849 n := len(v) 850 if n < divRecursiveThreshold { 851 z.divBasic(u, v) 852 return 853 } 854 m := len(u) - n 855 if m < 0 { 856 return 857 } 858 859 // Produce the quotient by blocks of B words. 860 // Division by v (length n) is done using a length n/2 division 861 // and a length n/2 multiplication for each block. The final 862 // complexity is driven by multiplication complexity. 863 B := n / 2 864 865 // Allocate a nat for qhat below. 866 if temps[depth] == nil { 867 temps[depth] = getNat(n) 868 } else { 869 *temps[depth] = temps[depth].make(B + 1) 870 } 871 872 j := m 873 for j > B { 874 // Divide u[j-B:j+n] by vIn. Keep remainder in u 875 // for next block. 876 // 877 // The following property will be used (Lemma 2): 878 // if u = u1 << s + u0 879 // v = v1 << s + v0 880 // then floor(u1/v1) >= floor(u/v) 881 // 882 // Moreover, the difference is at most 2 if len(v1) >= len(u/v) 883 // We choose s = B-1 since len(v)-B >= B+1 >= len(u/v) 884 s := (B - 1) 885 // Except for the first step, the top bits are always 886 // a division remainder, so the quotient length is <= n. 887 uu := u[j-B:] 888 889 qhat := *temps[depth] 890 qhat.clear() 891 qhat.divRecursiveStep(uu[s:B+n], v[s:], depth+1, tmp, temps) 892 qhat = qhat.norm() 893 // Adjust the quotient: 894 // u = u_h << s + u_l 895 // v = v_h << s + v_l 896 // u_h = q̂ v_h + rh 897 // u = q̂ (v - v_l) + rh << s + u_l 898 // After the above step, u contains a remainder: 899 // u = rh << s + u_l 900 // and we need to subtract q̂ v_l 901 // 902 // But it may be a bit too large, in which case q̂ needs to be smaller. 903 qhatv := tmp.make(3 * n) 904 qhatv.clear() 905 qhatv = qhatv.mul(qhat, v[:s]) 906 for i := 0; i < 2; i++ { 907 e := qhatv.cmp(uu.norm()) 908 if e <= 0 { 909 break 910 } 911 subVW(qhat, qhat, 1) 912 c := subVV(qhatv[:s], qhatv[:s], v[:s]) 913 if len(qhatv) > s { 914 subVW(qhatv[s:], qhatv[s:], c) 915 } 916 addAt(uu[s:], v[s:], 0) 917 } 918 if qhatv.cmp(uu.norm()) > 0 { 919 panic("impossible") 920 } 921 c := subVV(uu[:len(qhatv)], uu[:len(qhatv)], qhatv) 922 if c > 0 { 923 subVW(uu[len(qhatv):], uu[len(qhatv):], c) 924 } 925 addAt(z, qhat, j-B) 926 j -= B 927 } 928 929 // Now u < (v<<B), compute lower bits in the same way. 930 // Choose shift = B-1 again. 931 s := B 932 qhat := *temps[depth] 933 qhat.clear() 934 qhat.divRecursiveStep(u[s:].norm(), v[s:], depth+1, tmp, temps) 935 qhat = qhat.norm() 936 qhatv := tmp.make(3 * n) 937 qhatv.clear() 938 qhatv = qhatv.mul(qhat, v[:s]) 939 // Set the correct remainder as before. 940 for i := 0; i < 2; i++ { 941 if e := qhatv.cmp(u.norm()); e > 0 { 942 subVW(qhat, qhat, 1) 943 c := subVV(qhatv[:s], qhatv[:s], v[:s]) 944 if len(qhatv) > s { 945 subVW(qhatv[s:], qhatv[s:], c) 946 } 947 addAt(u[s:], v[s:], 0) 948 } 949 } 950 if qhatv.cmp(u.norm()) > 0 { 951 panic("impossible") 952 } 953 c := subVV(u[0:len(qhatv)], u[0:len(qhatv)], qhatv) 954 if c > 0 { 955 c = subVW(u[len(qhatv):], u[len(qhatv):], c) 956 } 957 if c > 0 { 958 panic("impossible") 959 } 960 961 // Done! 962 addAt(z, qhat.norm(), 0) 963} 964 965// Length of x in bits. x must be normalized. 