[apple/security.git] / libsecurity_cryptkit / lib / CurveParamDocs / factor.c

/**************************************************************
 *
 *	factor.c
 *
 *	General purpose factoring program
 *
 *	Updates:
 *		18 May 97   REC - invoked new, fast divide functions
 *		26 Apr 97	RDW - fixed tabs and unix EOL
 *		20 Apr 97	RDW - conversion to TC4.5
 *
 *	c. 1997 Perfectly Scientific, Inc.
 *	All Rights Reserved.
 *
 *
 *************************************************************/

/* include files */

#include <stdio.h>
#include <math.h>
#include <stdlib.h>
#include <time.h>
#ifdef _WIN32 

#include <process.h>

#endif

#include <string.h>
#include "giants.h"


/* definitions */

#define D 100
#define NUM_PRIMES 6542 /* PrimePi[2^16]. */


/* compiler options */

#ifdef _WIN32
#pragma warning( disable : 4127 4706 ) /* disable conditional is constant warning */
#endif


/* global variables */

extern giant 	scratch2;
int 			pr[NUM_PRIMES];
giant 			xr = NULL, xs = NULL, zs = NULL, zr = NULL, xorg = NULL,
				zorg = NULL, t1 = NULL, t2 = NULL, t3 = NULL, N = NULL,
				gg = NULL, An = NULL, Ad = NULL;
giant 			xb[D+2], zb[D+2], xzb[D+2];
int 			modmode = 0, Q, modcount = 0;


/* function prototypes */

void		ell_even(giant x1, giant z1, giant x2, giant z2, giant An,
						giant Ad, giant N);
void		ell_odd(giant x1, giant z1, giant x2, giant z2, giant xor,
						giant zor, giant N);
void		ell_mul(giant xx, giant zz, int n, giant An, giant Ad, giant N);
int 		least_2(int n);
void		dot(void);
int			psi_rand();


/**************************************************************
 *
 *	Functions
 *
 **************************************************************/


int			
psi_rand(
	void
)
{
	unsigned short	hi;
	unsigned short	low;
	time_t			tp;
	int				result;

	time(&tp);
	low = (unsigned short)rand();
	hi = (unsigned short)rand();
	result = ((hi << 16) | low) ^ ((int)tp);

	return (result & 0x7fffffff);
}


void
set_random_seed(
	void
)
{
	/* Start the random number generator at a new position. */
	time_t		tp;

	time(&tp);
	srand((int)tp + (int)getpid());
}


int
isprime(
	int 	odd
)
{
	int 	j;
	int 	p;

	for (j=1; ; j++)
	{
		p = pr[j];
		if (p*p > odd)
			return(1);
		if (odd % p == 0)
			return(0);
	}
}


int
primeq(
	int				p
)
{
	register int	j=3;

	if ((p&1)==0)
		return ((p==2)?1:0);
	if (j>=p)
		return (1);
	while ((p%j)!=0)
	{
		j+=2;
		if (j*j>p)
			return(1);
	}
	return(0);
}


void
s_modg(
	giant		N,
	giant		t
)
{
	++modcount;
	switch (modmode)
	{
		case 0:
			modg(N, t);
			break;
		case -1:
			mersennemod(Q, t);
			break;
		case 1:
			fermatmod(Q, t);
			break;
	}
}


void
reset_mod(
	giant 	x,
	giant 	N
)
/* Perform a divide (by the discovered factor) and switch back
   to non-Fermat-non-Mersenne (i.e. normal) mod mode. */
{
	divg(x, N);
	modmode = 0;
}

void
ell_even(
	giant 	x1,
	giant 	z1,
	giant 	x2,
	giant 	z2,
	giant 	An,
	giant 	Ad,
	giant 	N
)
{
	gtog(x1, t1);
	addg(z1, t1);
	squareg(t1);
	s_modg(N, t1);
	gtog(x1, t2);
	subg(z1, t2);
	squareg(t2);
	s_modg(N, t2);
	gtog(t1, t3);
	subg(t2, t3);
	gtog(t2, x2);
	mulg(t1, x2);
	gshiftleft(2, x2);
	s_modg(N, x2);
	mulg(Ad, x2);
	s_modg(N, x2);
	mulg(Ad, t2);
	gshiftleft(2, t2);
	s_modg(N, t2);
	gtog(t3, t1);
	mulg(An, t1);
	s_modg(N, t1);
	addg(t1, t2);
	mulg(t3, t2);
	s_modg(N, t2);
	gtog(t2,z2);
}


void
ell_odd(
	giant 	x1,
	giant 	z1,
	giant 	x2,
	giant 	z2,
	giant 	xor,
	giant 	zor,
	giant 	N
)
{
	gtog(x1, t1);
	subg(z1, t1);
	gtog(x2, t2);
	addg(z2, t2);
	mulg(t1, t2);
	s_modg(N, t2);
	gtog(x1, t1);
	addg(z1, t1);
	gtog(x2, t3);
	subg(z2, t3);
	mulg(t3, t1);
	s_modg(N, t1);
	gtog(t2, x2);
	addg(t1, x2);
	squareg(x2);
	s_modg(N, x2);
	gtog(t2, z2);
	subg(t1, z2);
	squareg(z2);
	s_modg(N, z2);
	mulg(zor, x2);
	s_modg(N, x2);
	mulg(xor, z2);
	s_modg(N, z2);
}


