SECURITY: CSRF protection in Private Messaging, which is a really broken feature and should get the TinyMCE treatment. *sigh* Reported by Secunia.
////////////////////////////////////////////////////////////////////////////////////////
// Big Integer Library v. 5.1
// Created 2000, last modified 2007
// Leemon Baird
// www.leemon.com
//
// Version history:
//
// v 5.1 8 Oct 2007
// - renamed inverseModInt_ to inverseModInt since it doesn't change its parameters
// - added functions GCD and randBigInt, which call GCD_ and randBigInt_
// - fixed a bug found by Rob Visser (see comment with his name below)
// - improved comments
//
// This file is public domain. You can use it for any purpose without restriction.
// I do not guarantee that it is correct, so use it at your own risk. If you use
// it for something interesting, I'd appreciate hearing about it. If you find
// any bugs or make any improvements, I'd appreciate hearing about those too.
// It would also be nice if my name and address were left in the comments.
// But none of that is required.
//
// This code defines a bigInt library for arbitrary-precision integers.
// A bigInt is an array of integers storing the value in chunks of bpe bits,
// little endian (buff[0] is the least significant word).
// Negative bigInts are stored two's complement.
// Some functions assume their parameters have at least one leading zero element.
// Functions with an underscore at the end of the name have unpredictable behavior in case of overflow,
// so the caller must make sure the arrays must be big enough to hold the answer.
// For each function where a parameter is modified, that same
// variable must not be used as another argument too.
// So, you cannot square x by doing multMod_(x,x,n).
// You must use squareMod_(x,n) instead, or do y=dup(x); multMod_(x,y,n).
//
// These functions are designed to avoid frequent dynamic memory allocation in the inner loop.
// For most functions, if it needs a BigInt as a local variable it will actually use
// a global, and will only allocate to it only when it's not the right size. This ensures
// that when a function is called repeatedly with same-sized parameters, it only allocates
// memory on the first call.
//
// Note that for cryptographic purposes, the calls to Math.random() must
// be replaced with calls to a better pseudorandom number generator.
//
// In the following, "bigInt" means a bigInt with at least one leading zero element,
// and "integer" means a nonnegative integer less than radix. In some cases, integer
// can be negative. Negative bigInts are 2s complement.
//
// The following functions do not modify their inputs.
// Those returning a bigInt, string, or Array will dynamically allocate memory for that value.
// Those returning a boolean will return the integer 0 (false) or 1 (true).
// Those returning boolean or int will not allocate memory except possibly on the first time they're called with a given parameter size.
//
// bigInt add(x,y) //return (x+y) for bigInts x and y.
// bigInt addInt(x,n) //return (x+n) where x is a bigInt and n is an integer.
// string bigInt2str(x,base) //return a string form of bigInt x in a given base, with 2 <= base <= 95
// int bitSize(x) //return how many bits long the bigInt x is, not counting leading zeros
// bigInt dup(x) //return a copy of bigInt x
// boolean equals(x,y) //is the bigInt x equal to the bigint y?
// boolean equalsInt(x,y) //is bigint x equal to integer y?
// bigInt expand(x,n) //return a copy of x with at least n elements, adding leading zeros if needed
// Array findPrimes(n) //return array of all primes less than integer n
// bigInt GCD(x,y) //return greatest common divisor of bigInts x and y (each with same number of elements).
// boolean greater(x,y) //is x>y? (x and y are nonnegative bigInts)
// boolean greaterShift(x,y,shift)//is (x <<(shift*bpe)) > y?
// bigInt int2bigInt(t,n,m) //return a bigInt equal to integer t, with at least n bits and m array elements
// bigInt inverseMod(x,n) //return (x**(-1) mod n) for bigInts x and n. If no inverse exists, it returns null
// int inverseModInt(x,n) //return x**(-1) mod n, for integers x and n. Return 0 if there is no inverse
// boolean isZero(x) //is the bigInt x equal to zero?
// boolean millerRabin(x,b) //does one round of Miller-Rabin base integer b say that bigInt x is possibly prime (as opposed to definitely composite)?
// bigInt mod(x,n) //return a new bigInt equal to (x mod n) for bigInts x and n.
// int modInt(x,n) //return x mod n for bigInt x and integer n.
// bigInt mult(x,y) //return x*y for bigInts x and y. This is faster when y<x.
// bigInt multMod(x,y,n) //return (x*y mod n) for bigInts x,y,n. For greater speed, let y<x.
// boolean negative(x) //is bigInt x negative?
// bigInt powMod(x,y,n) //return (x**y mod n) where x,y,n are bigInts and ** is exponentiation. 0**0=1. Faster for odd n.
// bigInt randBigInt(n,s) //return an n-bit random BigInt (n>=1). If s=1, then the most significant of those n bits is set to 1.
// bigInt randTruePrime(k) //return a new, random, k-bit, true prime bigInt using Maurer's algorithm.
// bigInt str2bigInt(s,b,n,m) //return a bigInt for number represented in string s in base b with at least n bits and m array elements
// bigInt sub(x,y) //return (x-y) for bigInts x and y. Negative answers will be 2s complement
// bigInt bigint_trim(x,k) //return a copy of x with exactly k leading zero elements
//
//
// The following functions each have a non-underscored version, which most users should call instead.
// These functions each write to a single parameter, and the caller is responsible for ensuring the array
// passed in is large enough to hold the result.
//
// void addInt_(x,n) //do x=x+n where x is a bigInt and n is an integer
// void add_(x,y) //do x=x+y for bigInts x and y
// void copy_(x,y) //do x=y on bigInts x and y
// void copyInt_(x,n) //do x=n on bigInt x and integer n
// void GCD_(x,y) //set x to the greatest common divisor of bigInts x and y, (y is destroyed). (This never overflows its array).
// boolean inverseMod_(x,n) //do x=x**(-1) mod n, for bigInts x and n. Returns 1 (0) if inverse does (doesn't) exist
// void mod_(x,n) //do x=x mod n for bigInts x and n. (This never overflows its array).
// void mult_(x,y) //do x=x*y for bigInts x and y.
// void multMod_(x,y,n) //do x=x*y mod n for bigInts x,y,n.
// void powMod_(x,y,n) //do x=x**y mod n, where x,y,n are bigInts (n is odd) and ** is exponentiation. 0**0=1.
// void randBigInt_(b,n,s) //do b = an n-bit random BigInt. if s=1, then nth bit (most significant bit) is set to 1. n>=1.
// void randTruePrime_(ans,k) //do ans = a random k-bit true random prime (not just probable prime) with 1 in the msb.
// void sub_(x,y) //do x=x-y for bigInts x and y. Negative answers will be 2s complement.
//
// The following functions do NOT have a non-underscored version.
// They each write a bigInt result to one or more parameters. The caller is responsible for
// ensuring the arrays passed in are large enough to hold the results.
//
// void addShift_(x,y,ys) //do x=x+(y<<(ys*bpe))
// void carry_(x) //do carries and borrows so each element of the bigInt x fits in bpe bits.
// void divide_(x,y,q,r) //divide x by y giving quotient q and remainder r
// int divInt_(x,n) //do x=floor(x/n) for bigInt x and integer n, and return the remainder. (This never overflows its array).
// int eGCD_(x,y,d,a,b) //sets a,b,d to positive bigInts such that d = GCD_(x,y) = a*x-b*y
// void halve_(x) //do x=floor(|x|/2)*sgn(x) for bigInt x in 2's complement. (This never overflows its array).
// void leftShift_(x,n) //left shift bigInt x by n bits. n<bpe.
// void linComb_(x,y,a,b) //do x=a*x+b*y for bigInts x and y and integers a and b
// void linCombShift_(x,y,b,ys) //do x=x+b*(y<<(ys*bpe)) for bigInts x and y, and integers b and ys
// void mont_(x,y,n,np) //Montgomery multiplication (see comments where the function is defined)
// void multInt_(x,n) //do x=x*n where x is a bigInt and n is an integer.
// void rightShift_(x,n) //right shift bigInt x by n bits. 0 <= n < bpe. (This never overflows its array).
// void squareMod_(x,n) //do x=x*x mod n for bigInts x,n
// void subShift_(x,y,ys) //do x=x-(y<<(ys*bpe)). Negative answers will be 2s complement.
//
// The following functions are based on algorithms from the _Handbook of Applied Cryptography_
// powMod_() = algorithm 14.94, Montgomery exponentiation
// eGCD_,inverseMod_() = algorithm 14.61, Binary extended GCD_
// GCD_() = algorothm 14.57, Lehmer's algorithm
// mont_() = algorithm 14.36, Montgomery multiplication
// divide_() = algorithm 14.20 Multiple-precision division
// squareMod_() = algorithm 14.16 Multiple-precision squaring
// randTruePrime_() = algorithm 4.62, Maurer's algorithm
// millerRabin() = algorithm 4.24, Miller-Rabin algorithm
//
// Profiling shows:
// randTruePrime_() spends:
// 10% of its time in calls to powMod_()
// 85% of its time in calls to millerRabin()
// millerRabin() spends:
// 99% of its time in calls to powMod_() (always with a base of 2)
// powMod_() spends:
// 94% of its time in calls to mont_() (almost always with x==y)
//
// This suggests there are several ways to speed up this library slightly:
// - convert powMod_ to use a Montgomery form of k-ary window (or maybe a Montgomery form of sliding window)
// -- this should especially focus on being fast when raising 2 to a power mod n
// - convert randTruePrime_() to use a minimum r of 1/3 instead of 1/2 with the appropriate change to the test
// - tune the parameters in randTruePrime_(), including c, m, and recLimit
// - speed up the single loop in mont_() that takes 95% of the runtime, perhaps by reducing checking
// within the loop when all the parameters are the same length.
//
// There are several ideas that look like they wouldn't help much at all:
// - replacing trial division in randTruePrime_() with a sieve (that speeds up something taking almost no time anyway)
// - increase bpe from 15 to 30 (that would help if we had a 32*32->64 multiplier, but not with JavaScript's 32*32->32)
// - speeding up mont_(x,y,n,np) when x==y by doing a non-modular, non-Montgomery square
// followed by a Montgomery reduction. The intermediate answer will be twice as long as x, so that
// method would be slower. This is unfortunate because the code currently spends almost all of its time
// doing mont_(x,x,...), both for randTruePrime_() and powMod_(). A faster method for Montgomery squaring
// would have a large impact on the speed of randTruePrime_() and powMod_(). HAC has a couple of poorly-worded
// sentences that seem to imply it's faster to do a non-modular square followed by a single
// Montgomery reduction, but that's obviously wrong.
////////////////////////////////////////////////////////////////////////////////////////
//globals
bpe=0; //bits stored per array element
mask=0; //AND this with an array element to chop it down to bpe bits
radix=mask+1; //equals 2^bpe. A single 1 bit to the left of the last bit of mask.