966func (x nat) bitLen() int { 967 if i := len(x) - 1; i >= 0 { 968 return i*_W + bits.Len(uint(x[i])) 969 } 970 return 0 971} 972 973// trailingZeroBits returns the number of consecutive least significant zero 974// bits of x. 975func (x nat) trailingZeroBits() uint { 976 if len(x) == 0 { 977 return 0 978 } 979 var i uint 980 for x[i] == 0 { 981 i++ 982 } 983 // x[i] != 0 984 return i*_W + uint(bits.TrailingZeros(uint(x[i]))) 985} 986 987func same(x, y nat) bool { 988 return len(x) == len(y) && len(x) > 0 && &x[0] == &y[0] 989} 990 991// z = x << s 992func (z nat) shl(x nat, s uint) nat { 993 if s == 0 { 994 if same(z, x) { 995 return z 996 } 997 if !alias(z, x) { 998 return z.set(x) 999 } 1000 } 1001 1002 m := len(x) 1003 if m == 0 { 1004 return z[:0] 1005 } 1006 // m > 0 1007 1008 n := m + int(s/_W) 1009 z = z.make(n + 1) 1010 z[n] = shlVU(z[n-m:n], x, s%_W) 1011 z[0 : n-m].clear() 1012 1013 return z.norm() 1014} 1015 1016// z = x >> s 1017func (z nat) shr(x nat, s uint) nat { 1018 if s == 0 { 1019 if same(z, x) { 1020 return z 1021 } 1022 if !alias(z, x) { 1023 return z.set(x) 1024 } 1025 } 1026 1027 m := len(x) 1028 n := m - int(s/_W) 1029 if n <= 0 { 1030 return z[:0] 1031 } 1032 // n > 0 1033 1034 z = z.make(n) 1035 shrVU(z, x[m-n:], s%_W) 1036 1037 return z.norm() 1038} 1039 1040func (z nat) setBit(x nat, i uint, b uint) nat { 1041 j := int(i / _W) 1042 m := Word(1) << (i % _W) 1043 n := len(x) 1044 switch b { 1045 case 0: 1046 z = z.make(n) 1047 copy(z, x) 1048 if j >= n { 1049 // no need to grow 1050 return z 1051 } 1052 z[j] &^= m 1053 return z.norm() 1054 case 1: 1055 if j >= n { 1056 z = z.make(j + 1) 1057 z[n:].clear() 1058 } else { 1059 z = z.make(n) 1060 } 1061 copy(z, x) 1062 z[j] |= m 1063 // no need to normalize 1064 return z 1065 } 1066 panic("set bit is not 0 or 1") 1067} 1068 1069// bit returns the value of the i'th bit, with lsb == bit 0. 1070func (x nat) bit(i uint) uint { 1071 j := i / _W 1072 if j >= uint(len(x)) { 1073 return 0 1074 } 1075 // 0 <= j < len(x) 1076 return uint(x[j] >> (i % _W) & 1) 1077} 1078 1079// sticky returns 1 if there's a 1 bit within the 1080// i least significant bits, otherwise it returns 0. 