- /*
- * @(#)BigInteger.java 1.43 01/02/16
- *
- * Copyright 1996-2001 Sun Microsystems, Inc. All Rights Reserved.
- *
- * This software is the proprietary information of Sun Microsystems, Inc.
- * Use is subject to license terms.
- *
- */
- package java.math;
- import java.util.Random;
- import java.io.*;
- /**
- * Immutable arbitrary-precision integers. All operations behave as if
- * BigIntegers were represented in two's-complement notation (like Java's
- * primitive integer types). BigInteger provides analogues to all of Java's
- * primitive integer operators, and all relevant methods from java.lang.Math.
- * Additionally, BigInteger provides operations for modular arithmetic, GCD
- * calculation, primality testing, prime generation, bit manipulation,
- * and a few other miscellaneous operations.
- * <p>
- * Semantics of arithmetic operations exactly mimic those of Java's integer
- * arithmetic operators, as defined in <i>The Java Language Specification</i>.
- * For example, division by zero throws an <tt>ArithmeticException</tt>, and
- * division of a negative by a positive yields a negative (or zero) remainder.
- * All of the details in the Spec concerning overflow are ignored, as
- * BigIntegers are made as large as necessary to accommodate the results of an
- * operation.
- * <p>
- * Semantics of shift operations extend those of Java's shift operators
- * to allow for negative shift distances. A right-shift with a negative
- * shift distance results in a left shift, and vice-versa. The unsigned
- * right shift operator (>>>) is omitted, as this operation makes
- * little sense in combination with the "infinite word size" abstraction
- * provided by this class.
- * <p>
- * Semantics of bitwise logical operations exactly mimic those of Java's
- * bitwise integer operators. The binary operators (<tt>and</tt>,
- * <tt>or</tt>, <tt>xor</tt>) implicitly perform sign extension on the shorter
- * of the two operands prior to performing the operation.
- * <p>
- * Comparison operations perform signed integer comparisons, analogous to
- * those performed by Java's relational and equality operators.
- * <p>
- * Modular arithmetic operations are provided to compute residues, perform
- * exponentiation, and compute multiplicative inverses. These methods always
- * return a non-negative result, between <tt>0</tt> and <tt>(modulus - 1)</tt>,
- * inclusive.
- * <p>
- * Bit operations operate on a single bit of the two's-complement
- * representation of their operand. If necessary, the operand is sign-
- * extended so that it contains the designated bit. None of the single-bit
- * operations can produce a BigInteger with a different sign from the
- * BigInteger being operated on, as they affect only a single bit, and the
- * "infinite word size" abstraction provided by this class ensures that there
- * are infinitely many "virtual sign bits" preceding each BigInteger.
- * <p>
- * For the sake of brevity and clarity, pseudo-code is used throughout the
- * descriptions of BigInteger methods. The pseudo-code expression
- * <tt>(i + j)</tt> is shorthand for "a BigInteger whose value is
- * that of the BigInteger <tt>i</tt> plus that of the BigInteger <tt>j</tt>."
- * The pseudo-code expression <tt>(i == j)</tt> is shorthand for
- * "<tt>true</tt> if and only if the BigInteger <tt>i</tt> represents the same
- * value as the the BigInteger <tt>j</tt>." Other pseudo-code expressions are
- * interpreted similarly.
- *
- * @see BigDecimal
- * @version 1.43, 02/16/01
- * @author Josh Bloch
- * @author Michael McCloskey
- * @since JDK1.1
- */
- public class BigInteger extends Number implements Comparable {
- /**
- * The signum of this BigInteger: -1 for negative, 0 for zero, or
- * 1 for positive. Note that the BigInteger zero <i>must</i> have
- * a signum of 0. This is necessary to ensures that there is exactly one
- * representation for each BigInteger value.
- *
- * @serial
- */
- int signum;
- /**
- * The magnitude of this BigInteger, in <i>big-endian</i> order: the
- * zeroth element of this array is the most-significant int of the
- * magnitude. The magnitude must be "minimal" in that the most-significant
- * int (<tt>mag[0]</tt>) must be non-zero. This is necessary to
- * ensure that there is exactly one representation for each BigInteger
- * value. Note that this implies that the BigInteger zero has a
- * zero-length mag array.
- */
- transient int[] mag;
- /**
- * This field is required for historical reasons. The magnitude of a
- * BigInteger used to be in a byte representation, and is still serialized
- * that way. The mag field is used in all real computations but the
- * magnitude field is required for storage.
- *
- * @serial
- */
- private byte[] magnitude;
- // These "redundant fields" are initialized with recognizable nonsense
- // values, and cached the first time they are needed (or never, if they
- // aren't needed).
- /**
- * The bitCount of this BigInteger, as returned by bitCount(), or -1
- * (either value is acceptable).
- *
- * @serial
- * @see #bitCount
- */
- private int bitCount = -1;
- /**
- * The bitLength of this BigInteger, as returned by bitLength(), or -1
- * (either value is acceptable).
- *
- * @serial
- * @see #bitLength
- */
- private int bitLength = -1;
- /**
- * The lowest set bit of this BigInteger, as returned by getLowestSetBit(),
- * or -2 (either value is acceptable).
- *
- * @serial
- * @see #getLowestSetBit
- */
- private int lowestSetBit = -2;
- /**
- * The index of the lowest-order byte in the magnitude of this BigInteger
- * that contains a nonzero byte, or -2 (either value is acceptable). The
- * least significant byte has int-number 0, the next byte in order of
- * increasing significance has byte-number 1, and so forth.
- *
- * @serial
- */
- private int firstNonzeroByteNum = -2;
- /**
- * The index of the lowest-order int in the magnitude of this BigInteger
- * that contains a nonzero int, or -2 (either value is acceptable). The
- * least significant int has int-number 0, the next int in order of
- * increasing significance has int-number 1, and so forth.
- */
- private transient int firstNonzeroIntNum = -2;
- /**
- * This mask is used to obtain the value of an int as if it were unsigned.
- */
- private final static long LONG_MASK = 0xffffffffL;
- //Constructors
- /**
- * Translates a byte array containing the two's-complement binary
- * representation of a BigInteger into a BigInteger. The input array is
- * assumed to be in <i>big-endian</i> byte-order: the most significant
- * byte is in the zeroth element.
- *
- * @param val big-endian two's-complement binary representation of
- * BigInteger.
- * @throws NumberFormatException <tt>val</tt> is zero bytes long.
