void ep2_mul_pre_nafwi(ep2_t *t, ep2_t p) {
int l;
bn_t n;
bn_null(n);
TRY {
bn_new(n);
ep2_curve_get_ord(n);
l = bn_bits(n) + 1;
l = ((l % EP_DEPTH) == 0 ? (l / EP_DEPTH) : (l / EP_DEPTH) + 1);
ep2_copy(t[0], p);
for (int i = 1; i < l; i++) {
ep2_dbl(t[i], t[i - 1]);
for (int j = 1; j < EP_DEPTH; j++) {
ep2_dbl(t[i], t[i]);
}
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
}
}
void ep2_mul_pre_combd(ep2_t *t, ep2_t p) {
int i, j, d, e;
bn_t n;
bn_null(n);
TRY {
bn_new(n);
ep2_curve_get_ord(n);
d = bn_bits(n);
d = ((d % EP_DEPTH) == 0 ? (d / EP_DEPTH) : (d / EP_DEPTH) + 1);
e = (d % 2 == 0 ? (d / 2) : (d / 2) + 1);
ep2_set_infty(t[0]);
ep2_copy(t[1], p);
for (j = 1; j < EP_DEPTH; j++) {
ep2_dbl(t[1 << j], t[1 << (j - 1)]);
for (i = 1; i < d; i++) {
ep2_dbl(t[1 << j], t[1 << j]);
}
#if defined(EP_MIXED)
ep2_norm(t[1 << j], t[1 << j]);
#endif
for (i = 1; i < (1 << j); i++) {
ep2_add(t[(1 << j) + i], t[i], t[1 << j]);
}
}
ep2_set_infty(t[1 << EP_DEPTH]);
for (j = 1; j < (1 << EP_DEPTH); j++) {
ep2_dbl(t[(1 << EP_DEPTH) + j], t[j]);
for (i = 1; i < e; i++) {
ep2_dbl(t[(1 << EP_DEPTH) + j], t[(1 << EP_DEPTH) + j]);
}
}
#if defined(EP_MIXED)
for (i = 1; i < RELIC_EP_TABLE_COMBD; i++) {
ep2_norm(t[i], t[i]);
}
#endif
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
}
}
void ep2_mul(ep2_t r, ep2_t p, bn_t k) {
int i, l;
ep2_t t;
ep2_null(t);
TRY {
ep2_new(t);
l = bn_bits(k);
if (bn_get_bit(k, l - 1)) {
ep2_copy(t, p);
} else {
ep2_set_infty(t);
}
for (i = l - 2; i >= 0; i--) {
ep2_dbl(t, t);
if (bn_get_bit(k, i)) {
ep2_add(t, t, p);
}
}
ep2_copy(r, t);
ep2_norm(r, r);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep2_free(t);
}
}
/**
* Multiplies a binary elliptic curve point by an integer using the w-NAF
* method.
*
* @param[out] r - the result.
* @param[in] p - the point to multiply.
* @param[in] k - the integer.
*/
static void ep2_mul_fix_ordin(ep2_t r, ep2_t *table, bn_t k) {
int len, i, n;
int8_t naf[2 * RLC_FP_BITS + 1], *t;
if (bn_is_zero(k)) {
ep2_set_infty(r);
return;
}
/* Compute the w-TNAF representation of k. */
len = 2 * RLC_FP_BITS + 1;
bn_rec_naf(naf, &len, k, EP_DEPTH);
t = naf + len - 1;
ep2_set_infty(r);
for (i = len - 1; i >= 0; i--, t--) {
ep2_dbl(r, r);
n = *t;
if (n > 0) {
ep2_add(r, r, table[n / 2]);
}
if (n < 0) {
ep2_sub(r, r, table[-n / 2]);
}
}
/* Convert r to affine coordinates. */
ep2_norm(r, r);
if (bn_sign(k) == RLC_NEG) {
ep2_neg(r, r);
}
}
void ep2_mul_dig(ep2_t r, ep2_t p, dig_t k) {
int i, l;
ep2_t t;
ep2_null(t);
if (k == 0) {
ep2_set_infty(r);
return;
}
TRY {
ep2_new(t);
l = util_bits_dig(k);
ep2_copy(t, p);
for (i = l - 2; i >= 0; i--) {
ep2_dbl(t, t);
if (k & ((dig_t)1 << i)) {
ep2_add(t, t, p);
}
}