1081func (x nat) sticky(i uint) uint { 1082 j := i / _W 1083 if j >= uint(len(x)) { 1084 if len(x) == 0 { 1085 return 0 1086 } 1087 return 1 1088 } 1089 // 0 <= j < len(x) 1090 for _, x := range x[:j] { 1091 if x != 0 { 1092 return 1 1093 } 1094 } 1095 if x[j]<<(_W-i%_W) != 0 { 1096 return 1 1097 } 1098 return 0 1099} 1100 1101func (z nat) and(x, y nat) nat { 1102 m := len(x) 1103 n := len(y) 1104 if m > n { 1105 m = n 1106 } 1107 // m <= n 1108 1109 z = z.make(m) 1110 for i := 0; i < m; i++ { 1111 z[i] = x[i] & y[i] 1112 } 1113 1114 return z.norm() 1115} 1116 1117func (z nat) andNot(x, y nat) nat { 1118 m := len(x) 1119 n := len(y) 1120 if n > m { 1121 n = m 1122 } 1123 // m >= n 1124 1125 z = z.make(m) 1126 for i := 0; i < n; i++ { 1127 z[i] = x[i] &^ y[i] 1128 } 1129 copy(z[n:m], x[n:m]) 1130 1131 return z.norm() 1132} 1133 1134func (z nat) or(x, y nat) nat { 1135 m := len(x) 1136 n := len(y) 1137 s := x 1138 if m < n { 1139 n, m = m, n 1140 s = y 1141 } 1142 // m >= n 1143 1144 z = z.make(m) 1145 for i := 0; i < n; i++ { 1146 z[i] = x[i] | y[i] 1147 } 1148 copy(z[n:m], s[n:m]) 1149 1150 return z.norm() 1151} 1152 1153func (z nat) xor(x, y nat) nat { 1154 m := len(x) 1155 n := len(y) 1156 s := x 1157 if m < n { 1158 n, m = m, n 1159 s = y 1160 } 1161 // m >= n 1162 1163 z = z.make(m) 1164 for i := 0; i < n; i++ { 1165 z[i] = x[i] ^ y[i] 1166 } 1167 copy(z[n:m], s[n:m]) 1168 1169 return z.norm() 1170} 1171 1172// greaterThan reports whether (x1<<_W + x2) > (y1<<_W + y2) 1173func greaterThan(x1, x2, y1, y2 Word) bool { 1174 return x1 > y1 || x1 == y1 && x2 > y2 1175} 1176 1177// modW returns x % d. 1178func (x nat) modW(d Word) (r Word) { 1179 // TODO(agl): we don't actually need to store the q value. 1180 var q nat 1181 q = q.make(len(x)) 1182 return divWVW(q, 0, x, d) 1183} 1184 1185// random creates a random integer in [0..limit), using the space in z if 1186// possible. n is the bit length of limit. 1187func (z nat) random(rand *rand.Rand, limit nat, n int) nat { 1188 if alias(z, limit) { 1189 z = nil // z is an alias for limit - cannot reuse 1190 } 1191 z = z.make(len(limit)) 1192 1193 bitLengthOfMSW := uint(n % _W) 1194 if bitLengthOfMSW == 0 { 1195 bitLengthOfMSW = _W 1196 } 1197 mask := Word((1 << bitLengthOfMSW) - 1) 1198 1199 for { 1200 switch _W { 1201 case 32: 1202 for i := range z { 1203 z[i] = Word(rand.Uint32()) 1204 } 1205 case 64: 1206 for i := range z { 1207 z[i] = Word(rand.Uint32()) | Word(rand.Uint32())<<32 1208 } 1209 default: 1210 panic("unknown word size") 1211 } 1212 z[len(limit)-1] &= mask 1213 if z.cmp(limit) < 0 { 1214 break 1215 } 1216 } 1217 1218 return z.norm() 1219} 1220 1221// If m != 0 (i.e., len(m) != 0), expNN sets z to x**y mod m; 1222// otherwise it sets z to x**y. The result is the value of z. 1223func (z nat) expNN(x, y, m nat) nat { 1224 if alias(z, x) || alias(z, y) { 1225 // We cannot allow in-place modification of x or y. 1226 z = nil 1227 } 1228 1229 // x**y mod 1 == 0 1230 if len(m) == 1 && m[0] == 1 { 1231 return z.setWord(0) 1232 } 1233 // m == 0 || m > 1 1234 1235 // x**0 == 1 1236 if len(y) == 0 { 1237 return z.setWord(1) 1238 } 1239 // y > 0 1240 1241 // x**1 mod m == x mod m 1242 if len(y) == 1 && y[0] == 1 && len(m) != 0 { 1243 _, z = nat(nil).div(z, x, m) 1244 return z 1245 } 1246 // y > 1 1247 1248 if len(m) != 0 { 1249 // We likely end up being as long as the modulus. 