Enano CMS (1.1.x): comparison includes/clientside/static/crypto.js

Mercurial Mercurial > repos > enano-1.1 / comparison

summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help

includes/clientside/static/crypto.js

changeset 582	a38876c0793c
child 712	331e009416d5

equal deleted inserted replaced

-:5e8fd89c02ea
+:a38876c0793c
+////////////////////////////////////////////////////////////////////////////////////////
+// Big Integer Library v. 5.1
+// Created 2000, last modified 2007
+// Leemon Baird
+// www.leemon.com
+//
+// Version history:
+//
+// v 5.1  8 Oct 2007
+//   - renamed inverseModInt_ to inverseModInt since it doesn't change its parameters
+//   - added functions GCD and randBigInt, which call GCD_ and randBigInt_
+//   - fixed a bug found by Rob Visser (see comment with his name below)
+//   - improved comments
+//
+// This file is public domain.   You can use it for any purpose without restriction.
+// I do not guarantee that it is correct, so use it at your own risk.  If you use
+// it for something interesting, I'd appreciate hearing about it.  If you find
+// any bugs or make any improvements, I'd appreciate hearing about those too.
+// It would also be nice if my name and address were left in the comments.
+// But none of that is required.
+//
+// This code defines a bigInt library for arbitrary-precision integers.
+// A bigInt is an array of integers storing the value in chunks of bpe bits,
+// little endian (buff[0] is the least significant word).
+// Negative bigInts are stored two's complement.
+// Some functions assume their parameters have at least one leading zero element.
+// Functions with an underscore at the end of the name have unpredictable behavior in case of overflow,
+// so the caller must make sure the arrays must be big enough to hold the answer.
+// For each function where a parameter is modified, that same
+// variable must not be used as another argument too.
+// So, you cannot square x by doing multMod_(x,x,n).
+// You must use squareMod_(x,n) instead, or do y=dup(x); multMod_(x,y,n).
+//
+// These functions are designed to avoid frequent dynamic memory allocation in the inner loop.
+// For most functions, if it needs a BigInt as a local variable it will actually use
+// a global, and will only allocate to it only when it's not the right size.  This ensures
+// that when a function is called repeatedly with same-sized parameters, it only allocates
+// memory on the first call.
+//
+// Note that for cryptographic purposes, the calls to Math.random() must
+// be replaced with calls to a better pseudorandom number generator.
+//
+// In the following, "bigInt" means a bigInt with at least one leading zero element,
+// and "integer" means a nonnegative integer less than radix.  In some cases, integer
+// can be negative.  Negative bigInts are 2s complement.
+//
+// The following functions do not modify their inputs.
+// Those returning a bigInt, string, or Array will dynamically allocate memory for that value.
+// Those returning a boolean will return the integer 0 (false) or 1 (true).
+// Those returning boolean or int will not allocate memory except possibly on the first time they're called with a given parameter size.
+//
+// bigInt  add(x,y)               //return (x+y) for bigInts x and y.
+// bigInt  addInt(x,n)            //return (x+n) where x is a bigInt and n is an integer.
+// string  bigInt2str(x,base)     //return a string form of bigInt x in a given base, with 2 <= base <= 95
+// int     bitSize(x)             //return how many bits long the bigInt x is, not counting leading zeros
+// bigInt  dup(x)                 //return a copy of bigInt x
+// boolean equals(x,y)            //is the bigInt x equal to the bigint y?
+// boolean equalsInt(x,y)         //is bigint x equal to integer y?
+// bigInt  expand(x,n)            //return a copy of x with at least n elements, adding leading zeros if needed
+// Array   findPrimes(n)          //return array of all primes less than integer n
+// bigInt  GCD(x,y)               //return greatest common divisor of bigInts x and y (each with same number of elements).
+// boolean greater(x,y)           //is x>y?  (x and y are nonnegative bigInts)
+// boolean greaterShift(x,y,shift)//is (x <<(shift*bpe)) > y?
+// bigInt  int2bigInt(t,n,m)      //return a bigInt equal to integer t, with at least n bits and m array elements
+// bigInt  inverseMod(x,n)        //return (x**(-1) mod n) for bigInts x and n.  If no inverse exists, it returns null
+// int     inverseModInt(x,n)     //return x**(-1) mod n, for integers x and n.  Return 0 if there is no inverse
+// boolean isZero(x)              //is the bigInt x equal to zero?
+// boolean millerRabin(x,b)       //does one round of Miller-Rabin base integer b say that bigInt x is possibly prime (as opposed to definitely composite)?
+// bigInt  mod(x,n)               //return a new bigInt equal to (x mod n) for bigInts x and n.
+// int     modInt(x,n)            //return x mod n for bigInt x and integer n.
+// bigInt  mult(x,y)              //return x*y for bigInts x and y. This is faster when y<x.
+// bigInt  multMod(x,y,n)         //return (x*y mod n) for bigInts x,y,n.  For greater speed, let y<x.
+// boolean negative(x)            //is bigInt x negative?
+// bigInt  powMod(x,y,n)          //return (x**y mod n) where x,y,n are bigInts and ** is exponentiation.  0**0=1. Faster for odd n.
+// bigInt  randBigInt(n,s)        //return an n-bit random BigInt (n>=1).  If s=1, then the most significant of those n bits is set to 1.
+// bigInt  randTruePrime(k)       //return a new, random, k-bit, true prime bigInt using Maurer's algorithm.
+// bigInt  str2bigInt(s,b,n,m)    //return a bigInt for number represented in string s in base b with at least n bits and m array elements
+// bigInt  sub(x,y)               //return (x-y) for bigInts x and y.  Negative answers will be 2s complement
+// bigInt  bigint_trim(x,k)              //return a copy of x with exactly k leading zero elements
+//
+//
+// The following functions each have a non-underscored version, which most users should call instead.
+// These functions each write to a single parameter, and the caller is responsible for ensuring the array
+// passed in is large enough to hold the result.
+//
+// void    addInt_(x,n)          //do x=x+n where x is a bigInt and n is an integer
+// void    add_(x,y)             //do x=x+y for bigInts x and y
+// void    copy_(x,y)            //do x=y on bigInts x and y
+// void    copyInt_(x,n)         //do x=n on bigInt x and integer n
+// void    GCD_(x,y)             //set x to the greatest common divisor of bigInts x and y, (y is destroyed).  (This never overflows its array).
+// boolean inverseMod_(x,n)      //do x=x**(-1) mod n, for bigInts x and n. Returns 1 (0) if inverse does (doesn't) exist
+// void    mod_(x,n)             //do x=x mod n for bigInts x and n. (This never overflows its array).
+// void    mult_(x,y)            //do x=x*y for bigInts x and y.
+// void    multMod_(x,y,n)       //do x=x*y  mod n for bigInts x,y,n.
+// void    powMod_(x,y,n)        //do x=x**y mod n, where x,y,n are bigInts (n is odd) and ** is exponentiation.  0**0=1.
+// void    randBigInt_(b,n,s)    //do b = an n-bit random BigInt. if s=1, then nth bit (most significant bit) is set to 1. n>=1.
+// void    randTruePrime_(ans,k) //do ans = a random k-bit true random prime (not just probable prime) with 1 in the msb.
+// void    sub_(x,y)             //do x=x-y for bigInts x and y. Negative answers will be 2s complement.
+//
+// The following functions do NOT have a non-underscored version.
+// They each write a bigInt result to one or more parameters.  The caller is responsible for
+// ensuring the arrays passed in are large enough to hold the results.
+//
+// void addShift_(x,y,ys)       //do x=x+(y<<(ys*bpe))
+// void carry_(x)               //do carries and borrows so each element of the bigInt x fits in bpe bits.
+// void divide_(x,y,q,r)        //divide x by y giving quotient q and remainder r
+// int  divInt_(x,n)            //do x=floor(x/n) for bigInt x and integer n, and return the remainder. (This never overflows its array).
+// int  eGCD_(x,y,d,a,b)        //sets a,b,d to positive bigInts such that d = GCD_(x,y) = a*x-b*y
+// void halve_(x)               //do x=floor(|x|/2)*sgn(x) for bigInt x in 2's complement.  (This never overflows its array).
+// void leftShift_(x,n)         //left shift bigInt x by n bits.  n<bpe.
+// void linComb_(x,y,a,b)       //do x=a*x+b*y for bigInts x and y and integers a and b
+// void linCombShift_(x,y,b,ys) //do x=x+b*(y<<(ys*bpe)) for bigInts x and y, and integers b and ys
+// void mont_(x,y,n,np)         //Montgomery multiplication (see comments where the function is defined)
+// void multInt_(x,n)           //do x=x*n where x is a bigInt and n is an integer.
+// void rightShift_(x,n)        //right shift bigInt x by n bits.  0 <= n < bpe. (This never overflows its array).
+// void squareMod_(x,n)         //do x=x*x  mod n for bigInts x,n
+// void subShift_(x,y,ys)       //do x=x-(y<<(ys*bpe)). Negative answers will be 2s complement.
+//
+// The following functions are based on algorithms from the _Handbook of Applied Cryptography_
+//    powMod_()           = algorithm 14.94, Montgomery exponentiation
+//    eGCD_,inverseMod_() = algorithm 14.61, Binary extended GCD_
+//    GCD_()              = algorothm 14.57, Lehmer's algorithm
+//    mont_()             = algorithm 14.36, Montgomery multiplication
+//    divide_()           = algorithm 14.20  Multiple-precision division
+//    squareMod_()        = algorithm 14.16  Multiple-precision squaring
+//    randTruePrime_()    = algorithm  4.62, Maurer's algorithm
+//    millerRabin()       = algorithm  4.24, Miller-Rabin algorithm
+//
+// Profiling shows:
+//     randTruePrime_() spends:
+//         10% of its time in calls to powMod_()
+//         85% of its time in calls to millerRabin()
+//     millerRabin() spends:
+//         99% of its time in calls to powMod_()   (always with a base of 2)
+//     powMod_() spends:
+//         94% of its time in calls to mont_()  (almost always with x==y)
+//
+// This suggests there are several ways to speed up this library slightly:
+//     - convert powMod_ to use a Montgomery form of k-ary window (or maybe a Montgomery form of sliding window)
+//         -- this should especially focus on being fast when raising 2 to a power mod n
+//     - convert randTruePrime_() to use a minimum r of 1/3 instead of 1/2 with the appropriate change to the test
+//     - tune the parameters in randTruePrime_(), including c, m, and recLimit
+//     - speed up the single loop in mont_() that takes 95% of the runtime, perhaps by reducing checking
+//       within the loop when all the parameters are the same length.
+//
+// There are several ideas that look like they wouldn't help much at all:
+//     - replacing trial division in randTruePrime_() with a sieve (that speeds up something taking almost no time anyway)
+//     - increase bpe from 15 to 30 (that would help if we had a 32*32->64 multiplier, but not with JavaScript's 32*32->32)
+//     - speeding up mont_(x,y,n,np) when x==y by doing a non-modular, non-Montgomery square
+//       followed by a Montgomery reduction.  The intermediate answer will be twice as long as x, so that
+//       method would be slower.  This is unfortunate because the code currently spends almost all of its time
+//       doing mont_(x,x,...), both for randTruePrime_() and powMod_().  A faster method for Montgomery squaring
+//       would have a large impact on the speed of randTruePrime_() and powMod_().  HAC has a couple of poorly-worded
+//       sentences that seem to imply it's faster to do a non-modular square followed by a single
+//       Montgomery reduction, but that's obviously wrong.
+////////////////////////////////////////////////////////////////////////////////////////
+//globals
+bpe=0;         //bits stored per array element
+mask=0;        //AND this with an array element to chop it down to bpe bits
+radix=mask+1;  //equals 2^bpe.  A single 1 bit to the left of the last bit of mask.