ep2_norm(r, t);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep2_free(t);
}
}
void ep2_mul_sim_joint(ep2_t r, ep2_t p, bn_t k, ep2_t q, bn_t l) {
ep2_t t[5];
int u_i, len, offset;
int8_t jsf[4 * (FP_BITS + 1)];
int i;
ep2_null(t[0]);
ep2_null(t[1]);
ep2_null(t[2]);
ep2_null(t[3]);
ep2_null(t[4]);
TRY {
for (i = 0; i < 5; i++) {
ep2_new(t[i]);
}
ep2_set_infty(t[0]);
ep2_copy(t[1], q);
ep2_copy(t[2], p);
ep2_add(t[3], p, q);
ep2_sub(t[4], p, q);
len = 4 * (FP_BITS + 1);
bn_rec_jsf(jsf, &len, k, l);
ep2_set_infty(r);
i = bn_bits(k);
offset = MAX(i, bn_bits(l)) + 1;
for (i = len - 1; i >= 0; i--) {
ep2_dbl(r, r);
if (jsf[i] != 0 && jsf[i] == -jsf[i + offset]) {
u_i = jsf[i] * 2 + jsf[i + offset];
if (u_i < 0) {
ep2_sub(r, r, t[4]);
} else {
ep2_add(r, r, t[4]);
}
} else {
u_i = jsf[i] * 2 + jsf[i + offset];
if (u_i < 0) {
ep2_sub(r, r, t[-u_i]);
} else {
ep2_add(r, r, t[u_i]);
}
}
}
ep2_norm(r, r);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
for (i = 0; i < 5; i++) {
ep2_free(t[i]);
}
}
}
void ep2_mul_fix_combd(ep2_t r, ep2_t *t, bn_t k) {
int i, j, d, e, w0, w1, n0, p0, p1;
bn_t n;
if (bn_is_zero(k)) {
ep2_set_infty(r);
return;
}
bn_null(n);
TRY {
bn_new(n);
ep2_curve_get_ord(n);
d = bn_bits(n);
d = ((d % EP_DEPTH) == 0 ? (d / EP_DEPTH) : (d / EP_DEPTH) + 1);
e = (d % 2 == 0 ? (d / 2) : (d / 2) + 1);
ep2_set_infty(r);
n0 = bn_bits(k);
p1 = (e - 1) + (EP_DEPTH - 1) * d;
for (i = e - 1; i >= 0; i--) {
ep2_dbl(r, r);
w0 = 0;
p0 = p1;
for (j = EP_DEPTH - 1; j >= 0; j--, p0 -= d) {
w0 = w0 << 1;
if (p0 < n0 && bn_get_bit(k, p0)) {
w0 = w0 | 1;
}
}
w1 = 0;
p0 = p1-- + e;
for (j = EP_DEPTH - 1; j >= 0; j--, p0 -= d) {
w1 = w1 << 1;
if (i + e < d && p0 < n0 && bn_get_bit(k, p0)) {
w1 = w1 | 1;
}
}
ep2_add(r, r, t[w0]);
ep2_add(r, r, t[(1 << EP_DEPTH) + w1]);
}
ep2_norm(r, r);
if (bn_sign(k) == RLC_NEG) {
ep2_neg(r, r);
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
}
}
void ep2_mul_fix_combs(ep2_t r, ep2_t *t, bn_t k) {
int i, j, l, w, n0, p0, p1;
bn_t n;
if (bn_is_zero(k)) {
ep2_set_infty(r);
return;
}
bn_null(n);
TRY {
bn_new(n);
ep2_curve_get_ord(n);
l = bn_bits(n);
l = ((l % EP_DEPTH) == 0 ? (l / EP_DEPTH) : (l / EP_DEPTH) + 1);
n0 = bn_bits(k);
p0 = (EP_DEPTH) * l - 1;
w = 0;
p1 = p0--;
for (j = EP_DEPTH - 1; j >= 0; j--, p1 -= l) {
w = w << 1;
if (p1 < n0 && bn_get_bit(k, p1)) {
w = w | 1;
}
}
ep2_copy(r, t[w]);
for (i = l - 2; i >= 0; i--) {
ep2_dbl(r, r);
w = 0;
p1 = p0--;
for (j = EP_DEPTH - 1; j >= 0; j--, p1 -= l) {
w = w << 1;
if (p1 < n0 && bn_get_bit(k, p1)) {
w = w | 1;
}
}
if (w > 0) {
ep2_add(r, r, t[w]);
}
}
ep2_norm(r, r);
if (bn_sign(k) == RLC_NEG) {
ep2_neg(r, r);
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
}
}
/**
* Multiplies a point on a Barreto-Lynn-Soctt curve by the cofactor.