//the digits for converting to different bases
digitsStr='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_=!@#$%^&*()[]{}|;:,.<>/?`~ \\\'\"+-';
//initialize the global variables
for (bpe=0; (1<<(bpe+1)) > (1<<bpe); bpe++); //bpe=number of bits in the mantissa on this platform
bpe>>=1; //bpe=number of bits in one element of the array representing the bigInt
mask=(1<<bpe)-1; //AND the mask with an integer to get its bpe least significant bits
radix=mask+1; //2^bpe. a single 1 bit to the left of the first bit of mask
one=int2bigInt(1,1,1); //constant used in powMod_()
//the following global variables are scratchpad memory to
//reduce dynamic memory allocation in the inner loop
t=new Array(0);
ss=t; //used in mult_()
s0=t; //used in multMod_(), squareMod_()
s1=t; //used in powMod_(), multMod_(), squareMod_()
s2=t; //used in powMod_(), multMod_()
s3=t; //used in powMod_()
s4=t; s5=t; //used in mod_()
s6=t; //used in bigInt2str()
s7=t; //used in powMod_()
T=t; //used in GCD_()
sa=t; //used in mont_()
mr_x1=t; mr_r=t; mr_a=t; //used in millerRabin()
eg_v=t; eg_u=t; eg_A=t; eg_B=t; eg_C=t; eg_D=t; //used in eGCD_(), inverseMod_()
md_q1=t; md_q2=t; md_q3=t; md_r=t; md_r1=t; md_r2=t; md_tt=t; //used in mod_()
primes=t; pows=t; s_i=t; s_i2=t; s_R=t; s_rm=t; s_q=t; s_n1=t;
s_a=t; s_r2=t; s_n=t; s_b=t; s_d=t; s_x1=t; s_x2=t, s_aa=t; //used in randTruePrime_()
////////////////////////////////////////////////////////////////////////////////////////
//return array of all primes less than integer n
function findPrimes(n) {
var i,s,p,ans;
s=new Array(n);
for (i=0;i<n;i++)
s[i]=0;
s[0]=2;
p=0; //first p elements of s are primes, the rest are a sieve
for(;s[p]<n;) { //s[p] is the pth prime
for(i=s[p]*s[p]; i<n; i+=s[p]) //mark multiples of s[p]
s[i]=1;
p++;
s[p]=s[p-1]+1;
for(; s[p]<n && s[s[p]]; s[p]++); //find next prime (where s[p]==0)
}
ans=new Array(p);
for(i=0;i<p;i++)
ans[i]=s[i];
return ans;
}
//does a single round of Miller-Rabin base b consider x to be a possible prime?
//x is a bigInt, and b is an integer
function millerRabin(x,b) {
var i,j,k,s;
if (mr_x1.length!=x.length) {
mr_x1=dup(x);
mr_r=dup(x);
mr_a=dup(x);
}
copyInt_(mr_a,b);
copy_(mr_r,x);
copy_(mr_x1,x);
addInt_(mr_r,-1);
addInt_(mr_x1,-1);
//s=the highest power of two that divides mr_r
k=0;
for (i=0;i<mr_r.length;i++)
for (j=1;j<mask;j<<=1)
if (x[i] & j) {
s=(k<mr_r.length+bpe ? k : 0);
i=mr_r.length;
j=mask;
} else
k++;
if (s)
rightShift_(mr_r,s);
powMod_(mr_a,mr_r,x);
if (!equalsInt(mr_a,1) && !equals(mr_a,mr_x1)) {
j=1;
while (j<=s-1 && !equals(mr_a,mr_x1)) {
squareMod_(mr_a,x);
if (equalsInt(mr_a,1)) {
return 0;
}
j++;
}
if (!equals(mr_a,mr_x1)) {
return 0;
}
}
return 1;
}
//returns how many bits long the bigInt is, not counting leading zeros.
function bitSize(x) {
var j,z,w;
for (j=x.length-1; (x[j]==0) && (j>0); j--);
for (z=0,w=x[j]; w; (w>>=1),z++);
z+=bpe*j;
return z;
}
//return a copy of x with at least n elements, adding leading zeros if needed
function expand(x,n) {
var ans=int2bigInt(0,(x.length>n ? x.length : n)*bpe,0);
copy_(ans,x);
return ans;
}
//return a k-bit true random prime using Maurer's algorithm.
function randTruePrime(k) {
var ans=int2bigInt(0,k,0);
randTruePrime_(ans,k);
return bigint_trim(ans,1);
}
//return a new bigInt equal to (x mod n) for bigInts x and n.
function mod(x,n) {
var ans=dup(x);
mod_(ans,n);
return bigint_trim(ans,1);
}
//return (x+n) where x is a bigInt and n is an integer.
function addInt(x,n) {
var ans=expand(x,x.length+1);
addInt_(ans,n);
return bigint_trim(ans,1);
}
//return x*y for bigInts x and y. This is faster when y<x.
function mult(x,y) {
var ans=expand(x,x.length+y.length);
mult_(ans,y);
return bigint_trim(ans,1);
}
//return (x**y mod n) where x,y,n are bigInts and ** is exponentiation. 0**0=1. Faster for odd n.
function powMod(x,y,n) {
var ans=expand(x,n.length);
powMod_(ans,bigint_trim(y,2),bigint_trim(n,2),0); //this should work without the trim, but doesn't
return bigint_trim(ans,1);
}
//return (x-y) for bigInts x and y. Negative answers will be 2s complement
function sub(x,y) {
var ans=expand(x,(x.length>y.length ? x.length+1 : y.length+1));
sub_(ans,y);
return bigint_trim(ans,1);
}
//return (x+y) for bigInts x and y.
function add(x,y) {
var ans=expand(x,(x.length>y.length ? x.length+1 : y.length+1));
add_(ans,y);
return bigint_trim(ans,1);
}
//return (x**(-1) mod n) for bigInts x and n. If no inverse exists, it returns null
function inverseMod(x,n) {
var ans=expand(x,n.length);
var s;
s=inverseMod_(ans,n);
return s ? bigint_trim(ans,1) : null;
}
//return (x*y mod n) for bigInts x,y,n. For greater speed, let y<x.
function multMod(x,y,n) {
var ans=expand(x,n.length);
multMod_(ans,y,n);
return bigint_trim(ans,1);
}
//generate a k-bit true random prime using Maurer's algorithm,
//and put it into ans. The bigInt ans must be large enough to hold it.
function randTruePrime_(ans,k) {
var c,m,pm,dd,j,r,B,divisible,z,zz,recSize;
if (primes.length==0)
primes=findPrimes(30000); //check for divisibility by primes <=30000
if (pows.length==0) {
pows=new Array(512);
for (j=0;j<512;j++) {
pows[j]=Math.pow(2,j/511.-1.);
}
}
//c and m should be tuned for a particular machine and value of k, to maximize speed
c=0.1; //c=0.1 in HAC
m=20; //generate this k-bit number by first recursively generating a number that has between k/2 and k-m bits
recLimit=20; //stop recursion when k <=recLimit. Must have recLimit >= 2
if (s_i2.length!=ans.length) {
s_i2=dup(ans);
s_R =dup(ans);
s_n1=dup(ans);
s_r2=dup(ans);
s_d =dup(ans);
s_x1=dup(ans);
s_x2=dup(ans);
s_b =dup(ans);
s_n =dup(ans);
s_i =dup(ans);
s_rm=dup(ans);
s_q =dup(ans);
s_a =dup(ans);
s_aa=dup(ans);
}
if (k <= recLimit) { //generate small random primes by trial division up to its square root
pm=(1<<((k+2)>>1))-1; //pm is binary number with all ones, just over sqrt(2^k)
copyInt_(ans,0);
for (dd=1;dd;) {
dd=0;
ans[0]= 1 | (1<<(k-1)) | Math.floor(Math.random()*(1<<k)); //random, k-bit, odd integer, with msb 1
for (j=1;(j<primes.length) && ((primes[j]&pm)==primes[j]);j++) { //trial division by all primes 3...sqrt(2^k)
if (0==(ans[0]%primes[j])) {
dd=1;
break;
}
}
}
carry_(ans);
return;
}
B=c*k*k; //try small primes up to B (or all the primes[] array if the largest is less than B).
if (k>2*m) //generate this k-bit number by first recursively generating a number that has between k/2 and k-m bits
for (r=1; k-k*r<=m; )
r=pows[Math.floor(Math.random()*512)]; //r=Math.pow(2,Math.random()-1);
else
r=.5;
//simulation suggests the more complex algorithm using r=.333 is only slightly faster.
recSize=Math.floor(r*k)+1;
randTruePrime_(s_q,recSize);
copyInt_(s_i2,0);
s_i2[Math.floor((k-2)/bpe)] |= (1<<((k-2)%bpe)); //s_i2=2^(k-2)
divide_(s_i2,s_q,s_i,s_rm); //s_i=floor((2^(k-1))/(2q))
z=bitSize(s_i);
for (;;) {
for (;;) { //generate z-bit numbers until one falls in the range [0,s_i-1]
randBigInt_(s_R,z,0);
if (greater(s_i,s_R))
break;
} //now s_R is in the range [0,s_i-1]
addInt_(s_R,1); //now s_R is in the range [1,s_i]
add_(s_R,s_i); //now s_R is in the range [s_i+1,2*s_i]
copy_(s_n,s_q);
mult_(s_n,s_R);
multInt_(s_n,2);
addInt_(s_n,1); //s_n=2*s_R*s_q+1
copy_(s_r2,s_R);
multInt_(s_r2,2); //s_r2=2*s_R
//check s_n for divisibility by small primes up to B
for (divisible=0,j=0; (j<primes.length) && (primes[j]<B); j++)
if (modInt(s_n,primes[j])==0) {
divisible=1;
break;
}
if (!divisible) //if it passes small primes check, then try a single Miller-Rabin base 2
if (!millerRabin(s_n,2)) //this line represents 75% of the total runtime for randTruePrime_
divisible=1;
if (!divisible) { //if it passes that test, continue checking s_n
addInt_(s_n,-3);
for (j=s_n.length-1;(s_n[j]==0) && (j>0); j--); //strip leading zeros
for (zz=0,w=s_n[j]; w; (w>>=1),zz++);
zz+=bpe*j; //zz=number of bits in s_n, ignoring leading zeros
for (;;) { //generate z-bit numbers until one falls in the range [0,s_n-1]
randBigInt_(s_a,zz,0);
if (greater(s_n,s_a))
break;
} //now s_a is in the range [0,s_n-1]
addInt_(s_n,3); //now s_a is in the range [0,s_n-4]
addInt_(s_a,2); //now s_a is in the range [2,s_n-2]
copy_(s_b,s_a);
copy_(s_n1,s_n);
addInt_(s_n1,-1);
powMod_(s_b,s_n1,s_n); //s_b=s_a^(s_n-1) modulo s_n
addInt_(s_b,-1);
if (isZero(s_b)) {
copy_(s_b,s_a);
powMod_(s_b,s_r2,s_n);
addInt_(s_b,-1);
copy_(s_aa,s_n);
copy_(s_d,s_b);
GCD_(s_d,s_n); //if s_b and s_n are relatively prime, then s_n is a prime
if (equalsInt(s_d,1)) {
copy_(ans,s_aa);
return; //if we've made it this far, then s_n is absolutely guaranteed to be prime
}
}
}
}
}
//Return an n-bit random BigInt (n>=1). If s=1, then the most significant of those n bits is set to 1.
function randBigInt(n,s) {
var a,b;
a=Math.floor((n-1)/bpe)+2; //# array elements to hold the BigInt with a leading 0 element
b=int2bigInt(0,0,a);
randBigInt_(b,n,s);
return b;
}
//Set b to an n-bit random BigInt. If s=1, then the most significant of those n bits is set to 1.