+//the digits for converting to different bases
+digitsStr='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_=!@#$%^&*()[]{}|;:,.<>/?`~ \\\'\"+-';
+//initialize the global variables
+for (bpe=0; (1<<(bpe+1)) > (1<<bpe); bpe++);  //bpe=number of bits in the mantissa on this platform
+bpe>>=1;                   //bpe=number of bits in one element of the array representing the bigInt
+mask=(1<<bpe)-1;           //AND the mask with an integer to get its bpe least significant bits
+radix=mask+1;              //2^bpe.  a single 1 bit to the left of the first bit of mask
+one=int2bigInt(1,1,1);     //constant used in powMod_()
+//the following global variables are scratchpad memory to
+//reduce dynamic memory allocation in the inner loop
+t=new Array(0);
+ss=t;       //used in mult_()
+s0=t;       //used in multMod_(), squareMod_()
+s1=t;       //used in powMod_(), multMod_(), squareMod_()
+s2=t;       //used in powMod_(), multMod_()
+s3=t;       //used in powMod_()
+s4=t; s5=t; //used in mod_()
+s6=t;       //used in bigInt2str()
+s7=t;       //used in powMod_()
+T=t;        //used in GCD_()
+sa=t;       //used in mont_()
+mr_x1=t; mr_r=t; mr_a=t;                                      //used in millerRabin()
+eg_v=t; eg_u=t; eg_A=t; eg_B=t; eg_C=t; eg_D=t;               //used in eGCD_(), inverseMod_()
+md_q1=t; md_q2=t; md_q3=t; md_r=t; md_r1=t; md_r2=t; md_tt=t; //used in mod_()
+primes=t; pows=t; s_i=t; s_i2=t; s_R=t; s_rm=t; s_q=t; s_n1=t;
+s_a=t; s_r2=t; s_n=t; s_b=t; s_d=t; s_x1=t; s_x2=t, s_aa=t; //used in randTruePrime_()
+////////////////////////////////////////////////////////////////////////////////////////
+//return array of all primes less than integer n
+function findPrimes(n) {
+var i,s,p,ans;
+s=new Array(n);
+for (i=0;i<n;i++)
+s[i]=0;
+s[0]=2;
+p=0;    //first p elements of s are primes, the rest are a sieve
+for(;s[p]<n;) {                  //s[p] is the pth prime
+for(i=s[p]*s[p]; i<n; i+=s[p]) //mark multiples of s[p]
+s[i]=1;
+p++;
+s[p]=s[p-1]+1;
+for(; s[p]<n && s[s[p]]; s[p]++); //find next prime (where s[p]==0)
+}
+ans=new Array(p);
+for(i=0;i<p;i++)
+ans[i]=s[i];
+return ans;
+}
+//does a single round of Miller-Rabin base b consider x to be a possible prime?
+//x is a bigInt, and b is an integer
+function millerRabin(x,b) {
+var i,j,k,s;
+if (mr_x1.length!=x.length) {
+mr_x1=dup(x);
+mr_r=dup(x);
+mr_a=dup(x);
+}
+copyInt_(mr_a,b);
+copy_(mr_r,x);
+copy_(mr_x1,x);
+addInt_(mr_r,-1);
+addInt_(mr_x1,-1);
+//s=the highest power of two that divides mr_r
+k=0;
+for (i=0;i<mr_r.length;i++)
+for (j=1;j<mask;j<<=1)
+if (x[i] & j) {
+s=(k<mr_r.length+bpe ? k : 0);
+i=mr_r.length;
+j=mask;
+} else
+k++;
+if (s)
+rightShift_(mr_r,s);
+powMod_(mr_a,mr_r,x);
+if (!equalsInt(mr_a,1) && !equals(mr_a,mr_x1)) {
+j=1;
+while (j<=s-1 && !equals(mr_a,mr_x1)) {
+squareMod_(mr_a,x);
+if (equalsInt(mr_a,1)) {
+return 0;
+}
+j++;
+}
+if (!equals(mr_a,mr_x1)) {
+return 0;
+}
+}
+return 1;
+}
+//returns how many bits long the bigInt is, not counting leading zeros.
+function bitSize(x) {
+var j,z,w;
+for (j=x.length-1; (x[j]==0) && (j>0); j--);
+for (z=0,w=x[j]; w; (w>>=1),z++);
+z+=bpe*j;
+return z;
+}
+//return a copy of x with at least n elements, adding leading zeros if needed
+function expand(x,n) {
+var ans=int2bigInt(0,(x.length>n ? x.length : n)*bpe,0);
+copy_(ans,x);
+return ans;
+}
+//return a k-bit true random prime using Maurer's algorithm.
+function randTruePrime(k) {
+var ans=int2bigInt(0,k,0);
+randTruePrime_(ans,k);
+return bigint_trim(ans,1);
+}
+//return a new bigInt equal to (x mod n) for bigInts x and n.
+function mod(x,n) {
+var ans=dup(x);
+mod_(ans,n);
+return bigint_trim(ans,1);
+}
+//return (x+n) where x is a bigInt and n is an integer.
+function addInt(x,n) {
+var ans=expand(x,x.length+1);
+addInt_(ans,n);
+return bigint_trim(ans,1);
+}
+//return x*y for bigInts x and y. This is faster when y<x.
+function mult(x,y) {
+var ans=expand(x,x.length+y.length);
+mult_(ans,y);
+return bigint_trim(ans,1);
+}
+//return (x**y mod n) where x,y,n are bigInts and ** is exponentiation.  0**0=1. Faster for odd n.
+function powMod(x,y,n) {
+var ans=expand(x,n.length);
+powMod_(ans,bigint_trim(y,2),bigint_trim(n,2),0);  //this should work without the trim, but doesn't
+return bigint_trim(ans,1);
+}
+//return (x-y) for bigInts x and y.  Negative answers will be 2s complement
+function sub(x,y) {
+var ans=expand(x,(x.length>y.length ? x.length+1 : y.length+1));
+sub_(ans,y);
+return bigint_trim(ans,1);
+}
+//return (x+y) for bigInts x and y.
+function add(x,y) {
+var ans=expand(x,(x.length>y.length ? x.length+1 : y.length+1));
+add_(ans,y);
+return bigint_trim(ans,1);
+}
+//return (x**(-1) mod n) for bigInts x and n.  If no inverse exists, it returns null
+function inverseMod(x,n) {
+var ans=expand(x,n.length);
+var s;
+s=inverseMod_(ans,n);
+return s ? bigint_trim(ans,1) : null;
+}
+//return (x*y mod n) for bigInts x,y,n.  For greater speed, let y<x.
+function multMod(x,y,n) {
+var ans=expand(x,n.length);
+multMod_(ans,y,n);
+return bigint_trim(ans,1);
+}
+//generate a k-bit true random prime using Maurer's algorithm,
+//and put it into ans.  The bigInt ans must be large enough to hold it.
+function randTruePrime_(ans,k) {
+var c,m,pm,dd,j,r,B,divisible,z,zz,recSize;
+if (primes.length==0)
+primes=findPrimes(30000);  //check for divisibility by primes <=30000
+if (pows.length==0) {
+pows=new Array(512);
+for (j=0;j<512;j++) {
+pows[j]=Math.pow(2,j/511.-1.);
+}
+}
+//c and m should be tuned for a particular machine and value of k, to maximize speed
+c=0.1;  //c=0.1 in HAC
+m=20;   //generate this k-bit number by first recursively generating a number that has between k/2 and k-m bits
+recLimit=20; //stop recursion when k <=recLimit.  Must have recLimit >= 2
+if (s_i2.length!=ans.length) {
+s_i2=dup(ans);
+s_R =dup(ans);
+s_n1=dup(ans);
+s_r2=dup(ans);
+s_d =dup(ans);
+s_x1=dup(ans);
+s_x2=dup(ans);
+s_b =dup(ans);
+s_n =dup(ans);
+s_i =dup(ans);
+s_rm=dup(ans);
+s_q =dup(ans);
+s_a =dup(ans);
+s_aa=dup(ans);
+}
+if (k <= recLimit) {  //generate small random primes by trial division up to its square root
+pm=(1<<((k+2)>>1))-1; //pm is binary number with all ones, just over sqrt(2^k)
+copyInt_(ans,0);
+for (dd=1;dd;) {
+dd=0;
+ans[0]= 1 | (1<<(k-1)) | Math.floor(Math.random()*(1<<k));  //random, k-bit, odd integer, with msb 1
+for (j=1;(j<primes.length) && ((primes[j]&pm)==primes[j]);j++) { //trial division by all primes 3...sqrt(2^k)
+if (0==(ans[0]%primes[j])) {
+dd=1;
+break;
+}
+}
+}
+carry_(ans);
+return;
+}
+B=c*k*k;    //try small primes up to B (or all the primes[] array if the largest is less than B).
+if (k>2*m)  //generate this k-bit number by first recursively generating a number that has between k/2 and k-m bits
+for (r=1; k-k*r<=m; )
+r=pows[Math.floor(Math.random()*512)];   //r=Math.pow(2,Math.random()-1);
+else
+r=.5;
+//simulation suggests the more complex algorithm using r=.333 is only slightly faster.
+recSize=Math.floor(r*k)+1;
+randTruePrime_(s_q,recSize);
+copyInt_(s_i2,0);
+s_i2[Math.floor((k-2)/bpe)] |= (1<<((k-2)%bpe));   //s_i2=2^(k-2)
+divide_(s_i2,s_q,s_i,s_rm);                        //s_i=floor((2^(k-1))/(2q))
+z=bitSize(s_i);
+for (;;) {
+for (;;) {  //generate z-bit numbers until one falls in the range [0,s_i-1]
+randBigInt_(s_R,z,0);
+if (greater(s_i,s_R))
+break;
+}                //now s_R is in the range [0,s_i-1]
+addInt_(s_R,1);  //now s_R is in the range [1,s_i]
+add_(s_R,s_i);   //now s_R is in the range [s_i+1,2*s_i]
+copy_(s_n,s_q);
+mult_(s_n,s_R);
+multInt_(s_n,2);
+addInt_(s_n,1);    //s_n=2*s_R*s_q+1
+copy_(s_r2,s_R);
+multInt_(s_r2,2);  //s_r2=2*s_R
+//check s_n for divisibility by small primes up to B
+for (divisible=0,j=0; (j<primes.length) && (primes[j]<B); j++)
+if (modInt(s_n,primes[j])==0) {
+divisible=1;
+break;
+}
+if (!divisible)    //if it passes small primes check, then try a single Miller-Rabin base 2
+if (!millerRabin(s_n,2)) //this line represents 75% of the total runtime for randTruePrime_
+divisible=1;
+if (!divisible) {  //if it passes that test, continue checking s_n
+addInt_(s_n,-3);
+for (j=s_n.length-1;(s_n[j]==0) && (j>0); j--);  //strip leading zeros
+for (zz=0,w=s_n[j]; w; (w>>=1),zz++);
+zz+=bpe*j;                             //zz=number of bits in s_n, ignoring leading zeros
+for (;;) {  //generate z-bit numbers until one falls in the range [0,s_n-1]
+randBigInt_(s_a,zz,0);
+if (greater(s_n,s_a))
+break;
+}                //now s_a is in the range [0,s_n-1]
+addInt_(s_n,3);  //now s_a is in the range [0,s_n-4]
+addInt_(s_a,2);  //now s_a is in the range [2,s_n-2]
+copy_(s_b,s_a);
+copy_(s_n1,s_n);
+addInt_(s_n1,-1);
+powMod_(s_b,s_n1,s_n);   //s_b=s_a^(s_n-1) modulo s_n
+addInt_(s_b,-1);
+if (isZero(s_b)) {
+copy_(s_b,s_a);
+powMod_(s_b,s_r2,s_n);
+addInt_(s_b,-1);
+copy_(s_aa,s_n);
+copy_(s_d,s_b);
+GCD_(s_d,s_n);  //if s_b and s_n are relatively prime, then s_n is a prime
+if (equalsInt(s_d,1)) {
+copy_(ans,s_aa);
+return;     //if we've made it this far, then s_n is absolutely guaranteed to be prime
+}
+}
+}
+}
+}
+//Return an n-bit random BigInt (n>=1).  If s=1, then the most significant of those n bits is set to 1.
+function randBigInt(n,s) {
+var a,b;
+a=Math.floor((n-1)/bpe)+2; //# array elements to hold the BigInt with a leading 0 element
+b=int2bigInt(0,0,a);
+randBigInt_(b,n,s);
+return b;
+}
+//Set b to an n-bit random BigInt.  If s=1, then the most significant of those n bits is set to 1.