- */
- public BigInteger(byte[] val) {
- if (val.length == 0)
- throw new NumberFormatException("Zero length BigInteger");
- if (val[0] < 0) {
- mag = makePositive(val);
- signum = -1;
- } else {
- mag = stripLeadingZeroBytes(val);
- signum = (mag.length == 0 ? 0 : 1);
- }
- }
- /**
- * This private constructor translates an int array containing the
- * two's-complement binary representation of a BigInteger into a
- * BigInteger. The input array is assumed to be in <i>big-endian</i>
- * int-order: the most significant int is in the zeroth element.
- */
- private BigInteger(int[] val) {
- if (val.length == 0)
- throw new NumberFormatException("Zero length BigInteger");
- if (val[0] < 0) {
- mag = makePositive(val);
- signum = -1;
- } else {
- mag = trustedStripLeadingZeroInts(val);
- signum = (mag.length == 0 ? 0 : 1);
- }
- }
- /**
- * Translates the sign-magnitude representation of a BigInteger into a
- * BigInteger. The sign is represented as an integer signum value: -1 for
- * negative, 0 for zero, or 1 for positive. The magnitude is a byte array
- * in <i>big-endian</i> byte-order: the most significant byte is in the
- * zeroth element. A zero-length magnitude array is permissible, and will
- * result in in a BigInteger value of 0, whether signum is -1, 0 or 1.
- *
- * @param signum signum of the number (-1 for negative, 0 for zero, 1
- * for positive).
- * @param magnitude big-endian binary representation of the magnitude of
- * the number.
- * @throws NumberFormatException <tt>signum</tt> is not one of the three
- * legal values (-1, 0, and 1), or <tt>signum</tt> is 0 and
- * <tt>magnitude</tt> contains one or more non-zero bytes.
- */
- public BigInteger(int signum, byte[] magnitude) {
- this.mag = stripLeadingZeroBytes(magnitude);
- if (signum < -1 || signum > 1)
- throw(new NumberFormatException("Invalid signum value"));
- if (this.mag.length==0) {
- this.signum = 0;
- } else {
- if (signum == 0)
- throw(new NumberFormatException("signum-magnitude mismatch"));
- this.signum = signum;
- }
- }
- /**
- * A constructor for internal use that translates the sign-magnitude
- * representation of a BigInteger into a BigInteger. It checks the
- * arguments and copies the magnitude so this constructor would be
- * safe for external use.
- */
- private BigInteger(int signum, int[] magnitude) {
- this.mag = stripLeadingZeroInts(magnitude);
- if (signum < -1 || signum > 1)
- throw(new NumberFormatException("Invalid signum value"));
- if (this.mag.length==0) {
- this.signum = 0;
- } else {
- if (signum == 0)
- throw(new NumberFormatException("signum-magnitude mismatch"));
- this.signum = signum;
- }
- }
- /**
- * Translates the String representation of a BigInteger in the specified
- * radix into a BigInteger. The String representation consists of an
- * optional minus sign followed by a sequence of one or more digits in the
- * specified radix. The character-to-digit mapping is provided by
- * <tt>Character.digit</tt>. The String may not contain any extraneous
- * characters (whitespace, for example).
- *
- * @param val String representation of BigInteger.
- * @param radix radix to be used in interpreting <tt>val</tt>.
- * @throws NumberFormatException <tt>val</tt> is not a valid representation
- * of a BigInteger in the specified radix, or <tt>radix</tt> is
- * outside the range from <tt>Character.MIN_RADIX</tt> (2) to
- * <tt>Character.MAX_RADIX</tt> (36), inclusive.
- * @see Character#digit
- */
- public BigInteger(String val, int radix) {
- int cursor = 0, numDigits;
- int len = val.length();
- if (radix < Character.MIN_RADIX || radix > Character.MAX_RADIX)
- throw new NumberFormatException("Radix out of range");
- if (val.length() == 0)
- throw new NumberFormatException("Zero length BigInteger");
- // Check for leading minus sign
- signum = 1;
- if (val.charAt(0) == '-') {
- if (val.length() == 1)
- throw new NumberFormatException("Zero length BigInteger");
- signum = -1;
- cursor = 1;
- }
- // Skip leading zeros and compute number of digits in magnitude
- while (cursor < len &&
- Character.digit(val.charAt(cursor),radix) == 0)
- cursor++;
- if (cursor == len) {
- signum = 0;
- mag = ZERO.mag;
- return;
- } else {
- numDigits = len - cursor;
- }
- // Pre-allocate array of expected size. May be too large but can
- // never be too small. Typically exact.
- int numBits = (int)(((numDigits * bitsPerDigit[radix]) >>> 10) + 1);
- int numWords = (numBits + 31) /32;
- mag = new int[numWords];
- // Process first (potentially short) digit group
- int firstGroupLen = numDigits % digitsPerInt[radix];
- if (firstGroupLen == 0)
- firstGroupLen = digitsPerInt[radix];
- String group = val.substring(cursor, cursor += firstGroupLen);
- mag[mag.length - 1] = Integer.parseInt(group, radix);
- // Process remaining digit groups
- int superRadix = intRadix[radix];
- int groupVal = 0;
- while (cursor < val.length()) {
- group = val.substring(cursor, cursor += digitsPerInt[radix]);
- groupVal = Integer.parseInt(group, radix);
- destructiveMulAdd(mag, superRadix, groupVal);
- }
- // Required for cases where the array was overallocated.
- mag = trustedStripLeadingZeroInts(mag);
- }
- // Constructs a new BigInteger using a char array with radix=10
- BigInteger(char[] val) {
- int cursor = 0, numDigits;
- int len = val.length;
- // Check for leading minus sign
- signum = 1;
- if (val[0] == '-') {
- if (len == 1)
- throw new NumberFormatException("Zero length BigInteger");
- signum = -1;
- cursor = 1;
- }
- // Skip leading zeros and compute number of digits in magnitude
- while (cursor < len && Character.digit(val[cursor], 10) == 0)
- cursor++;
- if (cursor == len) {
- signum = 0;
- mag = ZERO.mag;
- return;
- } else {
- numDigits = len - cursor;
- }
- // Pre-allocate array of expected size
- int numWords;
- if (len < 10) {
- numWords = 1;
- } else {
- int numBits = (int)(((numDigits * bitsPerDigit[10]) >>> 10) + 1);
- numWords = (numBits + 31) /32;
- }
- mag = new int[numWords];
- // Process first (potentially short) digit group
- int firstGroupLen = numDigits % digitsPerInt[10];
- if (firstGroupLen == 0)
- firstGroupLen = digitsPerInt[10];
- mag[mag.length-1] = parseInt(val, cursor, cursor += firstGroupLen);
- // Process remaining digit groups
- while (cursor < len) {
- int groupVal = parseInt(val, cursor, cursor += digitsPerInt[10]);
- destructiveMulAdd(mag, intRadix[10], groupVal);
- }
- mag = trustedStripLeadingZeroInts(mag);
- }
- // Create an integer with the digits between the two indexes
- // Assumes start < end. The result may be negative, but it
- // is to be treated as an unsigned value.
