1 /**
2 * Number Theory Functions
3 * 
4 * Copyright:
5 * (C) 1999-2007 Jack Lloyd
6 * (C) 2014-2015 Etienne Cimon
7 *
8 * License:
9 * Botan is released under the Simplified BSD License (see LICENSE.md)
10 */
11 module botan.math.numbertheory.numthry;
12 
13 import botan.constants;
14 static if (BOTAN_HAS_PUBLIC_KEY_CRYPTO):
15 
16 public import botan.math.bigint.bigint;
17 public import botan.math.numbertheory.pow_mod;
18 public import botan.math.numbertheory.primes;
19 public import botan.utils.types;
20 import botan.rng.rng;
21 import botan.hash.hash;
22 import botan.utils.parsing;
23 import std.algorithm;
24 import botan.math.numbertheory.reducer;
25 import botan.utils.bit_ops;
26 import botan.math.mp.mp_core;
27 import botan.utils.rounding;
28 import botan.algo_factory.algo_factory : AlgorithmFactory;
29 import botan.constants;
30 import std.conv : to;
31 import std.traits : isPointer;
32 
33 /**
34 * Fused multiply-add
35 * Params:
36 *  a = an integer
37 *  b = an integer
38 *  c = an integer
39 * Returns: (a*b)+c
40 */
41 /*
42 * Multiply-Add Operation
43 */
44 BigInt mulAdd(const(BigInt)* a, const(BigInt)* b, const(BigInt)* c)
45 {
46     if (c.isNegative() || c.isZero())
47         throw new InvalidArgument("mulAdd: Third argument must be > 0");
48     
49     BigInt.Sign sign = BigInt.Positive;
50     if (a.sign() != b.sign())
51         sign = BigInt.Negative;
52     
53     const size_t a_sw = a.sigWords();
54     const size_t b_sw = b.sigWords();
55     const size_t c_sw = c.sigWords();
56     
57     BigInt r = BigInt(sign, std.algorithm.max(a.length + b.length, c_sw) + 1);
58     SecureVector!word workspace = SecureVector!word(r.length);
59     
60     bigint_mul(r.mutablePtr(), r.length, workspace.ptr, a.ptr, a.length, a_sw, b.ptr, b.length, b_sw);
61     
62     const size_t r_size = std.algorithm.max(r.sigWords(), c_sw);
63     bigint_add2(r.mutablePtr(), r_size, c.ptr, c_sw);
64     return r;
65 }
66 
67 
68 /**
69 * Fused subtract-multiply
70 * Params:
71 *  a = an integer
72 *  b = an integer
73 *  c = an integer
74 * Returns: (a-b)*c
75 */
76 BigInt subMul(const(BigInt)* a, const(BigInt)* b, const(BigInt)* c)
77 {
78     if (a.isNegative() || b.isNegative())
79         throw new InvalidArgument("subMul: First two arguments must be >= 0");
80     
81     BigInt r = a.dup;
82     r -= b;
83     r *= c;
84     return r.move();
85 }
86 
87 /**
88 * Return the absolute value
89 * Params:
90 *  n = an integer
91 * Returns: absolute value of n
92 */
93  BigInt abs(const(BigInt)* n) { return n.abs(); }
94 
95 /**
96 * Compute the greatest common divisor
97 * Params:
98 *  a = positive integer x
99 *  b = positive integer y
100 * Returns: gcd(x,y)
101 */
102 BigInt gcd(const(BigInt)* a, const(BigInt)* b)
103 {
104     if (a.isZero() || b.isZero()) return BigInt(0);
105     if (*a == 1 || *b == 1)         return BigInt(1);
106     
107     BigInt x = a.dup, y = b.dup;
108     x.setSign(BigInt.Positive);
109     y.setSign(BigInt.Positive);
110     size_t shift = std.algorithm.min(lowZeroBits(&x), lowZeroBits(&y));