//Array b must be big enough to hold the result. Must have n>=1
function randBigInt_(b,n,s) {
var i,a;
for (i=0;i<b.length;i++)
b[i]=0;
a=Math.floor((n-1)/bpe)+1; //# array elements to hold the BigInt
for (i=0;i<a;i++) {
b[i]=Math.floor(Math.random()*(1<<(bpe-1)));
}
b[a-1] &= (2<<((n-1)%bpe))-1;
if (s==1)
b[a-1] |= (1<<((n-1)%bpe));
}
//Return the greatest common divisor of bigInts x and y (each with same number of elements).
function GCD(x,y) {
var xc,yc;
xc=dup(x);
yc=dup(y);
GCD_(xc,yc);
return xc;
}
//set x to the greatest common divisor of bigInts x and y (each with same number of elements).
//y is destroyed.
function GCD_(x,y) {
var i,xp,yp,A,B,C,D,q,sing;
if (T.length!=x.length)
T=dup(x);
sing=1;
while (sing) { //while y has nonzero elements other than y[0]
sing=0;
for (i=1;i<y.length;i++) //check if y has nonzero elements other than 0
if (y[i]) {
sing=1;
break;
}
if (!sing) break; //quit when y all zero elements except possibly y[0]
for (i=x.length;!x[i] && i>=0;i--); //find most significant element of x
xp=x[i];
yp=y[i];
A=1; B=0; C=0; D=1;
while ((yp+C) && (yp+D)) {
q =Math.floor((xp+A)/(yp+C));
qp=Math.floor((xp+B)/(yp+D));
if (q!=qp)
break;
t= A-q*C; A=C; C=t; // do (A,B,xp, C,D,yp) = (C,D,yp, A,B,xp) - q*(0,0,0, C,D,yp)
t= B-q*D; B=D; D=t;
t=xp-q*yp; xp=yp; yp=t;
}
if (B) {
copy_(T,x);
linComb_(x,y,A,B); //x=A*x+B*y
linComb_(y,T,D,C); //y=D*y+C*T
} else {
mod_(x,y);
copy_(T,x);
copy_(x,y);
copy_(y,T);
}
}
if (y[0]==0)
return;
t=modInt(x,y[0]);
copyInt_(x,y[0]);
y[0]=t;
while (y[0]) {
x[0]%=y[0];
t=x[0]; x[0]=y[0]; y[0]=t;
}
}
//do x=x**(-1) mod n, for bigInts x and n.
//If no inverse exists, it sets x to zero and returns 0, else it returns 1.
//The x array must be at least as large as the n array.
function inverseMod_(x,n) {
var k=1+2*Math.max(x.length,n.length);
if(!(x[0]&1) && !(n[0]&1)) { //if both inputs are even, then inverse doesn't exist
copyInt_(x,0);
return 0;
}
if (eg_u.length!=k) {
eg_u=new Array(k);
eg_v=new Array(k);
eg_A=new Array(k);
eg_B=new Array(k);
eg_C=new Array(k);
eg_D=new Array(k);
}
copy_(eg_u,x);
copy_(eg_v,n);
copyInt_(eg_A,1);
copyInt_(eg_B,0);
copyInt_(eg_C,0);
copyInt_(eg_D,1);
for (;;) {
while(!(eg_u[0]&1)) { //while eg_u is even
halve_(eg_u);
if (!(eg_A[0]&1) && !(eg_B[0]&1)) { //if eg_A==eg_B==0 mod 2
halve_(eg_A);
halve_(eg_B);
} else {
add_(eg_A,n); halve_(eg_A);
sub_(eg_B,x); halve_(eg_B);
}
}
while (!(eg_v[0]&1)) { //while eg_v is even
halve_(eg_v);
if (!(eg_C[0]&1) && !(eg_D[0]&1)) { //if eg_C==eg_D==0 mod 2
halve_(eg_C);
halve_(eg_D);
} else {
add_(eg_C,n); halve_(eg_C);
sub_(eg_D,x); halve_(eg_D);
}
}
if (!greater(eg_v,eg_u)) { //eg_v <= eg_u
sub_(eg_u,eg_v);
sub_(eg_A,eg_C);
sub_(eg_B,eg_D);
} else { //eg_v > eg_u
sub_(eg_v,eg_u);
sub_(eg_C,eg_A);
sub_(eg_D,eg_B);
}
if (equalsInt(eg_u,0)) {
if (negative(eg_C)) //make sure answer is nonnegative
add_(eg_C,n);
copy_(x,eg_C);
if (!equalsInt(eg_v,1)) { //if GCD_(x,n)!=1, then there is no inverse
copyInt_(x,0);
return 0;
}
return 1;
}
}
}
//return x**(-1) mod n, for integers x and n. Return 0 if there is no inverse
function inverseModInt(x,n) {
var a=1,b=0,t;
for (;;) {
if (x==1) return a;
if (x==0) return 0;
b-=a*Math.floor(n/x);
n%=x;
if (n==1) return b; //to avoid negatives, change this b to n-b, and each -= to +=
if (n==0) return 0;
a-=b*Math.floor(x/n);
x%=n;
}
}
//this deprecated function is for backward compatibility only.
function inverseModInt_(x,n) {
return inverseModInt(x,n);
}
//Given positive bigInts x and y, change the bigints v, a, and b to positive bigInts such that:
// v = GCD_(x,y) = a*x-b*y
//The bigInts v, a, b, must have exactly as many elements as the larger of x and y.
function eGCD_(x,y,v,a,b) {
var g=0;
var k=Math.max(x.length,y.length);
if (eg_u.length!=k) {
eg_u=new Array(k);
eg_A=new Array(k);
eg_B=new Array(k);
eg_C=new Array(k);
eg_D=new Array(k);
}
while(!(x[0]&1) && !(y[0]&1)) { //while x and y both even
halve_(x);
halve_(y);
g++;
}
copy_(eg_u,x);
copy_(v,y);
copyInt_(eg_A,1);
copyInt_(eg_B,0);
copyInt_(eg_C,0);
copyInt_(eg_D,1);
for (;;) {
while(!(eg_u[0]&1)) { //while u is even
halve_(eg_u);
if (!(eg_A[0]&1) && !(eg_B[0]&1)) { //if A==B==0 mod 2
halve_(eg_A);
halve_(eg_B);
} else {
add_(eg_A,y); halve_(eg_A);
sub_(eg_B,x); halve_(eg_B);
}
}
while (!(v[0]&1)) { //while v is even
halve_(v);
if (!(eg_C[0]&1) && !(eg_D[0]&1)) { //if C==D==0 mod 2
halve_(eg_C);
halve_(eg_D);
} else {
add_(eg_C,y); halve_(eg_C);
sub_(eg_D,x); halve_(eg_D);
}
}
if (!greater(v,eg_u)) { //v<=u
sub_(eg_u,v);
sub_(eg_A,eg_C);
sub_(eg_B,eg_D);
} else { //v>u
sub_(v,eg_u);
sub_(eg_C,eg_A);
sub_(eg_D,eg_B);
}
if (equalsInt(eg_u,0)) {
if (negative(eg_C)) { //make sure a (C)is nonnegative
add_(eg_C,y);
sub_(eg_D,x);
}
multInt_(eg_D,-1); ///make sure b (D) is nonnegative
copy_(a,eg_C);
copy_(b,eg_D);
leftShift_(v,g);
return;
}
}
}
//is bigInt x negative?
function negative(x) {
return ((x[x.length-1]>>(bpe-1))&1);
}
//is (x << (shift*bpe)) > y?
//x and y are nonnegative bigInts
//shift is a nonnegative integer
function greaterShift(x,y,shift) {
var kx=x.length, ky=y.length;
k=((kx+shift)<ky) ? (kx+shift) : ky;
for (i=ky-1-shift; i<kx && i>=0; i++)
if (x[i]>0)
return 1; //if there are nonzeros in x to the left of the first column of y, then x is bigger
for (i=kx-1+shift; i<ky; i++)
if (y[i]>0)
return 0; //if there are nonzeros in y to the left of the first column of x, then x is not bigger
for (i=k-1; i>=shift; i--)
if (x[i-shift]>y[i]) return 1;
else if (x[i-shift]<y[i]) return 0;
return 0;
}
//is x > y? (x and y both nonnegative)
function greater(x,y) {
var i;
var k=(x.length<y.length) ? x.length : y.length;
for (i=x.length;i<y.length;i++)
if (y[i])
return 0; //y has more digits
for (i=y.length;i<x.length;i++)
if (x[i])
return 1; //x has more digits
for (i=k-1;i>=0;i--)
if (x[i]>y[i])
return 1;
else if (x[i]<y[i])
return 0;
return 0;
}
//divide x by y giving quotient q and remainder r. (q=floor(x/y), r=x mod y). All 4 are bigints.
//x must have at least one leading zero element.
//y must be nonzero.
//q and r must be arrays that are exactly the same length as x. (Or q can have more).
//Must have x.length >= y.length >= 2.
function divide_(x,y,q,r) {
var kx, ky;
var i,j,y1,y2,c,a,b;
copy_(r,x);
for (ky=y.length;y[ky-1]==0;ky--); //ky is number of elements in y, not including leading zeros
//normalize: ensure the most significant element of y has its highest bit set
b=y[ky-1];
for (a=0; b; a++)
b>>=1;
a=bpe-a; //a is how many bits to shift so that the high order bit of y is leftmost in its array element
leftShift_(y,a); //multiply both by 1<<a now, then divide both by that at the end
leftShift_(r,a);
//Rob Visser discovered a bug: the following line was originally just before the normalization.
for (kx=r.length;r[kx-1]==0 && kx>ky;kx--); //kx is number of elements in normalized x, not including leading zeros
copyInt_(q,0); // q=0
while (!greaterShift(y,r,kx-ky)) { // while (leftShift_(y,kx-ky) <= r) {
subShift_(r,y,kx-ky); // r=r-leftShift_(y,kx-ky)
q[kx-ky]++; // q[kx-ky]++;
} // }
for (i=kx-1; i>=ky; i--) {
if (r[i]==y[ky-1])
q[i-ky]=mask;
else
q[i-ky]=Math.floor((r[i]*radix+r[i-1])/y[ky-1]);
//The following for(;;) loop is equivalent to the commented while loop,
//except that the uncommented version avoids overflow.
//The commented loop comes from HAC, which assumes r[-1]==y[-1]==0
// while (q[i-ky]*(y[ky-1]*radix+y[ky-2]) > r[i]*radix*radix+r[i-1]*radix+r[i-2])
// q[i-ky]--;
for (;;) {
y2=(ky>1 ? y[ky-2] : 0)*q[i-ky];
c=y2>>bpe;
y2=y2 & mask;
y1=c+q[i-ky]*y[ky-1];
c=y1>>bpe;
y1=y1 & mask;
if (c==r[i] ? y1==r[i-1] ? y2>(i>1 ? r[i-2] : 0) : y1>r[i-1] : c>r[i])
q[i-ky]--;
else
break;
}
linCombShift_(r,y,-q[i-ky],i-ky); //r=r-q[i-ky]*leftShift_(y,i-ky)
if (negative(r)) {
addShift_(r,y,i-ky); //r=r+leftShift_(y,i-ky)
q[i-ky]--;
}
}
rightShift_(y,a); //undo the normalization step
rightShift_(r,a); //undo the normalization step
}
//do carries and borrows so each element of the bigInt x fits in bpe bits.
function carry_(x) {
var i,k,c,b;
k=x.length;
c=0;
for (i=0;i<k;i++) {
c+=x[i];
b=0;
if (c<0) {
b=-(c>>bpe);
c+=b*radix;
}
x[i]=c & mask;
c=(c>>bpe)-b;
}
}
//return x mod n for bigInt x and integer n.
function modInt(x,n) {
var i,c=0;
for (i=x.length-1; i>=0; i--)
c=(c*radix+x[i])%n;
return c;
}
//convert the integer t into a bigInt with at least the given number of bits.
