Any algorithm with these properties would be a huge improvement compared to what we have today:
0. No side-channel leakage of anything but bit counts of input operands. (I suppose there are usages where the mod argument is not sensitive, such as for the elliptic curve usages). This is already true for the present, slow code. 1. Computation of a 2 x 2 matrix in O(1) time. Not necessarily fast. 2. Guaranteed reduction of intermediate operand bit count by a full limb each. 3. If the reduction in (2) happens to be greater than one limb, the subsequent iteration of (1) must still work. I.e., it must allow the bits it depends on to be zero and should not need to locate, say, the least significant 1 bit of the full operands. -- Torbjörn Please encrypt, key id 0xC8601622 _______________________________________________ gmp-devel mailing list gmp-devel@gmplib.org https://gmplib.org/mailman/listinfo/gmp-devel