111     
112     x >>= shift;
113     y >>= shift;
114     
115     while (x.isNonzero())
116     {
117         x >>= lowZeroBits(&x);
118         y >>= lowZeroBits(&y);
119         if (x >= y) { x -= y; x >>= 1; }
120         else         { y -= x; y >>= 1; }
121     }
122     
123     return (y << shift);
124 }
125 
126 /**
127 * Least common multiple
128 * Params:
129 *  a = a positive integer x
130 *  b = a positive integer y
131 * Returns: z, smallest integer such that z % x == 0 and z % y == 0
132 */
133 BigInt lcm(const(BigInt)* a, const(BigInt)* b)
134 {
135 	auto a_b = (*a * b);
136 	auto gcd_a_b = gcd(a, b);
137     return a_b/gcd_a_b;
138 }
139 
140 BigInt lcm(const(BigInt) a, const(BigInt) b)
141 {
142     return (lcm(&a, &b));
143 }
144 /**
145 * Params:
146 *  x = an integer
147 * Returns: (x*x)
148 */
149 BigInt square(const(BigInt)* x)
150 {
151     const size_t x_sw = x.sigWords();
152     
153     BigInt z = BigInt(BigInt.Positive, roundUp!size_t(2*x_sw, 16));
154     SecureVector!word workspace = SecureVector!word(z.length);
155     
156     bigint_sqr(z.mutablePtr(), z.length, workspace.ptr, x.ptr, x.length, x_sw);
157     return z;
158 }
159 
160 /**
161 * Modular inversion
162 * Params:
163 *  n = a positive integer x
164 *  mod = a positive integer modulus
165 * Returns: y st (x*y) % modulus == 1
166 */
167 BigInt inverseMod(const(BigInt)* n, const(BigInt)* mod)
168 {
169     if (mod.isZero())
170         throw new BigInt.DivideByZero();
171     if (mod.isNegative() || n.isNegative())
172         throw new InvalidArgument("inverseMod: arguments must be non-negative");
173     
174     if (n.isZero() || (n.isEven() && mod.isEven()))
175         return BigInt(0); // fast fail checks
176     
177     if (mod.isOdd())
178         return inverseModOddModulus(n, mod);
179     
180     BigInt u = mod.dup, v = n.dup;
181     BigInt A = BigInt(1);
182     BigInt B = BigInt(0);
183     BigInt C = BigInt(0);
184     BigInt D = BigInt(1);
185     
186     while (u.isNonzero())
187     {
188         const size_t u_zero_bits = lowZeroBits(&u);
189         u >>= u_zero_bits;
190         foreach (size_t i; 0 .. u_zero_bits)
191         {
192             if (A.isOdd() || B.isOdd())
193             { A += *n; B -= *mod; }
194             A >>= 1; B >>= 1;
195         }
196         
197         const size_t v_zero_bits = lowZeroBits(&v);
198         v >>= v_zero_bits;
199         foreach (size_t i; 0 .. v_zero_bits)
200         {
201             if (C.isOdd() || D.isOdd())
202             { C += *n; D -= *mod; }
203             C >>= 1; D >>= 1;
204         }
205         
206         if (u >= v) { u -= v; A -= C; B -= D; }
207         else         { v -= u; C -= A; D -= B; }
208     }
209     
210     if (v != 1)
211         return BigInt(0); // no modular inverse
212     
213     while (D.isNegative()) D += *mod;
214     while (D >= *mod) D -= *mod;
215     
216     return D.move();
217 }
218 
219 
220 /**
221 * Compute the Jacobi symbol. If n is prime, this is equivalent
222 * to the Legendre symbol.