//the returned array stores the bigInt in bpe-bit chunks, little endian (buff[0] is least significant word)
//Pad the array with leading zeros so that it has at least minSize elements.
//There will always be at least one leading 0 element.
function int2bigInt(t,bits,minSize) {
var i,k;
k=Math.ceil(bits/bpe)+1;
k=minSize>k ? minSize : k;
buff=new Array(k);
copyInt_(buff,t);
return buff;
}
//return the bigInt given a string representation in a given base.
//Pad the array with leading zeros so that it has at least minSize elements.
//If base=-1, then it reads in a space-separated list of array elements in decimal.
//The array will always have at least one leading zero, unless base=-1.
function str2bigInt(s,base,minSize) {
var d, i, j, x, y, kk;
var k=s.length;
if (base==-1) { //comma-separated list of array elements in decimal
x=new Array(0);
for (;;) {
y=new Array(x.length+1);
for (i=0;i<x.length;i++)
y[i+1]=x[i];
y[0]=parseInt(s,10);
x=y;
d=s.indexOf(',',0);
if (d<1)
break;
s=s.substring(d+1);
if (s.length==0)
break;
}
if (x.length<minSize) {
y=new Array(minSize);
copy_(y,x);
return y;
}
return x;
}
x=int2bigInt(0,base*k,0);
for (i=0;i<k;i++) {
d=digitsStr.indexOf(s.substring(i,i+1),0);
if (base<=36 && d>=36) //convert lowercase to uppercase if base<=36
d-=26;
if (d<base && d>=0) { //ignore illegal characters
multInt_(x,base);
addInt_(x,d);
}
}
for (k=x.length;k>0 && !x[k-1];k--); //strip off leading zeros
k=minSize>k+1 ? minSize : k+1;
y=new Array(k);
kk=k<x.length ? k : x.length;
for (i=0;i<kk;i++)
y[i]=x[i];
for (;i<k;i++)
y[i]=0;
return y;
}
//is bigint x equal to integer y?
//y must have less than bpe bits
function equalsInt(x,y) {
var i;
if (x[0]!=y)
return 0;
for (i=1;i<x.length;i++)
if (x[i])
return 0;
return 1;
}
//are bigints x and y equal?
//this works even if x and y are different lengths and have arbitrarily many leading zeros
function equals(x,y) {
var i;
var k=x.length<y.length ? x.length : y.length;
for (i=0;i<k;i++)
if (x[i]!=y[i])
return 0;
if (x.length>y.length) {
for (;i<x.length;i++)
if (x[i])
return 0;
} else {
for (;i<y.length;i++)
if (y[i])
return 0;
}
return 1;
}
//is the bigInt x equal to zero?
function isZero(x) {
var i;
for (i=0;i<x.length;i++)
if (x[i])
return 0;
return 1;
}
//convert a bigInt into a string in a given base, from base 2 up to base 95.
//Base -1 prints the contents of the array representing the number.
function bigInt2str(x,base) {
var i,t,s="";
if (s6.length!=x.length)
s6=dup(x);
else
copy_(s6,x);
if (base==-1) { //return the list of array contents
for (i=x.length-1;i>0;i--)
s+=x[i]+',';
s+=x[0];
}
else { //return it in the given base
while (!isZero(s6)) {
t=divInt_(s6,base); //t=s6 % base; s6=floor(s6/base);
s=digitsStr.substring(t,t+1)+s;
}
}
if (s.length==0)
s="0";
return s;
}
//returns a duplicate of bigInt x
function dup(x) {
var i;
buff=new Array(x.length);
copy_(buff,x);
return buff;
}
//do x=y on bigInts x and y. x must be an array at least as big as y (not counting the leading zeros in y).
function copy_(x,y) {
var i;
var k=x.length<y.length ? x.length : y.length;
for (i=0;i<k;i++)
x[i]=y[i];
for (i=k;i<x.length;i++)
x[i]=0;
}
//do x=y on bigInt x and integer y.
function copyInt_(x,n) {
var i,c;
for (c=n,i=0;i<x.length;i++) {
x[i]=c & mask;
c>>=bpe;
}
}
//do x=x+n where x is a bigInt and n is an integer.
//x must be large enough to hold the result.
function addInt_(x,n) {
var i,k,c,b;
x[0]+=n;
k=x.length;
c=0;
for (i=0;i<k;i++) {
c+=x[i];
b=0;
if (c<0) {
b=-(c>>bpe);
c+=b*radix;
}
x[i]=c & mask;
c=(c>>bpe)-b;
if (!c) return; //stop carrying as soon as the carry_ is zero
}
}
//right shift bigInt x by n bits. 0 <= n < bpe.
function rightShift_(x,n) {
var i;
var k=Math.floor(n/bpe);
if (k) {
for (i=0;i<x.length-k;i++) //right shift x by k elements
x[i]=x[i+k];
for (;i<x.length;i++)
x[i]=0;
n%=bpe;
}
for (i=0;i<x.length-1;i++) {
x[i]=mask & ((x[i+1]<<(bpe-n)) | (x[i]>>n));
}
x[i]>>=n;
}
//do x=floor(|x|/2)*sgn(x) for bigInt x in 2's complement
function halve_(x) {
var i;
for (i=0;i<x.length-1;i++) {
x[i]=mask & ((x[i+1]<<(bpe-1)) | (x[i]>>1));
}
x[i]=(x[i]>>1) | (x[i] & (radix>>1)); //most significant bit stays the same
}
//left shift bigInt x by n bits.
function leftShift_(x,n) {
var i;
var k=Math.floor(n/bpe);
if (k) {
for (i=x.length; i>=k; i--) //left shift x by k elements
x[i]=x[i-k];
for (;i>=0;i--)
x[i]=0;
n%=bpe;
}
if (!n)
return;
for (i=x.length-1;i>0;i--) {
x[i]=mask & ((x[i]<<n) | (x[i-1]>>(bpe-n)));
}
x[i]=mask & (x[i]<<n);
}
//do x=x*n where x is a bigInt and n is an integer.
//x must be large enough to hold the result.
function multInt_(x,n) {
var i,k,c,b;
if (!n)
return;
k=x.length;
c=0;
for (i=0;i<k;i++) {
c+=x[i]*n;
b=0;
if (c<0) {
b=-(c>>bpe);
c+=b*radix;
}
x[i]=c & mask;
c=(c>>bpe)-b;
}
}
//do x=floor(x/n) for bigInt x and integer n, and return the remainder
function divInt_(x,n) {
var i,r=0,s;
for (i=x.length-1;i>=0;i--) {
s=r*radix+x[i];
x[i]=Math.floor(s/n);
r=s%n;
}
return r;
}
//do the linear combination x=a*x+b*y for bigInts x and y, and integers a and b.
//x must be large enough to hold the answer.
function linComb_(x,y,a,b) {
var i,c,k,kk;
k=x.length<y.length ? x.length : y.length;
kk=x.length;
for (c=0,i=0;i<k;i++) {
c+=a*x[i]+b*y[i];
x[i]=c & mask;
c>>=bpe;
}
for (i=k;i<kk;i++) {
c+=a*x[i];
x[i]=c & mask;
c>>=bpe;
}
}
//do the linear combination x=a*x+b*(y<<(ys*bpe)) for bigInts x and y, and integers a, b and ys.
//x must be large enough to hold the answer.
function linCombShift_(x,y,b,ys) {
var i,c,k,kk;
k=x.length<ys+y.length ? x.length : ys+y.length;
kk=x.length;
for (c=0,i=ys;i<k;i++) {
c+=x[i]+b*y[i-ys];
x[i]=c & mask;
c>>=bpe;
}
for (i=k;c && i<kk;i++) {
c+=x[i];
x[i]=c & mask;
c>>=bpe;
}
}
//do x=x+(y<<(ys*bpe)) for bigInts x and y, and integers a,b and ys.
//x must be large enough to hold the answer.
function addShift_(x,y,ys) {
var i,c,k,kk;
k=x.length<ys+y.length ? x.length : ys+y.length;
kk=x.length;
for (c=0,i=ys;i<k;i++) {
c+=x[i]+y[i-ys];
x[i]=c & mask;
c>>=bpe;
}
for (i=k;c && i<kk;i++) {
c+=x[i];
x[i]=c & mask;
c>>=bpe;
}
}
//do x=x-(y<<(ys*bpe)) for bigInts x and y, and integers a,b and ys.
//x must be large enough to hold the answer.
function subShift_(x,y,ys) {
var i,c,k,kk;
k=x.length<ys+y.length ? x.length : ys+y.length;
kk=x.length;
for (c=0,i=ys;i<k;i++) {
c+=x[i]-y[i-ys];
x[i]=c & mask;
c>>=bpe;
}
for (i=k;c && i<kk;i++) {
c+=x[i];
x[i]=c & mask;
c>>=bpe;
}
}
//do x=x-y for bigInts x and y.
//x must be large enough to hold the answer.
//negative answers will be 2s complement
function sub_(x,y) {
var i,c,k,kk;
k=x.length<y.length ? x.length : y.length;
for (c=0,i=0;i<k;i++) {
c+=x[i]-y[i];
x[i]=c & mask;
c>>=bpe;
}
for (i=k;c && i<x.length;i++) {
c+=x[i];
x[i]=c & mask;
c>>=bpe;
}
}
//do x=x+y for bigInts x and y.
//x must be large enough to hold the answer.
function add_(x,y) {
var i,c,k,kk;
k=x.length<y.length ? x.length : y.length;
for (c=0,i=0;i<k;i++) {
c+=x[i]+y[i];
x[i]=c & mask;
c>>=bpe;
}
for (i=k;c && i<x.length;i++) {
c+=x[i];
x[i]=c & mask;
c>>=bpe;
}
}
//do x=x*y for bigInts x and y. This is faster when y<x.
function mult_(x,y) {
var i;
if (ss.length!=2*x.length)
ss=new Array(2*x.length);
copyInt_(ss,0);
for (i=0;i<y.length;i++)
if (y[i])
linCombShift_(ss,x,y[i],i); //ss=1*ss+y[i]*(x<<(i*bpe))
copy_(x,ss);
}
//do x=x mod n for bigInts x and n.
function mod_(x,n) {
if (s4.length!=x.length)
s4=dup(x);
else
copy_(s4,x);
if (s5.length!=x.length)
s5=dup(x);
divide_(s4,n,s5,x); //x = remainder of s4 / n
}
//do x=x*y mod n for bigInts x,y,n.
//for greater speed, let y<x.
function multMod_(x,y,n) {
var i;
if (s0.length!=2*x.length)
s0=new Array(2*x.length);
copyInt_(s0,0);
for (i=0;i<y.length;i++)
if (y[i])
linCombShift_(s0,x,y[i],i); //s0=1*s0+y[i]*(x<<(i*bpe))
mod_(s0,n);
copy_(x,s0);
}
//do x=x*x mod n for bigInts x,n.
function squareMod_(x,n) {
var i,j,d,c,kx,kn,k;
for (kx=x.length; kx>0 && !x[kx-1]; kx--); //ignore leading zeros in x
k=kx>n.length ? 2*kx : 2*n.length; //k=# elements in the product, which is twice the elements in the larger of x and n
if (s0.length!=k)
s0=new Array(k);
copyInt_(s0,0);
for (i=0;i<kx;i++) {
c=s0[2*i]+x[i]*x[i];
s0[2*i]=c & mask;
c>>=bpe;
for (j=i+1;j<kx;j++) {
c=s0[i+j]+2*x[i]*x[j]+c;
s0[i+j]=(c & mask);
c>>=bpe;
}
s0[i+kx]=c;
}
mod_(s0,n);
copy_(x,s0);
}
//return x with exactly k leading zero elements
function bigint_trim(x,k) {
var i,y;
for (i=x.length; i>0 && !x[i-1]; i--);
y=new Array(i+k);
copy_(y,x);
return y;
}
//do x=x**y mod n, where x,y,n are bigInts and ** is exponentiation. 0**0=1.