+//Array b must be big enough to hold the result. Must have n>=1
+function randBigInt_(b,n,s) {
+var i,a;
+for (i=0;i<b.length;i++)
+b[i]=0;
+a=Math.floor((n-1)/bpe)+1; //# array elements to hold the BigInt
+for (i=0;i<a;i++) {
+b[i]=Math.floor(Math.random()*(1<<(bpe-1)));
+}
+b[a-1] &= (2<<((n-1)%bpe))-1;
+if (s==1)
+b[a-1] |= (1<<((n-1)%bpe));
+}
+//Return the greatest common divisor of bigInts x and y (each with same number of elements).
+function GCD(x,y) {
+var xc,yc;
+xc=dup(x);
+yc=dup(y);
+GCD_(xc,yc);
+return xc;
+}
+//set x to the greatest common divisor of bigInts x and y (each with same number of elements).
+//y is destroyed.
+function GCD_(x,y) {
+var i,xp,yp,A,B,C,D,q,sing;
+if (T.length!=x.length)
+T=dup(x);
+sing=1;
+while (sing) { //while y has nonzero elements other than y[0]
+sing=0;
+for (i=1;i<y.length;i++) //check if y has nonzero elements other than 0
+if (y[i]) {
+sing=1;
+break;
+}
+if (!sing) break; //quit when y all zero elements except possibly y[0]
+for (i=x.length;!x[i] && i>=0;i--);  //find most significant element of x
+xp=x[i];
+yp=y[i];
+A=1; B=0; C=0; D=1;
+while ((yp+C) && (yp+D)) {
+q =Math.floor((xp+A)/(yp+C));
+qp=Math.floor((xp+B)/(yp+D));
+if (q!=qp)
+break;
+t= A-q*C;   A=C;   C=t;    //  do (A,B,xp, C,D,yp) = (C,D,yp, A,B,xp) - q*(0,0,0, C,D,yp)
+t= B-q*D;   B=D;   D=t;
+t=xp-q*yp; xp=yp; yp=t;
+}
+if (B) {
+copy_(T,x);
+linComb_(x,y,A,B); //x=A*x+B*y
+linComb_(y,T,D,C); //y=D*y+C*T
+} else {
+mod_(x,y);
+copy_(T,x);
+copy_(x,y);
+copy_(y,T);
+}
+}
+if (y[0]==0)
+return;
+t=modInt(x,y[0]);
+copyInt_(x,y[0]);
+y[0]=t;
+while (y[0]) {
+x[0]%=y[0];
+t=x[0]; x[0]=y[0]; y[0]=t;
+}
+}
+//do x=x**(-1) mod n, for bigInts x and n.
+//If no inverse exists, it sets x to zero and returns 0, else it returns 1.
+//The x array must be at least as large as the n array.
+function inverseMod_(x,n) {
+var k=1+2*Math.max(x.length,n.length);
+if(!(x[0]&1)  && !(n[0]&1)) {  //if both inputs are even, then inverse doesn't exist
+copyInt_(x,0);
+return 0;
+}
+if (eg_u.length!=k) {
+eg_u=new Array(k);
+eg_v=new Array(k);
+eg_A=new Array(k);
+eg_B=new Array(k);
+eg_C=new Array(k);
+eg_D=new Array(k);
+}
+copy_(eg_u,x);
+copy_(eg_v,n);
+copyInt_(eg_A,1);
+copyInt_(eg_B,0);
+copyInt_(eg_C,0);
+copyInt_(eg_D,1);
+for (;;) {
+while(!(eg_u[0]&1)) {  //while eg_u is even
+halve_(eg_u);
+if (!(eg_A[0]&1) && !(eg_B[0]&1)) { //if eg_A==eg_B==0 mod 2
+halve_(eg_A);
+halve_(eg_B);
+} else {
+add_(eg_A,n);  halve_(eg_A);
+sub_(eg_B,x);  halve_(eg_B);
+}
+}
+while (!(eg_v[0]&1)) {  //while eg_v is even
+halve_(eg_v);
+if (!(eg_C[0]&1) && !(eg_D[0]&1)) { //if eg_C==eg_D==0 mod 2
+halve_(eg_C);
+halve_(eg_D);
+} else {
+add_(eg_C,n);  halve_(eg_C);
+sub_(eg_D,x);  halve_(eg_D);
+}
+}
+if (!greater(eg_v,eg_u)) { //eg_v <= eg_u
+sub_(eg_u,eg_v);
+sub_(eg_A,eg_C);
+sub_(eg_B,eg_D);
+} else {                   //eg_v > eg_u
+sub_(eg_v,eg_u);
+sub_(eg_C,eg_A);
+sub_(eg_D,eg_B);
+}
+if (equalsInt(eg_u,0)) {
+if (negative(eg_C)) //make sure answer is nonnegative
+add_(eg_C,n);
+copy_(x,eg_C);
+if (!equalsInt(eg_v,1)) { //if GCD_(x,n)!=1, then there is no inverse
+copyInt_(x,0);
+return 0;
+}
+return 1;
+}
+}
+}
+//return x**(-1) mod n, for integers x and n.  Return 0 if there is no inverse
+function inverseModInt(x,n) {
+var a=1,b=0,t;
+for (;;) {
+if (x==1) return a;
+if (x==0) return 0;
+b-=a*Math.floor(n/x);
+n%=x;
+if (n==1) return b; //to avoid negatives, change this b to n-b, and each -= to +=
+if (n==0) return 0;
+a-=b*Math.floor(x/n);
+x%=n;
+}
+}
+//this deprecated function is for backward compatibility only.
+function inverseModInt_(x,n) {
+return inverseModInt(x,n);
+}
+//Given positive bigInts x and y, change the bigints v, a, and b to positive bigInts such that:
+//     v = GCD_(x,y) = a*x-b*y
+//The bigInts v, a, b, must have exactly as many elements as the larger of x and y.
+function eGCD_(x,y,v,a,b) {
+var g=0;
+var k=Math.max(x.length,y.length);
+if (eg_u.length!=k) {
+eg_u=new Array(k);
+eg_A=new Array(k);
+eg_B=new Array(k);
+eg_C=new Array(k);
+eg_D=new Array(k);
+}
+while(!(x[0]&1)  && !(y[0]&1)) {  //while x and y both even
+halve_(x);
+halve_(y);
+g++;
+}
+copy_(eg_u,x);
+copy_(v,y);
+copyInt_(eg_A,1);
+copyInt_(eg_B,0);
+copyInt_(eg_C,0);
+copyInt_(eg_D,1);
+for (;;) {
+while(!(eg_u[0]&1)) {  //while u is even
+halve_(eg_u);
+if (!(eg_A[0]&1) && !(eg_B[0]&1)) { //if A==B==0 mod 2
+halve_(eg_A);
+halve_(eg_B);
+} else {
+add_(eg_A,y);  halve_(eg_A);
+sub_(eg_B,x);  halve_(eg_B);
+}
+}
+while (!(v[0]&1)) {  //while v is even
+halve_(v);
+if (!(eg_C[0]&1) && !(eg_D[0]&1)) { //if C==D==0 mod 2
+halve_(eg_C);
+halve_(eg_D);
+} else {
+add_(eg_C,y);  halve_(eg_C);
+sub_(eg_D,x);  halve_(eg_D);
+}
+}
+if (!greater(v,eg_u)) { //v<=u
+sub_(eg_u,v);
+sub_(eg_A,eg_C);
+sub_(eg_B,eg_D);
+} else {                //v>u
+sub_(v,eg_u);
+sub_(eg_C,eg_A);
+sub_(eg_D,eg_B);
+}
+if (equalsInt(eg_u,0)) {
+if (negative(eg_C)) {   //make sure a (C)is nonnegative
+add_(eg_C,y);
+sub_(eg_D,x);
+}
+multInt_(eg_D,-1);  ///make sure b (D) is nonnegative
+copy_(a,eg_C);
+copy_(b,eg_D);
+leftShift_(v,g);
+return;
+}
+}
+}
+//is bigInt x negative?
+function negative(x) {
+return ((x[x.length-1]>>(bpe-1))&1);
+}
+//is (x << (shift*bpe)) > y?
+//x and y are nonnegative bigInts
+//shift is a nonnegative integer
+function greaterShift(x,y,shift) {
+var kx=x.length, ky=y.length;
+k=((kx+shift)<ky) ? (kx+shift) : ky;
+for (i=ky-1-shift; i<kx && i>=0; i++)
+if (x[i]>0)
+return 1; //if there are nonzeros in x to the left of the first column of y, then x is bigger
+for (i=kx-1+shift; i<ky; i++)
+if (y[i]>0)
+return 0; //if there are nonzeros in y to the left of the first column of x, then x is not bigger
+for (i=k-1; i>=shift; i--)
+if      (x[i-shift]>y[i]) return 1;
+else if (x[i-shift]<y[i]) return 0;
+return 0;
+}
+//is x > y? (x and y both nonnegative)
+function greater(x,y) {
+var i;
+var k=(x.length<y.length) ? x.length : y.length;
+for (i=x.length;i<y.length;i++)
+if (y[i])
+return 0;  //y has more digits
+for (i=y.length;i<x.length;i++)
+if (x[i])
+return 1;  //x has more digits
+for (i=k-1;i>=0;i--)
+if (x[i]>y[i])
+return 1;
+else if (x[i]<y[i])
+return 0;
+return 0;
+}
+//divide x by y giving quotient q and remainder r.  (q=floor(x/y),  r=x mod y).  All 4 are bigints.
+//x must have at least one leading zero element.
+//y must be nonzero.
+//q and r must be arrays that are exactly the same length as x. (Or q can have more).
+//Must have x.length >= y.length >= 2.
+function divide_(x,y,q,r) {
+var kx, ky;
+var i,j,y1,y2,c,a,b;
+copy_(r,x);
+for (ky=y.length;y[ky-1]==0;ky--); //ky is number of elements in y, not including leading zeros
+//normalize: ensure the most significant element of y has its highest bit set
+b=y[ky-1];
+for (a=0; b; a++)
+b>>=1;
+a=bpe-a;  //a is how many bits to shift so that the high order bit of y is leftmost in its array element
+leftShift_(y,a);  //multiply both by 1<<a now, then divide both by that at the end
+leftShift_(r,a);
+//Rob Visser discovered a bug: the following line was originally just before the normalization.
+for (kx=r.length;r[kx-1]==0 && kx>ky;kx--); //kx is number of elements in normalized x, not including leading zeros
+copyInt_(q,0);                      // q=0
+while (!greaterShift(y,r,kx-ky)) {  // while (leftShift_(y,kx-ky) <= r) {
+subShift_(r,y,kx-ky);             //   r=r-leftShift_(y,kx-ky)
+q[kx-ky]++;                       //   q[kx-ky]++;
+}                                   // }
+for (i=kx-1; i>=ky; i--) {
+if (r[i]==y[ky-1])
+q[i-ky]=mask;
+else
+q[i-ky]=Math.floor((r[i]*radix+r[i-1])/y[ky-1]);
+//The following for(;;) loop is equivalent to the commented while loop,
+//except that the uncommented version avoids overflow.
+//The commented loop comes from HAC, which assumes r[-1]==y[-1]==0
+//  while (q[i-ky]*(y[ky-1]*radix+y[ky-2]) > r[i]*radix*radix+r[i-1]*radix+r[i-2])
+//    q[i-ky]--;
+for (;;) {
+y2=(ky>1 ? y[ky-2] : 0)*q[i-ky];
+c=y2>>bpe;
+y2=y2 & mask;
+y1=c+q[i-ky]*y[ky-1];
+c=y1>>bpe;
+y1=y1 & mask;
+if (c==r[i] ? y1==r[i-1] ? y2>(i>1 ? r[i-2] : 0) : y1>r[i-1] : c>r[i])
+q[i-ky]--;
+else
+break;
+}
+linCombShift_(r,y,-q[i-ky],i-ky);    //r=r-q[i-ky]*leftShift_(y,i-ky)
+if (negative(r)) {
+addShift_(r,y,i-ky);         //r=r+leftShift_(y,i-ky)
+q[i-ky]--;
+}
+}
+rightShift_(y,a);  //undo the normalization step
+rightShift_(r,a);  //undo the normalization step
+}
+//do carries and borrows so each element of the bigInt x fits in bpe bits.
+function carry_(x) {
+var i,k,c,b;
+k=x.length;
+c=0;
+for (i=0;i<k;i++) {
+c+=x[i];
+b=0;
+if (c<0) {
+b=-(c>>bpe);
+c+=b*radix;
+}
+x[i]=c & mask;
+c=(c>>bpe)-b;
+}
+}
+//return x mod n for bigInt x and integer n.