- private int parseInt(char[] source, int start, int end) {
- int result = Character.digit(source[start++], 10);
- if (result == -1)
- throw new NumberFormatException(new String(source));
- for (int index = start; index<end; index++) {
- int nextVal = Character.digit(source[index], 10);
- if (nextVal == -1)
- throw new NumberFormatException(new String(source));
- result = 10*result + nextVal;
- }
- return result;
- }
- // bitsPerDigit in the given radix times 1024
- // Rounded up to avoid underallocation.
- private static long bitsPerDigit[] = { 0, 0,
- 1024, 1624, 2048, 2378, 2648, 2875, 3072, 3247, 3402, 3543, 3672,
- 3790, 3899, 4001, 4096, 4186, 4271, 4350, 4426, 4498, 4567, 4633,
- 4696, 4756, 4814, 4870, 4923, 4975, 5025, 5074, 5120, 5166, 5210,
- 5253, 5295};
- // Multiply x array times word y in place, and add word z
- private static void destructiveMulAdd(int[] x, int y, int z) {
- // Perform the multiplication word by word
- long ylong = y & LONG_MASK;
- long zlong = z & LONG_MASK;
- int len = x.length;
- long product = 0;
- long carry = 0;
- for (int i = len-1; i >= 0; i--) {
- product = ylong * (x[i] & LONG_MASK) + carry;
- x[i] = (int)product;
- carry = product >>> 32;
- }
- // Perform the addition
- long sum = (x[len-1] & LONG_MASK) + zlong;
- x[len-1] = (int)sum;
- carry = sum >>> 32;
- for (int i = len-2; i >= 0; i--) {
- sum = (x[i] & LONG_MASK) + carry;
- x[i] = (int)sum;
- carry = sum >>> 32;
- }
- }
- /**
- * Translates the decimal String representation of a BigInteger into a
- * BigInteger. The String representation consists of an optional minus
- * sign followed by a sequence of one or more decimal digits. The
- * character-to-digit mapping is provided by <tt>Character.digit</tt>.
- * The String may not contain any extraneous characters (whitespace, for
- * example).
- *
- * @param val decimal String representation of BigInteger.
- * @throws NumberFormatException <tt>val</tt> is not a valid representation
- * of a BigInteger.
- * @see Character#digit
- */
- public BigInteger(String val) {
- this(val, 10);
- }
- /**
- * Constructs a randomly generated BigInteger, uniformly distributed over
- * the range <tt>0</tt> to <tt>(2<sup>numBits</sup> - 1)</tt>, inclusive.
- * The uniformity of the distribution assumes that a fair source of random
- * bits is provided in <tt>rnd</tt>. Note that this constructor always
- * constructs a non-negative BigInteger.
- *
- * @param numBits maximum bitLength of the new BigInteger.
- * @param rnd source of randomness to be used in computing the new
- * BigInteger.
- * @throws IllegalArgumentException <tt>numBits</tt> is negative.
- * @see #bitLength
- */
- public BigInteger(int numBits, Random rnd) {
- this(1, randomBits(numBits, rnd));
- }
- private static byte[] randomBits(int numBits, Random rnd) {
- if (numBits < 0)
- throw new IllegalArgumentException("numBits must be non-negative");
- int numBytes = (numBits+7)/8;
- byte[] randomBits = new byte[numBytes];
- // Generate random bytes and mask out any excess bits
- if (numBytes > 0) {
- rnd.nextBytes(randomBits);
- int excessBits = 8*numBytes - numBits;
- randomBits[0] &= (1 << (8-excessBits)) - 1;
- }
- return randomBits;
- }
- /**
- * Constructs a randomly generated positive BigInteger that is probably
- * prime, with the specified bitLength.<p>
- *
- * It is recommended that the probablePrime method be used in preference
- * to this constructor unless there is a compelling need to specify a
- * certainty.
- *
- * @param bitLength bitLength of the returned BigInteger.
- * @param certainty a measure of the uncertainty that the caller is
- * willing to tolerate. The probability that the new BigInteger
- * represents a prime number will exceed
- * <tt>(1 - 1/2<sup>certainty</sup></tt>). The execution time of
- * this constructor is proportional to the value of this parameter.
- * @param rnd source of random bits used to select candidates to be
- * tested for primality.
- * @throws ArithmeticException <tt>bitLength < 2</tt>.
- * @see #bitLength
- */
- public BigInteger(int bitLength, int certainty, Random rnd) {
- BigInteger prime;
- if (bitLength < 2)
- throw new ArithmeticException("bitLength < 2");
- // The cutoff of 95 was chosen empirically for best performance
- prime = (bitLength < 95 ? smallPrime(bitLength, certainty, rnd)
- : largePrime(bitLength, certainty, rnd));
- signum = 1;
- mag = prime.mag;
- }
- /**
- * Returns a positive BigInteger that is probably prime, with the
- * specified bitLength. The probability that a BigInteger returned
- * by this method is composite does not exceed 2<sup>-100</sup>.
- *
- * @param bitLength bitLength of the returned BigInteger.
- * @param rnd source of random bits used to select candidates to be
- * tested for primality.
- * @throws ArithmeticException <tt>bitLength < 2</tt>.
- * @see #bitLength
- */
- private static BigInteger probablePrime(int bitLength, Random rnd) {
- if (bitLength < 2)
- throw new ArithmeticException("bitLength < 2");
- // The cutoff of 95 was chosen empirically for best performance
- return (bitLength < 95 ? smallPrime(bitLength, 100, rnd)
- : largePrime(bitLength, 100, rnd));
- }
- /**
- * Find a random number of the specified bitLength that is probably prime.
- * This method is used for smaller primes, its performance degrades on
- * larger bitlengths.
- *
- * This method assumes bitLength > 1.