1250 z = z.make(len(m)) 1251 } 1252 z = z.set(x) 1253 1254 // If the base is non-trivial and the exponent is large, we use 1255 // 4-bit, windowed exponentiation. This involves precomputing 14 values 1256 // (x^2...x^15) but then reduces the number of multiply-reduces by a 1257 // third. Even for a 32-bit exponent, this reduces the number of 1258 // operations. Uses Montgomery method for odd moduli. 1259 if x.cmp(natOne) > 0 && len(y) > 1 && len(m) > 0 { 1260 if m[0]&1 == 1 { 1261 return z.expNNMontgomery(x, y, m) 1262 } 1263 return z.expNNWindowed(x, y, m) 1264 } 1265 1266 v := y[len(y)-1] // v > 0 because y is normalized and y > 0 1267 shift := nlz(v) + 1 1268 v <<= shift 1269 var q nat 1270 1271 const mask = 1 << (_W - 1) 1272 1273 // We walk through the bits of the exponent one by one. Each time we 1274 // see a bit, we square, thus doubling the power. If the bit is a one, 1275 // we also multiply by x, thus adding one to the power. 1276 1277 w := _W - int(shift) 1278 // zz and r are used to avoid allocating in mul and div as 1279 // otherwise the arguments would alias. 1280 var zz, r nat 1281 for j := 0; j < w; j++ { 1282 zz = zz.sqr(z) 1283 zz, z = z, zz 1284 1285 if v&mask != 0 { 1286 zz = zz.mul(z, x) 1287 zz, z = z, zz 1288 } 1289 1290 if len(m) != 0 { 1291 zz, r = zz.div(r, z, m) 1292 zz, r, q, z = q, z, zz, r 1293 } 1294 1295 v <<= 1 1296 } 1297 1298 for i := len(y) - 2; i >= 0; i-- { 1299 v = y[i] 1300 1301 for j := 0; j < _W; j++ { 1302 zz = zz.sqr(z) 1303 zz, z = z, zz 1304 1305 if v&mask != 0 { 1306 zz = zz.mul(z, x) 1307 zz, z = z, zz 1308 } 1309 1310 if len(m) != 0 { 1311 zz, r = zz.div(r, z, m) 1312 zz, r, q, z = q, z, zz, r 1313 } 1314 1315 v <<= 1 1316 } 1317 } 1318 1319 return z.norm() 1320} 1321 1322// expNNWindowed calculates x**y mod m using a fixed, 4-bit window. 1323func (z nat) expNNWindowed(x, y, m nat) nat { 1324 // zz and r are used to avoid allocating in mul and div as otherwise 1325 // the arguments would alias. 1326 var zz, r nat 1327 1328 const n = 4 1329 // powers[i] contains x^i. 1330 var powers [1 << n]nat 1331 powers[0] = natOne 1332 powers[1] = x 1333 for i := 2; i < 1<<n; i += 2 { 1334 p2, p, p1 := &powers[i/2], &powers[i], &powers[i+1] 1335 *p = p.sqr(*p2) 1336 zz, r = zz.div(r, *p, m) 1337 *p, r = r, *p 1338 *p1 = p1.mul(*p, x) 1339 zz, r = zz.div(r, *p1, m) 1340 *p1, r = r, *p1 1341 } 1342 1343 z = z.setWord(1) 1344 1345 for i := len(y) - 1; i >= 0; i-- { 1346 yi := y[i] 1347 for j := 0; j < _W; j += n { 1348 if i != len(y)-1 || j != 0 { 1349 // Unrolled loop for significant performance 1350 // gain. Use go test -bench=".*" in crypto/rsa 1351 // to check performance before making changes. 