void
ell_mul(
	giant 			xx,
	giant 			zz,
	int 			n,
	giant 			An,
	giant 			Ad,
	giant 			N
)
{
	unsigned int 	c = (unsigned int)0x80000000;

	if (n==1)
		return;
	if (n==2)
	{
		ell_even(xx, zz, xx, zz, An, Ad, N);
		return;
	}
	gtog(xx, xorg);
	gtog(zz, zorg);
	ell_even(xx, zz, xs, zs, An, Ad, N);

	while((c&n) == 0)
	{
		c >>= 1;
	}

	c>>=1;
	do
	{
		if (c&n)
		{
			ell_odd(xs, zs, xx, zz, xorg, zorg, N);
			ell_even(xs, zs, xs, zs, An, Ad, N);
		}
		else
		{
			ell_odd(xx, zz, xs, zs, xorg, zorg, N);
			ell_even(xx, zz, xx, zz, An, Ad, N);
		}
		c >>= 1;
	} while(c);
}


/* From R. P. Brent, priv. comm. 1996:
Let s > 5 be a pseudo-random seed (called $\sigma$ in the Tech. Report),

	u/v = (s^2 - 5)/(4s)

Then starting point is (x_1, y_1) where

	x_1 = (u/v)^3
and
	a = (v-u)^3(3u+v)/(4u^3 v) - 2
*/

void
choose12(
	giant 	x,
	giant 	z,
	int 	k,
	giant 	An,
	giant 	Ad,
	giant 	N
)
{
	itog(k, zs);
	gtog(zs, xs);
	squareg(xs);
	itog(5, t2);
	subg(t2, xs);
	s_modg(N, xs);
	addg(zs, zs);
	addg(zs, zs);
	s_modg(N, zs);
	gtog(xs, x);
	squareg(x);
	s_modg(N, x);
	mulg(xs, x);
	s_modg(N, x);
	gtog(zs, z);
	squareg(z);
	s_modg(N, z);
	mulg(zs, z);
	s_modg(N, z);

	/* Now for A. */
	gtog(zs, t2);
	subg(xs, t2);
	gtog(t2, t3);
	squareg(t2);
	s_modg(N, t2);
	mulg(t3, t2);
	s_modg(N, t2);  /* (v-u)^3. */
	gtog(xs, t3);
	addg(t3, t3);
	addg(xs, t3);
	addg(zs, t3);
	s_modg(N, t3);
	mulg(t3, t2);
	s_modg(N, t2);  /* (v-u)^3 (3u+v). */
	gtog(zs, t3);
	mulg(xs, t3);
	s_modg(N, t3);
	squareg(xs);
	s_modg(N, xs);
	mulg(xs, t3);
	s_modg(N, t3);
	addg(t3, t3);
	addg(t3, t3);
	s_modg(N, t3);
	gtog(t3, Ad);
	gtog(t2, An);  /* An/Ad is now A + 2. */
}


void
ensure(
	int	q
)
{
	int 	nsh, j;

	N = newgiant(INFINITY);
	if(!q)
	{
		gread(N,stdin);
		q = bitlen(N) + 1;
	}
	nsh = q/4; /* Allowing (easily) enough space per giant,
					since N is about 2^q, which is q bits, or
				   q/16 shorts.  But squaring, etc. is allowed,
					so we need at least q/8, and we choose q/4
					to be conservative. */
	if (!xr)
		xr = newgiant(nsh);
	if (!zr)
		zr = newgiant(nsh);
	if (!xs)
		xs = newgiant(nsh);
	if (!zs)
		zs = newgiant(nsh);
	if (!xorg)
		xorg = newgiant(nsh);
	if (!zorg)
		zorg = newgiant(nsh);
	if (!t1)
		t1 = newgiant(nsh);
	if (!t2)
		t2 = newgiant(nsh);
	if (!t3)
		t3 = newgiant(nsh);
	if (!gg)
		gg = newgiant(nsh);
	if (!An)
		An = newgiant(nsh);
	if (!Ad)
		Ad = newgiant(nsh);
	for (j=0;j<D+2;j++)
	{
		xb[j] = newgiant(nsh);
		zb[j] = newgiant(nsh);
		xzb[j] = newgiant(nsh);
	}
}

int
bigprimeq(
	giant 	x
)
{
	itog(1, t1);
	gtog(x, t2);
	subg(t1, t2);
	itog(5, t1);
	powermodg(t1, t2, x);
	if (isone(t1))
		return(1);
	return(0);
}


void
dot(
	void
)
{
	printf(".");
	fflush(stdout);
}

/**************************************************************
 *
 *	Main Function
 *
 **************************************************************/

main(
	int	argc,
	char 	*argv[]
)
{
	int 	j, k, C, nshorts, cnt, count,
			limitbits = 0, pass, npr, rem;
	long	B;
	int 	randmode = 0;

