Nat represents an arbitrary natural number
Each Nat has an announced length, which is the number of limbs it has stored.
Operations on this number are allowed to leak this length, but will not leak
any information about the values contained in those limbs. limbs is little-endian in base 2^W with W = bits.UintSize. Add computes x = x + y mod m.
The length of both operands must be the same as the modulus. Both operands
must already be reduced modulo m. BitLenVarTime returns the actual size of x in bits.
The actual size of x (but nothing more) leaks through timing side-channels.
Note that this is ordinarily secret, as opposed to the announced size of x. Bits returns x as a little-endian slice of uint. The length of the slice
matches the announced length of x. The result and x share the same underlying
array. Bytes returns x as a zero-extended big-endian byte slice. The size of the
slice will match the size of m.
x must have the same size as m and it must be less than or equal to m. DivShortVarTime calculates x = x / y and returns the remainder.
It panics if y is zero. Equal returns 1 if x == y, and 0 otherwise.
Both operands must have the same announced length. Exp calculates out = x^e mod m.
The exponent e is represented in big-endian order. The output will be resized
to the size of m and overwritten. x must already be reduced modulo m.
m must be odd, or Exp will panic. ExpShortVarTime calculates out = x^e mod m.
The output will be resized to the size of m and overwritten. x must already
be reduced modulo m. This leaks the exponent through timing side-channels.
m must be odd, or ExpShortVarTime will panic. ExpandFor ensures x has the right size to work with operations modulo m.
The announced size of x must be smaller than or equal to that of m. GCDVarTime calculates x = GCD(a, b) where at least one of a or b is odd, and
both are non-zero. If GCDVarTime returns an error, x is not modified.
The output will be resized to the size of the larger of a and b. InverseVarTime calculates x = a⁻¹ mod m and returns (x, true) if a is
invertible. Otherwise, InverseVarTime returns (x, false) and x is not
modified.
a must be reduced modulo m, but doesn't need to have the same size. The
output will be resized to the size of m and overwritten. IsMinusOne returns 1 if x == -1 mod m, and 0 otherwise.
The length of x must be the same as the modulus. x must already be reduced
modulo m. IsOdd returns 1 if x is odd, and 0 otherwise. IsOne returns 1 if x == 1, and 0 otherwise. IsZero returns 1 if x == 0, and 0 otherwise. Mod calculates out = x mod m.
This works regardless how large the value of x is.
The output will be resized to the size of m and overwritten. Mul calculates x = x * y mod m.
The length of both operands must be the same as the modulus. Both operands
must already be reduced modulo m. SetBytes assigns x = b, where b is a slice of big-endian bytes.
SetBytes returns an error if b >= m.
The output will be resized to the size of m and overwritten. SetOverflowingBytes assigns x = b, where b is a slice of big-endian bytes.
SetOverflowingBytes returns an error if b has a longer bit length than m, but
reduces overflowing values up to 2^⌈log2(m)⌉ - 1.
The output will be resized to the size of m and overwritten. SetUint assigns x = y.
The output will be resized to a single limb and overwritten. ShiftRightVarTime sets x = x >> n.
The announced length of x is unchanged. Sub computes x = x - y mod m.
The length of both operands must be the same as the modulus. Both operands
must already be reduced modulo m. SubOne computes x = x - 1 mod m.
The length of x must be the same as the modulus. TrailingZeroBitsVarTime returns the number of trailing zero bits in x. add computes x += y and returns the carry.
Both operands must have the same announced length. assign sets x <- y if on == 1, and does nothing otherwise.
Both operands must have the same announced length. cmpGeq returns 1 if x >= y, and 0 otherwise.
Both operands must have the same announced length. expand expands x to n limbs, leaving its value unchanged. maybeSubtractModulus computes x -= m if and only if x >= m or if "always" is yes.
It can be used to reduce modulo m a value up to 2m - 1, which is a common
range for results computed by higher level operations.
always is usually a carry that indicates that the operation that produced x
overflowed its size, meaning abstractly x > 2^_W*n > m even if x < m.
x and m operands must have the same announced length. montgomeryMul calculates x = a * b / R mod m, with R = 2^(_W * n) and
n = len(m.nat.limbs), also known as a Montgomery multiplication.
All inputs should be the same length and already reduced modulo m.
x will be resized to the size of m and overwritten. montgomeryReduction calculates x = x / R mod m, with R = 2^(_W * n) and
n = len(m.nat.limbs).
This assumes that x is already reduced mod m. montgomeryRepresentation calculates x = x * R mod m, with R = 2^(_W * n) and
n = len(m.nat.limbs).
Faster Montgomery multiplication replaces standard modular multiplication for
numbers in this representation.
This assumes that x is already reduced mod m. reset returns a zero nat of n limbs, reusing x's storage if n <= cap(x.limbs). resetFor ensures out has the right size to work with operations modulo m.
out is zeroed and may start at any size. resetToBytes assigns x = b, where b is a slice of big-endian bytes, resizing
n to the appropriate size.
The announced length of x is set based on the actual bit size of the input,
ignoring leading zeroes. set assigns x = y, optionally resizing x to the appropriate size.(*Nat) setBytes(b []byte) error shiftIn calculates x = x << _W + y mod m.
This assumes that x is already reduced mod m. sub computes x -= y. It returns the borrow of the subtraction.