223 * @see http://mathworld.wolfram.com/JacobiSymbol.html
224 *
225 * Params:
226 *  a = is a non-negative integer
227 *  n = is an odd integer > 1
228 * Returns: (n / m)
229 */
230 int jacobi(const(BigInt)* a, const(BigInt)* n)
231 {
232     if (a.isNegative())
233         throw new InvalidArgument("jacobi: first argument must be non-negative");
234     if (n.isEven() || (*n) < 2)
235         throw new InvalidArgument("jacobi: second argument must be odd and > 1");
236     
237     BigInt x = (*a).dup, y = (*n).dup;
238     int J = 1;
239     
240     while (y > 1)
241     {
242         x %= y;
243         if (x > y / 2)
244         {
245             x = y - x;
246             if (y % 4 == 3)
247                 J = -J;
248         }
249         if (x.isZero())
250             return 0;
251         
252         size_t shifts = lowZeroBits(&x);
253         x >>= shifts;
254         if (shifts % 2)
255         {
256             word y_mod_8 = y % 8;
257             if (y_mod_8 == 3 || y_mod_8 == 5)
258                 J = -J;
259         }
260         
261         if (x % 4 == 3 && y % 4 == 3)
262             J = -J;
263         std.algorithm.swap(x, y);
264     }
265     return J;
266 }
267 
268 /**
269 * Modular exponentation
270 * Params:
271 *  base = an integer base b
272 *  exp = a positive exponent x
273 *  mod = a positive modulus m
274 * Returns: (b^x) % m
275 */
276 BigInt powerMod(const(BigInt)* base, const(BigInt)* exp, const(BigInt)* mod)
277 {
278 	auto pow_mod = scoped!PowerMod(mod);
279 
280     /*
281     * Calling setBase before setExponent means we end up using a
282     * minimal window. This makes sense given that here we know that any
283     * precomputation is wasted.
284     */
285     pow_mod.setBase(base);
286     pow_mod.setExponent(exp);
287     return pow_mod.execute();
288 }
289 
290 
291 /**
292 * Compute the square root of x modulo a prime using the
293 * Shanks-Tonnelli algorithm
294 *
295 * Params:
296 *  a = the input x
297 *  p = the prime p
298 * Returns: y such that (y*y)%p == x, or -1 if no such integer
299 */
300 
301 /*
302 * Shanks-Tonnelli algorithm
303 */
304 BigInt ressol(const(BigInt)* a, const(BigInt)* p)
305 {
306     if (*a == 0)
307         return BigInt(0);
308 	else if (*a < 0)
309 		throw new InvalidArgument("ressol(): a to solve for must be positive");
310 
311     if (*p == 2)
312         return a.dup;
313 	else if (*p <= 1)
314 		throw new InvalidArgument("ressol(): prime must be > 1");
315 	else if(p.isEven())
316 	   throw new InvalidArgument("ressol(): invalid prime");
317     if (jacobi(a, p) != 1) { // not a quadratic residue
318         auto bi = -BigInt(1);
319         return bi.move();
320     }
321     
322     if ((*p) % 4 == 3) {
323         auto p_mod = (((*p)+1) >> 2);       
324         return powerMod(a, &p_mod, p);
325     }
326     auto s_diff = (*p) - 1;
327     size_t s = lowZeroBits(&s_diff);
328     BigInt q = (*p) >> s;
329     
330     q -= 1;
331     q >>= 1;
332     
333     ModularReducer mod_p = ModularReducer(*p);
334     
335     BigInt r = powerMod(a, &q, p);
336     auto r_1 = mod_p.square(&r);
337     BigInt n = mod_p.multiply(a, &r_1);
338     r = mod_p.multiply(&r, a);
339     
340     if (n == 1)
341         return r.move();
342     
343     // find random non quadratic residue z
344     BigInt z = 2;
345     while (jacobi(&z, p) == 1) // while z quadratic residue
346         ++z;
347     auto c_0 = (q << 1) + 1;
348     BigInt c = powerMod(&z, &c_0, p);
349     
350     while (n > 1)
351     {
352         q = n.dup();
353         
354         size_t i = 0;
355         while (q != 1)
356         {
357             q = mod_p.square(&q);
358 			++i;
359 			if (i >= s) {
360 				auto bi = -BigInt(1);
361 				return bi.move();
362 			}
363         }        
364         auto c_1 = BigInt.powerOf2(s-i-1);
365         c = powerMod(&c, &c_1, p);
366         r = mod_p.multiply(&r, &c);
367         c = mod_p.square(&c);
368         n = mod_p.multiply(&n, &c);
369         s = i;
370     }
371     
372     return r.move();
373 }
374 
375 /*
376 * Compute -input^-1 mod 2^MP_WORD_BITS. Returns zero if input
377 * is even. If input is odd, input and 2^n are relatively prime
378 * and an inverse exists.
