Maestro Linden I've written an implementation of ModPow in LSL (available from https://pastebin.com/DFYLjcQg as canny kept failing to upload it as an attachment, and it exceeds the 2500 character limit for replies) along with a test of 6 values to compute using my function and also using llModPow for comparison.

My UDFs correctly compute all 6 in less than half a second, despite LSL not having 64bit integers, nor unsigned integers and sub-optimally using long division rather than something like Montgomery reduction.

The repeated tests using llModPow all fail and takes over 6 seconds due to the 1s forced delay.

That the LSL version is over 12x faster than llModPow also suggests to me that the 1s forced delay is excessive and/or the implementation is poor.

Logan Elf: Okay, talking to the server team, we know we can update the function so that the x^n component of llModPow() is stored as an S64 internally before the modulo operation.

This would address cases in which abs(x^n) is less than 2^63, but one would still see issues for larger values (which could be hit for large x when n>2).

Just to be sure that updating llModPow() is the best path (and that some new/different function in LSL would be better), what are you using the result for? Are you calculating a sort of hash value?

Maestro Linden I'm doing simple Diffie-Hellman key exchange using xⁿ mod p values (so x, n and p may be very big).

Logan Elf: Thanks for the info. The reason I ask is because we're curious if some higher-level LSL function would be more convenient for you (and probably run faster).

Maestro Linden I guess what I really need is a way for both parties to be able to generate the 256-bit token (could generalise to n-bit). llHMAC can be used to generate big tokens, but you're still stuck with how to pass the random numbers. The beauty of DH is that the random numbers are passed without actually passing the numbers themselves.

Logan Elf I have implemented a fix for this. I'm using an algorithm mentioned here:

Which references this page:

I tried a few inputs, including the one you used to prove the old math incorrect and it now appears to be producing correct values. Also the calculation is Much Faster. This fix will probably be in server update codenamed "bacon" which might be released in Dec24 if you're lucky, but maybe not until Jan25.

BTW:

LSL integers are signed, which means for positive numbers you're limited to primes under 2^31. Under the hood I cast the S32 first to U32, then to U64 which means if you're clever you could try to use primes under 2^32 by feeding it negative numbers, but I didn't test it.

For llVerifyRSA() and friends we use the GnuTLS library. This means if you wanted to do proper Diffie-Hellman negotiation using higher level primes it might be possible to add new LSL methods that wrap the GnuTLS API. I considered embarking on that project for this but decided I would much prefer someone else design it. So, if you or someone else decide llModPow() just isn't cutting it then feel free to propose an LSL API that is a thin wrapper for GnuTLS and I will consider implementing it.

Correction: this fix will be in the server update codenamed "Apple Cobbler" which we expect to be delivered Dec24.