- */
- private static BigInteger smallPrime(int bitLength, int certainty, Random rnd) {
- int magLen = (bitLength + 31) >>> 5;
- int temp[] = new int[magLen];
- int highBit = 1 << ((bitLength+31) & 0x1f); // High bit of high int
- int highMask = (highBit << 1) - 1; // Bits to keep in high int
- while(true) {
- // Construct a candidate
- for (int i=0; i<magLen; i++)
- temp[i] = rnd.nextInt();
- temp[0] = (temp[0] & highMask) | highBit; // Ensure exact length
- if (bitLength > 2)
- temp[magLen-1] |= 1; // Make odd if bitlen > 2
- BigInteger p = new BigInteger(temp, 1);
- // Do cheap "pre-test" if applicable
- if (bitLength > 6) {
- long r = p.remainder(SMALL_PRIME_PRODUCT).longValue();
- if ((r%3==0) || (r%5==0) || (r%7==0) || (r%11==0) ||
- (r%13==0) || (r%17==0) || (r%19==0) || (r%23==0) ||
- (r%29==0) || (r%31==0) || (r%37==0) || (r%41==0))
- continue; // Candidate is composite; try another
- }
- // All candidates of bitLength 2 and 3 are prime by this point
- if (bitLength < 4)
- return p;
- // Do expensive test if we survive pre-test (or it's inapplicable)
- if (p.primeToCertainty(certainty))
- return p;
- }
- }
- private static final BigInteger SMALL_PRIME_PRODUCT
- = valueOf(3*5*7*11*13*17*19*23*29*31*37*41);
- /**
- * Find a random number of the specified bitLength that is probably prime.
- * This method is more appropriate for larger bitlengths since it uses
- * a sieve to eliminate most composites before using a more expensive
- * test.
- */
- private static BigInteger largePrime(int bitLength, int certainty, Random rnd) {
- BigInteger p;
- p = new BigInteger(bitLength, rnd).setBit(bitLength-1);
- p.mag[p.mag.length-1] &= 0xfffffffe;
- // Use a sieve length likely to contain the next prime number
- int searchLen = (bitLength / 20) * 64;
- BitSieve searchSieve = new BitSieve(p, searchLen);
- BigInteger candidate = searchSieve.retrieve(p, certainty);
- while ((candidate == null) || (candidate.bitLength() != bitLength)) {
- p = p.add(BigInteger.valueOf(2*searchLen));
- if (p.bitLength() != bitLength)
- p = new BigInteger(bitLength, rnd).setBit(bitLength-1);
- p.mag[p.mag.length-1] &= 0xfffffffe;
- searchSieve = new BitSieve(p, searchLen);
- candidate = searchSieve.retrieve(p, certainty);
- }
- return candidate;
- }
- /**
- * Returns <tt>true</tt> if this BigInteger is probably prime,
- * <tt>false</tt> if it's definitely composite.
- *
- * This method assumes bitLength > 2.
- *
- * @param certainty a measure of the uncertainty that the caller is
- * willing to tolerate: if the call returns <tt>true</tt>
- * the probability that this BigInteger is prime exceeds
- * <tt>(1 - 1/2<sup>certainty</sup>)</tt>. The execution time of
- * this method is proportional to the value of this parameter.
- * @return <tt>true</tt> if this BigInteger is probably prime,
- * <tt>false</tt> if it's definitely composite.
- */
- boolean primeToCertainty(int certainty) {
- int rounds = 0;
- int n = (certainty+1)/2;
- // The relationship between the certainty and the number of rounds
- // we perform is given in the draft standard ANSI X9.80, "PRIME
- // NUMBER GENERATION, PRIMALITY TESTING, AND PRIMALITY CERTIFICATES".
- int sizeInBits = this.bitLength();
- if (sizeInBits < 100) {
- rounds = 50;
- rounds = n < rounds ? n : rounds;
- return passesMillerRabin(rounds);
- }
- if (sizeInBits < 256) {
- rounds = 27;
- } else if (sizeInBits < 512) {
- rounds = 15;
- } else if (sizeInBits < 768) {
- rounds = 8;
- } else if (sizeInBits < 1024) {
- rounds = 4;
- } else {
- rounds = 2;
- }
- rounds = n < rounds ? n : rounds;
- return passesMillerRabin(rounds) && passesLucasLehmer();
- }
- /**
- * Returns true iff this BigInteger is a Lucas-Lehmer probable prime.
- *
- * The following assumptions are made:
- * This BigInteger is a positive, odd number.
- */
- private boolean passesLucasLehmer() {
- BigInteger thisPlusOne = this.add(ONE);
- // Step 1
- int d = 5;
- int sign = 1;
- while (jacobiSymbol(Math.abs(d), this) != -1) {
- d += 2;
- sign = -sign;
- }
- d = d * sign;
- // Step 2
- BigInteger u = lucasLehmerSequence(d, thisPlusOne, this);
- // Step 3
- return u.mod(this).equals(ZERO);
- }
- /**
- * Computes Jacobi(p,n).
- * Assumes n is positive, odd.
- */
- int jacobiSymbol(int p, BigInteger n) {
- if (p == 0)
- return 0;
- // Algorithm and comments adapted from Colin Plumb's C library.
- int j = 1;
- int u = n.mag[n.mag.length-1];
- // First, get rid of factors of 2 in p
- while ((p & 3) == 0)
- p >>= 2;
- if ((p & 1) == 0) {
- p >>= 1;
- if (((u ^ u>>1) & 2) != 0)
- j = -j; // 3 (011) or 5 (101) mod 8
- }
- if (p == 1)
- return j;
- // Then, apply quadratic reciprocity
- if ((p & u & 2) != 0) // p = u = 3 (mod 4)?
- j = -j;
- // And reduce u mod p
- u = n.mod(BigInteger.valueOf(p)).intValue();
- // Now compute Jacobi(u,p), u < p
- while (u != 0) {
- while ((u & 3) == 0)
- u >>= 2;
- if ((u & 1) == 0) {
- u >>= 1;
- if (((p ^ p>>1) & 2) != 0)
- j = -j; // 3 (011) or 5 (101) mod 8
- }
- if (u == 1)
- return j;
- // Now both u and p are odd, so use quadratic reciprocity
- if (u < p) {
- int t = u; u = p; p = t;
- if ((u & p & 2) != 0)// u = p = 3 (mod 4)?
- j = -j;
- }
- // Now u >= p, so it can be reduced
- u %= p;
- }
- return 0;
- }
- private static BigInteger lucasLehmerSequence(int z, BigInteger k, BigInteger n) {
- BigInteger d = BigInteger.valueOf(z);
- BigInteger u = ONE; BigInteger u2;
- BigInteger v = ONE; BigInteger v2;
- for (int i=k.bitLength()-2; i>=0; i--) {
- u2 = u.multiply(v).mod(n);
- v2 = v.square().add(d.multiply(u.square())).mod(n);
- if (v2.testBit(0)) {
- v2 = n.subtract(v2);
- v2.signum = - v2.signum;
- }
- v2 = v2.shiftRight(1);
- u = u2; v = v2;
- if (k.testBit(i)) {
- u2 = u.add(v).mod(n);
- if (u2.testBit(0)) {
- u2 = n.subtract(u2);
- u2.signum = - u2.signum;
- }
- u2 = u2.shiftRight(1);
- v2 = v.add(d.multiply(u)).mod(n);
- if (v2.testBit(0)) {
- v2 = n.subtract(v2);
- v2.signum = - v2.signum;
- }
- v2 = v2.shiftRight(1);
- u = u2; v = v2;
- }
- }
- return u;
- }
- /**
- * Returns true iff this BigInteger passes the specified number of
- * Miller-Rabin tests. This test is taken from the DSA spec (NIST FIPS
- * 186-2).