	if (!strcmp(argv[argc-1], "-r"))
	{
		randmode = 1;
		if (argc > 4)
		  /* This segment only takes effect in random mode. */
			limitbits = atoi(argv[argc-2]);
	}
	else
	{
		randmode = 0;
	}

	modmode = 0;
	if (argc > 2)
	{
		modmode = atoi(argv[1]);
		Q = atoi(argv[2]);
	}
	if (modmode==0)
		Q = 0;
	ensure(Q);
	if (modmode)
	{
		itog(1, N);
		gshiftleft(Q, N);
		itog(modmode, t1);
		addg(t1, N);
	}
	pr[0] = 2;
	for (k=0, npr=1;; k++)
	{
		if (primeq(3+2*k))
		{
			pr[npr++] = 3+2*k;
			if (npr >= NUM_PRIMES)
				break;
		}
	}

	if (randmode == 0)
	{
		printf("Sieving...\n");
		fflush(stdout);
		for (j=0; j < NUM_PRIMES; j++)
		{
			gtog(N, t1);
			rem = idivg(pr[j], t1);
			if (rem == 0)
			{
				printf("%d ", pr[j]);
				gtog(t1, N);
				if (isone(N))
				{
					printf("\n");
					exit(0);
				}
				else
				{
					printf("* ");
					fflush(stdout);
				}
				--j;
			}
		}

		if (bigprimeq(N))
		{
			gout(N);
			exit(0);
		}

		printf("\n");
		printf("Commencing Pollard rho...\n");
		fflush(stdout);
		itog(1, gg);
		itog(3, t1); itog(3, t2);

		for (j=0; j < 15000; j++)
		{
			if((j%100) == 0)
			{
				dot();
				gcdg(N, gg);
				if (!isone(gg))
					break;
			}
			squareg(t1);
			iaddg(2, t1);
			s_modg(N, t1);
			squareg(t2);
			iaddg(2, t2);
			s_modg(N, t2);
			squareg(t2);
			iaddg(2, t2);
			s_modg(N, t2);
			gtog(t2, t3);
			subg(t1, t3);
			t3->sign = abs(t3->sign);
			mulg(t3, gg);
			s_modg(N, gg);
		}
		gcdg(N, gg);

		if ((gcompg(N,gg) != 0) && (!isone(gg)))
		{
			fprintf(stdout,"\n");
			gout(gg);
			reset_mod(gg, N);
			if (isone(N))
			{
				printf("\n");
				exit(0);
			}
			else
			{
				printf("* ");
				fflush(stdout);
			}
			if (bigprimeq(N))
			{
				gout(N);
				exit(0);
			}
		}

		printf("\n");
		printf("Commencing Pollard (p-1)...\n");
		fflush(stdout);
		itog(1, gg);
		itog(3, t1);
		for (j=0; j< NUM_PRIMES; j++)
		{
			cnt = (int)(8*log(2.0)/log(1.0*pr[j]));
			if (cnt < 2)
				cnt = 1;
			for (k=0; k< cnt; k++)
			{
				powermod(t1, pr[j], N);
			}
			itog(1, t2);
			subg(t1, t2);
			mulg(t2, gg);
			s_modg(N, gg);

			if (j % 100 == 0)
			{
				dot();
				gcdg(N, gg);
				if	(!isone(gg))
					break;
			}
		}
		gcdg(N, gg);
		if ((gcompg(N,gg) != 0) && (!isone(gg)))
		{
			fprintf(stdout,"\n");
			gout(gg);
			reset_mod(gg, N);
			if (isone(N))
			{
				printf("\n");
				exit(0);
			}
			else
			{
				printf("* ");
				fflush(stdout);
			}
			if (bigprimeq(N))
			{
				gout(N);
				exit(0);
			}
		}
	} /* This is the end of (randmode == 0) */

	printf("\n");
	printf("Commencing ECM...\n");
	fflush(stdout);

	if (randmode)
		set_random_seed();
	pass = 0;
	while (++pass)
	{
		if (randmode == 0)
		{
			if (pass <= 3)
			{
				B = 1000;
			}
			else if (pass <= 10)
			{
				B = 10000;
			}
			else if (pass <= 100)
			{
				B = 100000L;
			} else
			{
				B = 1000000L;
			}
		}
		else
		{
			B = 2000000L;
		}
		C = 50*((int)B);

		/* Next, choose curve with order divisible by 16 and choose
		 *	a point (xr/zr) on said curve.
		 */