//this is faster when n is odd. x usually needs to have as many elements as n.
function powMod_(x,y,n) {
var k1,k2,kn,np;
if(s7.length!=n.length)
s7=dup(n);
//for even modulus, use a simple square-and-multiply algorithm,
//rather than using the more complex Montgomery algorithm.
if ((n[0]&1)==0) {
copy_(s7,x);
copyInt_(x,1);
while(!equalsInt(y,0)) {
if (y[0]&1)
multMod_(x,s7,n);
divInt_(y,2);
squareMod_(s7,n);
}
return;
}
//calculate np from n for the Montgomery multiplications
copyInt_(s7,0);
for (kn=n.length;kn>0 && !n[kn-1];kn--);
np=radix-inverseModInt(modInt(n,radix),radix);
s7[kn]=1;
multMod_(x ,s7,n); // x = x * 2**(kn*bp) mod n
if (s3.length!=x.length)
s3=dup(x);
else
copy_(s3,x);
for (k1=y.length-1;k1>0 & !y[k1]; k1--); //k1=first nonzero element of y
if (y[k1]==0) { //anything to the 0th power is 1
copyInt_(x,1);
return;
}
for (k2=1<<(bpe-1);k2 && !(y[k1] & k2); k2>>=1); //k2=position of first 1 bit in y[k1]
for (;;) {
if (!(k2>>=1)) { //look at next bit of y
k1--;
if (k1<0) {
mont_(x,one,n,np);
return;
}
k2=1<<(bpe-1);
}
mont_(x,x,n,np);
if (k2 & y[k1]) //if next bit is a 1
mont_(x,s3,n,np);
}
}
//do x=x*y*Ri mod n for bigInts x,y,n,
// where Ri = 2**(-kn*bpe) mod n, and kn is the
// number of elements in the n array, not
// counting leading zeros.
//x must be large enough to hold the answer.
//It's OK if x and y are the same variable.
//must have:
// x,y < n
// n is odd
// np = -(n^(-1)) mod radix
function mont_(x,y,n,np) {
var i,j,c,ui,t;
var kn=n.length;
var ky=y.length;
if (sa.length!=kn)
sa=new Array(kn);
for (;kn>0 && n[kn-1]==0;kn--); //ignore leading zeros of n
//this function sometimes gives wrong answers when the next line is uncommented
//for (;ky>0 && y[ky-1]==0;ky--); //ignore leading zeros of y
copyInt_(sa,0);
//the following loop consumes 95% of the runtime for randTruePrime_() and powMod_() for large keys
for (i=0; i<kn; i++) {
t=sa[0]+x[i]*y[0];
ui=((t & mask) * np) & mask; //the inner "& mask" is needed on Macintosh MSIE, but not windows MSIE
c=(t+ui*n[0]) >> bpe;
t=x[i];
//do sa=(sa+x[i]*y+ui*n)/b where b=2**bpe
for (j=1;j<ky;j++) {
c+=sa[j]+t*y[j]+ui*n[j];
sa[j-1]=c & mask;
c>>=bpe;
}
for (;j<kn;j++) {
c+=sa[j]+ui*n[j];
sa[j-1]=c & mask;
c>>=bpe;
}
sa[j-1]=c & mask;
}
if (!greater(n,sa))
sub_(sa,n);
copy_(x,sa);
}
/* rijndael.js Rijndael Reference Implementation
Copyright (c) 2001 Fritz Schneider
This software is provided as-is, without express or implied warranty.
Permission to use, copy, modify, distribute or sell this software, with or
without fee, for any purpose and by any individual or organization, is hereby
granted, provided that the above copyright notice and this paragraph appear
in all copies. Distribution as a part of an application or binary must
include the above copyright notice in the documentation and/or other materials
provided with the application or distribution.
As the above disclaimer notes, you are free to use this code however you
want. However, I would request that you send me an email
(fritz /at/ cs /dot/ ucsd /dot/ edu) to say hi if you find this code useful
or instructional. Seeing that people are using the code acts as
encouragement for me to continue development. If you *really* want to thank
me you can buy the book I wrote with Thomas Powell, _JavaScript:
_The_Complete_Reference_ :)
This code is an UNOPTIMIZED REFERENCE implementation of Rijndael.
If there is sufficient interest I can write an optimized (word-based,
table-driven) version, although you might want to consider using a
compiled language if speed is critical to your application. As it stands,
one run of the monte carlo test (10,000 encryptions) can take up to
several minutes, depending upon your processor. You shouldn't expect more
than a few kilobytes per second in throughput.
Also note that there is very little error checking in these functions.
Doing proper error checking is always a good idea, but the ideal
implementation (using the instanceof operator and exceptions) requires
IE5+/NS6+, and I've chosen to implement this code so that it is compatible
with IE4/NS4.
And finally, because JavaScript doesn't have an explicit byte/char data
type (although JavaScript 2.0 most likely will), when I refer to "byte"
in this code I generally mean "32 bit integer with value in the interval
[0,255]" which I treat as a byte.
See http://www-cse.ucsd.edu/~fritz/rijndael.html for more documentation
of the (very simple) API provided by this code.
Fritz Schneider
fritz at cs.ucsd.edu
*/
// Rijndael parameters -- Valid values are 128, 192, or 256
var keySizeInBits = ( typeof AES_BITS == 'number' ) ? AES_BITS : 128;
var blockSizeInBits = ( typeof AES_BLOCKSIZE == 'number' ) ? AES_BLOCKSIZE : 128;
/////// You shouldn't have to modify anything below this line except for
/////// the function getRandomBytes().
//
// Note: in the following code the two dimensional arrays are indexed as
// you would probably expect, as array[row][column]. The state arrays
// are 2d arrays of the form state[4][Nb].
// The number of rounds for the cipher, indexed by [Nk][Nb]
var roundsArray = [ ,,,,[,,,,10,, 12,, 14],,
[,,,,12,, 12,, 14],,
[,,,,14,, 14,, 14] ];
// The number of bytes to shift by in shiftRow, indexed by [Nb][row]
var shiftOffsets = [ ,,,,[,1, 2, 3],,[,1, 2, 3],,[,1, 3, 4] ];
// The round constants used in subkey expansion
var Rcon = [
0x01, 0x02, 0x04, 0x08, 0x10, 0x20,
0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8,
0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc,
0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4,
0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91 ];
// Precomputed lookup table for the SBox
var SBox = [
99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171,
118, 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164,
114, 192, 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113,
216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226,
235, 39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214,
179, 41, 227, 47, 132, 83, 209, 0, 237, 32, 252, 177, 91, 106, 203,
190, 57, 74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133, 69,
249, 2, 127, 80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245,
188, 182, 218, 33, 16, 255, 243, 210, 205, 12, 19, 236, 95, 151, 68,
23, 196, 167, 126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42,
144, 136, 70, 238, 184, 20, 222, 94, 11, 219, 224, 50, 58, 10, 73,
6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, 231, 200, 55, 109,
141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, 186, 120, 37,
46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, 112, 62,
181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, 225,
248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223,
140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187,
22 ];
// Precomputed lookup table for the inverse SBox
var SBoxInverse = [
82, 9, 106, 213, 48, 54, 165, 56, 191, 64, 163, 158, 129, 243, 215,
251, 124, 227, 57, 130, 155, 47, 255, 135, 52, 142, 67, 68, 196, 222,
233, 203, 84, 123, 148, 50, 166, 194, 35, 61, 238, 76, 149, 11, 66,
250, 195, 78, 8, 46, 161, 102, 40, 217, 36, 178, 118, 91, 162, 73,
109, 139, 209, 37, 114, 248, 246, 100, 134, 104, 152, 22, 212, 164, 92,
204, 93, 101, 182, 146, 108, 112, 72, 80, 253, 237, 185, 218, 94, 21,
70, 87, 167, 141, 157, 132, 144, 216, 171, 0, 140, 188, 211, 10, 247,
228, 88, 5, 184, 179, 69, 6, 208, 44, 30, 143, 202, 63, 15, 2,
193, 175, 189, 3, 1, 19, 138, 107, 58, 145, 17, 65, 79, 103, 220,
234, 151, 242, 207, 206, 240, 180, 230, 115, 150, 172, 116, 34, 231, 173,
53, 133, 226, 249, 55, 232, 28, 117, 223, 110, 71, 241, 26, 113, 29,
41, 197, 137, 111, 183, 98, 14, 170, 24, 190, 27, 252, 86, 62, 75,
198, 210, 121, 32, 154, 219, 192, 254, 120, 205, 90, 244, 31, 221, 168,
51, 136, 7, 199, 49, 177, 18, 16, 89, 39, 128, 236, 95, 96, 81,
127, 169, 25, 181, 74, 13, 45, 229, 122, 159, 147, 201, 156, 239, 160,
224, 59, 77, 174, 42, 245, 176, 200, 235, 187, 60, 131, 83, 153, 97,
23, 43, 4, 126, 186, 119, 214, 38, 225, 105, 20, 99, 85, 33, 12,
125 ];
function str_split(string, chunklen)
{
if(!chunklen) chunklen = 1;
ret = new Array();
for ( i = 0; i < string.length; i+=chunklen )
{
ret[ret.length] = string.slice(i, i+chunklen);
}
return ret;
}
// This method circularly shifts the array left by the number of elements
// given in its parameter. It returns the resulting array and is used for
// the ShiftRow step. Note that shift() and push() could be used for a more
// elegant solution, but they require IE5.5+, so I chose to do it manually.
function cyclicShiftLeft(theArray, positions) {
var temp = theArray.slice(0, positions);
theArray = theArray.slice(positions).concat(temp);
return theArray;
}
// Cipher parameters ... do not change these
var Nk = keySizeInBits / 32;
var Nb = blockSizeInBits / 32;
var Nr = roundsArray[Nk][Nb];
// Multiplies the element "poly" of GF(2^8) by x. See the Rijndael spec.
function xtime(poly) {
poly <<= 1;
return ((poly & 0x100) ? (poly ^ 0x11B) : (poly));
}
// Multiplies the two elements of GF(2^8) together and returns the result.