*
* @param[out] r - the result.
* @param[in] p - the point to multiply.
*/
void ep2_mul_cof_b12(ep2_t r, ep2_t p) {
bn_t x;
ep2_t t0, t1, t2, t3;
ep2_null(t0);
ep2_null(t1);
ep2_null(t2);
ep2_null(t3);
bn_null(x);
TRY {
ep2_new(t0);
ep2_new(t1);
ep2_new(t2);
ep2_new(t3);
bn_new(x);
fp_param_get_var(x);
/* Compute t0 = xP. */
ep2_mul(t0, p, x);
if (bn_sign(x) == BN_NEG) {
ep2_neg(t0, t0);
}
/* Compute t1 = [x^2]P. */
ep2_mul(t1, t0, x);
if (bn_sign(x) == BN_NEG) {
ep2_neg(t1, t1);
}
/* t2 = (x^2 - x - 1)P = x^2P - x*P - P. */
ep2_sub(t2, t1, t0);
ep2_sub(t2, t2, p);
/* t3 = \psi(x - 1)P. */
ep2_sub(t3, t0, p);
ep2_norm(t3, t3);
ep2_frb(t3, t3, 1);
ep2_add(t2, t2, t3);
/* t3 = \psi^2(2P). */
ep2_dbl(t3, p);
ep2_norm(t3, t3);
ep2_frb(t3, t3, 2);
ep2_add(t2, t2, t3);
ep2_norm(r, t2);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep2_free(t0);
ep2_free(t1);
ep2_free(t2);
ep2_free(t3);
bn_free(x);
}
}
void ep2_mul_pre_combs(ep2_t *t, ep2_t p) {
int i, j, l;
bn_t n;
bn_null(n);
TRY {
bn_new(n);
ep2_curve_get_ord(n);
l = bn_bits(n);
l = ((l % EP_DEPTH) == 0 ? (l / EP_DEPTH) : (l / EP_DEPTH) + 1);
ep2_set_infty(t[0]);
ep2_copy(t[1], p);
for (j = 1; j < EP_DEPTH; j++) {
ep2_dbl(t[1 << j], t[1 << (j - 1)]);
for (i = 1; i < l; i++) {
ep2_dbl(t[1 << j], t[1 << j]);
}
#if defined(EP_MIXED)
ep2_norm(t[1 << j], t[1 << j]);
#endif
for (i = 1; i < (1 << j); i++) {
ep2_add(t[(1 << j) + i], t[i], t[1 << j]);
}
}
#if defined(EP_MIXED)
for (i = 1; i < RLC_EP_TABLE_COMBS; i++) {
ep2_norm(t[i], t[i]);
}
#endif
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
}
}
/**
* Multiplies a point on a Barreto-Naehrig curve by the cofactor.
*
* @param[out] r - the result.
* @param[in] p - the point to multiply.
*/
void ep2_mul_cof_bn(ep2_t r, ep2_t p) {
bn_t x;
ep2_t t0, t1, t2;
ep2_null(t0);
ep2_null(t1);
ep2_null(t2);
bn_null(x);
TRY {
ep2_new(t0);
ep2_new(t1);
ep2_new(t2);
bn_new(x);
fp_param_get_var(x);
/* Compute t0 = xP. */
ep2_mul(t0, p, x);
if (bn_sign(x) == BN_NEG) {
ep2_neg(t0, t0);
}
/* Compute t1 = \psi(3xP). */
ep2_dbl(t1, t0);
ep2_add(t1, t1, t0);
ep2_norm(t1, t1);
ep2_frb(t1, t1, 1);
/* Compute t2 = \psi^3(P) + t0 + t1 + \psi^2(xP). */
ep2_frb(t2, p, 2);
ep2_frb(t2, t2, 1);
ep2_add(t2, t2, t0);
ep2_add(t2, t2, t1);
ep2_frb(t1, t0, 2);
ep2_add(t2, t2, t1);
ep2_norm(r, t2);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep2_free(t0);
ep2_free(t1);
ep2_free(t2);
bn_free(x);
}
}
void ep2_tab(ep2_t * t, ep2_t p, int w) {
if (w > 2) {
ep2_dbl(t[0], p);
#if defined(EP_MIXED)
ep2_norm(t[0], t[0]);
#endif
ep2_add(t[1], t[0], p);
for (int i = 2; i < (1 << (w - 2)); i++) {
ep2_add(t[i], t[i - 1], t[0]);
}
#if defined(EP_MIXED)
for (int i = 1; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_norm(t[i], t[i]);
}
#endif
}
ep2_copy(t[0], p);
}
void ep2_add_projc(ep2_t r, ep2_t p, ep2_t q) {
if (ep2_is_infty(p)) {
ep2_copy(r, q);
return;
}
if (ep2_is_infty(q)) {
ep2_copy(r, p);
return;
}
if (p == q) {
/* TODO: This is a quick hack. Should we fix this? */
ep2_dbl(r, p);
return;
}
ep2_add_projc_imp(r, p, q);
}
void ep2_mul_pre_basic(ep2_t *t, ep2_t p) {
bn_t n;
bn_null(n);
TRY {
bn_new(n);
ep2_curve_get_ord(n);
ep2_copy(t[0], p);
for (int i = 1; i < bn_bits(n); i++) {
ep2_dbl(t[i], t[i - 1]);
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
}
}
/**
* Precomputes a table for a point multiplication on an ordinary curve.