+function modInt(x,n) {
+var i,c=0;
+for (i=x.length-1; i>=0; i--)
+c=(c*radix+x[i])%n;
+return c;
+}
+//convert the integer t into a bigInt with at least the given number of bits.
+//the returned array stores the bigInt in bpe-bit chunks, little endian (buff[0] is least significant word)
+//Pad the array with leading zeros so that it has at least minSize elements.
+//There will always be at least one leading 0 element.
+function int2bigInt(t,bits,minSize) {
+var i,k;
+k=Math.ceil(bits/bpe)+1;
+k=minSize>k ? minSize : k;
+buff=new Array(k);
+copyInt_(buff,t);
+return buff;
+}
+//return the bigInt given a string representation in a given base.
+//Pad the array with leading zeros so that it has at least minSize elements.
+//If base=-1, then it reads in a space-separated list of array elements in decimal.
+//The array will always have at least one leading zero, unless base=-1.
+function str2bigInt(s,base,minSize) {
+var d, i, j, x, y, kk;
+var k=s.length;
+if (base==-1) { //comma-separated list of array elements in decimal
+x=new Array(0);
+for (;;) {
+y=new Array(x.length+1);
+for (i=0;i<x.length;i++)
+y[i+1]=x[i];
+y[0]=parseInt(s,10);
+x=y;
+d=s.indexOf(',',0);
+if (d<1)
+break;
+s=s.substring(d+1);
+if (s.length==0)
+break;
+}
+if (x.length<minSize) {
+y=new Array(minSize);
+copy_(y,x);
+return y;
+}
+return x;
+}
+x=int2bigInt(0,base*k,0);
+for (i=0;i<k;i++) {
+d=digitsStr.indexOf(s.substring(i,i+1),0);
+if (base<=36 && d>=36)  //convert lowercase to uppercase if base<=36
+d-=26;
+if (d<base && d>=0) {   //ignore illegal characters
+multInt_(x,base);
+addInt_(x,d);
+}
+}
+for (k=x.length;k>0 && !x[k-1];k--); //strip off leading zeros
+k=minSize>k+1 ? minSize : k+1;
+y=new Array(k);
+kk=k<x.length ? k : x.length;
+for (i=0;i<kk;i++)
+y[i]=x[i];
+for (;i<k;i++)
+y[i]=0;
+return y;
+}
+//is bigint x equal to integer y?
+//y must have less than bpe bits
+function equalsInt(x,y) {
+var i;
+if (x[0]!=y)
+return 0;
+for (i=1;i<x.length;i++)
+if (x[i])
+return 0;
+return 1;
+}
+//are bigints x and y equal?
+//this works even if x and y are different lengths and have arbitrarily many leading zeros
+function equals(x,y) {
+var i;
+var k=x.length<y.length ? x.length : y.length;
+for (i=0;i<k;i++)
+if (x[i]!=y[i])
+return 0;
+if (x.length>y.length) {
+for (;i<x.length;i++)
+if (x[i])
+return 0;
+} else {
+for (;i<y.length;i++)
+if (y[i])
+return 0;
+}
+return 1;
+}
+//is the bigInt x equal to zero?
+function isZero(x) {
+var i;
+for (i=0;i<x.length;i++)
+if (x[i])
+return 0;
+return 1;
+}
+//convert a bigInt into a string in a given base, from base 2 up to base 95.
+//Base -1 prints the contents of the array representing the number.
+function bigInt2str(x,base) {
+var i,t,s="";
+if (s6.length!=x.length)
+s6=dup(x);
+else
+copy_(s6,x);
+if (base==-1) { //return the list of array contents
+for (i=x.length-1;i>0;i--)
+s+=x[i]+',';
+s+=x[0];
+}
+else { //return it in the given base
+while (!isZero(s6)) {
+t=divInt_(s6,base);  //t=s6 % base; s6=floor(s6/base);
+s=digitsStr.substring(t,t+1)+s;
+}
+}
+if (s.length==0)
+s="0";
+return s;
+}
+//returns a duplicate of bigInt x
+function dup(x) {
+var i;
+buff=new Array(x.length);
+copy_(buff,x);
+return buff;
+}
+//do x=y on bigInts x and y.  x must be an array at least as big as y (not counting the leading zeros in y).
+function copy_(x,y) {
+var i;
+var k=x.length<y.length ? x.length : y.length;
+for (i=0;i<k;i++)
+x[i]=y[i];
+for (i=k;i<x.length;i++)
+x[i]=0;
+}
+//do x=y on bigInt x and integer y.
+function copyInt_(x,n) {
+var i,c;
+for (c=n,i=0;i<x.length;i++) {
+x[i]=c & mask;
+c>>=bpe;
+}
+}
+//do x=x+n where x is a bigInt and n is an integer.
+//x must be large enough to hold the result.
+function addInt_(x,n) {
+var i,k,c,b;
+x[0]+=n;
+k=x.length;
+c=0;
+for (i=0;i<k;i++) {
+c+=x[i];
+b=0;
+if (c<0) {
+b=-(c>>bpe);
+c+=b*radix;
+}
+x[i]=c & mask;
+c=(c>>bpe)-b;
+if (!c) return; //stop carrying as soon as the carry_ is zero
+}
+}
+//right shift bigInt x by n bits.  0 <= n < bpe.
+function rightShift_(x,n) {
+var i;
+var k=Math.floor(n/bpe);
+if (k) {
+for (i=0;i<x.length-k;i++) //right shift x by k elements
+x[i]=x[i+k];
+for (;i<x.length;i++)
+x[i]=0;
+n%=bpe;
+}
+for (i=0;i<x.length-1;i++) {
+x[i]=mask & ((x[i+1]<<(bpe-n)) | (x[i]>>n));
+}
+x[i]>>=n;
+}
+//do x=floor(|x|/2)*sgn(x) for bigInt x in 2's complement
+function halve_(x) {
+var i;
+for (i=0;i<x.length-1;i++) {
+x[i]=mask & ((x[i+1]<<(bpe-1)) | (x[i]>>1));
+}
+x[i]=(x[i]>>1) | (x[i] & (radix>>1));  //most significant bit stays the same
+}
+//left shift bigInt x by n bits.
+function leftShift_(x,n) {
+var i;
+var k=Math.floor(n/bpe);
+if (k) {
+for (i=x.length; i>=k; i--) //left shift x by k elements
+x[i]=x[i-k];
+for (;i>=0;i--)
+x[i]=0;
+n%=bpe;
+}
+if (!n)
+return;
+for (i=x.length-1;i>0;i--) {
+x[i]=mask & ((x[i]<<n) | (x[i-1]>>(bpe-n)));
+}
+x[i]=mask & (x[i]<<n);
+}
+//do x=x*n where x is a bigInt and n is an integer.
+//x must be large enough to hold the result.
+function multInt_(x,n) {
+var i,k,c,b;
+if (!n)
+return;
+k=x.length;
+c=0;
+for (i=0;i<k;i++) {
+c+=x[i]*n;
+b=0;
+if (c<0) {
+b=-(c>>bpe);
+c+=b*radix;
+}
+x[i]=c & mask;
+c=(c>>bpe)-b;
+}
+}
+//do x=floor(x/n) for bigInt x and integer n, and return the remainder
+function divInt_(x,n) {
+var i,r=0,s;
+for (i=x.length-1;i>=0;i--) {
+s=r*radix+x[i];
+x[i]=Math.floor(s/n);
+r=s%n;
+}
+return r;
+}
+//do the linear combination x=a*x+b*y for bigInts x and y, and integers a and b.
+//x must be large enough to hold the answer.
+function linComb_(x,y,a,b) {
+var i,c,k,kk;
+k=x.length<y.length ? x.length : y.length;
+kk=x.length;
+for (c=0,i=0;i<k;i++) {
+c+=a*x[i]+b*y[i];
+x[i]=c & mask;
+c>>=bpe;
+}
+for (i=k;i<kk;i++) {
+c+=a*x[i];
+x[i]=c & mask;
+c>>=bpe;
+}
+}
+//do the linear combination x=a*x+b*(y<<(ys*bpe)) for bigInts x and y, and integers a, b and ys.
+//x must be large enough to hold the answer.
+function linCombShift_(x,y,b,ys) {
+var i,c,k,kk;
+k=x.length<ys+y.length ? x.length : ys+y.length;
+kk=x.length;
+for (c=0,i=ys;i<k;i++) {
+c+=x[i]+b*y[i-ys];
+x[i]=c & mask;
+c>>=bpe;
+}
+for (i=k;c && i<kk;i++) {
+c+=x[i];
+x[i]=c & mask;
+c>>=bpe;
+}
+}
+//do x=x+(y<<(ys*bpe)) for bigInts x and y, and integers a,b and ys.
+//x must be large enough to hold the answer.
+function addShift_(x,y,ys) {
+var i,c,k,kk;
+k=x.length<ys+y.length ? x.length : ys+y.length;
+kk=x.length;
+for (c=0,i=ys;i<k;i++) {
+c+=x[i]+y[i-ys];
+x[i]=c & mask;
+c>>=bpe;
+}
+for (i=k;c && i<kk;i++) {
+c+=x[i];
+x[i]=c & mask;
+c>>=bpe;
+}
+}
+//do x=x-(y<<(ys*bpe)) for bigInts x and y, and integers a,b and ys.
+//x must be large enough to hold the answer.
+function subShift_(x,y,ys) {
+var i,c,k,kk;
+k=x.length<ys+y.length ? x.length : ys+y.length;
+kk=x.length;
+for (c=0,i=ys;i<k;i++) {
+c+=x[i]-y[i-ys];
+x[i]=c & mask;
+c>>=bpe;
+}
+for (i=k;c && i<kk;i++) {
+c+=x[i];
+x[i]=c & mask;
+c>>=bpe;
+}
+}
+//do x=x-y for bigInts x and y.
+//x must be large enough to hold the answer.
+//negative answers will be 2s complement
+function sub_(x,y) {
+var i,c,k,kk;
+k=x.length<y.length ? x.length : y.length;
+for (c=0,i=0;i<k;i++) {
+c+=x[i]-y[i];
+x[i]=c & mask;
+c>>=bpe;
+}
+for (i=k;c && i<x.length;i++) {
+c+=x[i];
+x[i]=c & mask;
+c>>=bpe;
+}
+}
+//do x=x+y for bigInts x and y.
+//x must be large enough to hold the answer.
+function add_(x,y) {
+var i,c,k,kk;
+k=x.length<y.length ? x.length : y.length;
+for (c=0,i=0;i<k;i++) {
+c+=x[i]+y[i];
+x[i]=c & mask;
+c>>=bpe;
+}
+for (i=k;c && i<x.length;i++) {
+c+=x[i];
+x[i]=c & mask;
+c>>=bpe;
+}
+}
+//do x=x*y for bigInts x and y.  This is faster when y<x.
+function mult_(x,y) {
+var i;
+if (ss.length!=2*x.length)
+ss=new Array(2*x.length);
+copyInt_(ss,0);
+for (i=0;i<y.length;i++)
+if (y[i])
+linCombShift_(ss,x,y[i],i);   //ss=1*ss+y[i]*(x<<(i*bpe))
+copy_(x,ss);
+}
+//do x=x mod n for bigInts x and n.
+function mod_(x,n) {
+if (s4.length!=x.length)
+s4=dup(x);
+else
+copy_(s4,x);
+if (s5.length!=x.length)
+s5=dup(x);
+divide_(s4,n,s5,x);  //x = remainder of s4 / n
+}
+//do x=x*y mod n for bigInts x,y,n.
+//for greater speed, let y<x.
+function multMod_(x,y,n) {
+var i;
+if (s0.length!=2*x.length)
+s0=new Array(2*x.length);
+copyInt_(s0,0);
+for (i=0;i<y.length;i++)
+if (y[i])
+linCombShift_(s0,x,y[i],i);   //s0=1*s0+y[i]*(x<<(i*bpe))
+mod_(s0,n);
+copy_(x,s0);
+}
+//do x=x*x mod n for bigInts x,n.