// See the Rijndael spec, but should be straightforward: for each power of
// the indeterminant that has a 1 coefficient in x, add y times that power
// to the result. x and y should be bytes representing elements of GF(2^8)
function mult_GF256(x, y) {
var bit, result = 0;
for (bit = 1; bit < 256; bit *= 2, y = xtime(y)) {
if (x & bit)
result ^= y;
}
return result;
}
// Performs the substitution step of the cipher. State is the 2d array of
// state information (see spec) and direction is string indicating whether
// we are performing the forward substitution ("encrypt") or inverse
// substitution (anything else)
function byteSub(state, direction) {
var S;
if (direction == "encrypt") // Point S to the SBox we're using
S = SBox;
else
S = SBoxInverse;
for (var i = 0; i < 4; i++) // Substitute for every byte in state
for (var j = 0; j < Nb; j++)
state[i][j] = S[state[i][j]];
}
// Performs the row shifting step of the cipher.
function shiftRow(state, direction) {
for (var i=1; i<4; i++) // Row 0 never shifts
if (direction == "encrypt")
state[i] = cyclicShiftLeft(state[i], shiftOffsets[Nb][i]);
else
state[i] = cyclicShiftLeft(state[i], Nb - shiftOffsets[Nb][i]);
}
// Performs the column mixing step of the cipher. Most of these steps can
// be combined into table lookups on 32bit values (at least for encryption)
// to greatly increase the speed.
function mixColumn(state, direction) {
var b = []; // Result of matrix multiplications
for (var j = 0; j < Nb; j++) { // Go through each column...
for (var i = 0; i < 4; i++) { // and for each row in the column...
if (direction == "encrypt")
b[i] = mult_GF256(state[i][j], 2) ^ // perform mixing
mult_GF256(state[(i+1)%4][j], 3) ^
state[(i+2)%4][j] ^
state[(i+3)%4][j];
else
b[i] = mult_GF256(state[i][j], 0xE) ^
mult_GF256(state[(i+1)%4][j], 0xB) ^
mult_GF256(state[(i+2)%4][j], 0xD) ^
mult_GF256(state[(i+3)%4][j], 9);
}
for (var i = 0; i < 4; i++) // Place result back into column
state[i][j] = b[i];
}
}
// Adds the current round key to the state information. Straightforward.
function addRoundKey(state, roundKey) {
for (var j = 0; j < Nb; j++) { // Step through columns...
state[0][j] ^= (roundKey[j] & 0xFF); // and XOR
state[1][j] ^= ((roundKey[j]>>8) & 0xFF);
state[2][j] ^= ((roundKey[j]>>16) & 0xFF);
state[3][j] ^= ((roundKey[j]>>24) & 0xFF);
}
}
// This function creates the expanded key from the input (128/192/256-bit)
// key. The parameter key is an array of bytes holding the value of the key.
// The returned value is an array whose elements are the 32-bit words that
// make up the expanded key.
function keyExpansion(key) {
var expandedKey = new Array();
var temp;
// in case the key size or parameters were changed...
Nk = keySizeInBits / 32;
Nb = blockSizeInBits / 32;
Nr = roundsArray[Nk][Nb];
for (var j=0; j < Nk; j++) // Fill in input key first
expandedKey[j] =
(key[4*j]) | (key[4*j+1]<<8) | (key[4*j+2]<<16) | (key[4*j+3]<<24);
// Now walk down the rest of the array filling in expanded key bytes as
// per Rijndael's spec
for (j = Nk; j < Nb * (Nr + 1); j++) { // For each word of expanded key
temp = expandedKey[j - 1];
if (j % Nk == 0)
temp = ( (SBox[(temp>>8) & 0xFF]) |
(SBox[(temp>>16) & 0xFF]<<8) |
(SBox[(temp>>24) & 0xFF]<<16) |
(SBox[temp & 0xFF]<<24) ) ^ Rcon[Math.floor(j / Nk) - 1];
else if (Nk > 6 && j % Nk == 4)
temp = (SBox[(temp>>24) & 0xFF]<<24) |
(SBox[(temp>>16) & 0xFF]<<16) |
(SBox[(temp>>8) & 0xFF]<<8) |
(SBox[temp & 0xFF]);
expandedKey[j] = expandedKey[j-Nk] ^ temp;
}
return expandedKey;
}
// Rijndael's round functions...
function Round(state, roundKey) {
byteSub(state, "encrypt");
shiftRow(state, "encrypt");
mixColumn(state, "encrypt");
addRoundKey(state, roundKey);
}
function InverseRound(state, roundKey) {
addRoundKey(state, roundKey);
mixColumn(state, "decrypt");
shiftRow(state, "decrypt");
byteSub(state, "decrypt");
}
function FinalRound(state, roundKey) {
byteSub(state, "encrypt");
shiftRow(state, "encrypt");
addRoundKey(state, roundKey);
}
function InverseFinalRound(state, roundKey){
addRoundKey(state, roundKey);
shiftRow(state, "decrypt");
byteSub(state, "decrypt");
}
// encrypt is the basic encryption function. It takes parameters
// block, an array of bytes representing a plaintext block, and expandedKey,
// an array of words representing the expanded key previously returned by
// keyExpansion(). The ciphertext block is returned as an array of bytes.
function encrypt(block, expandedKey) {
var i;
if (!block || block.length*8 != blockSizeInBits)
return;
if (!expandedKey)
return;
block = packBytes(block);
addRoundKey(block, expandedKey);
for (i=1; i<Nr; i++)
Round(block, expandedKey.slice(Nb*i, Nb*(i+1)));
FinalRound(block, expandedKey.slice(Nb*Nr));
return unpackBytes(block);
}
// decrypt is the basic decryption function. It takes parameters
// block, an array of bytes representing a ciphertext block, and expandedKey,
// an array of words representing the expanded key previously returned by
// keyExpansion(). The decrypted block is returned as an array of bytes.
function decrypt(block, expandedKey) {
var i;
if (!block || block.length*8 != blockSizeInBits)
return;
if (!expandedKey)
return;
block = packBytes(block);
InverseFinalRound(block, expandedKey.slice(Nb*Nr));
for (i = Nr - 1; i>0; i--)
InverseRound(block, expandedKey.slice(Nb*i, Nb*(i+1)));
addRoundKey(block, expandedKey);
return unpackBytes(block);
}
// This function packs an array of bytes into the four row form defined by
// Rijndael. It assumes the length of the array of bytes is divisible by
// four. Bytes are filled in according to the Rijndael spec (starting with
// column 0, row 0 to 3). This function returns a 2d array.
function packBytes(octets) {
var state = new Array();
if (!octets || octets.length % 4)
return;
state[0] = new Array(); state[1] = new Array();
state[2] = new Array(); state[3] = new Array();
for (var j=0; j<octets.length; j+= 4) {
state[0][j/4] = octets[j];
state[1][j/4] = octets[j+1];
state[2][j/4] = octets[j+2];
state[3][j/4] = octets[j+3];
}
return state;
}
// This function unpacks an array of bytes from the four row format preferred
// by Rijndael into a single 1d array of bytes. It assumes the input "packed"
// is a packed array. Bytes are filled in according to the Rijndael spec.
// This function returns a 1d array of bytes.
function unpackBytes(packed) {
var result = new Array();
for (var j=0; j<packed[0].length; j++) {
result[result.length] = packed[0][j];
result[result.length] = packed[1][j];
result[result.length] = packed[2][j];
result[result.length] = packed[3][j];
}
return result;
}
// This function takes a prospective plaintext (string or array of bytes)
// and pads it with zero bytes if its length is not a multiple of the block
// size. If plaintext is a string, it is converted to an array of bytes
// in the process. The type checking can be made much nicer using the
// instanceof operator, but this operator is not available until IE5.0 so I
// chose to use the heuristic below.
function formatPlaintext(plaintext) {
var bpb = blockSizeInBits / 8; // bytes per block
var i;
// if primitive string or String instance
if (typeof plaintext == "string" || plaintext.split) {
// alert('AUUGH you idiot it\'s NOT A STRING ITS A '+typeof(plaintext)+'!!!');
// return false;
plaintext = plaintext.split("");
// Unicode issues here (ignoring high byte)
for (i=0; i<plaintext.length; i++)
plaintext[i] = plaintext[i].charCodeAt(0) & 0xFF;
}
for (i = bpb - (plaintext.length % bpb); i > 0 && i < bpb; i--)
plaintext[plaintext.length] = 0;
return plaintext;
}
// Returns an array containing "howMany" random bytes. YOU SHOULD CHANGE THIS
// TO RETURN HIGHER QUALITY RANDOM BYTES IF YOU ARE USING THIS FOR A "REAL"
// APPLICATION.
function getRandomBytes(howMany) {
var i;
var bytes = new Array();
for (i=0; i<howMany; i++)
bytes[i] = Math.round(Math.random()*255);
return bytes;
}
// rijndaelEncrypt(plaintext, key, mode)
// Encrypts the plaintext using the given key and in the given mode.
// The parameter "plaintext" can either be a string or an array of bytes.
// The parameter "key" must be an array of key bytes. If you have a hex
// string representing the key, invoke hexToByteArray() on it to convert it
// to an array of bytes. The third parameter "mode" is a string indicating
// the encryption mode to use, either "ECB" or "CBC". If the parameter is
// omitted, ECB is assumed.
//
// An array of bytes representing the cihpertext is returned. To convert
// this array to hex, invoke byteArrayToHex() on it. If you are using this
// "for real" it is a good idea to change the function getRandomBytes() to
// something that returns truly random bits.
function rijndaelEncrypt(plaintext, key, mode) {
var expandedKey, i, aBlock;
var bpb = blockSizeInBits / 8; // bytes per block
var ct; // ciphertext
if (typeof plaintext != 'object' || typeof key != 'object')
{
alert( 'Invalid params\nplaintext: '+typeof(plaintext)+'\nkey: '+typeof(key) );
return false;
}
if (key.length*8 == keySizeInBits+8)
key.length = keySizeInBits / 8;
if (key.length*8 != keySizeInBits)
{
alert( 'Key length is bad!\nLength: '+key.length+'\nExpected: '+keySizeInBits / 8 );
return false;
}
if (mode == "CBC")
ct = getRandomBytes(bpb); // get IV
else {
mode = "ECB";
ct = new Array();
}
// convert plaintext to byte array and pad with zeros if necessary.
plaintext = formatPlaintext(plaintext);
expandedKey = keyExpansion(key);
for (var block=0; block<plaintext.length / bpb; block++) {
aBlock = plaintext.slice(block*bpb, (block+1)*bpb);
if (mode == "CBC")
for (var i=0; i<bpb; i++)
aBlock[i] ^= ct[block*bpb + i];
ct = ct.concat(encrypt(aBlock, expandedKey));
}
return ct;
}
// rijndaelDecrypt(ciphertext, key, mode)
// Decrypts the using the given key and mode. The parameter "ciphertext"
// must be an array of bytes. The parameter "key" must be an array of key
// bytes. If you have a hex string representing the ciphertext or key,
// invoke hexToByteArray() on it to convert it to an array of bytes. The
// parameter "mode" is a string, either "CBC" or "ECB".
//
// An array of bytes representing the plaintext is returned. To convert
// this array to a hex string, invoke byteArrayToHex() on it. To convert it
// to a string of characters, you can use byteArrayToString().
function rijndaelDecrypt(ciphertext, key, mode) {
var expandedKey;
var bpb = blockSizeInBits / 8; // bytes per block
var pt = new Array(); // plaintext array
var aBlock; // a decrypted block
var block; // current block number
if (!ciphertext || !key || typeof ciphertext == "string")
return;
if (key.length*8 != keySizeInBits)
return;
if (!mode)
mode = "ECB"; // assume ECB if mode omitted
expandedKey = keyExpansion(key);
// work backwards to accomodate CBC mode
for (block=(ciphertext.length / bpb)-1; block>0; block--) {
aBlock =
decrypt(ciphertext.slice(block*bpb,(block+1)*bpb), expandedKey);
if (mode == "CBC")
for (var i=0; i<bpb; i++)
pt[(block-1)*bpb + i] = aBlock[i] ^ ciphertext[(block-1)*bpb + i];
else
pt = aBlock.concat(pt);
}
// do last block if ECB (skips the IV in CBC)
if (mode == "ECB")
pt = decrypt(ciphertext.slice(0, bpb), expandedKey).concat(pt);
return pt;
}
// This method takes a byte array (byteArray) and converts it to a string by
// applying String.fromCharCode() to each value and concatenating the result.