		/* Order-div-12 case. 
		 * cnt = 8020345;   Brent's parameter for stage one discovery
		 * of 27-digit factor of F_13.
		 */

		cnt = psi_rand(); /* cnt = 8020345; */
		choose12(xr, zr, cnt, An, Ad, N);
		printf("Choosing curve %d, with s = %d, B = %d, C = %d:\n", pass,cnt, B, C);   fflush(stdout);
		cnt = 0;
		nshorts = 1;
		count = 0;
		for (j=0;j<nshorts;j++)
		{
			ell_mul(xr, zr, 1<<16, An, Ad, N);
			ell_mul(xr, zr, 3*3*3*3*3*3*3*3*3*3*3, An, Ad, N);
			ell_mul(xr, zr, 5*5*5*5*5*5*5, An, Ad, N);
			ell_mul(xr, zr, 7*7*7*7*7*7, An, Ad, N);
			ell_mul(xr, zr, 11*11*11*11, An, Ad, N);
			ell_mul(xr, zr, 13*13*13*13, An, Ad, N);
			ell_mul(xr, zr, 17*17*17, An, Ad, N);
		}
		k = 19;
		while (k<B)
		{
			if (isprime(k))
			{
				ell_mul(xr, zr, k, An, Ad, N);
				if (k<100)
					ell_mul(xr, zr, k, An, Ad, N);
				if (cnt++ %100==0)
					dot();
			}
			k += 2;
		}
		count = 0;

		gtog(zr, gg);
		gcdg(N, gg);
		if ((!isone(gg))&&(bitlen(gg)>limitbits))
		{
			fprintf(stdout,"\n");
			gwriteln(gg, stdout);
			fflush(stdout);
			reset_mod(gg, N);
			if (isone(N))
			{
				printf("\n");
				exit(0);
			}
			else
			{
				printf("* ");
				fflush(stdout);
			}
			if (bigprimeq(N))
			{
				 gout(N);
				 exit(0);
			}
			continue;
		}
		else
		{
			printf("\n");
			fflush(stdout);
		}

		/* Continue;  Invoke, to test Stage 1 only. */
		k = ((int)B)/D;
		gtog(xr, xb[0]);
		gtog(zr, zb[0]);
		ell_mul(xb[0], zb[0], k*D+1 , An, Ad, N);
		gtog(xr, xb[D+1]);
		gtog(zr, zb[D+1]);
		ell_mul(xb[D+1], zb[D+1], (k+2)*D+1 , An, Ad, N);

		for (j=1; j <= D; j++)
		{
			gtog(xr, xb[j]);
			gtog(zr, zb[j]);
			ell_mul(xb[j], zb[j], 2*j , An, Ad, N);
			gtog(zb[j], xzb[j]);
			mulg(xb[j], xzb[j]);
			s_modg(N, xzb[j]);
		}
		modcount = 0;
		printf("\nCommencing second stage, curve %d...\n",pass); fflush(stdout);
		count = 0;
		itog(1, gg);

		while (1)
		{
			gtog(zb[0], xzb[0]);
			mulg(xb[0], xzb[0]);
			s_modg(N, xzb[0]);
			mulg(zb[0], gg);
			s_modg(N,gg); /* Accumulate. */
			for (j = 1; j < D; j++)
			{
				if (!isprime(k*D+1+ 2*j))
					continue;

				/* Next, accumulate (xa - xb)(za + zb) - xa za + xb zb. */
				gtog(xb[0], t1);
				subg(xb[j], t1);
				gtog(zb[0], t2);
				addg(zb[j], t2);
				mulg(t1, t2);
				s_modg(N, t1);
				subg(xzb[0], t2);
				addg(xzb[j], t2);
				s_modg(N, t2);
				--modcount;
				mulg(t2, gg);
				s_modg(N, gg);
				if((++count)%1000==0)
					dot();
			}

			k += 2;
			if(k*D > C)
				break;
			gtog(xb[D+1], xs);
			gtog(zb[D+1], zs);
			ell_odd(xb[D], zb[D], xb[D+1], zb[D+1], xb[0], zb[0], N);
			gtog(xs, xb[0]);
			gtog(zs, zb[0]);
		}

		gcdg(N, gg);
		if((!isone(gg))&&(bitlen(gg)>limitbits))
		{
			fprintf(stdout,"\n");
			gwriteln(gg, stdout);
			fflush(stdout);
			reset_mod(gg, N);
			if (isone(N))
			{
				printf("\n");
				exit(0);
			}
			else
			{
				printf("* ");
				fflush(stdout);
			}
			if (bigprimeq(N))
			{
				gout(N);
				exit(0);
			}
			continue;
		}