*
* @param[out] t - the destination table.
* @param[in] p - the point to multiply.
*/
static void ep2_mul_pre_ordin(ep2_t *t, ep2_t p) {
int i;
ep2_dbl(t[0], p);
#if defined(EP_MIXED)
ep2_norm(t[0], t[0]);
#endif
#if EP_DEPTH > 2
ep2_add(t[1], t[0], p);
for (i = 2; i < (1 << (EP_DEPTH - 2)); i++) {
ep2_add(t[i], t[i - 1], t[0]);
}
#if defined(EP_MIXED)
for (i = 1; i < (1 << (EP_DEPTH - 2)); i++) {
ep2_norm(t[i], t[i]);
}
#endif
#endif
ep2_copy(t[0], p);
}
static void ep2_mul_sim_ordin(ep2_t r, ep2_t p, bn_t k, ep2_t q, bn_t l, int gen) {
int len, l0, l1, i, n0, n1, w;
signed char naf0[FP_BITS + 1], naf1[FP_BITS + 1], *t0, *t1;
ep2_t table0[1 << (EP_WIDTH - 2)];
ep2_t table1[1 << (EP_WIDTH - 2)];
ep2_t *t = NULL;
for (i = 0; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_null(table0[i]);
ep2_null(table1[i]);
}
if (gen) {
#if defined(EP_PRECO)
t = ep2_curve_get_tab();
#endif
} else {
for (i = 0; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_new(table0[i]);
}
ep2_tab(table0, p, EP_WIDTH);
t = table0;
}
/* Prepare the precomputation table. */
for (i = 0; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_new(table1[i]);
}
/* Compute the precomputation table. */
ep2_tab(table1, q, EP_WIDTH);
/* Compute the w-TNAF representation of k. */
if (gen) {
w = EP_DEPTH;
} else {
w = EP_WIDTH;
}
l0 = l1 = FP_BITS + 1;
bn_rec_naf(naf0, &l0, k, w);
bn_rec_naf(naf1, &l1, l, EP_WIDTH);
len = MAX(l0, l1);
t0 = naf0 + len - 1;
t1 = naf1 + len - 1;
for (i = l0; i < len; i++)
naf0[i] = 0;
for (i = l1; i < len; i++)
naf1[i] = 0;
ep2_set_infty(r);
for (i = len - 1; i >= 0; i--, t0--, t1--) {
ep2_dbl(r, r);
n0 = *t0;
n1 = *t1;
if (n0 > 0) {
ep2_add(r, r, t[n0 / 2]);
}
if (n0 < 0) {
ep2_sub(r, r, t[-n0 / 2]);
}
if (n1 > 0) {
ep2_add(r, r, table1[n1 / 2]);
}
if (n1 < 0) {
ep2_sub(r, r, table1[-n1 / 2]);
}
}
/* Convert r to affine coordinates. */
ep2_norm(r, r);
/* Free the precomputation table. */
for (i = 0; i < 1 << (EP_WIDTH - 2); i++) {
ep2_free(table0[i]);
ep2_free(table1[i]);
}
}
void ep2_mul_sim_trick(ep2_t r, ep2_t p, bn_t k, ep2_t q, bn_t l) {
ep2_t t0[1 << (EP_WIDTH / 2)];
ep2_t t1[1 << (EP_WIDTH / 2)];
ep2_t t[1 << EP_WIDTH];
bn_t n;
int l0, l1, w = EP_WIDTH / 2;
uint8_t w0[CEIL(2 * FP_BITS, w)], w1[CEIL(2 * FP_BITS, w)];
bn_null(n);
for (int i = 0; i < 1 << EP_WIDTH; i++) {
ep2_null(t[i]);
}
for (int i = 0; i < 1 << (EP_WIDTH / 2); i++) {
ep2_null(t0[i]);
ep2_null(t1[i]);
}
TRY {
bn_new(n);
ep2_curve_get_ord(n);
for (int i = 0; i < (1 << w); i++) {
ep2_new(t0[i]);
ep2_new(t1[i]);