- *
- * The following assumptions are made:
- * This BigInteger is a positive, odd number greater than 2.
- * iterations<=50.
- */
- private boolean passesMillerRabin(int iterations) {
- // Find a and m such that m is odd and this == 1 + 2**a * m
- BigInteger thisMinusOne = this.subtract(ONE);
- BigInteger m = thisMinusOne;
- int a = m.getLowestSetBit();
- m = m.shiftRight(a);
- // Do the tests
- Random rnd = new Random();
- for (int i=0; i<iterations; i++) {
- // Generate a uniform random on (1, this)
- BigInteger b;
- do {
- b = new BigInteger(this.bitLength(), rnd);
- } while (b.compareTo(ONE) <= 0 || b.compareTo(this) >= 0);
- int j = 0;
- BigInteger z = b.modPow(m, this);
- while(!((j==0 && z.equals(ONE)) || z.equals(thisMinusOne))) {
- if (j>0 && z.equals(ONE) || ++j==a)
- return false;
- z = z.modPow(TWO, this);
- }
- }
- return true;
- }
- /**
- * This private constructor differs from its public cousin
- * with the arguments reversed in two ways: it assumes that its
- * arguments are correct, and it doesn't copy the magnitude array.
- */
- private BigInteger(int[] magnitude, int signum) {
- this.signum = (magnitude.length==0 ? 0 : signum);
- this.mag = magnitude;
- }
- /**
- * This private constructor is for internal use and assumes that its
- * arguments are correct.
- */
- private BigInteger(byte[] magnitude, int signum) {
- this.signum = (magnitude.length==0 ? 0 : signum);
- this.mag = stripLeadingZeroBytes(magnitude);
- }
- /**
- * This private constructor is for internal use in converting
- * from a MutableBigInteger object into a BigInteger.
- */
- BigInteger(MutableBigInteger val, int sign) {
- if (val.offset > 0 || val.value.length != val.intLen) {
- mag = new int[val.intLen];
- for(int i=0; i<val.intLen; i++)
- mag[i] = val.value[val.offset+i];
- } else {
- mag = val.value;
- }
- this.signum = (val.intLen == 0) ? 0 : sign;
- }
- //Static Factory Methods
- /**
- * Returns a BigInteger whose value is equal to that of the specified
- * long. This "static factory method" is provided in preference to a
- * (long) constructor because it allows for reuse of frequently used
- * BigIntegers.
- *
- * @param val value of the BigInteger to return.
- * @return a BigInteger with the specified value.
- */
- public static BigInteger valueOf(long val) {
- // If -MAX_CONSTANT < val < MAX_CONSTANT, return stashed constant
- if (val == 0)
- return ZERO;
- if (val > 0 && val <= MAX_CONSTANT)
- return posConst[(int) val];
- else if (val < 0 && val >= -MAX_CONSTANT)
- return negConst[(int) -val];
- return new BigInteger(val);
- }
- /**
- * Constructs a BigInteger with the specified value, which may not be zero.
- */
- private BigInteger(long val) {
- if (val < 0) {
- signum = -1;
- val = -val;
- } else {
- signum = 1;
- }
- int highWord = (int)(val >>> 32);
- if (highWord==0) {
- mag = new int[1];
- mag[0] = (int)val;
- } else {
- mag = new int[2];
- mag[0] = highWord;
- mag[1] = (int)val;
- }
- }
- /**
- * Returns a BigInteger with the given two's complement representation.
- * Assumes that the input array will not be modified (the returned
- * BigInteger will reference the input array if feasible).
- */
- private static BigInteger valueOf(int val[]) {
- return (val[0]>0 ? new BigInteger(val, 1) : new BigInteger(val));
- }
- // Constants
- /**
- * Initialize static constant array when class is loaded.
- */
- private final static int MAX_CONSTANT = 16;
- private static BigInteger posConst[] = new BigInteger[MAX_CONSTANT+1];
- private static BigInteger negConst[] = new BigInteger[MAX_CONSTANT+1];
- static {
- for (int i = 1; i <= MAX_CONSTANT; i++) {
- int[] magnitude = new int[1];
- magnitude[0] = (int) i;
- posConst[i] = new BigInteger(magnitude, 1);
- negConst[i] = new BigInteger(magnitude, -1);
- }
- }
- /**
- * The BigInteger constant zero.
- *
- * @since 1.2
- */
- public static final BigInteger ZERO = new BigInteger(new int[0], 0);
- /**
- * The BigInteger constant one.
- *
- * @since 1.2
- */
- public static final BigInteger ONE = valueOf(1);
- /**
- * The BigInteger constant two. (Not exported.)
- */
- private static final BigInteger TWO = valueOf(2);
- // Arithmetic Operations
- /**
- * Returns a BigInteger whose value is <tt>(this + val)</tt>.
- *
- * @param val value to be added to this BigInteger.
- * @return <tt>this + val</tt>
- */
- public BigInteger add(BigInteger val) {
- int[] resultMag;
- if (val.signum == 0)
- return this;
- if (signum == 0)
- return val;
- if (val.signum == signum)
- return new BigInteger(add(mag, val.mag), signum);
- int cmp = intArrayCmp(mag, val.mag);
- if (cmp==0)
- return ZERO;
- resultMag = (cmp>0 ? subtract(mag, val.mag)
- : subtract(val.mag, mag));
- resultMag = trustedStripLeadingZeroInts(resultMag);
- return new BigInteger(resultMag, cmp*signum);
- }
- /**
- * Adds the contents of the int arrays x and y. This method allocates
- * a new int array to hold the answer and returns a reference to that
- * array.