		printf("\n");
		fflush(stdout);
	}

	return 0;
}
Commit	Line	Data
b1ab9ed8 A	1	/**************************************************************
	2	*
	3	* factor.c
	4	*
	5	* General purpose factoring program
	6	*
	7	* Updates:
	8	* 18 May 97 REC - invoked new, fast divide functions
	9	* 26 Apr 97 RDW - fixed tabs and unix EOL
	10	* 20 Apr 97 RDW - conversion to TC4.5
	11	*
	12	* c. 1997 Perfectly Scientific, Inc.
	13	* All Rights Reserved.
	14	*
	15	*
	16	*************************************************************/
	17
	18	/* include files */
	19
	20	#include <stdio.h>
	21	#include <math.h>
	22	#include <stdlib.h>
	23	#include <time.h>
	24	#ifdef _WIN32
	25
	26	#include <process.h>
	27
	28	#endif
	29
	30	#include <string.h>
	31	#include "giants.h"
	32
	33
	34	/* definitions */
	35
	36	#define D 100
	37	#define NUM_PRIMES 6542 /* PrimePi[2^16]. */
	38
	39
	40	/* compiler options */
	41
	42	#ifdef _WIN32
	43	#pragma warning( disable : 4127 4706 ) /* disable conditional is constant warning */
	44	#endif
	45
	46
	47	/* global variables */
	48
	49	extern giant scratch2;
	50	int pr[NUM_PRIMES];
	51	giant xr = NULL, xs = NULL, zs = NULL, zr = NULL, xorg = NULL,
	52	zorg = NULL, t1 = NULL, t2 = NULL, t3 = NULL, N = NULL,
	53	gg = NULL, An = NULL, Ad = NULL;
	54	giant xb[D+2], zb[D+2], xzb[D+2];
	55	int modmode = 0, Q, modcount = 0;
	56
	57
	58	/* function prototypes */
	59
	60	void ell_even(giant x1, giant z1, giant x2, giant z2, giant An,
	61	giant Ad, giant N);
	62	void ell_odd(giant x1, giant z1, giant x2, giant z2, giant xor,
	63	giant zor, giant N);
	64	void ell_mul(giant xx, giant zz, int n, giant An, giant Ad, giant N);
65	int least_2(int n);
66	void dot(void);
67	int psi_rand();
68
69
70	/**************************************************************
71	*
72	* Functions
73	*
74	**************************************************************/
75
76
77	int
78	psi_rand(
79	void
80	)
81	{
82	unsigned short hi;
83	unsigned short low;
84	time_t tp;
85	int result;
86
87	time(&tp);
88	low = (unsigned short)rand();
89	hi = (unsigned short)rand();
90	result = ((hi << 16) \| low) ^ ((int)tp);
91
92	return (result & 0x7fffffff);
93	}
94
95
96	void
97	set_random_seed(
98	void
99	)
100	{
101	/* Start the random number generator at a new position. */
102	time_t tp;
103
104	time(&tp);
105	srand((int)tp + (int)getpid());
106	}
107
108
109	int
110	isprime(
111	int odd
112	)
113	{
114	int j;
115	int p;
116
117	for (j=1; ; j++)
118	{
119	p = pr[j];
120	if (p*p > odd)
121	return(1);
122	if (odd % p == 0)
123	return(0);
124	}
125	}
126
127
128	int
129	primeq(
130	int p
131	)
132	{
133	register int j=3;
134
135	if ((p&1)==0)
136	return ((p==2)?1:0);
137	if (j>=p)
138	return (1);
139	while ((p%j)!=0)
140	{
141	j+=2;
142	if (j*j>p)
143	return(1);
144	}
145	return(0);
146	}
147
148
149	void
150	s_modg(
151	giant N,
152	giant t
153	)
154	{
155	++modcount;
156	switch (modmode)
157	{
158	case 0:
159	modg(N, t);
160	break;
161	case -1:
162	mersennemod(Q, t);
163	break;
164	case 1:
165	fermatmod(Q, t);
166	break;
167	}
168	}
169
170
171	void
172	reset_mod(
173	giant x,
174	giant N
175	)
176	/* Perform a divide (by the discovered factor) and switch back
177	to non-Fermat-non-Mersenne (i.e. normal) mod mode. */
178	{
179	divg(x, N);
180	modmode = 0;
181	}
182
183	void
184	ell_even(
185	giant x1,
186	giant z1,
187	giant x2,
188	giant z2,
189	giant An,
190	giant Ad,
191	giant N
192	)
193	{
194	gtog(x1, t1);
195	addg(z1, t1);
196	squareg(t1);
197	s_modg(N, t1);
198	gtog(x1, t2);
199	subg(z1, t2);
200	squareg(t2);
201	s_modg(N, t2);
202	gtog(t1, t3);
203	subg(t2, t3);
204	gtog(t2, x2);
205	mulg(t1, x2);