Both operands must have the same announced length. trim reduces the size of x to match its value.
func NewNat() *Nat
func (*Modulus).Nat() *Nat
func (*Nat).Add(y *Nat, m *Modulus) *Nat
func (*Nat).Exp(x *Nat, e []byte, m *Modulus) *Nat
func (*Nat).ExpandFor(m *Modulus) *Nat
func (*Nat).ExpShortVarTime(x *Nat, e uint, m *Modulus) *Nat
func (*Nat).GCDVarTime(a, b *Nat) (*Nat, error)
func (*Nat).InverseVarTime(a *Nat, m *Modulus) (*Nat, bool)
func (*Nat).Mod(x *Nat, m *Modulus) *Nat
func (*Nat).Mul(y *Nat, m *Modulus) *Nat
func (*Nat).SetBytes(b []byte, m *Modulus) (*Nat, error)
func (*Nat).SetOverflowingBytes(b []byte, m *Modulus) (*Nat, error)
func (*Nat).SetUint(y uint) *Nat
func (*Nat).ShiftRightVarTime(n uint) *Nat
func (*Nat).Sub(y *Nat, m *Modulus) *Nat
func (*Nat).SubOne(m *Modulus) *Nat
func extendedGCD(a, m *Nat) (u, A *Nat, err error)
func rr(m *Modulus) *Nat
func (*Nat).assign(on choice, y *Nat) *Nat
func (*Nat).expand(n int) *Nat
func (*Nat).montgomeryMul(a *Nat, b *Nat, m *Modulus) *Nat
func (*Nat).montgomeryReduction(m *Modulus) *Nat
func (*Nat).montgomeryRepresentation(m *Modulus) *Nat
func (*Nat).reset(n int) *Nat
func (*Nat).resetFor(m *Modulus) *Nat
func (*Nat).resetToBytes(b []byte) *Nat
func (*Nat).set(y *Nat) *Nat
func (*Nat).shiftIn(y uint, m *Modulus) *Nat
func (*Nat).trim() *Nat
func crypto/internal/fips140/ecdsa.randomPoint[P](c *ecdsa.Curve[P], generate func([]byte) error) (k *Nat, p P, err error)
func (*Nat).Add(y *Nat, m *Modulus) *Nat
func (*Nat).Equal(y *Nat) choice
func (*Nat).Exp(x *Nat, e []byte, m *Modulus) *Nat
func (*Nat).ExpShortVarTime(x *Nat, e uint, m *Modulus) *Nat
func (*Nat).GCDVarTime(a, b *Nat) (*Nat, error)
func (*Nat).InverseVarTime(a *Nat, m *Modulus) (*Nat, bool)
func (*Nat).Mod(x *Nat, m *Modulus) *Nat
func (*Nat).Mul(y *Nat, m *Modulus) *Nat
func (*Nat).Sub(y *Nat, m *Modulus) *Nat
func extendedGCD(a, m *Nat) (u, A *Nat, err error)
func newModulus(n *Nat) (*Modulus, error)
func rshift1(a *Nat, carry uint)
func (*Nat).add(y *Nat) (c uint)
func (*Nat).assign(on choice, y *Nat) *Nat
func (*Nat).cmpGeq(y *Nat) choice
func (*Nat).montgomeryMul(a *Nat, b *Nat, m *Modulus) *Nat
func (*Nat).montgomeryMul(a *Nat, b *Nat, m *Modulus) *Nat
func (*Nat).set(y *Nat) *Nat
func (*Nat).sub(y *Nat) (c uint)
func crypto/internal/fips140/ecdsa.hashToNat[P](c *ecdsa.Curve[P], e *Nat, hash []byte)
func crypto/internal/fips140/ecdsa.inverse[P](c *ecdsa.Curve[P], kInv, k *Nat)
func crypto/internal/fips140/rsa.newPrivateKey(n *Modulus, e int, d *Nat, p, q *Modulus) (*rsa.PrivateKey, error)
choice represents a constant-time boolean. The value of choice is always
either 1 or 0. We use an int instead of bool in order to make decisions in
constant time by turning it into a mask.
func (*Nat).Equal(y *Nat) choice
func (*Nat).IsMinusOne(m *Modulus) choice
func (*Nat).IsOdd() choice
func (*Nat).IsOne() choice
func (*Nat).IsZero() choice
func ctEq(x, y uint) choice
func not(c choice) choice
func (*Nat).cmpGeq(y *Nat) choice
func ctMask(on choice) uint
func not(c choice) choice
func (*Nat).assign(on choice, y *Nat) *Nat
func (*Nat).maybeSubtractModulus(always choice, m *Modulus)
const no
const yes
Package-Level Functions (total 18, in which 3 are exported)
NewModulus creates a new Modulus from a slice of big-endian bytes. The
modulus must be greater than one.
The number of significant bits and whether the modulus is even is leaked
through timing side-channels.
NewModulusProduct creates a new Modulus from the product of two numbers
represented as big-endian byte slices. The result must be greater than one.
NewNat returns a new nat with a size of zero, just like new(Nat), but with
the preallocated capacity to hold a number of up to preallocTarget bits.
NewNat inlines, so the allocation can live on the stack.
addMulVVW multiplies the multi-word value x by the single-word value y,
adding the result to the multi-word value z and returning the final carry.
It can be thought of as one row of a pen-and-paper column multiplication.
bigEndianUint returns the contents of buf interpreted as a
big-endian encoded uint value.
bitLen is a version of bits.Len that only leaks the bit length of n, but not
its value. bits.Len and bits.LeadingZeros use a lookup table for the
low-order bits on some architectures.
ctEq returns 1 if x == y, and 0 otherwise. The execution time of this
function does not depend on its inputs.
ctMask is all 1s if on is yes, and all 0s otherwise.
extendedGCD computes u and A such that a = GCD(a, m) and u = A*a - B*m.
u will have the size of the larger of a and m, and A will have the size of m.
It is an error if either a or m is zero, or if they are both even.
preallocTarget is the size in bits of the numbers used to implement the most
common and most performant RSA key size. It's also enough to cover some of
the operations of key sizes up to 4096.