/* This file is part of the gf2x library. Copyright 2007, 2008, 2009 Richard Brent, Pierrick Gaudry, Emmanuel Thome', Paul Zimmermann This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; see the file COPYING. If not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02111-1307, USA. */ /* General Toom_Cook multiplication, calls KarMul, Toom3Mul, Toom3WMul or Toom4Mul depending on which is expected to be the fastest. */ #include #include #include "gf2x.h" #include "gf2x/gf2x-impl.h" /* We need gf2x_addmul_1_n */ #include "gf2x/gf2x-small.h" #include "gf2x/gf2x-config.h" /* the following routines come from the irred-ntl package from Paul Zimmermann, (http://webloria.loria.fr/~zimmerma/irred/), who contributes them under LGPL for gf2x */ /* c <- a + b */ static void Add (unsigned long *c, const unsigned long *a, const unsigned long *b, long n) { long i; for (i = 0; i < n; i++) c[i] = a[i] ^ b[i]; } /* c <- c + a + b */ static void Add3(unsigned long *c, const unsigned long *a, const unsigned long *b, long n) { long i; for (i = 0; i < n; i++) c[i] ^= a[i] ^ b[i]; } /* c <- a + x * b, return carry out */ static unsigned long AddLsh1(unsigned long *c, const unsigned long *a, const unsigned long *b, long n) { unsigned long cy = 0UL, t; long i; for (i = 0; i < n; i++) { t = a[i] ^ ((b[i] << 1) | cy); cy = b[i] >> (GF2X_WORDSIZE - 1); c[i] = t; } return cy; } /* c <- x * c, return carry out */ static unsigned long Lsh1(unsigned long *c, long n, unsigned long cy) { unsigned long t; long i; for (i = 0; i < n; i++) { t = (c[i] << 1) | cy; cy = c[i] >> (GF2X_WORDSIZE - 1); c[i] = t; } return cy; } /* c <- a + cy, return carry out (0 for n > 0, cy for n=0) */ static unsigned long Add1(unsigned long *c, const unsigned long *a, long n, unsigned long cy) { if (n) { long i; c[0] = a[0] ^ cy; for (i = 1; i < n; i++) c[i] = a[i]; return 0; } else return cy; } /* let c = q*(1+x^2) + X^n*r with X = x^GF2X_WORDSIZE and deg(r) < 2 then c <- q, returns r. (Algorithm from Michel Quercia.) */ static unsigned long DivOnePlusX2(unsigned long * c, long n) { unsigned long t = 0; long i; for (i = 0; i < n; i++) { t ^= c[i]; t ^= t << 2; t ^= t << 4; t ^= t << 8; t ^= t << 16; #if (GF2X_WORDSIZE == 64) t ^= t << 32; #elif (GF2X_WORDSIZE != 32) #error "GF2X_WORDSIZE should be 32 or 64" #endif c[i] = t; t >>= (GF2X_WORDSIZE - 2); } return t; } /******************************************************************** * Below this line, experimental code * (C) 2007 Marco Bodrato * This code is released under the GPL 2.0 license, or any later version. * Modified by Paul Zimmermann, April 2007. * * Reference: http://bodrato.it/papers/#WAIFI2007 * * "Towards Optimal Toom-Cook Multiplication for Univariate and * Multivariate Polynomials in Characteristic 2 and 0." by Marco * BODRATO; in C.Carlet and B.Sunar, editors, "WAIFI'07 proceedings", * LNCS 4547, pp. 119-136. Springer, Madrid, Spain, June 21-22, 2007. */ #if (GF2X_MUL_TOOM_THRESHOLD < 17) #error "GF2X_MUL_TOOM_THRESHOLD should be at least 17" #endif /* c <- ( c + b )/x, return carry */ static unsigned long Rsh1Add(unsigned long *c, const unsigned long *b, long n) { unsigned long cy = 0, t; long i; for (i = n - 1; i >= 0; i--) { t = c[i] ^ b[i]; cy <<= GF2X_WORDSIZE - 1; c[i] = (t >> 1) | cy; cy = t; } return cy; } /* c <- c + (1+x^3) * b, return carry out */ static unsigned long AddLsh13(unsigned long *c, const unsigned long *b, long n) { unsigned long cy = 0UL, t; long i; for (i = 0; i < n; i++) { t = b[i]; c[i] ^= t ^ (t << 3) ^ cy; cy = t >> (GF2X_WORDSIZE - 3); } return cy; } /* c <- c + a + b + d */ static void Add4(unsigned long *c, const unsigned long *a, const unsigned long *b, const unsigned long *d, long n) { long i; for (i = 0; i < n; i++) c[i] ^= a[i] ^ b[i] ^ d[i]; } /* let c = q*(1+x) + X^n*r with X = x^GF2X_WORDSIZE and deg(r) < 1 then c <- q, returns r. (Algorithm from Michel Quercia.) */ static unsigned long DivOnePlusX(unsigned long *c, long n) { unsigned long t = 0; long i; for (i = 0; i < n; i++) { t ^= c[i]; t ^= t << 1; t ^= t << 2; t ^= t << 4; t ^= t << 8; t ^= t << 16; #if (GF2X_WORDSIZE == 64) t ^= t << 32; #elif (GF2X_WORDSIZE != 32) #error "GF2X_WORDSIZE should be 32 or 64" #endif c[i] = t; t >>= (GF2X_WORDSIZE - 1); } return t; } #if (defined(DEBUG)) static void dump(const unsigned long *a, long n) { long i; for (i = 0; i < n; i++) { printf("+%lu*X^%lu", a[i], i); if ((i + 1) % 3 == 0) printf("\n"); } printf(":\n"); } #endif /* \\ gp-pari check code. default(echo, 1); A = (a2*x^2 + a1*x + a0)*Mod(1,2) B = (b2*x^2 + b1*x + b0)*Mod(1,2) C = A * B c0 = polcoeff(C, 0) c1 = polcoeff(C, 1) c2 = polcoeff(C, 2) c3 = polcoeff(C, 3) c4 = polcoeff(C, 4) \\ --- Evaluation phase. 