+function squareMod_(x,n) {
+var i,j,d,c,kx,kn,k;
+for (kx=x.length; kx>0 && !x[kx-1]; kx--);  //ignore leading zeros in x
+k=kx>n.length ? 2*kx : 2*n.length; //k=# elements in the product, which is twice the elements in the larger of x and n
+if (s0.length!=k)
+s0=new Array(k);
+copyInt_(s0,0);
+for (i=0;i<kx;i++) {
+c=s0[2*i]+x[i]*x[i];
+s0[2*i]=c & mask;
+c>>=bpe;
+for (j=i+1;j<kx;j++) {
+c=s0[i+j]+2*x[i]*x[j]+c;
+s0[i+j]=(c & mask);
+c>>=bpe;
+}
+s0[i+kx]=c;
+}
+mod_(s0,n);
+copy_(x,s0);
+}
+//return x with exactly k leading zero elements
+function bigint_trim(x,k) {
+var i,y;
+for (i=x.length; i>0 && !x[i-1]; i--);
+y=new Array(i+k);
+copy_(y,x);
+return y;
+}
+//do x=x**y mod n, where x,y,n are bigInts and ** is exponentiation.  0**0=1.
+//this is faster when n is odd.  x usually needs to have as many elements as n.
+function powMod_(x,y,n) {
+var k1,k2,kn,np;
+if(s7.length!=n.length)
+s7=dup(n);
+//for even modulus, use a simple square-and-multiply algorithm,
+//rather than using the more complex Montgomery algorithm.
+if ((n[0]&1)==0) {
+copy_(s7,x);
+copyInt_(x,1);
+while(!equalsInt(y,0)) {
+if (y[0]&1)
+multMod_(x,s7,n);
+divInt_(y,2);
+squareMod_(s7,n);
+}
+return;
+}
+//calculate np from n for the Montgomery multiplications
+copyInt_(s7,0);
+for (kn=n.length;kn>0 && !n[kn-1];kn--);
+np=radix-inverseModInt(modInt(n,radix),radix);
+s7[kn]=1;
+multMod_(x ,s7,n);   // x = x * 2**(kn*bp) mod n
+if (s3.length!=x.length)
+s3=dup(x);
+else
+copy_(s3,x);
+for (k1=y.length-1;k1>0 & !y[k1]; k1--);  //k1=first nonzero element of y
+if (y[k1]==0) {  //anything to the 0th power is 1
+copyInt_(x,1);
+return;
+}
+for (k2=1<<(bpe-1);k2 && !(y[k1] & k2); k2>>=1);  //k2=position of first 1 bit in y[k1]
+for (;;) {
+if (!(k2>>=1)) {  //look at next bit of y
+k1--;
+if (k1<0) {
+mont_(x,one,n,np);
+return;
+}
+k2=1<<(bpe-1);
+}
+mont_(x,x,n,np);
+if (k2 & y[k1]) //if next bit is a 1
+mont_(x,s3,n,np);
+}
+}
+//do x=x*y*Ri mod n for bigInts x,y,n,
+//  where Ri = 2**(-kn*bpe) mod n, and kn is the
+//  number of elements in the n array, not
+//  counting leading zeros.
+//x must be large enough to hold the answer.
+//It's OK if x and y are the same variable.
+//must have:
+//  x,y < n
+//  n is odd
+//  np = -(n^(-1)) mod radix
+function mont_(x,y,n,np) {
+var i,j,c,ui,t;
+var kn=n.length;
+var ky=y.length;
+if (sa.length!=kn)
+sa=new Array(kn);
+for (;kn>0 && n[kn-1]==0;kn--); //ignore leading zeros of n
+//this function sometimes gives wrong answers when the next line is uncommented
+//for (;ky>0 && y[ky-1]==0;ky--); //ignore leading zeros of y
+copyInt_(sa,0);
+//the following loop consumes 95% of the runtime for randTruePrime_() and powMod_() for large keys
+for (i=0; i<kn; i++) {
+t=sa[0]+x[i]*y[0];
+ui=((t & mask) * np) & mask;  //the inner "& mask" is needed on Macintosh MSIE, but not windows MSIE
+c=(t+ui*n[0]) >> bpe;
+t=x[i];
+//do sa=(sa+x[i]*y+ui*n)/b   where b=2**bpe
+for (j=1;j<ky;j++) {
+c+=sa[j]+t*y[j]+ui*n[j];
+sa[j-1]=c & mask;
+c>>=bpe;
+}
+for (;j<kn;j++) {
+c+=sa[j]+ui*n[j];
+sa[j-1]=c & mask;
+c>>=bpe;
+}
+sa[j-1]=c & mask;
+}
+if (!greater(n,sa))
+sub_(sa,n);
+copy_(x,sa);
+}
+/* rijndael.js      Rijndael Reference Implementation
+Copyright (c) 2001 Fritz Schneider
+This software is provided as-is, without express or implied warranty.
+Permission to use, copy, modify, distribute or sell this software, with or
+without fee, for any purpose and by any individual or organization, is hereby
+granted, provided that the above copyright notice and this paragraph appear
+in all copies. Distribution as a part of an application or binary must
+include the above copyright notice in the documentation and/or other materials
+provided with the application or distribution.
+As the above disclaimer notes, you are free to use this code however you
+want. However, I would request that you send me an email
+(fritz /at/ cs /dot/ ucsd /dot/ edu) to say hi if you find this code useful
+or instructional. Seeing that people are using the code acts as
+encouragement for me to continue development. If you *really* want to thank
+me you can buy the book I wrote with Thomas Powell, _JavaScript:
+_The_Complete_Reference_ :)
+This code is an UNOPTIMIZED REFERENCE implementation of Rijndael.
+If there is sufficient interest I can write an optimized (word-based,
+table-driven) version, although you might want to consider using a
+compiled language if speed is critical to your application. As it stands,
+one run of the monte carlo test (10,000 encryptions) can take up to
+several minutes, depending upon your processor. You shouldn't expect more
+than a few kilobytes per second in throughput.
+Also note that there is very little error checking in these functions.
+Doing proper error checking is always a good idea, but the ideal
+implementation (using the instanceof operator and exceptions) requires
+IE5+/NS6+, and I've chosen to implement this code so that it is compatible
+with IE4/NS4.
+And finally, because JavaScript doesn't have an explicit byte/char data
+type (although JavaScript 2.0 most likely will), when I refer to "byte"
+in this code I generally mean "32 bit integer with value in the interval
+[0,255]" which I treat as a byte.
+See http://www-cse.ucsd.edu/~fritz/rijndael.html for more documentation
+of the (very simple) API provided by this code.
+Fritz Schneider
+fritz at cs.ucsd.edu
+*/
+// Rijndael parameters --  Valid values are 128, 192, or 256
+var keySizeInBits =   ( typeof AES_BITS == 'number' ) ? AES_BITS : 128;
+var blockSizeInBits = ( typeof AES_BLOCKSIZE == 'number' ) ? AES_BLOCKSIZE : 128;
+///////  You shouldn't have to modify anything below this line except for
+///////  the function getRandomBytes().
+//
+// Note: in the following code the two dimensional arrays are indexed as
+//       you would probably expect, as array[row][column]. The state arrays
+//       are 2d arrays of the form state[4][Nb].
+// The number of rounds for the cipher, indexed by [Nk][Nb]
+var roundsArray = [ ,,,,[,,,,10,, 12,, 14],,
+[,,,,12,, 12,, 14],,
+[,,,,14,, 14,, 14] ];
+// The number of bytes to shift by in shiftRow, indexed by [Nb][row]
+var shiftOffsets = [ ,,,,[,1, 2, 3],,[,1, 2, 3],,[,1, 3, 4] ];
+// The round constants used in subkey expansion
+var Rcon = [
+0x01, 0x02, 0x04, 0x08, 0x10, 0x20,
+0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8,
+0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc,
+0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4,
+0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91 ];
+// Precomputed lookup table for the SBox
+var SBox = [
+99, 124, 119, 123, 242, 107, 111, 197,  48,   1, 103,  43, 254, 215, 171,
+118, 202, 130, 201, 125, 250,  89,  71, 240, 173, 212, 162, 175, 156, 164,
+114, 192, 183, 253, 147,  38,  54,  63, 247, 204,  52, 165, 229, 241, 113,
+216,  49,  21,   4, 199,  35, 195,  24, 150,   5, 154,   7,  18, 128, 226,
+235,  39, 178, 117,   9, 131,  44,  26,  27, 110,  90, 160,  82,  59, 214,
+179,  41, 227,  47, 132,  83, 209,   0, 237,  32, 252, 177,  91, 106, 203,
+190,  57,  74,  76,  88, 207, 208, 239, 170, 251,  67,  77,  51, 133,  69,
+249,   2, 127,  80,  60, 159, 168,  81, 163,  64, 143, 146, 157,  56, 245,
+188, 182, 218,  33,  16, 255, 243, 210, 205,  12,  19, 236,  95, 151,  68,
+23,  196, 167, 126,  61, 100,  93,  25, 115,  96, 129,  79, 220,  34,  42,
+144, 136,  70, 238, 184,  20, 222,  94,  11, 219, 224,  50,  58,  10,  73,
+6,  36,  92, 194, 211, 172,  98, 145, 149, 228, 121, 231, 200,  55, 109,
+141, 213,  78, 169, 108,  86, 244, 234, 101, 122, 174,   8, 186, 120,  37,
+46,  28, 166, 180, 198, 232, 221, 116,  31,  75, 189, 139, 138, 112,  62,
+181, 102,  72,   3, 246,  14,  97,  53,  87, 185, 134, 193,  29, 158, 225,
+248, 152,  17, 105, 217, 142, 148, 155,  30, 135, 233, 206,  85,  40, 223,
+140, 161, 137,  13, 191, 230,  66, 104,  65, 153,  45,  15, 176,  84, 187,
+22 ];
+// Precomputed lookup table for the inverse SBox
+var SBoxInverse = [
+82,   9, 106, 213,  48,  54, 165,  56, 191,  64, 163, 158, 129, 243, 215,
+251, 124, 227,  57, 130, 155,  47, 255, 135,  52, 142,  67,  68, 196, 222,
+233, 203,  84, 123, 148,  50, 166, 194,  35,  61, 238,  76, 149,  11,  66,
+250, 195,  78,   8,  46, 161, 102,  40, 217,  36, 178, 118,  91, 162,  73,
+109, 139, 209,  37, 114, 248, 246, 100, 134, 104, 152,  22, 212, 164,  92,
+204,  93, 101, 182, 146, 108, 112,  72,  80, 253, 237, 185, 218,  94,  21,
+70,  87, 167, 141, 157, 132, 144, 216, 171,   0, 140, 188, 211,  10, 247,
+228,  88,   5, 184, 179,  69,   6, 208,  44,  30, 143, 202,  63,  15,   2,
+193, 175, 189,   3,   1,  19, 138, 107,  58, 145,  17,  65,  79, 103, 220,
+234, 151, 242, 207, 206, 240, 180, 230, 115, 150, 172, 116,  34, 231, 173,
+53, 133, 226, 249,  55, 232,  28, 117, 223, 110,  71, 241,  26, 113,  29,
+41, 197, 137, 111, 183,  98,  14, 170,  24, 190,  27, 252,  86,  62,  75,
+198, 210, 121,  32, 154, 219, 192, 254, 120, 205,  90, 244,  31, 221, 168,
+51, 136,   7, 199,  49, 177,  18,  16,  89,  39, 128, 236,  95,  96,  81,
+127, 169,  25, 181,  74,  13,  45, 229, 122, 159, 147, 201, 156, 239, 160,
+224,  59,  77, 174,  42, 245, 176, 200, 235, 187,  60, 131,  83, 153,  97,
+23,  43,   4, 126, 186, 119, 214,  38, 225, 105,  20,  99,  85,  33,  12,
+125 ];
+function str_split(string, chunklen)
+{
+if(!chunklen) chunklen = 1;
+ret = new Array();
+for ( i = 0; i < string.length; i+=chunklen )
+{
+ret[ret.length] = string.slice(i, i+chunklen);
+}
+return ret;
+}
+// This method circularly shifts the array left by the number of elements
+// given in its parameter. It returns the resulting array and is used for
+// the ShiftRow step. Note that shift() and push() could be used for a more
+// elegant solution, but they require IE5.5+, so I chose to do it manually.