- */
- private static int[] add(int[] x, int[] y) {
- // If x is shorter, swap the two arrays
- if (x.length < y.length) {
- int[] tmp = x;
- x = y;
- y = tmp;
- }
- int xIndex = x.length;
- int yIndex = y.length;
- int result[] = new int[xIndex];
- long sum = 0;
- // Add common parts of both numbers
- while(yIndex > 0) {
- sum = (x[--xIndex] & LONG_MASK) +
- (y[--yIndex] & LONG_MASK) + (sum >>> 32);
- result[xIndex] = (int)sum;
- }
- // Copy remainder of longer number while carry propagation is required
- boolean carry = (sum >>> 32 != 0);
- while (xIndex > 0 && carry)
- carry = ((result[--xIndex] = x[xIndex] + 1) == 0);
- // Copy remainder of longer number
- while (xIndex > 0)
- result[--xIndex] = x[xIndex];
- // Grow result if necessary
- if (carry) {
- int newLen = result.length + 1;
- int temp[] = new int[newLen];
- for (int i = 1; i<newLen; i++)
- temp[i] = result[i-1];
- temp[0] = 0x01;
- result = temp;
- }
- return result;
- }
- /**
- * Returns a BigInteger whose value is <tt>(this - val)</tt>.
- *
- * @param val value to be subtracted from this BigInteger.
- * @return <tt>this - val</tt>
- */
- public BigInteger subtract(BigInteger val) {
- int[] resultMag;
- if (val.signum == 0)
- return this;
- if (signum == 0)
- return val.negate();
- if (val.signum != signum)
- return new BigInteger(add(mag, val.mag), signum);
- int cmp = intArrayCmp(mag, val.mag);
- if (cmp==0)
- return ZERO;
- resultMag = (cmp>0 ? subtract(mag, val.mag)
- : subtract(val.mag, mag));
- resultMag = trustedStripLeadingZeroInts(resultMag);
- return new BigInteger(resultMag, cmp*signum);
- }
- /**
- * Subtracts the contents of the second int arrays (little) from the
- * first (big). The first int array (big) must represent a larger number
- * than the second. This method allocates the space necessary to hold the
- * answer.
- */
- private static int[] subtract(int[] big, int[] little) {
- int bigIndex = big.length;
- int result[] = new int[bigIndex];
- int littleIndex = little.length;
- long difference = 0;
- // Subtract common parts of both numbers
- while(littleIndex > 0) {
- difference = (big[--bigIndex] & LONG_MASK) -
- (little[--littleIndex] & LONG_MASK) +
- (difference >> 32);
- result[bigIndex] = (int)difference;
- }
- // Subtract remainder of longer number while borrow propagates
- boolean borrow = (difference >> 32 != 0);
- while (bigIndex > 0 && borrow)
- borrow = ((result[--bigIndex] = big[bigIndex] - 1) == -1);
- // Copy remainder of longer number
- while (bigIndex > 0)
- result[--bigIndex] = big[bigIndex];
- return result;
- }
- /**
- * Returns a BigInteger whose value is <tt>(this * val)</tt>.
- *
- * @param val value to be multiplied by this BigInteger.
- * @return <tt>this * val</tt>
- */
- public BigInteger multiply(BigInteger val) {
- if (signum == 0 || val.signum==0)
- return ZERO;
- int[] result = multiplyToLen(mag, mag.length,
- val.mag, val.mag.length, null);
- result = trustedStripLeadingZeroInts(result);
- return new BigInteger(result, signum*val.signum);
- }
- /**
- * Multiplies int arrays x and y to the specified lengths and places
- * the result into z.
- */
- private int[] multiplyToLen(int[] x, int xlen, int[] y, int ylen, int[] z) {
- int xstart = xlen - 1;
- int ystart = ylen - 1;
- if (z == null || z.length < (xlen+ ylen))
- z = new int[xlen+ylen];
- long carry = 0;
- for (int j=ystart, k=ystart+1+xstart; j>=0; j--, k--) {
- long product = (y[j] & LONG_MASK) *
- (x[xstart] & LONG_MASK) + carry;
- z[k] = (int)product;
- carry = product >>> 32;
- }
- z[xstart] = (int)carry;
- for (int i = xstart-1; i >= 0; i--) {
- carry = 0;
- for (int j=ystart, k=ystart+1+i; j>=0; j--, k--) {
- long product = (y[j] & LONG_MASK) *
- (x[i] & LONG_MASK) +
- (z[k] & LONG_MASK) + carry;
- z[k] = (int)product;
- carry = product >>> 32;
- }
- z[i] = (int)carry;
- }
- return z;
- }
- /**
- * Returns a BigInteger whose value is <tt>(this<sup>2</sup>)</tt>.
- *
- * @return <tt>this<sup>2</sup></tt>
- */
- private BigInteger square() {
- if (signum == 0)
- return ZERO;
- int[] z = squareToLen(mag, mag.length, null);
- return new BigInteger(trustedStripLeadingZeroInts(z), 1);
- }
- /**
- * Squares the contents of the int array x. The result is placed into the
- * int array z. The contents of x are not changed.
- */
- private static final int[] squareToLen(int[] x, int len, int[] z) {
- /*
- * The algorithm used here is adapted from Colin Plumb's C library.
- * Technique: Consider the partial products in the multiplication
- * of "abcde" by itself:
- *
- * a b c d e
- * * a b c d e
- * ==================
- * ae be ce de ee
- * ad bd cd dd de
- * ac bc cc cd ce
- * ab bb bc bd be
- * aa ab ac ad ae
- *
- * Note that everything above the main diagonal:
- * ae be ce de = (abcd) * e
- * ad bd cd = (abc) * d
- * ac bc = (ab) * c
- * ab = (a) * b
- *
- * is a copy of everything below the main diagonal:
- * de
- * cd ce
- * bc bd be
- * ab ac ad ae
- *
- * Thus, the sum is 2 * (off the diagonal) + diagonal.
- *
- * This is accumulated beginning with the diagonal (which
- * consist of the squares of the digits of the input), which is then
- * divided by two, the off-diagonal added, and multiplied by two
- * again. The low bit is simply a copy of the low bit of the
- * input, so it doesn't need special care.
- */
- int zlen = len << 1;
- if (z == null || z.length < zlen)
- z = new int[zlen];
- // Store the squares, right shifted one bit (i.e., divided by 2)
- int lastProductLowWord = 0;
- for (int j=0, i=0; j<len; j++) {
- long piece = (x[j] & LONG_MASK);
- long product = piece * piece;
- z[i++] = (lastProductLowWord << 31) | (int)(product >>> 33);
- z[i++] = (int)(product >>> 1);
- lastProductLowWord = (int)product;
- }
- // Add in off-diagonal sums
- for (int i=len, offset=1; i>0; i--, offset+=2) {
- int t = x[i-1];
- t = mulAdd(z, x, offset, i-1, t);
- addOne(z, offset-1, i, t);
- }
- // Shift back up and set low bit
- primitiveLeftShift(z, zlen, 1);
- z[zlen-1] |= x[len-1] & 1;
- return z;
- }
- /**
- * Returns a BigInteger whose value is <tt>(this / val)</tt>.