206	gshiftleft(2, x2);
207	s_modg(N, x2);
208	mulg(Ad, x2);
209	s_modg(N, x2);
210	mulg(Ad, t2);
211	gshiftleft(2, t2);
212	s_modg(N, t2);
213	gtog(t3, t1);
214	mulg(An, t1);
215	s_modg(N, t1);
216	addg(t1, t2);
217	mulg(t3, t2);
218	s_modg(N, t2);
219	gtog(t2,z2);
220	}
221
222
223	void
224	ell_odd(
225	giant x1,
226	giant z1,
227	giant x2,
228	giant z2,
229	giant xor,
230	giant zor,
231	giant N
232	)
233	{
234	gtog(x1, t1);
235	subg(z1, t1);
236	gtog(x2, t2);
237	addg(z2, t2);
238	mulg(t1, t2);
239	s_modg(N, t2);
240	gtog(x1, t1);
241	addg(z1, t1);
242	gtog(x2, t3);
243	subg(z2, t3);
244	mulg(t3, t1);
245	s_modg(N, t1);
246	gtog(t2, x2);
247	addg(t1, x2);
248	squareg(x2);
249	s_modg(N, x2);
250	gtog(t2, z2);
251	subg(t1, z2);
252	squareg(z2);
253	s_modg(N, z2);
254	mulg(zor, x2);
255	s_modg(N, x2);
256	mulg(xor, z2);
257	s_modg(N, z2);
258	}
259
260
261	void
262	ell_mul(
263	giant xx,
264	giant zz,
265	int n,
266	giant An,
267	giant Ad,
268	giant N
269	)
270	{
271	unsigned int c = (unsigned int)0x80000000;
272
273	if (n==1)
274	return;
275	if (n==2)
276	{
277	ell_even(xx, zz, xx, zz, An, Ad, N);
278	return;
279	}
280	gtog(xx, xorg);
281	gtog(zz, zorg);
282	ell_even(xx, zz, xs, zs, An, Ad, N);
283
284	while((c&n) == 0)
285	{
286	c >>= 1;
287	}
288
289	c>>=1;
290	do
291	{
292	if (c&n)
293	{
294	ell_odd(xs, zs, xx, zz, xorg, zorg, N);
295	ell_even(xs, zs, xs, zs, An, Ad, N);
296	}
297	else
298	{
299	ell_odd(xx, zz, xs, zs, xorg, zorg, N);
300	ell_even(xx, zz, xx, zz, An, Ad, N);
301	}
302	c >>= 1;
303	} while(c);
304	}
305
306
307
308	/* From R. P. Brent, priv. comm. 1996:
309	Let s > 5 be a pseudo-random seed (called $\sigma$ in the Tech. Report),
310
311	u/v = (s^2 - 5)/(4s)
312
313	Then starting point is (x_1, y_1) where
314
315	x_1 = (u/v)^3
316	and
317	a = (v-u)^3(3u+v)/(4u^3 v) - 2
318	*/
319
320	void
321	choose12(
322	giant x,
323	giant z,
324	int k,
325	giant An,
326	giant Ad,
327	giant N
328	)
329	{
330	itog(k, zs);
331	gtog(zs, xs);
332	squareg(xs);
333	itog(5, t2);
334	subg(t2, xs);
335	s_modg(N, xs);
336	addg(zs, zs);
337	addg(zs, zs);
338	s_modg(N, zs);
339	gtog(xs, x);
340	squareg(x);
341	s_modg(N, x);
342	mulg(xs, x);
343	s_modg(N, x);
344	gtog(zs, z);
345	squareg(z);
346	s_modg(N, z);
347	mulg(zs, z);
348	s_modg(N, z);
349
350	/* Now for A. */
351	gtog(zs, t2);
352	subg(xs, t2);
353	gtog(t2, t3);
354	squareg(t2);
355	s_modg(N, t2);
356	mulg(t3, t2);
357	s_modg(N, t2); /* (v-u)^3. */
358	gtog(xs, t3);
359	addg(t3, t3);
360	addg(xs, t3);
361	addg(zs, t3);
362	s_modg(N, t3);
363	mulg(t3, t2);
364	s_modg(N, t2); /* (v-u)^3 (3u+v). */
365	gtog(zs, t3);
366	mulg(xs, t3);
367	s_modg(N, t3);
368	squareg(xs);
369	s_modg(N, xs);
370	mulg(xs, t3);
371	s_modg(N, t3);
372	addg(t3, t3);
373	addg(t3, t3);
374	s_modg(N, t3);
375	gtog(t3, Ad);
376	gtog(t2, An); /* An/Ad is now A + 2. */
377	}
378
379
380	void
381	ensure(
382	int q
383	)
384	{
385	int nsh, j;
386
387	N = newgiant(INFINITY);
388	if(!q)
389	{
390	gread(N,stdin);
391	q = bitlen(N) + 1;
392	}
393	nsh = q/4; /* Allowing (easily) enough space per giant,
394	since N is about 2^q, which is q bits, or
395	q/16 shorts. But squaring, etc. is allowed,
396	so we need at least q/8, and we choose q/4
397	to be conservative. */
398	if (!xr)
399	xr = newgiant(nsh);
400	if (!zr)
401	zr = newgiant(nsh);
402	if (!xs)
403	xs = newgiant(nsh);
404	if (!zs)
405	zs = newgiant(nsh);
406	if (!xorg)
407	xorg = newgiant(nsh);
408	if (!zorg)
409	zorg = newgiant(nsh);
410	if (!t1)
411	t1 = newgiant(nsh);
412	if (!t2)
413	t2 = newgiant(nsh);
414	if (!t3)
415	t3 = newgiant(nsh);
416	if (!gg)
417	gg = newgiant(nsh);
418	if (!An)
419	An = newgiant(nsh);