10 add, 4 shift, 5 mul. W0 = (a2*y^2+a1*y)*Mod(1,2) W4 = (b2*y^2+b1*y)*Mod(1,2) W3 = (a2+a1+a0) *Mod(1,2) W2 = (b2+b1+b0) *Mod(1,2) W1 = W2 * W3 \\ C(1) W3 = W3 + W0 W2 = W2 + W4 W0 = W0+a0 *Mod(1,2) W4 = W4+b0 *Mod(1,2) W3 = W2 * W3 \\ C(y+1) W2 = W0 * W4 \\ C(y) W4 = a2 * b2 *Mod(1,2) \\ C(\infty) W0 = a0 * b0 *Mod(1,2) \\ C(0) \\ ------ Interpolation phase. 10 add, 2 shift, 2 div. Since c contains 2n=4k+2r words, then W4 contains 2r words, thus we need k+3 <= 2r. This is true for n >= 17. It is assumed that sa >= 33 so n >= 17. Both methods have
   the same asymptotic complexity. There are 5 calls
   to Toom with sizes at most k+3-d = n/2 + 3 = (sa+1)/4 + 3. A simpler bound on the memory required is 5*n + 17 (equality at n = 19). This often means splitting a loop into the "usual" case and
   "special" cases at the start or end, due to different size arrays etc. // Size(W2) := k; // Explaining the space bound j < 2 * r; j++) { s ^= W2[j] ^ W4[j] ^ W4[j - 3]; // next 2r-3 are usual case W2[j] = s; } for (; j < 2 * r + 3; j++) { s ^= W2[j] ^ W4[j - 3]; // next 3 are special W2[j] = s; } for (; j < 2 * kd + 4; j++) { s ^= W2[j]; // last (k-r-d) == 0 or 1 W2[j] = s; // Size(W2) = 2*kd + 3 } // ASSERT (s == 0); // Division should be exact // W1 += W0 == c1 + c2 + c3 + c4 // W3 += W1 == c3*y*(1+y) for (j = 0; j < 2 * k; j++) { s = W0[j] ^ W1[j]; W1[j] = s; // Size(W0) = Size(W1) = 2*k W3[j] ^= s; // Size(W3) = 2*kd + 4 > 2*k } // ASSERT (W3[0] == 0); // Next division exact // W3 = W3/(y + y^2) == c3 for (j = 0, s = 0; j < 2 * kd + 3; j++) { s ^= W3[j + 1]; W3[j] = s; } W3[j] = 0; // ASSERT (s == 0); // Division exact // Size(W3) := 2*kd + 2 // W1 += W2 + W4 == c1 // Size(W4) == 2*r // W2 += W3 == c2 // <= Size(W1) == 2*k // <= Size(W3) == 2*kd + 2 // < Size(W2) == 2*kd + 4 for (j = 0; j < 2 * r; j++) { // Usual case s = W2[j]; W1[j] ^= s ^ W4[j]; W2[j] = s ^ W3[j]; } for (; j < 2 * k; j++) { // Next 2*(k-r) iterations s = W2[j]; W1[j] ^= s; // No W4[j] here W2[j] = s ^ W3[j]; } for (; j < 2 * kd + 2; j++) { // Next 2*(1-d) iterations s = W2[j]; W1[j] = s; // Extending size of W1 W2[j] = s ^ W3[j]; } for (; j < 2 * kd + 4; j++) // Last 2 iterations W1[j] = W2[j]; // Size(W1) := 2*kd + 4 // Size(W2) = 2*kd + 4 // c = W0 + W1*y + W2*y^2 + W3*y^3 + W4*y^4 // We already have // W0[j] == c[j] for j = 0 .. 2*k-1 because W0 = c, and // W2[j] == c[j] for j = 2*k .. 2*k+2*kd+3 because W2 = c + 2*k for (j = 0; j < 4 - 2 * d; j++) // 4 - 2*d words of W2 c[j + 4 * k] ^= W4[j]; // overlap the W4 region for (; j < 2 * r; j++) // Copy rest of W4 c[j + 4 * k] = W4[j]; // Here c was undefined for (j = 0; j < 2 * kd + 4; j++) c[j + k] ^= W1[j]; // ASSERT (2*kd + 2 + 3*k <= 2*n); // True if n >= 8 so need // GF2X_MUL_TOOMW_THRESHOLD >= 8 for (j = 0; j < 2 * kd + 2; j++) c[j + 3 * k] ^= W3[j]; } #else /* * Below this line, experimental code * (C) 2007 Richard Brent * This code is released under the GPL 2.0 license, or any later version. * * Based on Marco Bodrato's mul-tc3.c but with full-word aligned * operations to reduce overheads. * * Reference: http://bodrato.it/papers/#WAIFI2007 * * "Towards Optimal Toom-Cook Multiplication for Univariate and * Multivariate Polynomials in Characteristic 2 and 0." by Marco * BODRATO; A simpler bound on the memory required is 5*n + 17 (equality at n = 19). By choosing w = 32 or 64 we simplify the coding
   and obtain opportunities for loop optimisation. Both methods have
   the same asymptotic complexity O(n**(ln(5)/ln(3))) = O(n**1.464).