- *
- * @param val value by which this BigInteger is to be divided.
- * @return <tt>this / val</tt>
- * @throws ArithmeticException <tt>val==0</tt>
- */
- public BigInteger divide(BigInteger val) {
- MutableBigInteger q = new MutableBigInteger(),
- r = new MutableBigInteger(),
- a = new MutableBigInteger(this.mag),
- b = new MutableBigInteger(val.mag);
- a.divide(b, q, r);
- return new BigInteger(q, this.signum * val.signum);
- }
- /**
- * Returns an array of two BigIntegers containing <tt>(this / val)</tt>
- * followed by <tt>(this % val)</tt>.
- *
- * @param val value by which this BigInteger is to be divided, and the
- * remainder computed.
- * @return an array of two BigIntegers: the quotient <tt>(this / val)</tt>
- * is the initial element, and the remainder <tt>(this % val)</tt>
- * is the final element.
- * @throws ArithmeticException <tt>val==0</tt>
- */
- public BigInteger[] divideAndRemainder(BigInteger val) {
- BigInteger[] result = new BigInteger[2];
- MutableBigInteger q = new MutableBigInteger(),
- r = new MutableBigInteger(),
- a = new MutableBigInteger(this.mag),
- b = new MutableBigInteger(val.mag);
- a.divide(b, q, r);
- result[0] = new BigInteger(q, this.signum * val.signum);
- result[1] = new BigInteger(r, this.signum);
- return result;
- }
- /**
- * Returns a BigInteger whose value is <tt>(this % val)</tt>.
- *
- * @param val value by which this BigInteger is to be divided, and the
- * remainder computed.
- * @return <tt>this % val</tt>
- * @throws ArithmeticException <tt>val==0</tt>
- */
- public BigInteger remainder(BigInteger val) {
- MutableBigInteger q = new MutableBigInteger(),
- r = new MutableBigInteger(),
- a = new MutableBigInteger(this.mag),
- b = new MutableBigInteger(val.mag);
- a.divide(b, q, r);
- return new BigInteger(r, this.signum);
- }
- /**
- * Returns a BigInteger whose value is <tt>(this<sup>exponent</sup>)</tt>.
- * Note that <tt>exponent</tt> is an integer rather than a BigInteger.
- *
- * @param exponent exponent to which this BigInteger is to be raised.
- * @return <tt>this<sup>exponent</sup></tt>
- * @throws ArithmeticException <tt>exponent</tt> is negative. (This would
- * cause the operation to yield a non-integer value.)
- */
- public BigInteger pow(int exponent) {
- if (exponent < 0)
- throw new ArithmeticException("Negative exponent");
- if (signum==0)
- return (exponent==0 ? ONE : this);
- // Perform exponentiation using repeated squaring trick
- int newSign = (signum<0 && (exponent&1)==1 ? -1 : 1);
- int[] baseToPow2 = this.mag;
- int[] result = {1};
- while (exponent != 0) {
- if ((exponent & 1)==1)
- result = multiplyToLen(result, result.length,
- baseToPow2, baseToPow2.length, null);
- if ((exponent >>>= 1) != 0)
- baseToPow2 = squareToLen(baseToPow2, baseToPow2.length, null);
- }
- result = trustedStripLeadingZeroInts(result);
- return new BigInteger(result, newSign);
- }
- /**
- * Returns a BigInteger whose value is the greatest common divisor of
- * <tt>abs(this)</tt> and <tt>abs(val)</tt>. Returns 0 if
- * <tt>this==0 && val==0</tt>.
- *
- * @param val value with with the GCD is to be computed.
- * @return <tt>GCD(abs(this), abs(val))</tt>
- */
- public BigInteger gcd(BigInteger val) {
- if (val.signum == 0)
- return this.abs();
- else if (this.signum == 0)
- return val.abs();
- MutableBigInteger a = new MutableBigInteger(this);
- MutableBigInteger b = new MutableBigInteger(val);
- MutableBigInteger result = a.hybridGCD(b);
- return new BigInteger(result, 1);
- }
- /**
- * Left shift int array a up to len by n bits. Returns the array that
- * results from the shift since space may have to be reallocated.
- */
- private static int[] leftShift(int[] a, int len, int n) {
- int nInts = n >>> 5;
- int nBits = n&0x1F;
- int bitsInHighWord = bitLen(a[0]);
- // If shift can be done without recopy, do so
- if (n <= (32-bitsInHighWord)) {
- primitiveLeftShift(a, len, nBits);
- return a;
- } else { // Array must be resized
- if (nBits <= (32-bitsInHighWord)) {
- int result[] = new int[nInts+len];
- for (int i=0; i<len; i++)
- result[i] = a[i];
- primitiveLeftShift(result, result.length, nBits);
- return result;
- } else {
- int result[] = new int[nInts+len+1];
- for (int i=0; i<len; i++)
- result[i] = a[i];
- primitiveRightShift(result, result.length, 32 - nBits);
- return result;
- }
- }
- }
- // shifts a up to len right n bits assumes no leading zeros, 0<n<32
- static void primitiveRightShift(int[] a, int len, int n) {
- int n2 = 32 - n;
- for (int i=len-1, c=a[i]; i>0; i--) {
- int b = c;
- c = a[i-1];
- a[i] = (c << n2) | (b >>> n);
- }
- a[0] >>>= n;
- }
- // shifts a up to len left n bits assumes no leading zeros, 0<=n<32
- static void primitiveLeftShift(int[] a, int len, int n) {
- if (len == 0 || n == 0)
- return;
- int n2 = 32 - n;
- for (int i=0, c=a[i], m=i+len-1; i<m; i++) {
- int b = c;
- c = a[i+1];
- a[i] = (b << n) | (c >>> n2);
- }
- a[len-1] <<= n;
- }
- /**
- * Calculate bitlength of contents of the first len elements an int array,
- * assuming there are no leading zero ints.
- */
- private static int bitLength(int[] val, int len) {
- if (len==0)
- return 0;
- return ((len-1)<<5) + bitLen(val[0]);
- }
- /**
- * Returns a BigInteger whose value is the absolute value of this
- * BigInteger.
- *
- * @return <tt>abs(this)</tt>
- */
- public BigInteger abs() {
- return (signum >= 0 ? this : this.negate());
- }
- /**
- * Returns a BigInteger whose value is <tt>(-this)</tt>.