1352 zz = zz.sqr(z) 1353 zz, z = z, zz 1354 zz, r = zz.div(r, z, m) 1355 z, r = r, z 1356 1357 zz = zz.sqr(z) 1358 zz, z = z, zz 1359 zz, r = zz.div(r, z, m) 1360 z, r = r, z 1361 1362 zz = zz.sqr(z) 1363 zz, z = z, zz 1364 zz, r = zz.div(r, z, m) 1365 z, r = r, z 1366 1367 zz = zz.sqr(z) 1368 zz, z = z, zz 1369 zz, r = zz.div(r, z, m) 1370 z, r = r, z 1371 } 1372 1373 zz = zz.mul(z, powers[yi>>(_W-n)]) 1374 zz, z = z, zz 1375 zz, r = zz.div(r, z, m) 1376 z, r = r, z 1377 1378 yi <<= n 1379 } 1380 } 1381 1382 return z.norm() 1383} 1384 1385// expNNMontgomery calculates x**y mod m using a fixed, 4-bit window. 1386// Uses Montgomery representation. 1387func (z nat) expNNMontgomery(x, y, m nat) nat { 1388 numWords := len(m) 1389 1390 // We want the lengths of x and m to be equal. 1391 // It is OK if x >= m as long as len(x) == len(m). 1392 if len(x) > numWords { 1393 _, x = nat(nil).div(nil, x, m) 1394 // Note: now len(x) <= numWords, not guaranteed ==. 1395 } 1396 if len(x) < numWords { 1397 rr := make(nat, numWords) 1398 copy(rr, x) 1399 x = rr 1400 } 1401 1402 // Ideally the precomputations would be performed outside, and reused 1403 // k0 = -m**-1 mod 2**_W. Algorithm from: Dumas, J.G. "On Newton–Raphson 1404 // Iteration for Multiplicative Inverses Modulo Prime Powers". 1405 k0 := 2 - m[0] 1406 t := m[0] - 1 1407 for i := 1; i < _W; i <<= 1 { 1408 t *= t 1409 k0 *= (t + 1) 1410 } 1411 k0 = -k0 1412 1413 // RR = 2**(2*_W*len(m)) mod m 1414 RR := nat(nil).setWord(1) 1415 zz := nat(nil).shl(RR, uint(2*numWords*_W)) 1416 _, RR = nat(nil).div(RR, zz, m) 1417 if len(RR) < numWords { 1418 zz = zz.make(numWords) 1419 copy(zz, RR) 1420 RR = zz 1421 } 1422 // one = 1, with equal length to that of m 1423 one := make(nat, numWords) 1424 one[0] = 1 1425 1426 const n = 4 1427 // powers[i] contains x^i 1428 var powers [1 << n]nat 1429 powers[0] = powers[0].montgomery(one, RR, m, k0, numWords) 1430 powers[1] = powers[1].montgomery(x, RR, m, k0, numWords) 1431 for i := 2; i < 1<<n; i++ { 1432 powers[i] = powers[i].montgomery(powers[i-1], powers[1], m, k0, numWords) 1433 } 1434 1435 // initialize z = 1 (Montgomery 1) 1436 z = z.make(numWords) 1437 copy(z, powers[0]) 1438 1439 zz = zz.make(numWords) 1440 1441 // same windowed exponent, but with Montgomery multiplications 1442 for i := len(y) - 1; i >= 0; i-- { 1443 yi := y[i] 1444 for j := 0; j < _W; j += n { 1445 if i != len(y)-1 || j != 0 { 1446 zz = zz.montgomery(z, z, m, k0, numWords) 1447 z = z.montgomery(zz, zz, m, k0, numWords) 1448 zz = zz.montgomery(z, z, m, k0, numWords) 1449 z = z.montgomery(zz, zz, m, k0, numWords) 1450 } 1451 zz = zz.montgomery(z, powers[yi>>(_W-n)], m, k0, numWords) 1452 z, zz = zz, z 1453 yi <<= n 1454 } 1455 } 1456 // convert to regular number 1457 zz = zz.montgomery(z, one, m, k0, numWords) 1458 1459 // One last reduction, just in case. 1460 // See golang.org/issue/13907. 