   We try to combine loops as far as possible to reduce overheads and memory
   references. This often means splitting a loop into the "usual" case and
   "special" cases at the start or end, due to different size arrays etc.

   In the comments " + " means addition in GF(2) and " ^ " means
   exponentiation.

   Evaluation phase                                   Size is (max) size in words

   W0 = a1*y + a2*y^2 == A(y) - a0 == A(1+y) - A(1)
   W4 = b1*y + b2*y^2 == B(y) - b0 == B(1+y) - B(1)
   W5 = a0 + a1 + a2 == A(1)
   W2 = b0 + b1 + b2 == B(1)

   W0[0] = W4[0] = 0;
   W0[1] = a1[0]; W4[1] = b1[0];                      // No a2, b2 here
   W5[0] = a0[0] ^ a1[0] ^ (u2 = a2[0]);
   W2[0] = b0[0] ^ b1[0] ^ (v2 = b2[0]);

   for (j = 1; j < r; j++)                            // Next r-1 iterations
   {                                                  // This is the usual case
      unsigned long u1, v1;
      W0[j+1] = (u1 = a1[j]) ^ u2;                    // Size(a1) = Size(b1) = k
      W4[j+1] = (v1 = b1[j]) ^ v2;
      W5[j] = a0[j] ^ u1 ^ (u2 = a2[j]);              // Size(a2) = Size(b2) = r
      W2[j] = b0[j] ^ v1 ^ (v2 = b2[j]);
   }

   for (; j < k; j++)                                 // Last iterations for W5, W2
   {
      W0[j+1] = a1[j];                                // Omit a2, b2 here
      W4[j+1] = b1[j];
      W5[j] = a0[j] ^ a1[j];                          // Size(W5) := k
      W2[j] = b0[j] ^ b1[j]; // Size(W2) := k;
   }

   W0[k+1] = W4[k+1] = 0;                             // In case r == k
   W0[r+1] ^= a2[r-1];                                // Size(W0) := kd+2
   W4[r+1] ^= b2[r-1];                                // Size(W4) := kd+2

   // Recursive calls mixed with further evaluation
   // There are 5 recursive calls with sizes at most k+2.
   // Thus it is necessary that n > 4 (but we assume that
   // Karatsuba's method or some other method will be used
   // for very small n, say n < GF2X_MUL_TOOMW_THRESHOLD).