420	if (!Ad)
421	Ad = newgiant(nsh);
422	for (j=0;j<D+2;j++)
423	{
424	xb[j] = newgiant(nsh);
425	zb[j] = newgiant(nsh);
426	xzb[j] = newgiant(nsh);
427	}
428	}
429
430	int
431	bigprimeq(
432	giant x
433	)
434	{
435	itog(1, t1);
436	gtog(x, t2);
437	subg(t1, t2);
438	itog(5, t1);
439	powermodg(t1, t2, x);
440	if (isone(t1))
441	return(1);
442	return(0);
443	}
444
445
446	void
447	dot(
448	void
449	)
450	{
451	printf(".");
452	fflush(stdout);
453	}
454
455	/**************************************************************
456	*
457	* Main Function
458	*
459	**************************************************************/
460
461	main(
462	int argc,
463	char *argv[]
464	)
465	{
466	int j, k, C, nshorts, cnt, count,
467	limitbits = 0, pass, npr, rem;
468	long B;
469	int randmode = 0;
470
471	if (!strcmp(argv[argc-1], "-r"))
472	{
473	randmode = 1;
474	if (argc > 4)
475	/* This segment only takes effect in random mode. */
476	limitbits = atoi(argv[argc-2]);
477	}
478	else
479	{
480	randmode = 0;
481	}
482
483	modmode = 0;
484	if (argc > 2)
485	{
486	modmode = atoi(argv[1]);
487	Q = atoi(argv[2]);
488	}
489	if (modmode==0)
490	Q = 0;
491	ensure(Q);
492	if (modmode)
493	{
494	itog(1, N);
495	gshiftleft(Q, N);
496	itog(modmode, t1);
497	addg(t1, N);
498	}
499	pr[0] = 2;
500	for (k=0, npr=1;; k++)
501	{
502	if (primeq(3+2*k))
503	{
504	pr[npr++] = 3+2*k;
505	if (npr >= NUM_PRIMES)
506	break;
507	}
508	}
509
510	if (randmode == 0)
511	{
512	printf("Sieving...\n");
513	fflush(stdout);
514	for (j=0; j < NUM_PRIMES; j++)
515	{
516	gtog(N, t1);
517	rem = idivg(pr[j], t1);
518	if (rem == 0)
519	{
520	printf("%d ", pr[j]);
521	gtog(t1, N);
522	if (isone(N))
523	{
524	printf("\n");
525	exit(0);
526	}
527	else
528	{
529	printf("* ");
530	fflush(stdout);
531	}
532	--j;
533	}
534	}
535
536	if (bigprimeq(N))
537	{
538	gout(N);
539	exit(0);
540	}
541
542	printf("\n");
543	printf("Commencing Pollard rho...\n");
544	fflush(stdout);
545	itog(1, gg);
546	itog(3, t1); itog(3, t2);
547
548	for (j=0; j < 15000; j++)
549	{
550	if((j%100) == 0)
551	{
552	dot();
553	gcdg(N, gg);
554	if (!isone(gg))
555	break;
556	}
557	squareg(t1);
558	iaddg(2, t1);
559	s_modg(N, t1);
560	squareg(t2);
561	iaddg(2, t2);
562	s_modg(N, t2);
563	squareg(t2);
564	iaddg(2, t2);
565	s_modg(N, t2);
566	gtog(t2, t3);
567	subg(t1, t3);
568	t3->sign = abs(t3->sign);
569	mulg(t3, gg);
570	s_modg(N, gg);
571	}
572	gcdg(N, gg);
573
574	if ((gcompg(N,gg) != 0) && (!isone(gg)))
575	{
576	fprintf(stdout,"\n");
577	gout(gg);
578	reset_mod(gg, N);
579	if (isone(N))
580	{
581	printf("\n");
582	exit(0);
583	}
584	else
585	{
586	printf("* ");
587	fflush(stdout);
588	}
589	if (bigprimeq(N))
590	{
591	gout(N);
592	exit(0);
593	}
594	}
595
596	printf("\n");
597	printf("Commencing Pollard (p-1)...\n");
598	fflush(stdout);
599	itog(1, gg);
600	itog(3, t1);
601	for (j=0; j< NUM_PRIMES; j++)
602	{
603	cnt = (int)(8log(2.0)/log(1.0pr[j]));
604	if (cnt < 2)
605	cnt = 1;
606	for (k=0; k< cnt; k++)
607	{
608	powermod(t1, pr[j], N);
609	}
610	itog(1, t2);
611	subg(t1, t2);
612	mulg(t2, gg);
613	s_modg(N, gg);
614
615	if (j % 100 == 0)
616	{
617	dot();
618	gcdg(N, gg);
619	if (!isone(gg))
620	break;
621	}
622	}
623	gcdg(N, gg);
624	if ((gcompg(N,gg) != 0) && (!isone(gg)))
625	{
626	fprintf(stdout,"\n");
627	gout(gg);
628	reset_mod(gg, N);
629	if (isone(N))
630	{
631	printf("\n");
632	exit(0);
633	}
634	else
635	{
636	printf("* ");
637	fflush(stdout);
638	}
639	if (bigprimeq(N))
640	{
641	gout(N);
642	exit(0);
643	}
644	}
645	} /* This is the end of (randmode == 0) */
646
647	printf("\n");
648	printf("Commencing ECM...\n");
649	fflush(stdout);
650