}
for (int i = 0; i < (1 << EP_WIDTH); i++) {
ep2_new(t[i]);
}
ep2_set_infty(t0[0]);
for (int i = 1; i < (1 << w); i++) {
ep2_add(t0[i], t0[i - 1], p);
}
ep2_set_infty(t1[0]);
for (int i = 1; i < (1 << w); i++) {
ep2_add(t1[i], t1[i - 1], q);
}
for (int i = 0; i < (1 << w); i++) {
for (int j = 0; j < (1 << w); j++) {
ep2_add(t[(i << w) + j], t0[i], t1[j]);
}
}
l0 = l1 = CEIL(2 * FP_BITS, w);
bn_rec_win(w0, &l0, k, w);
bn_rec_win(w1, &l1, l, w);
for (int i = l0; i < l1; i++) {
w0[i] = 0;
}
for (int i = l1; i < l0; i++) {
w1[i] = 0;
}
ep2_set_infty(r);
for (int i = MAX(l0, l1) - 1; i >= 0; i--) {
for (int j = 0; j < w; j++) {
ep2_dbl(r, r);
}
ep2_add(r, r, t[(w0[i] << w) + w1[i]]);
}
ep2_norm(r, r);
} CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
for (int i = 0; i < (1 << w); i++) {
ep2_free(t0[i]);
ep2_free(t1[i]);
}
for (int i = 0; i < (1 << EP_WIDTH); i++) {
ep2_free(t[i]);
}
}
}
static void ep2_mul_sim_plain(ep2_t r, ep2_t p, bn_t k, ep2_t q, bn_t l,
ep2_t *t) {
int len, l0, l1, i, n0, n1, w, gen;
int8_t naf0[2 * FP_BITS + 1], naf1[2 * FP_BITS + 1], *_k, *_m;
ep2_t t0[1 << (EP_WIDTH - 2)];
ep2_t t1[1 << (EP_WIDTH - 2)];
for (i = 0; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_null(t0[i]);
ep2_null(t1[i]);
}
TRY {
gen = (t == NULL ? 0 : 1);
if (!gen) {
for (i = 0; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_new(t0[i]);
}
ep2_tab(t0, p, EP_WIDTH);
t = (ep2_t *)t0;
}
/* Prepare the precomputation table. */
for (i = 0; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_new(t1[i]);
}
/* Compute the precomputation table. */
ep2_tab(t1, q, EP_WIDTH);
/* Compute the w-TNAF representation of k. */
if (gen) {
w = EP_DEPTH;
} else {
w = EP_WIDTH;
}
l0 = l1 = 2 * FP_BITS + 1;
bn_rec_naf(naf0, &l0, k, w);
bn_rec_naf(naf1, &l1, l, EP_WIDTH);
len = MAX(l0, l1);
_k = naf0 + len - 1;
_m = naf1 + len - 1;
for (i = l0; i < len; i++)
naf0[i] = 0;
for (i = l1; i < len; i++)
naf1[i] = 0;
ep2_set_infty(r);
for (i = len - 1; i >= 0; i--, _k--, _m--) {
ep2_dbl(r, r);
n0 = *_k;
n1 = *_m;
if (n0 > 0) {
ep2_add(r, r, t[n0 / 2]);
}
if (n0 < 0) {
ep2_sub(r, r, t[-n0 / 2]);
}
if (n1 > 0) {
ep2_add(r, r, t1[n1 / 2]);
}
if (n1 < 0) {
ep2_sub(r, r, t1[-n1 / 2]);
}
}
/* Convert r to affine coordinates. */
ep2_norm(r, r);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
/* Free the precomputation tables. */
if (!gen) {
for (i = 0; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_free(t0[i]);
}
}
for (i = 0; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_free(t1[i]);
}
}
}