   // W1 = W2 * W5 == C(1)
   gf2x_mul_toom (W1, W2, W5, k, stk);                // Size(W1) := 2*k

   // W5 += W0 == A(1+y)                              // Size(W5) < Size(W0)
   // W2 += W4 == B(1+y)                              // Size(W2) < Size(W4)
   // W0 += a0 == A(y)                                // Size(W0) > Size(a0)
   // W4 += b0 == B(y)                                // Size(W4) > Size(b0)

   for (j = 0; j < k; j++)                            // First k iterations
   {
      unsigned long u, v;
      W5[j] ^= (u = W0[j]);
      W2[j] ^= (v = W4[j]);
      W0[j] = u ^ a0[j];
      W4[j] = v ^ b0[j];
   }

   for (; j < kd+2; j++)                              // Last 2-d iterations
   {
      W5[j] = W0[j];                                  // Size(W5) := kd+2
      W2[j] = W4[j];                                  // Size(W2) := kd+2
   }

   // W3 = W2 * W5 == C(1+y)
   // Output argument in recursive call must differ from inputs.
   // That is why we need both W3 and W5.
   // ASSERT ((kd+2) <= (n/3 + 2)); // Explaining the space bound
   gf2x_mul_toom (W3, W2, W5, kd+2, stk);             // Size(W3) := 2*kd + 4

   // W2 = W0 * W4 == C(y)
   gf2x_mul_toom (W2, W0, W4, kd+2, stk);             // Size(W2) := 2*kd + 4

   // W0 = a0 * b0 == c0 == C(0/1) == C(0)
   gf2x_mul_toom (W0, a0, b0, k, stk);                // Size(W0) := 2*k
                                                      // so c[0..(2k-1)] defined
   // W4 = a2 * b2 == c4 == C(1/0) == C(infinity)
   gf2x_mul_toom (W4, a2, b2, r, stk);                // Size(W4) := 2*r

   // Interpolation phase

   // W3 += W2 == c1 + c2 + c3*(1 + y + y^2) + c4
   // W2 += W0 == C(y) + C(0)

   for (j = 0; j < 2*k; j++) {                        // First 2*k iterations
      s = W2[j];
      W3[j] ^= s;                                     // Size(W0) = 2*k
      W2[j] = s ^ W0[j];                              // other sizes 2*kd + 4
   }

   for (; j < 2*kd+4; j++)
      W3[j] ^= W2[j];                                 // Last 4 - 2*d iterations

   // ASSERT (W2[0] == 0);                            // Division should be exact

   // W2 = W2/y + W3
   for (j = 0; j < 2*kd + 3; j++)
      W2[j] = W2[j+1] ^ W3[j];
   W2[j] = W3[j];                                     // Size(W2) := 2*kd + 4

   // W2 = (W2 + W4*(1+y^3))/(1+y) == c2 + c3

   for (j = 0, s = 0; j < 3; j++) {
      s ^= W2[j] ^ W4[j];
      W2[j] = s;                                      // first 3 iterations special
   }