1461 if zz.cmp(m) >= 0 { 1462 // Common case is m has high bit set; in that case, 1463 // since zz is the same length as m, there can be just 1464 // one multiple of m to remove. Just subtract. 1465 // We think that the subtract should be sufficient in general, 1466 // so do that unconditionally, but double-check, 1467 // in case our beliefs are wrong. 1468 // The div is not expected to be reached. 1469 zz = zz.sub(zz, m) 1470 if zz.cmp(m) >= 0 { 1471 _, zz = nat(nil).div(nil, zz, m) 1472 } 1473 } 1474 1475 return zz.norm() 1476} 1477 1478// bytes writes the value of z into buf using big-endian encoding. 1479// len(buf) must be >= len(z)*_S. The value of z is encoded in the 1480// slice buf[i:]. The number i of unused bytes at the beginning of 1481// buf is returned as result. 1482func (z nat) bytes(buf []byte) (i int) { 1483 i = len(buf) 1484 for _, d := range z { 1485 for j := 0; j < _S; j++ { 1486 i-- 1487 buf[i] = byte(d) 1488 d >>= 8 1489 } 1490 } 1491 1492 for i < len(buf) && buf[i] == 0 { 1493 i++ 1494 } 1495 1496 return 1497} 1498 1499// bigEndianWord returns the contents of buf interpreted as a big-endian encoded Word value. 1500func bigEndianWord(buf []byte) Word { 1501 if _W == 64 { 1502 return Word(binary.BigEndian.Uint64(buf)) 1503 } 1504 return Word(binary.BigEndian.Uint32(buf)) 1505} 1506 1507// setBytes interprets buf as the bytes of a big-endian unsigned 1508// integer, sets z to that value, and returns z. 1509func (z nat) setBytes(buf []byte) nat { 1510 z = z.make((len(buf) + _S - 1) / _S) 1511 1512 i := len(buf) 1513 for k := 0; i >= _S; k++ { 1514 z[k] = bigEndianWord(buf[i-_S : i]) 1515 i -= _S 1516 } 1517 if i > 0 { 1518 var d Word 1519 for s := uint(0); i > 0; s += 8 { 1520 d |= Word(buf[i-1]) << s 1521 i-- 1522 } 1523 z[len(z)-1] = d 1524 } 1525 1526 return z.norm() 1527} 1528 1529// sqrt sets z = ⌊√x⌋ 1530func (z nat) sqrt(x nat) nat { 1531 if x.cmp(natOne) <= 0 { 1532 return z.set(x) 1533 } 1534 if alias(z, x) { 1535 z = nil 1536 } 1537 1538 // Start with value known to be too large and repeat "z = ⌊(z + ⌊x/z⌋)/2⌋" until it stops getting smaller. 1539 // See Brent and Zimmermann, Modern Computer Arithmetic, Algorithm 1.13 (SqrtInt). 1540 // https://members.loria.fr/PZimmermann/mca/pub226.html 1541 // If x is one less than a perfect square, the sequence oscillates between the correct z and z+1; 1542 // otherwise it converges to the correct z and stays there. 1543 var z1, z2 nat 1544 z1 = z 1545 z1 = z1.setUint64(1) 1546 z1 = z1.shl(z1, uint(x.bitLen()+1)/2) // must be ≥ √x 1547 for n := 0; ; n++ { 1548 z2, _ = z2.div(nil, x, z1) 1549 z2 = z2.add(z2, z1) 1550 z2 = z2.shr(z2, 1) 1551 if z2.cmp(z1) >= 0 { 1552 // z1 is answer. 1553 // Figure out whether z1 or z2 is currently aliased to z by looking at loop count. 1554 if n&1 == 0 { 1555 return z1 1556 } 1557 return z.set(z1) 1558 } 1559 z1, z2 = z2, z1 1560 } 1561} 1562