// The resulting string is returned. Note that this function SKIPS zero bytes
// under the assumption that they are padding added in formatPlaintext().
// Obviously, do not invoke this method on raw data that can contain zero
// bytes. It is really only appropriate for printable ASCII/Latin-1
// values. Roll your own function for more robust functionality :)
function byteArrayToString(byteArray) {
var result = "";
for ( var i=0; i < byteArray.length; i++ )
if (byteArray[i] != 0)
result += '%' + byteArray[i].toString(16);
return decodeURIComponent(result);
}
// This function takes an array of bytes (byteArray) and converts them
// to a hexadecimal string. Array element 0 is found at the beginning of
// the resulting string, high nibble first. Consecutive elements follow
// similarly, for example [16, 255] --> "10ff". The function returns a
// string.
function byteArrayToHex(byteArray) {
var result = "";
if (!byteArray)
return;
for (var i=0; i<byteArray.length; i++)
result += ((byteArray[i]<16) ? "0" : "") + byteArray[i].toString(16);
return result;
}
// This function converts a string containing hexadecimal digits to an
// array of bytes. The resulting byte array is filled in the order the
// values occur in the string, for example "10FF" --> [16, 255]. This
// function returns an array.
function hexToByteArray(hexString) {
/*
var byteArray = [];
if (hexString.length % 2) // must have even length
return;
if (hexString.indexOf("0x") == 0 || hexString.indexOf("0X") == 0)
hexString = hexString.substring(2);
for (var i = 0; i<hexString.length; i += 2)
byteArray[Math.floor(i/2)] = parseInt(hexString.slice(i, i+2), 16);
return byteArray;
*/
var bytes = new Array();
hexString = str_split(hexString, 2);
//alert(hexString.toString());
//return false;
for( var i in hexString )
{
bytes[bytes.length] = parseInt(hexString[i], 16);
}
//alert(bytes.toString());
return bytes;
}
function stringToByteArray(text)
{
// Modified for Enano 2009-02-16 to be Unicode-safe
var result = new Array();
text = encodeURIComponent(text);
for ( var i = 0; i < text.length; i++ )
{
var ch = text.charCodeAt(i);
var a = false;
if ( ch == 37 ) // "%"
{
var hexch = text.substr(i, 3);
if ( hexch.match(/^%[a-f0-9][a-f0-9]$/i) )
{
result[result.length] = (unescape(hexch)).charCodeAt(0);
a = true;
i += 2;
}
}
if ( !a )
{
result[result.length] = ch;
}
}
return result;
}
function aes_self_test()
{
//
// Encryption test
//
var str = '';
for(i=0;i<keySizeInBits/4;i++)
{
str+='0';
}
str = hexToByteArray(str);
var ct = rijndaelEncrypt(str, str, 'ECB');
ct = byteArrayToHex(ct);
var v;
switch(keySizeInBits)
{
// These test vectors are for 128-bit block size.
case 128:
v = '66e94bd4ef8a2c3b884cfa59ca342b2e';
break;
case 192:
v = 'aae06992acbf52a3e8f4a96ec9300bd7aae06992acbf52a3e8f4a96ec9300bd7';
break;
case 256:
v = 'dc95c078a2408989ad48a21492842087dc95c078a2408989ad48a21492842087';
break;
}
return ( ct == v && md5_vm_test() );
}
/*
* EnanoMath, an abstraction layer for big-integer (arbitrary precision)
* mathematics.
*/
var EnanoMathLayers = {};
// EnanoMath layer: Leemon (frontend to BigInt library by Leemon Baird)
EnanoMathLayers.Leemon = {
Base: 10,
PowMod: function(a, b, c)
{
a = str2bigInt(a, this.Base);
b = str2bigInt(b, this.Base);
c = str2bigInt(c, this.Base);
var result = powMod(a, b, c);
result = bigInt2str(result, this.Base);
return result;
},
RandomInt: function(bits)
{
var result = randBigInt(bits);
return bigInt2str(result, this.Base);
}
}
var EnanoMath = EnanoMathLayers.Leemon;
/*
* The Diffie-Hellman key exchange protocol.
*/
// Our prime number as a base for operations.
var dh_prime = '7916586051748534588306961133067968196965257961415756656521818848750723547477673457670019632882524164647651492025728980571833579341743988603191694784406703';
// g, a primitive root used as an exponent
// (2 and 5 are acceptable, but BigInt is faster with odd numbers)
var dh_g = '5';
/**
* Generates a Diffie-Hellman private key
* @return string(BigInt)
*/
function dh_gen_private()
{
return EnanoMath.RandomInt(256);
}
/**
* Calculates the public key from the private key
* @param string(BigInt)
* @return string(BigInt)
*/
function dh_gen_public(b)
{
return EnanoMath.PowMod(dh_g, b, dh_prime);
}
/**
* Calculates the shared secret.
* @param string(BigInt) Our private key
* @param string(BigInt) Remote party's public key
* @return string(BigInt)
*/
function dh_gen_shared_secret(b, A)
{
return EnanoMath.PowMod(A, b, dh_prime);
}
/* A JavaScript implementation of the Secure Hash Algorithm, SHA-256
* Version 0.3 Copyright Angel Marin 2003-2004 - http://anmar.eu.org/
* Distributed under the BSD License
* Some bits taken from Paul Johnston's SHA-1 implementation
*/
/*
Copyright (c) 2003-2004, Angel Marin
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of the <ORGANIZATION> nor the names of its contributors may
be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
*/
var chrsz = 8; /* bits per input character. 8 - ASCII; 16 - Unicode */
function safe_add (x, y) {
var lsw = (x & 0xFFFF) + (y & 0xFFFF);
var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
return (msw << 16) | (lsw & 0xFFFF);
}
function S (X, n) {return ( X >>> n ) | (X << (32 - n));}
function R (X, n) {return ( X >>> n );}
function Ch(x, y, z) {return ((x & y) ^ ((~x) & z));}
function Maj(x, y, z) {return ((x & y) ^ (x & z) ^ (y & z));}
function Sigma0256(x) {return (S(x, 2) ^ S(x, 13) ^ S(x, 22));}
function Sigma1256(x) {return (S(x, 6) ^ S(x, 11) ^ S(x, 25));}
function Gamma0256(x) {return (S(x, 7) ^ S(x, 18) ^ R(x, 3));}
function Gamma1256(x) {return (S(x, 17) ^ S(x, 19) ^ R(x, 10));}
function core_sha256 (m, l) {
var K = new Array(0x428A2F98,0x71374491,0xB5C0FBCF,0xE9B5DBA5,0x3956C25B,0x59F111F1,0x923F82A4,0xAB1C5ED5,0xD807AA98,0x12835B01,0x243185BE,0x550C7DC3,0x72BE5D74,0x80DEB1FE,0x9BDC06A7,0xC19BF174,0xE49B69C1,0xEFBE4786,0xFC19DC6,0x240CA1CC,0x2DE92C6F,0x4A7484AA,0x5CB0A9DC,0x76F988DA,0x983E5152,0xA831C66D,0xB00327C8,0xBF597FC7,0xC6E00BF3,0xD5A79147,0x6CA6351,0x14292967,0x27B70A85,0x2E1B2138,0x4D2C6DFC,0x53380D13,0x650A7354,0x766A0ABB,0x81C2C92E,0x92722C85,0xA2BFE8A1,0xA81A664B,0xC24B8B70,0xC76C51A3,0xD192E819,0xD6990624,0xF40E3585,0x106AA070,0x19A4C116,0x1E376C08,0x2748774C,0x34B0BCB5,0x391C0CB3,0x4ED8AA4A,0x5B9CCA4F,0x682E6FF3,0x748F82EE,0x78A5636F,0x84C87814,0x8CC70208,0x90BEFFFA,0xA4506CEB,0xBEF9A3F7,0xC67178F2);
var HASH = new Array(0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19);
var W = new Array(64);
var a, b, c, d, e, f, g, h, i, j;
var T1, T2;
/* append padding */
m[l >> 5] |= 0x80 << (24 - l % 32);
m[((l + 64 >> 9) << 4) + 15] = l;
for ( var i = 0; i<m.length; i+=16 ) {
a = HASH[0]; b = HASH[1]; c = HASH[2]; d = HASH[3]; e = HASH[4]; f = HASH[5]; g = HASH[6]; h = HASH[7];
for ( var j = 0; j<64; j++) {
if (j < 16) W[j] = m[j + i];
else W[j] = safe_add(safe_add(safe_add(Gamma1256(W[j - 2]), W[j - 7]), Gamma0256(W[j - 15])), W[j - 16]);
T1 = safe_add(safe_add(safe_add(safe_add(h, Sigma1256(e)), Ch(e, f, g)), K[j]), W[j]);
T2 = safe_add(Sigma0256(a), Maj(a, b, c));
h = g; g = f; f = e; e = safe_add(d, T1); d = c; c = b; b = a; a = safe_add(T1, T2);
}
HASH[0] = safe_add(a, HASH[0]); HASH[1] = safe_add(b, HASH[1]); HASH[2] = safe_add(c, HASH[2]); HASH[3] = safe_add(d, HASH[3]); HASH[4] = safe_add(e, HASH[4]); HASH[5] = safe_add(f, HASH[5]); HASH[6] = safe_add(g, HASH[6]); HASH[7] = safe_add(h, HASH[7]);
}
return HASH;
}
function str2binb (str) {
var bin = Array();
var mask = (1 << chrsz) - 1;
for(var i = 0; i < str.length * chrsz; i += chrsz)
bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (24 - i%32);
return bin;
}
function binb2hex (binarray) {
var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */
var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
var str = "";
for (var i = 0; i < binarray.length * 4; i++) {
str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8+4)) & 0xF) + hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);
}
return str;
}
function hex_sha256(s){return binb2hex(core_sha256(str2binb(s),s.length * chrsz));}
// Javascript implementation of the and SHA1 hash algorithms - both written by Paul Johnston, licensed under the BSD license
// MD5
var hexcase = 0; var b64pad = ""; var chrsz = 8;
function hex_md5(s){ return binl2hex(core_md5(str2binl(s), s.length * chrsz));}
function b64_md5(s){ return binl2b64(core_md5(str2binl(s), s.length * chrsz));}
function str_md5(s){ return binl2str(core_md5(str2binl(s), s.length * chrsz));}
function hex_hmac_md5(key, data) { return binl2hex(core_hmac_md5(key, data)); }
function b64_hmac_md5(key, data) { return binl2b64(core_hmac_md5(key, data)); }
function str_hmac_md5(key, data) { return binl2str(core_hmac_md5(key, data)); }
function md5_vm_test() { return hex_md5("abc") == "900150983cd24fb0d6963f7d28e17f72"; }