379 */
380 word montyInverse(word input)
381 {
382     word b = input;
383     word x2 = 1, x1 = 0, y2 = 0, y1 = 1;
384     
385     // First iteration, a = n+1
386     word q = bigint_divop(1, 0, b);
387     word r = (MP_WORD_MAX - q*b) + 1;
388     word x = x2 - q*x1;
389     word y = y2 - q*y1;
390     
391     word a = b;
392     b = r;
393     x2 = x1;
394     x1 = x;
395     y2 = y1;
396     y1 = y;
397     
398     while (b > 0)
399     {
400         q = a / b;
401         r = a - q*b;
402         x = x2 - q*x1;
403         y = y2 - q*y1;
404         
405         a = b;
406         b = r;
407         x2 = x1;
408         x1 = x;
409         y2 = y1;
410         y1 = y;
411     }
412     
413     // Now invert in addition space
414     y2 = (MP_WORD_MAX - y2) + 1;
415     
416     return y2;
417 }
418 
419 /**
420 * Params:
421 *  n = a positive integer x
422 * Returns: count of the zero bits in x, or, equivalently, the largest
423 *            value of n such that 2^n divides x evenly. Returns zero if
424 *            n is less than or equal to zero.
425 */
426 size_t lowZeroBits(const(BigInt)* n)
427 {
428     size_t low_zero = 0;
429     
430     if (n.isPositive() && n.isNonzero())
431     {
432         for (size_t i = 0; i != n.length; ++i)
433         {
434             const word x = n.wordAt(i);
435             
436             if (x)
437             {
438                 low_zero += ctz(x);
439                 break;
440             }
441             else
442                 low_zero += BOTAN_MP_WORD_BITS;
443         }
444     }
445     
446     return low_zero;
447 }
448 
449 /**
450 * Check for primality using Miller-Rabin
451 * Params:
452 *  n = a positive integer to test for primality
453 *  rng = a random number generator
454 *  prob = chance of false positive is bounded by 1/2**prob
455 *  is_random = true if n was randomly chosen by us
456 * Returns: true if all primality tests passed, otherwise false
457 */
458 bool isPrime(const(BigInt)* n, RandomNumberGenerator rng, size_t prob = 56, bool is_random = false)
459 {
460     import std.range : assumeSorted, SortedRange, empty;
461     if (*n == 2)
462         return true;
463     if (*n <= 1 || n.isEven())
464         return false;
465     
466     // Fast path testing for small numbers (<= 65521)
467     if (*n <= PRIMES[PRIME_TABLE_SIZE-1])
468     {
469         const ushort num = cast(ushort) n.wordAt(0);
470         auto r = assumeSorted(PRIMES[0..$]);
471         return !r.equalRange(num).empty;
472     }
473 
474     const size_t test_iterations = mrTestIterations(n.bits(), prob, is_random);
475     const BigInt n_minus_1 = (*n) - 1;
476     const size_t s = lowZeroBits(&n_minus_1);
477     auto left_shift = n_minus_1 >> s;
478     auto pow_mod = scoped!FixedExponentPowerModImpl(cast(BigInt*)&left_shift, cast(BigInt*)n);
479     ModularReducer reducer = ModularReducer(*n);
480     
481     foreach (size_t i; 0 .. test_iterations)
482     {
483         auto bi = BigInt(2);
484         const BigInt a = BigInt.randomInteger(rng, bi, n_minus_1);
485         BigInt y = cast(BigInt)pow_mod.opCall(cast(BigInt*)&a);
486         if (mrWitness(y, reducer, &n_minus_1, s))
487             return false;
488     }
489     
490     return true;
491 }
492 
493 bool quickCheckPrime(const(BigInt)* n, RandomNumberGenerator rng)
494 { return isPrime(n, rng, 32); }
495 
496 bool checkPrime(const(BigInt)* n, RandomNumberGenerator rng)
497 { return isPrime(n, rng, 56); }
498 
499 bool verifyPrime(const(BigInt)* n, RandomNumberGenerator rng)
500 { return isPrime(n, rng, 80); }
501 
502 /**
503 * Randomly generate a prime
504 * Params:
505 *  rng = a random number generator
506 *  bits = how large the resulting prime should be in bits
507 *  coprime = a positive integer the result should be coprime to
508 *  equiv = a non-negative number that the result should be
509                     equivalent to modulo equiv_mod
510 *  modulo = the modulus equiv should be checked against
511 * Returns: random prime with the specified criteria
512 */
513 BigInt randomPrime(RandomNumberGenerator rng,
514                      size_t bits, const(BigInt)* coprime,
515                      size_t equiv = 1, size_t modulo = 2)
516 {
517     if (bits <= 1)
518         throw new InvalidArgument("randomPrime: Can't make a prime of " ~ to!string(bits) ~ " bits");
519     else if (bits == 2)
520         return ((rng.nextByte() % 2) ? BigInt(2) : BigInt(3));
521     else if (bits == 3)
522         return ((rng.nextByte() % 2) ? BigInt(5) : BigInt(7));
523     else if (bits == 4)
524         return ((rng.nextByte() % 2) ? BigInt(11) : BigInt(13));
525     
526     if (*coprime <= 0)
527         throw new InvalidArgument("randomPrime: coprime must be > 0");
528     if (modulo % 2 == 1 || modulo == 0)
529         throw new InvalidArgument("randomPrime: Invalid modulo value");
530     if (equiv >= modulo || equiv % 2 == 0)
531         throw new InvalidArgument("randomPrime: equiv must be < modulo, and odd");
532     
533     while (true)
534     {
535         BigInt p = BigInt(rng, bits);
536         
537         // Force lowest and two top bits on
538         p.setBit(bits - 1);
539         p.setBit(bits - 2);
540         p.setBit(0);
541         
542         if (p % modulo != equiv)
543             p += (modulo - p % modulo) + equiv;
544         
545         const size_t sieve_size = std.algorithm.min(bits / 2, PRIME_TABLE_SIZE);
546         SecureVector!ushort sieve = SecureVector!ushort(sieve_size);
547         
548         for (size_t j = 0; j != sieve.length; ++j)
549             sieve[j] = cast(ushort)( p % PRIMES[j]);
550         
551         size_t counter = 0;
552         while (true)
553         {
554             if (counter == 4096 || p.bits() > bits)
555                 break;
556             
557             bool passes_sieve = true;
558             ++counter;
559             p += modulo;
560             
561             if (p.bits() > bits)
562                 break;
563             
564             for (size_t j = 0; j != sieve.length; ++j)
565             {
566                 sieve[j] = cast(ushort)((sieve[j] + modulo) % PRIMES[j]);
567                 if (sieve[j] == 0)
568                     passes_sieve = false;
569             }
570 			auto one = BigInt(1);
571 			auto p_1 = p - one;
572 			auto gcd_coprime = gcd(&p_1, coprime);
573             if (!passes_sieve || gcd_coprime != one)
574                 continue;
575             if (isPrime(&p, rng, 64, true))
576                 return p.move;
577         }
578     }
579 }
580 
581 /// ditto
582 BigInt randomPrime(RandomNumberGenerator rng,
583     size_t bits, const BigInt coprime = BigInt(1),
584     size_t equiv = 1, size_t modulo = 2)
585 {
586     return randomPrime(rng, bits, &coprime, equiv, modulo);
587 }
588 
589 /**
590 * Return a random 'safe' prime, of the form p=2*q+1 with q prime
591 * Params:
592 *  rng = a random number generator
593 *  bits = is how long the resulting prime should be
594 * Returns: prime randomly chosen from safe primes of length bits
595 */
596 BigInt randomSafePrime(RandomNumberGenerator rng, size_t bits)
597 {
598     if (bits <= 64)
599         throw new InvalidArgument("randomSafePrime: Can't make a prime of " ~ to!string(bits) ~ " bits");
600     