+function cyclicShiftLeft(theArray, positions) {
+var temp = theArray.slice(0, positions);
+theArray = theArray.slice(positions).concat(temp);
+return theArray;
+}
+// Cipher parameters ... do not change these
+var Nk = keySizeInBits / 32;
+var Nb = blockSizeInBits / 32;
+var Nr = roundsArray[Nk][Nb];
+// Multiplies the element "poly" of GF(2^8) by x. See the Rijndael spec.
+function xtime(poly) {
+poly <<= 1;
+return ((poly & 0x100) ? (poly ^ 0x11B) : (poly));
+}
+// Multiplies the two elements of GF(2^8) together and returns the result.
+// See the Rijndael spec, but should be straightforward: for each power of
+// the indeterminant that has a 1 coefficient in x, add y times that power
+// to the result. x and y should be bytes representing elements of GF(2^8)
+function mult_GF256(x, y) {
+var bit, result = 0;
+for (bit = 1; bit < 256; bit *= 2, y = xtime(y)) {
+if (x & bit)
+result ^= y;
+}
+return result;
+}
+// Performs the substitution step of the cipher. State is the 2d array of
+// state information (see spec) and direction is string indicating whether
+// we are performing the forward substitution ("encrypt") or inverse
+// substitution (anything else)
+function byteSub(state, direction) {
+var S;
+if (direction == "encrypt")           // Point S to the SBox we're using
+S = SBox;
+else
+S = SBoxInverse;
+for (var i = 0; i < 4; i++)           // Substitute for every byte in state
+for (var j = 0; j < Nb; j++)
+state[i][j] = S[state[i][j]];
+}
+// Performs the row shifting step of the cipher.
+function shiftRow(state, direction) {
+for (var i=1; i<4; i++)               // Row 0 never shifts
+if (direction == "encrypt")
+state[i] = cyclicShiftLeft(state[i], shiftOffsets[Nb][i]);
+else
+state[i] = cyclicShiftLeft(state[i], Nb - shiftOffsets[Nb][i]);
+}
+// Performs the column mixing step of the cipher. Most of these steps can
+// be combined into table lookups on 32bit values (at least for encryption)
+// to greatly increase the speed.
+function mixColumn(state, direction) {
+var b = [];                            // Result of matrix multiplications
+for (var j = 0; j < Nb; j++) {         // Go through each column...
+for (var i = 0; i < 4; i++) {        // and for each row in the column...
+if (direction == "encrypt")
+b[i] = mult_GF256(state[i][j], 2) ^          // perform mixing
+mult_GF256(state[(i+1)%4][j], 3) ^
+state[(i+2)%4][j] ^
+state[(i+3)%4][j];
+else
+b[i] = mult_GF256(state[i][j], 0xE) ^
+mult_GF256(state[(i+1)%4][j], 0xB) ^
+mult_GF256(state[(i+2)%4][j], 0xD) ^
+mult_GF256(state[(i+3)%4][j], 9);
+}
+for (var i = 0; i < 4; i++)          // Place result back into column
+state[i][j] = b[i];
+}
+}
+// Adds the current round key to the state information. Straightforward.
+function addRoundKey(state, roundKey) {
+for (var j = 0; j < Nb; j++) {                 // Step through columns...
+state[0][j] ^= (roundKey[j] & 0xFF);         // and XOR
+state[1][j] ^= ((roundKey[j]>>8) & 0xFF);
+state[2][j] ^= ((roundKey[j]>>16) & 0xFF);
+state[3][j] ^= ((roundKey[j]>>24) & 0xFF);
+}
+}
+// This function creates the expanded key from the input (128/192/256-bit)
+// key. The parameter key is an array of bytes holding the value of the key.
+// The returned value is an array whose elements are the 32-bit words that
+// make up the expanded key.
+function keyExpansion(key) {
+var expandedKey = new Array();
+var temp;
+// in case the key size or parameters were changed...
+Nk = keySizeInBits / 32;
+Nb = blockSizeInBits / 32;
+Nr = roundsArray[Nk][Nb];
+for (var j=0; j < Nk; j++)     // Fill in input key first
+expandedKey[j] =
+(key[4*j]) | (key[4*j+1]<<8) | (key[4*j+2]<<16) | (key[4*j+3]<<24);
+// Now walk down the rest of the array filling in expanded key bytes as
+// per Rijndael's spec
+for (j = Nk; j < Nb * (Nr + 1); j++) {    // For each word of expanded key
+temp = expandedKey[j - 1];
+if (j % Nk == 0)
+temp = ( (SBox[(temp>>8) & 0xFF]) |
+(SBox[(temp>>16) & 0xFF]<<8) |
+(SBox[(temp>>24) & 0xFF]<<16) |
+(SBox[temp & 0xFF]<<24) ) ^ Rcon[Math.floor(j / Nk) - 1];
+else if (Nk > 6 && j % Nk == 4)
+temp = (SBox[(temp>>24) & 0xFF]<<24) |
+(SBox[(temp>>16) & 0xFF]<<16) |
+(SBox[(temp>>8) & 0xFF]<<8) |
+(SBox[temp & 0xFF]);
+expandedKey[j] = expandedKey[j-Nk] ^ temp;
+}
+return expandedKey;
+}
+// Rijndael's round functions...
+function Round(state, roundKey) {
+byteSub(state, "encrypt");
+shiftRow(state, "encrypt");
+mixColumn(state, "encrypt");
+addRoundKey(state, roundKey);
+}
+function InverseRound(state, roundKey) {
+addRoundKey(state, roundKey);
+mixColumn(state, "decrypt");
+shiftRow(state, "decrypt");
+byteSub(state, "decrypt");
+}
+function FinalRound(state, roundKey) {
+byteSub(state, "encrypt");
+shiftRow(state, "encrypt");
+addRoundKey(state, roundKey);
+}
+function InverseFinalRound(state, roundKey){
+addRoundKey(state, roundKey);
+shiftRow(state, "decrypt");
+byteSub(state, "decrypt");
+}
+// encrypt is the basic encryption function. It takes parameters
+// block, an array of bytes representing a plaintext block, and expandedKey,
+// an array of words representing the expanded key previously returned by
+// keyExpansion(). The ciphertext block is returned as an array of bytes.
+function encrypt(block, expandedKey) {
+var i;
+if (!block || block.length*8 != blockSizeInBits)
+return;
+if (!expandedKey)
+return;
+block = packBytes(block);
+addRoundKey(block, expandedKey);
+for (i=1; i<Nr; i++)
+Round(block, expandedKey.slice(Nb*i, Nb*(i+1)));
+FinalRound(block, expandedKey.slice(Nb*Nr));
+return unpackBytes(block);
+}
+// decrypt is the basic decryption function. It takes parameters
+// block, an array of bytes representing a ciphertext block, and expandedKey,
+// an array of words representing the expanded key previously returned by
+// keyExpansion(). The decrypted block is returned as an array of bytes.
+function decrypt(block, expandedKey) {
+var i;
+if (!block || block.length*8 != blockSizeInBits)
+return;
+if (!expandedKey)
+return;
+block = packBytes(block);
+InverseFinalRound(block, expandedKey.slice(Nb*Nr));
+for (i = Nr - 1; i>0; i--)
+InverseRound(block, expandedKey.slice(Nb*i, Nb*(i+1)));
+addRoundKey(block, expandedKey);
+return unpackBytes(block);
+}
+// This method takes a byte array (byteArray) and converts it to a string by
+// applying String.fromCharCode() to each value and concatenating the result.
+// The resulting string is returned. Note that this function SKIPS zero bytes
+// under the assumption that they are padding added in formatPlaintext().
+// Obviously, do not invoke this method on raw data that can contain zero
+// bytes. It is really only appropriate for printable ASCII/Latin-1
+// values. Roll your own function for more robust functionality :)
+function byteArrayToString(byteArray) {
+var result = "";
+for(var i=0; i<byteArray.length; i++)
+if (byteArray[i] != 0)
+result += String.fromCharCode(byteArray[i]);
+return result;
+}
+// This function takes an array of bytes (byteArray) and converts them
+// to a hexadecimal string. Array element 0 is found at the beginning of
+// the resulting string, high nibble first. Consecutive elements follow
+// similarly, for example [16, 255] --> "10ff". The function returns a
+// string.
+function byteArrayToHex(byteArray) {
+var result = "";
+if (!byteArray)
+return;
+for (var i=0; i<byteArray.length; i++)
+result += ((byteArray[i]<16) ? "0" : "") + byteArray[i].toString(16);
+return result;
+}
+// This function converts a string containing hexadecimal digits to an
+// array of bytes. The resulting byte array is filled in the order the
+// values occur in the string, for example "10FF" --> [16, 255]. This
+// function returns an array.
+function hexToByteArray(hexString) {
+/*
+var byteArray = [];
+if (hexString.length % 2)             // must have even length
+return;
+if (hexString.indexOf("0x") == 0 || hexString.indexOf("0X") == 0)
+hexString = hexString.substring(2);
+for (var i = 0; i<hexString.length; i += 2)
+byteArray[Math.floor(i/2)] = parseInt(hexString.slice(i, i+2), 16);
+return byteArray;
+*/
+var bytes = new Array();
+hexString = str_split(hexString, 2);
+//alert(hexString.toString());
+//return false;
+for( var i in hexString )
+{
+bytes[bytes.length] = parseInt(hexString[i], 16);
+}
+//alert(bytes.toString());
+return bytes;
+}
+// This function packs an array of bytes into the four row form defined by
+// Rijndael. It assumes the length of the array of bytes is divisible by
+// four. Bytes are filled in according to the Rijndael spec (starting with
+// column 0, row 0 to 3). This function returns a 2d array.
+function packBytes(octets) {
+var state = new Array();
+if (!octets || octets.length % 4)
+return;
+state[0] = new Array();  state[1] = new Array();
+state[2] = new Array();  state[3] = new Array();
+for (var j=0; j<octets.length; j+= 4) {
+state[0][j/4] = octets[j];
+state[1][j/4] = octets[j+1];
+state[2][j/4] = octets[j+2];
+state[3][j/4] = octets[j+3];
+}
+return state;
+}
+// This function unpacks an array of bytes from the four row format preferred
+// by Rijndael into a single 1d array of bytes. It assumes the input "packed"
+// is a packed array. Bytes are filled in according to the Rijndael spec.
+// This function returns a 1d array of bytes.
+function unpackBytes(packed) {
+var result = new Array();
+for (var j=0; j<packed[0].length; j++) {
+result[result.length] = packed[0][j];
+result[result.length] = packed[1][j];
+result[result.length] = packed[2][j];
+result[result.length] = packed[3][j];
+}
+return result;
+}
+// This function takes a prospective plaintext (string or array of bytes)
+// and pads it with zero bytes if its length is not a multiple of the block
+// size. If plaintext is a string, it is converted to an array of bytes
+// in the process. The type checking can be made much nicer using the
+// instanceof operator, but this operator is not available until IE5.0 so I
+// chose to use the heuristic below.
+function formatPlaintext(plaintext) {
+var bpb = blockSizeInBits / 8;               // bytes per block
+var i;
+// if primitive string or String instance
+if (typeof plaintext == "string" || plaintext.split) {
+// alert('AUUGH you idiot it\'s NOT A STRING ITS A '+typeof(plaintext)+'!!!');
+// return false;
+plaintext = plaintext.split("");
+// Unicode issues here (ignoring high byte)
+for (i=0; i<plaintext.length; i++)
+plaintext[i] = plaintext[i].charCodeAt(0) & 0xFF;
+}
+for (i = bpb - (plaintext.length % bpb); i > 0 && i < bpb; i--)
+plaintext[plaintext.length] = 0;
+return plaintext;
+}
+// Returns an array containing "howMany" random bytes. YOU SHOULD CHANGE THIS
+// TO RETURN HIGHER QUALITY RANDOM BYTES IF YOU ARE USING THIS FOR A "REAL"
+// APPLICATION.
+function getRandomBytes(howMany) {
+var i;
+var bytes = new Array();
+for (i=0; i<howMany; i++)
+bytes[i] = Math.round(Math.random()*255);
+return bytes;
+}
+// rijndaelEncrypt(plaintext, key, mode)
+// Encrypts the plaintext using the given key and in the given mode.
+// The parameter "plaintext" can either be a string or an array of bytes.