- *
- * @return <tt>-this</tt>
- */
- public BigInteger negate() {
- return new BigInteger(this.mag, -this.signum);
- }
- /**
- * Returns the signum function of this BigInteger.
- *
- * @return -1, 0 or 1 as the value of this BigInteger is negative, zero or
- * positive.
- */
- public int signum() {
- return this.signum;
- }
- // Modular Arithmetic Operations
- /**
- * Returns a BigInteger whose value is <tt>(this mod m</tt>). This method
- * differs from <tt>remainder</tt> in that it always returns a
- * <i>non-negative</i> BigInteger.
- *
- * @param m the modulus.
- * @return <tt>this mod m</tt>
- * @throws ArithmeticException <tt>m <= 0</tt>
- * @see #remainder
- */
- public BigInteger mod(BigInteger m) {
- if (m.signum <= 0)
- throw new ArithmeticException("BigInteger: modulus not positive");
- BigInteger result = this.remainder(m);
- return (result.signum >= 0 ? result : result.add(m));
- }
- /**
- * Returns a BigInteger whose value is
- * <tt>(this<sup>exponent</sup> mod m)</tt>. (Unlike <tt>pow</tt>, this
- * method permits negative exponents.)
- *
- * @param exponent the exponent.
- * @param m the modulus.
- * @return <tt>this<sup>exponent</sup> mod m</tt>
- * @throws ArithmeticException <tt>m <= 0</tt>
- * @see #modInverse
- */
- public BigInteger modPow(BigInteger exponent, BigInteger m) {
- if (m.signum <= 0)
- throw new ArithmeticException("BigInteger: modulus not positive");
- // Trivial cases
- if (exponent.signum == 0)
- return (m.equals(ONE) ? ZERO : ONE);
- if (this.equals(ONE))
- return (m.equals(ONE) ? ZERO : ONE);
- if (this.equals(ZERO) && exponent.signum >= 0)
- return ZERO;
- if (this.equals(negConst[1]) && (!exponent.testBit(0)))
- return (m.equals(ONE) ? ZERO : ONE);
- boolean invertResult;
- if ((invertResult = (exponent.signum < 0)))
- exponent = exponent.negate();
- BigInteger base = (this.signum < 0 || this.compareTo(m) >= 0
- ? this.mod(m) : this);
- BigInteger result;
- if (m.testBit(0)) { // odd modulus
- result = base.oddModPow(exponent, m);
- } else {
- /*
- * Even modulus. Tear it into an "odd part" (m1) and power of two
- * (m2), exponentiate mod m1, manually exponentiate mod m2, and
- * use Chinese Remainder Theorem to combine results.
- */
- // Tear m apart into odd part (m1) and power of 2 (m2)
- int p = m.getLowestSetBit(); // Max pow of 2 that divides m
- BigInteger m1 = m.shiftRight(p); // m/2**p
- BigInteger m2 = ONE.shiftLeft(p); // 2**p
- // Calculate new base from m1
- BigInteger base2 = (this.signum < 0 || this.compareTo(m1) >= 0
- ? this.mod(m1) : this);
- // Caculate (base ** exponent) mod m1.
- BigInteger a1 = (m1.equals(ONE) ? ZERO :
- base2.oddModPow(exponent, m1));
- // Calculate (this ** exponent) mod m2
- BigInteger a2 = base.modPow2(exponent, p);
- // Combine results using Chinese Remainder Theorem
- BigInteger y1 = m2.modInverse(m1);
- BigInteger y2 = m1.modInverse(m2);
- result = a1.multiply(m2).multiply(y1).add
- (a2.multiply(m1).multiply(y2)).mod(m);
- }
- return (invertResult ? result.modInverse(m) : result);
- }
- static int[] bnExpModThreshTable = {7, 25, 81, 241, 673, 1793,
- Integer.MAX_VALUE}; // Sentinel
- /**
- * Returns a BigInteger whose value is x to the power of y mod z.
- * Assumes: z is odd && x < z.
- */
- private BigInteger oddModPow(BigInteger y, BigInteger z) {
- /*
- * The algorithm is adapted from Colin Plumb's C library.
- *
- * The window algorithm:
- * The idea is to keep a running product of b1 = n^(high-order bits of exp)
- * and then keep appending exponent bits to it. The following patterns
- * apply to a 3-bit window (k = 3):
- * To append 0: square
- * To append 1: square, multiply by n^1
- * To append 10: square, multiply by n^1, square
- * To append 11: square, square, multiply by n^3
- * To append 100: square, multiply by n^1, square, square
- * To append 101: square, square, square, multiply by n^5
- * To append 110: square, square, multiply by n^3, square
- * To append 111: square, square, square, multiply by n^7
- *
- * Since each pattern involves only one multiply, the longer the pattern
- * the better, except that a 0 (no multiplies) can be appended directly.
- * We precompute a table of odd powers of n, up to 2^k, and can then
- * multiply k bits of exponent at a time. Actually, assuming random
- * exponents, there is on average one zero bit between needs to
- * multiply (1/2 of the time there's none, 1/4 of the time there's 1,
- * 1/8 of the time, there's 2, 1/32 of the time, there's 3, etc.), so
- * you have to do one multiply per k+1 bits of exponent.
- *
- * The loop walks down the exponent, squaring the result buffer as
- * it goes. There is a wbits+1 bit lookahead buffer, buf, that is
- * filled with the upcoming exponent bits. (What is read after the
- * end of the exponent is unimportant, but it is filled with zero here.)
- * When the most-significant bit of this buffer becomes set, i.e.
- * (buf & tblmask) != 0, we have to decide what pattern to multiply
- * by, and when to do it. We decide, remember to do it in future
- * after a suitable number of squarings have passed (e.g. a pattern
- * of "100" in the buffer requires that we multiply by n^1 immediately;
- * a pattern of "110" calls for multiplying by n^3 after one more
- * squaring), clear the buffer, and continue.
- *
- * When we start, there is one more optimization: the result buffer
- * is implcitly one, so squaring it or multiplying by it can be
- * optimized away. Further, if we start with a pattern like "100"
- * in the lookahead window, rather than placing n into the buffer
- * and then starting to square it, we have already computed n^2
- * to compute the odd-powers table, so we can place that into
- * the buffer and save a squaring.
- *
- * This means that if you have a k-bit window, to compute n^z,
- * where z is the high k bits of the exponent, 1/2 of the time
- * it requires no squarings. 1/4 of the time, it requires 1
- * squaring, ... 1/2^(k-1) of the time, it reqires k-2 squarings.
- * And the remaining 1/2^(k-1) of the time, the top k bits are a
- * 1 followed by k-1 0 bits, so it again only requires k-2
- * squarings, not k-1. The average of t