601     BigInt p;
602     do
603         p = (randomPrime(rng, bits - 1) << 1) + 1;
604     while (!isPrime(&p, rng, 64, true));
605     return p;
606 }
607 
608 /**
609 * Generate DSA parameters using the FIPS 186 kosherizer
610 * Params:
611 *  rng = a random number generator
612 *  af = an algorithm factory
613 *  p_out = where the prime p will be stored
614 *  q_out = where the prime q will be stored
615 *  pbits = how long p will be in bits
616 *  qbits = how long q will be in bits
617 * Returns: random seed used to generate this parameter set
618 */
619 Vector!ubyte generateDsaPrimes(RandomNumberGenerator rng,
620                                AlgorithmFactory af,
621                                ref BigInt p_out, ref BigInt q_out,
622                                size_t pbits, size_t qbits)
623 {
624     while (true)
625     {
626         Vector!ubyte seed = Vector!ubyte(qbits / 8);
627         rng.randomize(seed.ptr, seed.length);
628         
629         if (generateDsaPrimes(rng, af, p_out, q_out, pbits, qbits, seed))
630             return seed;
631     }
632 }
633 
634 
635 /**
636 * Generate DSA parameters using the FIPS 186 kosherizer
637 * Params:
638 *  rng = a random number generator
639 *  af = an algorithm factory
640 *  p_out = where the prime p will be stored
641 *  q_out = where the prime q will be stored
642 *  pbits = how long p will be in bits
643 *  qbits = how long q will be in bits
644 *  seed_c = the seed used to generate the parameters
645 * Returns: true if seed generated a valid DSA parameter set, otherwise
646              false. p_out and q_out are only valid if true was returned.
647 */
648 bool generateDsaPrimes()(RandomNumberGenerator rng,
649                          AlgorithmFactory af,
650                          ref BigInt p_out, ref BigInt q_out,
651                          size_t pbits, size_t qbits,
652                          auto const ref Vector!ubyte seed_c)
653 {
654     if (!fips1863ValidSize(pbits, qbits))
655         throw new InvalidArgument(
656             "FIPS 186-3 does not allow DSA domain parameters of " ~ to!string(pbits) ~ "/" ~ to!string(qbits) ~ " bits long");
657     
658     if (seed_c.length * 8 < qbits)
659         throw new InvalidArgument("Generating a DSA parameter set with a " ~ to!string(qbits) ~ 
660                                    "long q requires a seed at least as many bits long");
661     
662     Unique!HashFunction hash = af.makeHashFunction("SHA-" ~ to!string(qbits));
663     
664     const size_t HASH_SIZE = hash.outputLength;
665     
666     struct Seed
667     {
668     public:
669         this(const(Vector!ubyte)* s) { m_seed = s.dup(); }
670         
671         ref T opCast(T : Vector!ubyte)() { return m_seed; }
672         
673         alias m_seed this;
674         
675         ref Seed opUnary(string op)()
676             if (op == "++")
677         {
678             for (size_t j = m_seed.length; j > 0; --j)
679                 if (++m_seed[j-1])
680                     break;
681             return this;
682         }
683     private:
684         Vector!ubyte m_seed;
685     }
686     
687     Seed seed = Seed(&seed_c);
688     
689     q_out.binaryDecode(hash.process(seed));
690     q_out.setBit(qbits-1);
691     q_out.setBit(0);
692     
693     if (!isPrime(&q_out, rng))
694         return false;
695     
696     const size_t n = (pbits-1) / (HASH_SIZE * 8), b = (pbits-1) % (HASH_SIZE * 8);
697     
698     BigInt X;
699     Vector!ubyte V = Vector!ubyte(HASH_SIZE * (n+1));
700     
701     foreach (size_t j; 0 .. 4096)
702     {
703         for (size_t k = 0; k <= n; ++k)
704         {