+// The parameter "key" must be an array of key bytes. If you have a hex
+// string representing the key, invoke hexToByteArray() on it to convert it
+// to an array of bytes. The third parameter "mode" is a string indicating
+// the encryption mode to use, either "ECB" or "CBC". If the parameter is
+// omitted, ECB is assumed.
+//
+// An array of bytes representing the cihpertext is returned. To convert
+// this array to hex, invoke byteArrayToHex() on it. If you are using this
+// "for real" it is a good idea to change the function getRandomBytes() to
+// something that returns truly random bits.
+function rijndaelEncrypt(plaintext, key, mode) {
+var expandedKey, i, aBlock;
+var bpb = blockSizeInBits / 8;          // bytes per block
+var ct;                                 // ciphertext
+if (typeof plaintext != 'object' || typeof key != 'object')
+{
+alert( 'Invalid params\nplaintext: '+typeof(plaintext)+'\nkey: '+typeof(key) );
+return false;
+}
+if (key.length*8 == keySizeInBits+8)
+key.length = keySizeInBits / 8;
+if (key.length*8 != keySizeInBits)
+{
+alert( 'Key length is bad!\nLength: '+key.length+'\nExpected: '+keySizeInBits / 8 );
+return false;
+}
+if (mode == "CBC")
+ct = getRandomBytes(bpb);             // get IV
+else {
+mode = "ECB";
+ct = new Array();
+}
+// convert plaintext to byte array and pad with zeros if necessary.
+plaintext = formatPlaintext(plaintext);
+expandedKey = keyExpansion(key);
+for (var block=0; block<plaintext.length / bpb; block++) {
+aBlock = plaintext.slice(block*bpb, (block+1)*bpb);
+if (mode == "CBC")
+for (var i=0; i<bpb; i++)
+aBlock[i] ^= ct[block*bpb + i];
+ct = ct.concat(encrypt(aBlock, expandedKey));
+}
+return ct;
+}
+// rijndaelDecrypt(ciphertext, key, mode)
+// Decrypts the using the given key and mode. The parameter "ciphertext"
+// must be an array of bytes. The parameter "key" must be an array of key
+// bytes. If you have a hex string representing the ciphertext or key,
+// invoke hexToByteArray() on it to convert it to an array of bytes. The
+// parameter "mode" is a string, either "CBC" or "ECB".
+//
+// An array of bytes representing the plaintext is returned. To convert
+// this array to a hex string, invoke byteArrayToHex() on it. To convert it
+// to a string of characters, you can use byteArrayToString().
+function rijndaelDecrypt(ciphertext, key, mode) {
+var expandedKey;
+var bpb = blockSizeInBits / 8;          // bytes per block
+var pt = new Array();                   // plaintext array
+var aBlock;                             // a decrypted block
+var block;                              // current block number
+if (!ciphertext || !key || typeof ciphertext == "string")
+return;
+if (key.length*8 != keySizeInBits)
+return;
+if (!mode)
+mode = "ECB";                         // assume ECB if mode omitted
+expandedKey = keyExpansion(key);
+// work backwards to accomodate CBC mode
+for (block=(ciphertext.length / bpb)-1; block>0; block--) {
+aBlock =
+decrypt(ciphertext.slice(block*bpb,(block+1)*bpb), expandedKey);
+if (mode == "CBC")
+for (var i=0; i<bpb; i++)
+pt[(block-1)*bpb + i] = aBlock[i] ^ ciphertext[(block-1)*bpb + i];
+else
+pt = aBlock.concat(pt);
+}
+// do last block if ECB (skips the IV in CBC)
+if (mode == "ECB")
+pt = decrypt(ciphertext.slice(0, bpb), expandedKey).concat(pt);
+return pt;
+}
+function stringToByteArray(text)
+{
+result = new Array();
+for ( i=0; i<text.length; i++ )
+{
+result[result.length] = text.charCodeAt(i);
+}
+return result;
+}
+function aes_self_test()
+{
+//
+// Encryption test
+//
+var str = '';
+for(i=0;i<keySizeInBits/4;i++)
+{
+str+='0';
+}
+str = hexToByteArray(str);
+var ct  = rijndaelEncrypt(str, str, 'ECB');
+ct      = byteArrayToHex(ct);
+var v;
+switch(keySizeInBits)
+{
+// These test vectors are for 128-bit block size.
+case 128:
+v = '66e94bd4ef8a2c3b884cfa59ca342b2e';
+break;
+case 192:
+v = 'aae06992acbf52a3e8f4a96ec9300bd7aae06992acbf52a3e8f4a96ec9300bd7';
+break;
+case 256:
+v = 'dc95c078a2408989ad48a21492842087dc95c078a2408989ad48a21492842087';
+break;
+}
+return ( ct == v && md5_vm_test() );
+}
+/*
+* EnanoMath, an abstraction layer for big-integer (arbitrary precision)
+* mathematics.
+*/
+var EnanoMathLayers = {};
+// EnanoMath layer: Leemon (frontend to BigInt library by Leemon Baird)
+EnanoMathLayers.Leemon = {
+Base: 10,
+PowMod: function(a, b, c)
+{
+a = str2bigInt(a, this.Base);
+b = str2bigInt(b, this.Base);
+c = str2bigInt(c, this.Base);
+var result = powMod(a, b, c);
+result = bigInt2str(result, this.Base);
+return result;
+},
+RandomInt: function(bits)
+{
+var result = randBigInt(bits);
+return bigInt2str(result, this.Base);
+}
+}
+var EnanoMath = EnanoMathLayers.Leemon;
+/*
+* The Diffie-Hellman key exchange protocol.
+*/
+// Our prime number as a base for operations.
+var dh_prime = '82818079787776757473727170696867666564636261605958575655545352515049484746454443424140393837363534333231302928272625242322212019181716151413121110987654321';
+// g, a primitive root used as an exponent
+// (2 and 5 are acceptable, but BigInt is faster with odd numbers)
+var dh_g = '5';
+/**
+* Generates a Diffie-Hellman private key
+* @return string(BigInt)
+*/
+function dh_gen_private()
+{
+return EnanoMath.RandomInt(256);
+}
+/**
+* Calculates the public key from the private key
+* @param string(BigInt)
+* @return string(BigInt)
+*/
+function dh_gen_public(b)
+{
+return EnanoMath.PowMod(dh_g, b, dh_prime);
+}
+/**
+* Calculates the shared secret.
+* @param string(BigInt) Our private key
+* @param string(BigInt) Remote party's public key
+* @return string(BigInt)
+*/
+function dh_gen_shared_secret(b, A)
+{
+return EnanoMath.PowMod(A, b, dh_prime);
+}
+/* A JavaScript implementation of the Secure Hash Algorithm, SHA-256
+* Version 0.3 Copyright Angel Marin 2003-2004 - http://anmar.eu.org/
+* Distributed under the BSD License
+* Some bits taken from Paul Johnston's SHA-1 implementation
+*/
+/*
+Copyright (c) 2003-2004, Angel Marin
+All rights reserved.
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+* Redistributions of source code must retain the above copyright notice, this
+list of conditions and the following disclaimer.
+* Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+* Neither the name of the <ORGANIZATION> nor the names of its contributors may
+be used to endorse or promote products derived from this software without
+specific prior written permission.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+var chrsz = 8;  /* bits per input character. 8 - ASCII; 16 - Unicode  */
+function safe_add (x, y) {
+var lsw = (x & 0xFFFF) + (y & 0xFFFF);
+var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
+return (msw << 16) | (lsw & 0xFFFF);
+}
+function S (X, n) {return ( X >>> n ) | (X << (32 - n));}
+function R (X, n) {return ( X >>> n );}
+function Ch(x, y, z) {return ((x & y) ^ ((~x) & z));}
+function Maj(x, y, z) {return ((x & y) ^ (x & z) ^ (y & z));}
+function Sigma0256(x) {return (S(x, 2) ^ S(x, 13) ^ S(x, 22));}
+function Sigma1256(x) {return (S(x, 6) ^ S(x, 11) ^ S(x, 25));}
+function Gamma0256(x) {return (S(x, 7) ^ S(x, 18) ^ R(x, 3));}
+function Gamma1256(x) {return (S(x, 17) ^ S(x, 19) ^ R(x, 10));}
+function core_sha256 (m, l) {
+var K = new Array(0x428A2F98,0x71374491,0xB5C0FBCF,0xE9B5DBA5,0x3956C25B,0x59F111F1,0x923F82A4,0xAB1C5ED5,0xD807AA98,0x12835B01,0x243185BE,0x550C7DC3,0x72BE5D74,0x80DEB1FE,0x9BDC06A7,0xC19BF174,0xE49B69C1,0xEFBE4786,0xFC19DC6,0x240CA1CC,0x2DE92C6F,0x4A7484AA,0x5CB0A9DC,0x76F988DA,0x983E5152,0xA831C66D,0xB00327C8,0xBF597FC7,0xC6E00BF3,0xD5A79147,0x6CA6351,0x14292967,0x27B70A85,0x2E1B2138,0x4D2C6DFC,0x53380D13,0x650A7354,0x766A0ABB,0x81C2C92E,0x92722C85,0xA2BFE8A1,0xA81A664B,0xC24B8B70,0xC76C51A3,0xD192E819,0xD6990624,0xF40E3585,0x106AA070,0x19A4C116,0x1E376C08,0x2748774C,0x34B0BCB5,0x391C0CB3,0x4ED8AA4A,0x5B9CCA4F,0x682E6FF3,0x748F82EE,0x78A5636F,0x84C87814,0x8CC70208,0x90BEFFFA,0xA4506CEB,0xBEF9A3F7,0xC67178F2);
+var HASH = new Array(0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19);
+var W = new Array(64);
+var a, b, c, d, e, f, g, h, i, j;
+var T1, T2;
+/* append padding */
+m[l >> 5] |= 0x80 << (24 - l % 32);
+m[((l + 64 >> 9) << 4) + 15] = l;
+for ( var i = 0; i<m.length; i+=16 ) {
+a = HASH[0]; b = HASH[1]; c = HASH[2]; d = HASH[3]; e = HASH[4]; f = HASH[5]; g = HASH[6]; h = HASH[7];
+for ( var j = 0; j<64; j++) {
+if (j < 16) W[j] = m[j + i];
+else W[j] = safe_add(safe_add(safe_add(Gamma1256(W[j - 2]), W[j - 7]), Gamma0256(W[j - 15])), W[j - 16]);
+T1 = safe_add(safe_add(safe_add(safe_add(h, Sigma1256(e)), Ch(e, f, g)), K[j]), W[j]);
+T2 = safe_add(Sigma0256(a), Maj(a, b, c));
+h = g; g = f; f = e; e = safe_add(d, T1); d = c; c = b; b = a; a = safe_add(T1, T2);
+}
+HASH[0] = safe_add(a, HASH[0]); HASH[1] = safe_add(b, HASH[1]); HASH[2] = safe_add(c, HASH[2]); HASH[3] = safe_add(d, HASH[3]); HASH[4] = safe_add(e, HASH[4]); HASH[5] = safe_add(f, HASH[5]); HASH[6] = safe_add(g, HASH[6]); HASH[7] = safe_add(h, HASH[7]);
+}
+return HASH;
+}
+function str2binb (str) {
+var bin = Array();
+var mask = (1 << chrsz) - 1;
+for(var i = 0; i < str.length * chrsz; i += chrsz)
+bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (24 - i%32);
+return bin;
+}
+function binb2hex (binarray) {
+var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */
+var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
+var str = "";
+for (var i = 0; i < binarray.length * 4; i++) {
+str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8+4)) & 0xF) + hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8  )) & 0xF);
+}
+return str;
+}
+function hex_sha256(s){return binb2hex(core_sha256(str2binb(s),s.length * chrsz));}
+// Javascript implementation of the and SHA1 hash algorithms - both written by Paul Johnston, licensed under the BSD license
+// MD5