   for (; j < 2*r; j++) { s ^= W2[j] ^ W4[j] ^ W4[j-3]; // next 2r-3 are usual case W2[j] = s; } for (; j < 2*r+3; j++) { s ^= W2[j] ^ W4[j-3]; // next 3 are special W2[j] = s; } for (; j < 2*kd+4; j++) { s ^= W2[j]; // last (k-r-d) == 0 or 1 W2[j] = s; // Size(W2) = 2*kd + 3 } // ASSERT (s == 0); // Division should be exact // W1 += W0 == c1 + c2 + c3 + c4 // W3 += W1 == c3*y*(1+y) for (long j = 0; j < 2*k; j++) { s = W0[j] ^ W1[j]; W1[j] = s; // Size(W0) = Size(W1) = 2*k W3[j] ^= s; // Size(W3) = 2*kd + 4 > 2*k } // ASSERT (W3[0] == 0); // Next division exact // W3 = W3/(y + y^2) == c3 for (j = 0, s = 0; j < 2*kd + 3; j++) { s ^= W3[j+1]; W3[j] = s; } W3[j] = 0; // ASSERT (s == 0); // Division exact // Size(W3) := 2*kd + 2 // W1 += W2 + W4 == c1 // Size(W4) == 2*r // W2 += W3 == c2 // <= Size(W1) == 2*k // <= Size(W3) == 2*kd + 2 // < Size(W2) == 2*kd + 4 for (j = 0; j < 2*r; j++) { // Usual case s = W2[j]; W1[j] ^= s ^ W4[j]; W2[j] = s ^ W3[j]; } for (; j < 2*k; j++) { // Next 2*(k-r) iterations s = W2[j]; W1[j] ^= s; // No W4[j] here W2[j] = s ^ W3[j]; } for (; j < 2*kd + 2; j++) { // Next 2*(1-d) iterations s = W2[j]; W1[j] = s; // Extending size of W1 W2[j] = s ^ W3[j]; } for (; j < 2*kd + 4; j++) // Last 2 iterations W1[j] = W2[j]; // Size(W1) := 2*kd + 4 // Size(W2) = 2*kd + 4 // c = W0 + W1*y + W2*y^2 + W3*y^3 + W4*y^4 // We already have // W0[j] == c[j] for j = 0 .. 2*k-1 because W0 = c, and // W2[j] == c[j] for j = 2*k .. 2*k+2*kd+3 because W2 = c + 2*k for (j = 0; j < 4 - 2*d; j++) // 4 - 2*d words of W2 c[j+4*k] ^= W4[j]; // overlap the W4 region for (; j < 2*r; j++) // Copy rest of W4 c[j+4*k] = W4[j]; // Here c was undefined for (long j = 0; j < 2*kd + 4; j++) c[j+k] ^= W1[j]; // ASSERT (2*kd + 2 + 3*k <= 2*n); // True if n >= 8 so need // GF2X_MUL_TOOMW_THRESHOLD >= 8 for (long j = 0; j < 2*kd + 2; j++) c[j+3*k] ^= W3[j]; } #endif /******************************************************************** * Below this line, experimental code * (C) 2007 Marco Bodrato * Modified by Paul Zimmermann, April 2007. * This code is released under the GPL 2.0 license, or any later version. * * Reference: http://bodrato.it/papers/#WAIFI2007 * * "Towards Optimal Toom-Cook Multiplication for Univariate and * Multivariate Polynomials in Characteristic 2 and 0." by Marco * BODRATO; Springer, Madrid, Spain, June 21-22, 2007. */ #if (GF2X_MUL_TOOM4_THRESHOLD < 30) #error "GF2X_MUL_TOOM4_THRESHOLD should be at least 30" #endif /* c <- x * a + x^2 * b, return carry out */ static unsigned long AddLsh1Lsh2(unsigned long * c, const unsigned long * a, const unsigned long * b, long n) { unsigned long cy = 0UL, t; long i; for (i = 0; i < n; i++) { t = (a[i] << 1) ^ ((b[i] << 2) | cy); cy = (a[i] >> (GF2X_WORDSIZE - 1)) ^ (b[i] >> (GF2X_WORDSIZE - 2)); c[i] = t; } return cy; } /* c <- a + x^2 * b, return carry out */ static unsigned long AddLsh2(unsigned long * c, const unsigned long * a, const unsigned long * b, long n) { unsigned long cy = 0UL, t; long i; for (i = 0; i < n; i++) { t = a[i] ^ ((b[i] << 2) | cy); cy = b[i] >> (GF2X_WORDSIZE - 2); c[i] = t; } return cy; } /* c <- a + x^6 * b, return carry out */ static unsigned long AddLsh6(unsigned long * c, const unsigned long * a, const unsigned long * b, long n) { unsigned long cy = 0UL, t; long i; for (i = 0; i < n; i++) { t = a[i] ^ ((b[i] << 6) | cy); cy = b[i] >> (GF2X_WORDSIZE - 6); c[i] = t; } return cy; } /* let c = q*(x+x^4) + X^n*r with X = x^GF2X_WORDSIZE and deg(r) < 1 then c <- q, returns r. */ static unsigned long DivExactD1(unsigned long * c, long n) { unsigned long t = 0; long i; for (i = 0; i < n; i++) { t ^= (c[i] >> 1) | ((i + 1 < n) ? (c[i + 1] << (GF2X_WORDSIZE - 1)) : 0); t ^= t << 3 ^ t << 6; t ^= t << 9 ^ t << 18; t ^= t << 27 #if (GF2X_WORDSIZE == 64) ^ t << 54 #elif (GF2X_WORDSIZE != 32) #error "GF2X_WORDSIZE should be 32 or 64" #endif ; c[i] = t; t >>= (GF2X_WORDSIZE - 3); } return t; } /* let c = q*(x^2+x^4) + X^n*r with X = x^GF2X_WORDSIZE and deg(r) < 1 then c <- q, returns r. */ static unsigned long DivExactD2(unsigned long * c, long n) { /* c <- c/x^2 */ unsigned long cy = 0, t; long i; for (i = n - 1; i >= 0; i--) { t = (c[i] >> 2) | (cy << (GF2X_WORDSIZE - 2)); cy = c[i]; /* no need to mask the low 2 bits, since they will disappear with the next cy << (GF2X_WORDSIZE - 2) */ c[i] = t; } return DivOnePlusX2(c, n); } #if 0 /* Same as DivExactD2, but with one pass only. However, does not seem to give a significant speedup, thus disabled for now. */ static unsigned long DivExactD2a(unsigned long * c, long n) { unsigned long t, ci; t = c[0]; t ^= t << 2; t ^= t << 4; t ^= t << 8; t ^= t << 16; #if (GF2X_WORDSIZE == 64) t ^= t << 32; #elif (GF2X_WORDSIZE != 32) #error "GF2X_WORDSIZE should be 32 or 64" #endif ci = t; t >>= (GF2X_WORDSIZE - 2); for (long i = 1; i < n; i++) { t ^= c[i]; t ^= t << 2; t ^= t << 4; t ^= t << 8; t ^= t << 16; #if (GF2X_WORDSIZE == 64) t ^= t << 32; #endif /* now t is the result of the division of c[i] by (1+x^2), and t >> (GF2X_WORDSIZE - 2) the corresponding carry */ c[i - 1] = (ci >> 2) | (t << (GF2X_WORDSIZE - 2)); ci = t; t >>= (GF2X_WORDSIZE - 2); } c[n - 1] = ci >> 2; return t; } #endif /* \\ gp-pari check code. \\ (C) 2007 Marco Bodrato \\ This code is released under the GPL 2.0 license, or any later version. U0=u0*Mod(1,2);U1=u1*Mod(1,2);U2=u2*Mod(1,2);U3=u3*Mod(1,2); V0=v0*Mod(1,2);V1=v1*Mod(1,2);V2=v2*Mod(1,2);V3=v3*Mod(1,2); U = U3*Y^3 + U2*Y^2*X + U1*Y*X^2 + U0*X^3 V = V3*Y^3 + V2*Y^2*X + V1*Y*X^2 + V0*X^3 \\ P(X,Y): P0=(1,0); P1=(x+1,1); P2=(x,1); P3=(1,1); P4=(1,x); P5=(1,x+1); P6=(0,1) \\Evaluation phase: 13*2 add, 7*2 shift, 2Smul; 7 mul (n) W1 = U0 + U1 + U2 + U3 ; W2 = V0 + V1 + V2 + V3 W0 = U1 +(U2 + U3*x)*x ; W6 = V1 +(V2 + V3*x)*x W4 = W1 +(W0 + U3*(x+1))*x; W3 = W2 +(W6 + V3*(x+1))*x W0 = W0*x + U0 ; W6 = W6*x + V0 W5 = W4 * W3 ; W4 = W0 * W6 W3 = W1 * W2 W0 =(U2 +(U1 + U0*x)*x)*x ; W6 =(V2 +(V1 + V0*x)*x)*x W1 = W1 + W0 + U0*(x^2+x) ; W2 = W2 + W6 + V0*(x^2+x) W0 = W0 + U3 ; W6 = W6 + V3 W1 = W1 * W2 ; W2 = W0 * W6 W6 = U3 * V3 ; W0 = U0 * V0 \\Interpolation: 22 add, 4 shift, 5 Smul, 4 div (2n) d1=(x^4+x)*Mod(1,2) ; d1== (x)^1*(x+1)^1*(x^2+x+1)^1 *Mod(1,2) d2=(x^4+x^2)*Mod(1,2) ; d2== (x)^2*(x+1)^2*(x^2+x+1)^0 *Mod(1,2) W1 = W1 + W2 + W0*(x^4+x^2+1) W5 =(W5 + W4 + W1 + W6*(x^4+x^2+1))/d1 W2 = W2 + W6 + W0*(x^6) W4 = W4 + W2 + W0 + W6*(x^6) W4 =(W4 + W5*(x^5+x))/d2 W3 = W3 + W0 + W6 W1 = W1 + W3 W2 = W2 +(W1 + W3*x)*x W3 = W3 + W4 + W5 W1 =(W1 + W3*(x^2+x))/d1 W5 = W5 + W1 W2 =(W2 + W5*(x^2+x))/d2 W4 = W4 + W2 \\Recomposition W = W6*Y^6 + W5*Y^5*X + W4*Y^4*X^2+ W3*Y^3*X^3+ W2*Y^2*X^4+ W1*Y*X^5 + W0*X^6 W == U*V Memory Usage: stk must have space for sp(n), where sp(n) = 6k+2 + sp(k+1) with k = ceil(n/4). */ void gf2x_mul_tc4(unsigned long * c, const unsigned long * a, const unsigned long * b, long n, unsigned long * stk) { long k = (n + 3) / 4; /* ceil(n/4) */ long r = n - 3 * k; unsigned long cy, cy1, cy2, cy3, cy4; unsigned long *W0 = c; unsigned long *W1 = stk; unsigned long *W2 = c + 2 * k; unsigned long *W3 = stk + 2 * k; unsigned long *W4 = c + 4 * k; unsigned long *W5 = stk + 4 * k; unsigned long *W6 = c + 6 * k; unsigned long *newstk = stk + 6 * k + 2; /* \\Evaluation phase: 13*2 add, 7*2 shift, 2Smul; 7 mul (n) */ /* W1 = U0 + U1 + U2 + U3 ; W2 = V0 + V1 + V2 + V3 */ Add(W1, a, a + 3 * k, r); Add1(W1 + r, a + r, k - r, 0); Add3(W1, a + k, a + 2 * k, k); /* U0 + U1 + U2 + U3 */ Add(W2 + 2, b, b + 3 * k, r); Add1(W2 + r + 2, b + r, k - r, 0); Add3(W2 + 2, b + k, b + 2 * k, k); /* V0 + V1 + V2 + V3 */ /* Add (W1, a, a + k, k); */ /* Add (W1, W1, a + 2 * k, k); */ /* Add (W1, W1, a + 3 * k, r); /\* U0 + U1 + U2 + U3 *\/ */ /* Add (W2+2, b, b + k, k); */ /* Add (W2+2,W2+2, b + 2 * k, k); */ /* Add (W2+2,W2+2, b + 3 * k, r); /\* V0 + V1 + V2 + V3 *\/ */ /* W0 = U1 +(U2 + U3*x)*x ; W6 = V1 +(V2 + V3*x)*x */ cy = AddLsh1(W0, a + 2 * k, a + 3 * k, r); /* U2 + x U3 */ cy = Add1(W0 + r, a + 2 * k + r, k - r, cy); W0[k] = (cy << 1) ^ AddLsh1(W0, a + k, W0, k); /* U1+x U2 + x^2 U3 */ cy = AddLsh1(W6 + 2, b + 2 * k, b + 3 * k, r); /* V2 + x V3 */ cy = Add1(W6 + 2 + r, b + 2 * k + r, k - r, cy); W6[k + 2] = (cy << 1) ^ AddLsh1(W6 + 2, b + k, W6 + 2, k); /* V1+x V2 + x^2 V3 */ /* since we use W6[k+2], and we have space for 2r words in W6, we need k+3 <= 2*r, which requires n>=30. */ /* W4 = W1 +(W0 + U3*(x+1))*x; W3 = W2 +(W6 + V3*(x+1))*x */ cy = AddLsh1(W4 + 2, W0, a + 3 * k, r); /* W0 + x U3 */ cy = Add1(W4 + 2 + r, W0 + r, k + 1 - r, cy); /* cy == 0 */ ASSERT(cy == 0); Add(W4 + 2, W4 + 2, a + 3 * k, r); /* W0 + x U3 + U3 */ W4[k + 2] = (W4[k + 2] << 1) ^ AddLsh1(W4 + 2, W1, W4 + 2, k); /* W1+x(W0 +(x+1) U3) */ cy = AddLsh1(W3 + 2, W6 + 2, b + 3 * k, r); /* W6 + x V3 */ cy = Add1(W3 + 2 + r, W6 + 2 + r, k + 1 - r, cy); /* cy == 0 */ Add(W3 + 2, W3 + 2, b + 3 * k, r); /* W6 + x V3 + V3 */ W3[k + 2] = (W3[k + 2] << 1) ^ AddLsh1(W3 + 2, W2 + 2, W3 + 2, k); /* W2+x(W6 + (x+1) V3) */ /* W0 = W0*x + U0 ; W6 = W6*x + V0 */ W0[k] = (W0[k] << 1) ^ AddLsh1(W0, a, W0, k); /* U0+x W0 */ W6[k + 2] = (W6[k + 2] << 1) ^ AddLsh1(W6 + 2, b, W6 + 2, k); /* V0+x W6 */ /* W5 = W4 * W3 ; W4 = W0 * W6 */ gf2x_mul_toom(W5, W4 + 2, W3 + 2, k + 1, newstk); /* W5 : 2*k+1 */ gf2x_mul_toom(W4, W0, W6 + 2, k + 1, newstk); /* W4 : 2*k+1 */ cy4 = W6[0]; /* Take care of overlapping byte. */ /* W3 = W1 * W2 */ gf2x_mul_toom(W3, W1, W2 + 2, k, newstk); /* W3 : 2*k */ /* W0 =(U2 +(U1 + U0*x)*x)*x ; W6 =(V2 +(V1 + V0*x)*x)*x */ cy = AddLsh1(W0, a + 1 * k, a + 0 * k, k); /* U1 + x U0 */ W0[k] = (cy << 2) ^ AddLsh1Lsh2(W0, a + 2 * k, W0, k); /* U2+x U1 + x^2 U0 */ cy = AddLsh1(W6 + 2, b + 1 * k, b + 0 * k, k); /* V1 + x V0 */ W6[k + 2] = (cy << 2) ^ AddLsh1Lsh2(W6 + 2, b + 2 * k, W6 + 2, k); /* V2+x V1 + x^2 V0 */ /* W1 = W1 + W0 + U0*(x^2+x) ; W2 = W2 + W6 + V0*(x^2+x) */ W1[k] = gf2x_addmul_1_n(W1, W1, a, k, 4 + 2); Add(W0 + k + 1, W1, W0, k + 1); W2[k + 2] = gf2x_addmul_1_n(W2 + 2, W2 + 2, b, k, 4 + 2); Add(W2 + 2, W2 + 2, W6 + 2, k + 1); /* W0 = W0 + U3 ; W6 = W6 + V3 */ Add(W0, W0, a + 3 * k, r); /* + U3 */ Add(W6 + 2, W6 + 2, b + 3 * k, r); /* + V3 */ /* W1 = W1 * W2 ; W2 = W0 * W6 */ cy = W3[0]; cy2 = W3[1]; /* Take care of overlapping byte. */ gf2x_mul_toom(W1, W0 + k + 1, W2 + 2, k + 1, newstk); /* W1 : 2*k+1 */ cy1 = W3[0]; W3[0] = cy; W3[1] = cy2; cy = W4[0]; cy2 = W4[1]; /* Take care of overlapping byte. */ gf2x_mul_toom(W2, W0, W6 + 2, k + 1, newstk); /* W2 : 2*k+1 */ W4[1] = cy2; cy2 = W4[0]; W4[0] = cy; /* W6 = U3 * V3 ; W0 = U0 * V0 */ gf2x_mul_toom(W0, a, b, k, newstk); /* W0 : 2*k */ gf2x_mul_toom(W6, a + 3 * k, b + 3 * k, r, newstk); /* W6 : 2*r */ /* \\Interpolation: 22 add, 4 shift, 5 Smul, 4 div (2n) */ /* d1=(x^4+x)*Mod(1,2) ; d1== (x)^1*(x+1)^1*(x^2+x+1)^1 *Mod(1,2) */ /* d2=(x^4+x^2)*Mod(1,2) ; d2== (x)^2*(x+1)^2*(x^2+x+1)^0 *Mod(1,2) */ /* W1 = W1 + W2 + W0*(x^4+x^2+1) */ Add(W1, W1, W2, 2 * k); cy1 ^= cy2 ^ gf2x_addmul_1_n(W1, W1, W0, 2 * k, 16 + 4 + 1); /* W5 =(W5 + W4 + W1 + W6*(x^4+x^2+1))/d1 */ Add3(W5, W4, W1, 2 * k); W5[2 * k] ^= cy1 ^ cy4; W5[2 * r] ^= gf2x_addmul_1_n(W5, W5, W6, 2 * r, 16 + 4 + 1); DivExactD1(W5, 2 * k + 1); /* W2 = W2 + W6 + W0*(x^6) */ Add(W2, W2, W6, 2 * r); cy2 ^= AddLsh6(W2, W2, W0, 2 * k); /* W4 = W4 + W2 + W0 + W6*(x^6) */ Add3(W4, W2, W0, 2 * k); cy3 = AddLsh6(W4, W4, W6, 2 * r); cy = W6[0]; /* save W6[0]=W4[2k]: we cannot do it before the AddLsh6 call because W6 is used as input */ W6[0] = cy4 ^ cy2; W4[2 * r] ^= cy3; /* must come after W6[0] = cy4 in case r=k */ /* W4 =(W4 + W5*(x^5+x))/d2 */ gf2x_addmul_1_n(W4, W4, W5, 2 * k + 1, 32 + 2); DivExactD2(W4, 2 * k + 1); W6[0] = cy; /* W3 = W3 + W0 + W6 */ Add3(W3, W0, W6, 2 * r); if (r != k) Add(W3 + 2 * r, W3 + 2 * r, W0 + 2 * r, 2 * (k - r)); /* warning: 2r instead of r */ /* W1 = W1 + W3 */ Add(W1, W1, W3, 2 * k); /* W2 = W2 +(W1 + W3*x)*x */ cy2 ^= AddLsh1(W2, W2, W1, 2 * k) ^ AddLsh2(W2, W2, W3, 2 * k) ^ (cy1 << 1); /* W3 = W3 + W4 + W5 */ Add3(W3, W4, W5, 2 * k); /* W1 =(W1 + W3*(x^2+x))/d1 */ cy = W3[0]; cy1 ^= gf2x_addmul_1_n(W1, W1, W3, 2 * k, 4 + 2); W3[0] = cy1; DivExactD1(W1, 2 * k + 1); W3[0] = cy; /* W5 = W5 + W1 */ Add(W5, W5, W1, 2 * k); /* W2 =(W2 + W5*(x^2+x))/d2 */ cy = W4[0]; W4[0] = cy2 ^ gf2x_addmul_1_n(W2, W2, W5, 2 * k, 4 + 2); DivExactD2(W2, 2 * k + 1); W4[0] = cy; /* W4 = W4 + W2 */ Add(W4, W4, W2, 2 * k); /* \\Recomposition */ /* W = W6*Y^6 + W5*Y^5 + W4*Y^4+ W3*Y^3+ W2*Y^2+ W1*Y + W0 */ Add(c + k, c + k, W1, 6 * k); }