705             ++seed;
706             hash.update(seed);
707             hash.flushInto(&V[HASH_SIZE * (n-k)]);
708         }
709         
710         X.binaryDecode(&V[HASH_SIZE - 1 - b/8], V.length - (HASH_SIZE - 1 - b/8));
711         X.setBit(pbits-1);
712         
713         p_out = X - (X % (q_out*2) - 1);
714         
715         if (p_out.bits() == pbits && isPrime(&p_out, rng))
716             return true;
717     }
718     return false;
719 }
720 
721 /*
722 * Check if this size is allowed by FIPS 186-3
723 */
724 bool fips1863ValidSize(size_t pbits, size_t qbits)
725 {
726     if (qbits == 160)
727         return (pbits == 512 || pbits == 768 || pbits == 1024);
728     
729     if (qbits == 224)
730         return (pbits == 2048);
731     
732     if (qbits == 256)
733         return (pbits == 2048 || pbits == 3072);
734     
735     return false;
736 }
737 
738 /*
739 * If the modulus is odd, then we can avoid computing A and C. This is
740 * a critical path algorithm in some instances and an odd modulus is
741 * the common case for crypto, so worth special casing. See note 14.64
742 * in Handbook of Applied Cryptography for more details.
743 */
744 BigInt inverseModOddModulus(const(BigInt)* n, const(BigInt)* mod)
745 {
746     BigInt u = mod.dup;
747     BigInt v = n.dup;
748     BigInt B = BigInt(0);
749     BigInt D = BigInt(1);
750     
751     while (u.isNonzero())
752     {
753         const size_t u_zero_bits = lowZeroBits(&u);
754         u >>= u_zero_bits;
755         foreach (size_t i; 0 .. u_zero_bits)
756         {
757             if (B.isOdd())
758             { B -= *mod; }
759             B >>= 1;
760         }
761         
762         const size_t v_zero_bits = lowZeroBits(&v);
763         v >>= v_zero_bits;
764         foreach (size_t i; 0 .. v_zero_bits)
765         {
766             if (D.isOdd())
767             { D -= *mod; }
768             D >>= 1;
769         }
770         
771         if (u >= v) { u -= v; B -= D; }
772         else        { v -= u; D -= B; }
773     }
774     
775     if (v != 1)
776         return BigInt(0); // no modular inverse
777     
778     while (D.isNegative()) D += *mod;
779     while (D >= *mod) D -= *mod;
780     
781     return D.move();
782 }
783 
784 bool mrWitness(T : ModularReducer)(ref BigInt y,
785                                    auto ref T reducer_n,
786                                    const(BigInt)* n_minus_1, size_t s)
787 {
788     if (y == 1 || y == n_minus_1)
789         return false;
790     
791     foreach (size_t i; 1 .. s)
792     {
793         y = reducer_n.square(&y);
794         
795         if (y == 1) // found a non-trivial square root
796             return true;
797         if (y == n_minus_1) // -1, trivial square root, so give up
798             return false;
799     }
800     
801     return true; // fails Fermat test
802 }
803 
804 size_t mrTestIterations(size_t n_bits, size_t prob, bool random)
805 {
806     const size_t base = (prob + 2) / 2; // worst case 4^-t error rate
807     
808     /*
809     * For randomly chosen numbers we can use the estimates from
810     * http://www.math.dartmouth.edu/~carlp/PDF/paper88.pdf‎
811     *
812     * These values are derived from the inequality for p(k,t) given on
813     * the second page.
814     */
815     if (random && prob <= 80)
816     {
817         if (n_bits >= 1536)
818             return 2; // < 2^-89
819         if (n_bits >= 1024)
820             return 4; // < 2^-89
821         if (n_bits >= 512)
822             return 5; // < 2^-80
823         if (n_bits >= 256)
824             return 11; // < 2^-80
825     }
826     
827     return base;
828 }