function core_md5(x, len) { x[len >> 5] |= 0x80 << ((len) % 32); x[(((len + 64) >>> 9) << 4) + 14] = len; var a = 1732584193; var b = -271733879; var c = -1732584194; var d = 271733878; for(var i = 0; i < x.length; i += 16) { var olda = a; var oldb = b; var oldc = c; var oldd = d; a = md5_ff(a, b, c, d, x[i+ 0], 7 , -680876936);d = md5_ff(d, a, b, c, x[i+ 1], 12, -389564586);c = md5_ff(c, d, a, b, x[i+ 2], 17, 606105819);b = md5_ff(b, c, d, a, x[i+ 3], 22, -1044525330);
a = md5_ff(a, b, c, d, x[i+ 4], 7 , -176418897);d = md5_ff(d, a, b, c, x[i+ 5], 12, 1200080426);c = md5_ff(c, d, a, b, x[i+ 6], 17, -1473231341);b = md5_ff(b, c, d, a, x[i+ 7], 22, -45705983);a = md5_ff(a, b, c, d, x[i+ 8], 7 , 1770035416);d = md5_ff(d, a, b, c, x[i+ 9], 12, -1958414417);c = md5_ff(c, d, a, b, x[i+10], 17, -42063);b = md5_ff(b, c, d, a, x[i+11], 22, -1990404162);a = md5_ff(a, b, c, d, x[i+12], 7 , 1804603682);d = md5_ff(d, a, b, c, x[i+13], 12, -40341101);
c = md5_ff(c, d, a, b, x[i+14], 17, -1502002290);b = md5_ff(b, c, d, a, x[i+15], 22, 1236535329);a = md5_gg(a, b, c, d, x[i+ 1], 5 , -165796510);d = md5_gg(d, a, b, c, x[i+ 6], 9 , -1069501632);c = md5_gg(c, d, a, b, x[i+11], 14, 643717713);b = md5_gg(b, c, d, a, x[i+ 0], 20, -373897302);a = md5_gg(a, b, c, d, x[i+ 5], 5 , -701558691);d = md5_gg(d, a, b, c, x[i+10], 9 , 38016083);c = md5_gg(c, d, a, b, x[i+15], 14, -660478335);b = md5_gg(b, c, d, a, x[i+ 4], 20, -405537848);
a = md5_gg(a, b, c, d, x[i+ 9], 5 , 568446438);d = md5_gg(d, a, b, c, x[i+14], 9 , -1019803690);c = md5_gg(c, d, a, b, x[i+ 3], 14, -187363961);b = md5_gg(b, c, d, a, x[i+ 8], 20, 1163531501);a = md5_gg(a, b, c, d, x[i+13], 5 , -1444681467);d = md5_gg(d, a, b, c, x[i+ 2], 9 , -51403784);c = md5_gg(c, d, a, b, x[i+ 7], 14, 1735328473);b = md5_gg(b, c, d, a, x[i+12], 20, -1926607734);a = md5_hh(a, b, c, d, x[i+ 5], 4 , -378558);d = md5_hh(d, a, b, c, x[i+ 8], 11, -2022574463);
c = md5_hh(c, d, a, b, x[i+11], 16, 1839030562);b = md5_hh(b, c, d, a, x[i+14], 23, -35309556);a = md5_hh(a, b, c, d, x[i+ 1], 4 , -1530992060);d = md5_hh(d, a, b, c, x[i+ 4], 11, 1272893353);c = md5_hh(c, d, a, b, x[i+ 7], 16, -155497632);b = md5_hh(b, c, d, a, x[i+10], 23, -1094730640);a = md5_hh(a, b, c, d, x[i+13], 4 , 681279174);d = md5_hh(d, a, b, c, x[i+ 0], 11, -358537222);c = md5_hh(c, d, a, b, x[i+ 3], 16, -722521979);b = md5_hh(b, c, d, a, x[i+ 6], 23, 76029189);
a = md5_hh(a, b, c, d, x[i+ 9], 4 , -640364487);d = md5_hh(d, a, b, c, x[i+12], 11, -421815835);c = md5_hh(c, d, a, b, x[i+15], 16, 530742520);b = md5_hh(b, c, d, a, x[i+ 2], 23, -995338651);a = md5_ii(a, b, c, d, x[i+ 0], 6 , -198630844);d = md5_ii(d, a, b, c, x[i+ 7], 10, 1126891415);c = md5_ii(c, d, a, b, x[i+14], 15, -1416354905);b = md5_ii(b, c, d, a, x[i+ 5], 21, -57434055);a = md5_ii(a, b, c, d, x[i+12], 6 , 1700485571);d = md5_ii(d, a, b, c, x[i+ 3], 10, -1894986606);
c = md5_ii(c, d, a, b, x[i+10], 15, -1051523);b = md5_ii(b, c, d, a, x[i+ 1], 21, -2054922799);a = md5_ii(a, b, c, d, x[i+ 8], 6 , 1873313359);d = md5_ii(d, a, b, c, x[i+15], 10, -30611744);c = md5_ii(c, d, a, b, x[i+ 6], 15, -1560198380);b = md5_ii(b, c, d, a, x[i+13], 21, 1309151649);a = md5_ii(a, b, c, d, x[i+ 4], 6 , -145523070);d = md5_ii(d, a, b, c, x[i+11], 10, -1120210379);c = md5_ii(c, d, a, b, x[i+ 2], 15, 718787259);b = md5_ii(b, c, d, a, x[i+ 9], 21, -343485551);
a = safe_add(a, olda); b = safe_add(b, oldb); c = safe_add(c, oldc); d = safe_add(d, oldd); } return Array(a, b, c, d); }
function md5_cmn(q, a, b, x, s, t) { return safe_add(bit_rol(safe_add(safe_add(a, q), safe_add(x, t)), s),b); }
function md5_ff(a, b, c, d, x, s, t) { return md5_cmn((b & c) | ((~b) & d), a, b, x, s, t); }
function md5_gg(a, b, c, d, x, s, t) { return md5_cmn((b & d) | (c & (~d)), a, b, x, s, t); }
function md5_hh(a, b, c, d, x, s, t) { return md5_cmn(b ^ c ^ d, a, b, x, s, t); }
function md5_ii(a, b, c, d, x, s, t) { return md5_cmn(c ^ (b | (~d)), a, b, x, s, t); }
function core_hmac_md5(key, data) { var bkey = str2binl(key); if(bkey.length > 16) bkey = core_md5(bkey, key.length * chrsz); var ipad = Array(16), opad = Array(16); for(var i = 0; i < 16; i++) { ipad[i] = bkey[i] ^ 0x36363636; opad[i] = bkey[i] ^ 0x5C5C5C5C; } var hash = core_md5(ipad.concat(str2binl(data)), 512 + data.length * chrsz); return core_md5(opad.concat(hash), 512 + 128); }
function safe_add(x, y) {var lsw = (x & 0xFFFF) + (y & 0xFFFF);var msw = (x >> 16) + (y >> 16) + (lsw >> 16);return (msw << 16) | (lsw & 0xFFFF); }
function bit_rol(num, cnt) { return (num << cnt) | (num >>> (32 - cnt)); }
function str2binl(str) { var bin = Array(); var mask = (1 << chrsz) - 1; for(var i = 0; i < str.length * chrsz; i += chrsz)bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (i%32); return bin;}
function binl2str(bin) { var str = ""; var mask = (1 << chrsz) - 1; for(var i = 0; i < bin.length * 32; i += chrsz) str += String.fromCharCode((bin[i>>5] >>> (i % 32)) & mask); return str; }
function binl2hex(binarray) { var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef"; var str = ""; for(var i = 0; i < binarray.length * 4; i++) { str += hex_tab.charAt((binarray[i>>2] >> ((i%4)*8+4)) & 0xF) + hex_tab.charAt((binarray[i>>2] >> ((i%4)*8 )) & 0xF); } return str; }
function binl2b64(binarray) { var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; var str = ""; for(var i = 0; i < binarray.length * 4; i += 3) { var triplet = (((binarray[i >> 2] >> 8 * ( i %4)) & 0xFF) << 16) | (((binarray[i+1 >> 2] >> 8 * ((i+1)%4)) & 0xFF) << 8 ) | ((binarray[i+2 >> 2] >> 8 * ((i+2)%4)) & 0xFF); for(var j = 0; j < 4; j++) { if(i * 8 + j * 6 > binarray.length * 32) str += b64pad; else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F); } } return str; }
// SHA1
function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}
function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}
function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}
function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}
function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}
function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}
function sha1_vm_test() { return hex_sha1("abc") == "a9993e364706816aba3e25717850c26c9cd0d89d"; }
function core_sha1(x, len) { x[len >> 5] |= 0x80 << (24 - len % 32); x[((len + 64 >> 9) << 4) + 15] = len; var w = Array(80); var a = 1732584193; var b = -271733879; var c = -1732584194; var d = 271733878; var e = -1009589776; for(var i = 0; i < x.length; i += 16) { var olda = a; var oldb = b; var oldc = c; var oldd = d; var olde = e; for(var j = 0; j < 80; j++) { if(j < 16) w[j] = x[i + j]; else w[j] = rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1); var t = safe_add(safe_add(rol(a, 5), sha1_ft(j, b, c, d)), safe_add(safe_add(e, w[j]), sha1_kt(j))); e = d; d = c; c = rol(b, 30); b = a; a = t; } a = safe_add(a, olda); b = safe_add(b, oldb); c = safe_add(c, oldc); d = safe_add(d, oldd); e = safe_add(e, olde); } return Array(a, b, c, d, e);}
function sha1_ft(t, b, c, d){ if(t < 20) return (b & c) | ((~b) & d); if(t < 40) return b ^ c ^ d; if(t < 60) return (b & c) | (b & d) | (c & d); return b ^ c ^ d;}
function sha1_kt(t){ return (t < 20) ? 1518500249 : (t < 40) ? 1859775393 : (t < 60) ? -1894007588 : -899497514;}
function core_hmac_sha1(key, data){ var bkey = str2binb(key); if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz); var ipad = Array(16), opad = Array(16); for(var i = 0; i < 16; i++) { ipad[i] = bkey[i] ^ 0x36363636; opad[i] = bkey[i] ^ 0x5C5C5C5C; } var hash = core_sha1(ipad.concat(str2binb(data)), 512 + data.length * chrsz); return core_sha1(opad.concat(hash), 512 + 160);}
function safe_add(x, y){ var lsw = (x & 0xFFFF) + (y & 0xFFFF); var msw = (x >> 16) + (y >> 16) + (lsw >> 16); return (msw << 16) | (lsw & 0xFFFF);}
function rol(num, cnt){ return (num << cnt) | (num >>> (32 - cnt));}
function str2binb(str){ var bin = Array(); var mask = (1 << chrsz) - 1; for(var i = 0; i < str.length * chrsz; i += chrsz) bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (32 - chrsz - i%32); return bin;}
function binb2str(bin){ var str = ""; var mask = (1 << chrsz) - 1; for(var i = 0; i < bin.length * 32; i += chrsz) str += String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i%32)) & mask); return str;}
function binb2hex(binarray){ var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef"; var str = ""; for(var i = 0; i < binarray.length * 4; i++) { str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8+4)) & 0xF) + hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF); } return str;}
function binb2b64(binarray){ var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; var str = ""; for(var i = 0; i < binarray.length * 4; i += 3) { var triplet = (((binarray[i >> 2] >> 8 * (3 - i %4)) & 0xFF) << 16) | (((binarray[i+1 >> 2] >> 8 * (3 - (i+1)%4)) & 0xFF) << 8 ) | ((binarray[i+2 >> 2] >> 8 * (3 - (i+2)%4)) & 0xFF); for(var j = 0; j < 4; j++) { if(i * 8 + j * 6 > binarray.length * 32) str += b64pad; else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F); } } return str;}