+var hexcase = 0; var b64pad  = ""; var chrsz   = 8;
+function hex_md5(s){ return binl2hex(core_md5(str2binl(s), s.length * chrsz));}
+function b64_md5(s){ return binl2b64(core_md5(str2binl(s), s.length * chrsz));}
+function str_md5(s){ return binl2str(core_md5(str2binl(s), s.length * chrsz));}
+function hex_hmac_md5(key, data) { return binl2hex(core_hmac_md5(key, data)); }
+function b64_hmac_md5(key, data) { return binl2b64(core_hmac_md5(key, data)); }
+function str_hmac_md5(key, data) { return binl2str(core_hmac_md5(key, data)); }
+function md5_vm_test() { return hex_md5("abc") == "900150983cd24fb0d6963f7d28e17f72"; }
+function core_md5(x, len) { x[len >> 5] |= 0x80 << ((len) % 32); x[(((len + 64) >>> 9) << 4) + 14] = len; var a =  1732584193; var b = -271733879; var c = -1732584194; var d =  271733878; for(var i = 0; i < x.length; i += 16) { var olda = a; var oldb = b; var oldc = c; var oldd = d; a = md5_ff(a, b, c, d, x[i+ 0], 7 , -680876936);d = md5_ff(d, a, b, c, x[i+ 1], 12, -389564586);c = md5_ff(c, d, a, b, x[i+ 2], 17,  606105819);b = md5_ff(b, c, d, a, x[i+ 3], 22, -1044525330);
+a = md5_ff(a, b, c, d, x[i+ 4], 7 , -176418897);d = md5_ff(d, a, b, c, x[i+ 5], 12,  1200080426);c = md5_ff(c, d, a, b, x[i+ 6], 17, -1473231341);b = md5_ff(b, c, d, a, x[i+ 7], 22, -45705983);a = md5_ff(a, b, c, d, x[i+ 8], 7 ,  1770035416);d = md5_ff(d, a, b, c, x[i+ 9], 12, -1958414417);c = md5_ff(c, d, a, b, x[i+10], 17, -42063);b = md5_ff(b, c, d, a, x[i+11], 22, -1990404162);a = md5_ff(a, b, c, d, x[i+12], 7 ,  1804603682);d = md5_ff(d, a, b, c, x[i+13], 12, -40341101);
+c = md5_ff(c, d, a, b, x[i+14], 17, -1502002290);b = md5_ff(b, c, d, a, x[i+15], 22,  1236535329);a = md5_gg(a, b, c, d, x[i+ 1], 5 , -165796510);d = md5_gg(d, a, b, c, x[i+ 6], 9 , -1069501632);c = md5_gg(c, d, a, b, x[i+11], 14,  643717713);b = md5_gg(b, c, d, a, x[i+ 0], 20, -373897302);a = md5_gg(a, b, c, d, x[i+ 5], 5 , -701558691);d = md5_gg(d, a, b, c, x[i+10], 9 ,  38016083);c = md5_gg(c, d, a, b, x[i+15], 14, -660478335);b = md5_gg(b, c, d, a, x[i+ 4], 20, -405537848);
+a = md5_gg(a, b, c, d, x[i+ 9], 5 ,  568446438);d = md5_gg(d, a, b, c, x[i+14], 9 , -1019803690);c = md5_gg(c, d, a, b, x[i+ 3], 14, -187363961);b = md5_gg(b, c, d, a, x[i+ 8], 20,  1163531501);a = md5_gg(a, b, c, d, x[i+13], 5 , -1444681467);d = md5_gg(d, a, b, c, x[i+ 2], 9 , -51403784);c = md5_gg(c, d, a, b, x[i+ 7], 14,  1735328473);b = md5_gg(b, c, d, a, x[i+12], 20, -1926607734);a = md5_hh(a, b, c, d, x[i+ 5], 4 , -378558);d = md5_hh(d, a, b, c, x[i+ 8], 11, -2022574463);
+c = md5_hh(c, d, a, b, x[i+11], 16,  1839030562);b = md5_hh(b, c, d, a, x[i+14], 23, -35309556);a = md5_hh(a, b, c, d, x[i+ 1], 4 , -1530992060);d = md5_hh(d, a, b, c, x[i+ 4], 11,  1272893353);c = md5_hh(c, d, a, b, x[i+ 7], 16, -155497632);b = md5_hh(b, c, d, a, x[i+10], 23, -1094730640);a = md5_hh(a, b, c, d, x[i+13], 4 ,  681279174);d = md5_hh(d, a, b, c, x[i+ 0], 11, -358537222);c = md5_hh(c, d, a, b, x[i+ 3], 16, -722521979);b = md5_hh(b, c, d, a, x[i+ 6], 23,  76029189);
+a = md5_hh(a, b, c, d, x[i+ 9], 4 , -640364487);d = md5_hh(d, a, b, c, x[i+12], 11, -421815835);c = md5_hh(c, d, a, b, x[i+15], 16,  530742520);b = md5_hh(b, c, d, a, x[i+ 2], 23, -995338651);a = md5_ii(a, b, c, d, x[i+ 0], 6 , -198630844);d = md5_ii(d, a, b, c, x[i+ 7], 10,  1126891415);c = md5_ii(c, d, a, b, x[i+14], 15, -1416354905);b = md5_ii(b, c, d, a, x[i+ 5], 21, -57434055);a = md5_ii(a, b, c, d, x[i+12], 6 ,  1700485571);d = md5_ii(d, a, b, c, x[i+ 3], 10, -1894986606);
+c = md5_ii(c, d, a, b, x[i+10], 15, -1051523);b = md5_ii(b, c, d, a, x[i+ 1], 21, -2054922799);a = md5_ii(a, b, c, d, x[i+ 8], 6 ,  1873313359);d = md5_ii(d, a, b, c, x[i+15], 10, -30611744);c = md5_ii(c, d, a, b, x[i+ 6], 15, -1560198380);b = md5_ii(b, c, d, a, x[i+13], 21,  1309151649);a = md5_ii(a, b, c, d, x[i+ 4], 6 , -145523070);d = md5_ii(d, a, b, c, x[i+11], 10, -1120210379);c = md5_ii(c, d, a, b, x[i+ 2], 15,  718787259);b = md5_ii(b, c, d, a, x[i+ 9], 21, -343485551);
+a = safe_add(a, olda); b = safe_add(b, oldb); c = safe_add(c, oldc); d = safe_add(d, oldd); } return Array(a, b, c, d); }
+function md5_cmn(q, a, b, x, s, t) { return safe_add(bit_rol(safe_add(safe_add(a, q), safe_add(x, t)), s),b); }
+function md5_ff(a, b, c, d, x, s, t) { return md5_cmn((b & c) | ((~b) & d), a, b, x, s, t); }
+function md5_gg(a, b, c, d, x, s, t) { return md5_cmn((b & d) | (c & (~d)), a, b, x, s, t); }
+function md5_hh(a, b, c, d, x, s, t) { return md5_cmn(b ^ c ^ d, a, b, x, s, t); }
+function md5_ii(a, b, c, d, x, s, t) { return md5_cmn(c ^ (b | (~d)), a, b, x, s, t); }
+function core_hmac_md5(key, data) { var bkey = str2binl(key); if(bkey.length > 16) bkey = core_md5(bkey, key.length * chrsz); var ipad = Array(16), opad = Array(16); for(var i = 0; i < 16; i++) { ipad[i] = bkey[i] ^ 0x36363636; opad[i] = bkey[i] ^ 0x5C5C5C5C; } var hash = core_md5(ipad.concat(str2binl(data)), 512 + data.length * chrsz); return core_md5(opad.concat(hash), 512 + 128); }
+function safe_add(x, y) {var lsw = (x & 0xFFFF) + (y & 0xFFFF);var msw = (x >> 16) + (y >> 16) + (lsw >> 16);return (msw << 16) | (lsw & 0xFFFF); }
+function bit_rol(num, cnt) { return (num << cnt) | (num >>> (32 - cnt)); }
+function str2binl(str) { var bin = Array(); var mask = (1 << chrsz) - 1; for(var i = 0; i < str.length * chrsz; i += chrsz)bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (i%32); return bin;}
+function binl2str(bin) { var str = ""; var mask = (1 << chrsz) - 1; for(var i = 0; i < bin.length * 32; i += chrsz) str += String.fromCharCode((bin[i>>5] >>> (i % 32)) & mask); return str; }
+function binl2hex(binarray) { var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef"; var str = ""; for(var i = 0; i < binarray.length * 4; i++) { str += hex_tab.charAt((binarray[i>>2] >> ((i%4)*8+4)) & 0xF) + hex_tab.charAt((binarray[i>>2] >> ((i%4)*8  )) & 0xF); } return str; }
+function binl2b64(binarray) { var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; var str = ""; for(var i = 0; i < binarray.length * 4; i += 3) { var triplet = (((binarray[i >> 2] >> 8 * ( i   %4)) & 0xFF) << 16) | (((binarray[i+1 >> 2] >> 8 * ((i+1)%4)) & 0xFF) << 8 ) |  ((binarray[i+2 >> 2] >> 8 * ((i+2)%4)) & 0xFF); for(var j = 0; j < 4; j++) { if(i * 8 + j * 6 > binarray.length * 32) str += b64pad; else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F); } } return str; }
+// SHA1
+function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}
+function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}
+function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}
+function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}
+function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}
+function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}
+function sha1_vm_test() {   return hex_sha1("abc") == "a9993e364706816aba3e25717850c26c9cd0d89d"; }
+function core_sha1(x, len) { x[len >> 5] |= 0x80 << (24 - len % 32); x[((len + 64 >> 9) << 4) + 15] = len; var w = Array(80); var a =  1732584193; var b = -271733879; var c = -1732584194; var d =  271733878; var e = -1009589776; for(var i = 0; i < x.length; i += 16) { var olda = a; var oldb = b; var oldc = c; var oldd = d; var olde = e; for(var j = 0; j < 80; j++) { if(j < 16) w[j] = x[i + j]; else w[j] = rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1); var t = safe_add(safe_add(rol(a, 5), sha1_ft(j, b, c, d)), safe_add(safe_add(e, w[j]), sha1_kt(j))); e = d; d = c; c = rol(b, 30); b = a; a = t; } a = safe_add(a, olda); b = safe_add(b, oldb); c = safe_add(c, oldc); d = safe_add(d, oldd); e = safe_add(e, olde); } return Array(a, b, c, d, e);}
+function sha1_ft(t, b, c, d){ if(t < 20) return (b & c) | ((~b) & d); if(t < 40) return b ^ c ^ d; if(t < 60) return (b & c) | (b & d) | (c & d); return b ^ c ^ d;}
+function sha1_kt(t){ return (t < 20) ?  1518500249 : (t < 40) ?  1859775393 : (t < 60) ? -1894007588 : -899497514;}
+function core_hmac_sha1(key, data){ var bkey = str2binb(key); if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz); var ipad = Array(16), opad = Array(16); for(var i = 0; i < 16; i++) { ipad[i] = bkey[i] ^ 0x36363636; opad[i] = bkey[i] ^ 0x5C5C5C5C; } var hash = core_sha1(ipad.concat(str2binb(data)), 512 + data.length * chrsz); return core_sha1(opad.concat(hash), 512 + 160);}
+function safe_add(x, y){ var lsw = (x & 0xFFFF) + (y & 0xFFFF); var msw = (x >> 16) + (y >> 16) + (lsw >> 16); return (msw << 16) | (lsw & 0xFFFF);}
+function rol(num, cnt){ return (num << cnt) | (num >>> (32 - cnt));}
+function str2binb(str){ var bin = Array(); var mask = (1 << chrsz) - 1; for(var i = 0; i < str.length * chrsz; i += chrsz) bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (32 - chrsz - i%32); return bin;}
+function binb2str(bin){ var str = ""; var mask = (1 << chrsz) - 1; for(var i = 0; i < bin.length * 32; i += chrsz) str += String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i%32)) & mask); return str;}
+function binb2hex(binarray){ var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef"; var str = ""; for(var i = 0; i < binarray.length * 4; i++) { str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8+4)) & 0xF) + hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8  )) & 0xF); } return str;}
+function binb2b64(binarray){ var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; var str = ""; for(var i = 0; i < binarray.length * 4; i += 3) { var triplet = (((binarray[i   >> 2] >> 8 * (3 -  i   %4)) & 0xFF) << 16) | (((binarray[i+1 >> 2] >> 8 * (3 - (i+1)%4)) & 0xFF) << 8 ) |  ((binarray[i+2 >> 2] >> 8 * (3 - (i+2)%4)) & 0xFF); for(var j = 0; j < 4; j++) { if(i * 8 + j * 6 > binarray.length * 32) str += b64pad; else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F); } } return str;}

Enano CMS (1.1.x)