651	if (randmode)
652	set_random_seed();
653	pass = 0;
654	while (++pass)
655	{
656	if (randmode == 0)
657	{
658	if (pass <= 3)
659	{
660	B = 1000;
661	}
662	else if (pass <= 10)
663	{
664	B = 10000;
665	}
666	else if (pass <= 100)
667	{
668	B = 100000L;
669	} else
670	{
671	B = 1000000L;
672	}
673	}
674	else
675	{
676	B = 2000000L;
677	}
678	C = 50*((int)B);
679
680	/* Next, choose curve with order divisible by 16 and choose
681	* a point (xr/zr) on said curve.
682	*/
683
684	/* Order-div-12 case.
685	* cnt = 8020345; Brent's parameter for stage one discovery
686	* of 27-digit factor of F_13.
687	*/
688
689	cnt = psi_rand(); /* cnt = 8020345; */
690	choose12(xr, zr, cnt, An, Ad, N);
691	printf("Choosing curve %d, with s = %d, B = %d, C = %d:\n", pass,cnt, B, C); fflush(stdout);
692	cnt = 0;
693	nshorts = 1;
694	count = 0;
695	for (j=0;j<nshorts;j++)
696	{
697	ell_mul(xr, zr, 1<<16, An, Ad, N);
698	ell_mul(xr, zr, 33333333333, An, Ad, N);
699	ell_mul(xr, zr, 5555555, An, Ad, N);
700	ell_mul(xr, zr, 77777*7, An, Ad, N);
701	ell_mul(xr, zr, 111111*11, An, Ad, N);
702	ell_mul(xr, zr, 131313*13, An, Ad, N);
703	ell_mul(xr, zr, 171717, An, Ad, N);
704	}
705	k = 19;
706	while (k<B)
707	{
708	if (isprime(k))
709	{
710	ell_mul(xr, zr, k, An, Ad, N);
711	if (k<100)
712	ell_mul(xr, zr, k, An, Ad, N);
713	if (cnt++ %100==0)
714	dot();
715	}
716	k += 2;
717	}
718	count = 0;
719
720	gtog(zr, gg);
721	gcdg(N, gg);
722	if ((!isone(gg))&&(bitlen(gg)>limitbits))
723	{
724	fprintf(stdout,"\n");
725	gwriteln(gg, stdout);
726	fflush(stdout);
727	reset_mod(gg, N);
728	if (isone(N))
729	{
730	printf("\n");
731	exit(0);
732	}
733	else
734	{
735	printf("* ");
736	fflush(stdout);
737	}
738	if (bigprimeq(N))
739	{
740	gout(N);
741	exit(0);
742	}
743	continue;
744	}
745	else
746	{
747	printf("\n");
748	fflush(stdout);
749	}
750
751	/* Continue; Invoke, to test Stage 1 only. */
752	k = ((int)B)/D;
753	gtog(xr, xb[0]);
754	gtog(zr, zb[0]);
755	ell_mul(xb[0], zb[0], k*D+1 , An, Ad, N);
756	gtog(xr, xb[D+1]);
757	gtog(zr, zb[D+1]);
758	ell_mul(xb[D+1], zb[D+1], (k+2)*D+1 , An, Ad, N);
759
760	for (j=1; j <= D; j++)
761	{
762	gtog(xr, xb[j]);
763	gtog(zr, zb[j]);
764	ell_mul(xb[j], zb[j], 2*j , An, Ad, N);
765	gtog(zb[j], xzb[j]);
766	mulg(xb[j], xzb[j]);
767	s_modg(N, xzb[j]);
768	}
769	modcount = 0;
770	printf("\nCommencing second stage, curve %d...\n",pass); fflush(stdout);
771	count = 0;
772	itog(1, gg);
773
774	while (1)
775	{
776	gtog(zb[0], xzb[0]);
777	mulg(xb[0], xzb[0]);
778	s_modg(N, xzb[0]);
779	mulg(zb[0], gg);
780	s_modg(N,gg); /* Accumulate. */
781	for (j = 1; j < D; j++)
782	{
783	if (!isprime(kD+1+ 2j))
784	continue;
785
786	/* Next, accumulate (xa - xb)(za + zb) - xa za + xb zb. */
787	gtog(xb[0], t1);
788	subg(xb[j], t1);
789	gtog(zb[0], t2);
790	addg(zb[j], t2);
791	mulg(t1, t2);
792	s_modg(N, t1);
793	subg(xzb[0], t2);
794	addg(xzb[j], t2);
795	s_modg(N, t2);
796	--modcount;
797	mulg(t2, gg);
798	s_modg(N, gg);
799	if((++count)%1000==0)
800	dot();
801	}
802
803	k += 2;
804	if(k*D > C)
805	break;
806	gtog(xb[D+1], xs);
807	gtog(zb[D+1], zs);
808	ell_odd(xb[D], zb[D], xb[D+1], zb[D+1], xb[0], zb[0], N);
809	gtog(xs, xb[0]);
810	gtog(zs, zb[0]);
811	}
812
813	gcdg(N, gg);
814	if((!isone(gg))&&(bitlen(gg)>limitbits))
815	{
816	fprintf(stdout,"\n");
817	gwriteln(gg, stdout);
818	fflush(stdout);
819	reset_mod(gg, N);
820	if (isone(N))
821	{
822	printf("\n");
823	exit(0);
824	}
825	else
826	{
827	printf("* ");
828	fflush(stdout);
829	}
830	if (bigprimeq(N))
831	{
832	gout(N);
833	exit(0);
834	}
835	continue;
836	}
837
838	printf("\n");
839	fflush(stdout);
840	}
841
842	return 0;
843	}
844