void pp_dbl_k12_basic(fp12_t l, ep2_t r, ep2_t q, ep_t p) {
fp2_t s;
ep2_t t;
int one = 1, zero = 0;
fp2_null(s);
ep2_null(t);
TRY {
fp2_new(s);
ep2_new(t);
ep2_copy(t, q);
ep2_dbl_slp_basic(r, s, q);
fp12_zero(l);
if (ep2_curve_is_twist() == EP_MTYPE) {
one ^= 1;
zero ^= 1;
}
fp_mul(l[one][zero][0], s[0], p->x);
fp_mul(l[one][zero][1], s[1], p->x);
fp2_mul(l[one][one], s, t->x);
fp2_sub(l[one][one], t->y, l[one][one]);
fp_copy(l[zero][zero][0], p->y);
} CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp2_free(s);
ep2_free(t);
}
}
/**
* Compute the final lines for optimal ate pairings.
*
* @param[out] r - the result.
* @param[out] t - the resulting point.
* @param[in] q - the first point of the pairing, in G_2.
* @param[in] p - the second point of the pairing, in G_1.
* @param[in] a - the loop parameter.
*/
static void pp_fin_k12_oatep(fp12_t r, ep2_t t, ep2_t q, ep_t p) {
ep2_t q1, q2;
fp12_t tmp;
fp12_null(tmp);
ep2_null(q1);
ep2_null(q2);
TRY {
ep2_new(q1);
ep2_new(q2);
fp12_new(tmp);
fp12_zero(tmp);
fp2_set_dig(q1->z, 1);
fp2_set_dig(q2->z, 1);
ep2_frb(q1, q, 1);
ep2_frb(q2, q, 2);
ep2_neg(q2, q2);
pp_add_k12(tmp, t, q1, p);
fp12_mul_dxs(r, r, tmp);
pp_add_k12(tmp, t, q2, p);
fp12_mul_dxs(r, r, tmp);
} CATCH_ANY {
THROW(ERR_CAUGHT);
} FINALLY {
fp12_free(tmp);
ep2_free(q1);
ep2_free(q2);
}
}
/**
* Compute the Miller loop for pairings of type G_2 x G_1 over the bits of a
* given parameter.
*
* @param[out] r - the result.
* @param[out] t - the resulting point.
* @param[in] q - the first pairing argument in affine coordinates.
* @param[in] p - the second pairing argument in affine coordinates.
* @param[in] n - the number of pairings to evaluate.
* @param[in] a - the loop parameter.
*/
static void pp_mil_k12(fp12_t r, ep2_t *t, ep2_t *q, ep_t *p, int m, bn_t a) {
fp12_t l;
ep_t _p[m];
int i, j;
if (m == 0) {
return;
}
fp12_null(l);
TRY {
fp12_new(l);
for (j = 0; j < m; j++) {
ep_null(_p[j]);
ep_new(_p[j]);
#if EP_ADD == BASIC
ep_neg(_p[j], p[i]);
#else
fp_add(_p[j]->x, p[j]->x, p[j]->x);
fp_add(_p[j]->x, _p[j]->x, p[j]->x);
fp_neg(_p[j]->y, p[j]->y);
#endif
ep2_copy(t[j], q[j]);
}
fp12_zero(l);
/* Precomputing. */
pp_dbl_k12(r, t[0], t[0], _p[0]);
if (bn_get_bit(a, bn_bits(a) - 2)) {
for (j = 0; j < m; j++) {
pp_add_k12(l, t[j], q[j], p[j]);
fp12_mul_dxs(r, r, l);
}
}
for (i = bn_bits(a) - 3; i >= 0; i--) {
fp12_sqr(r, r);
for (j = 0; j < m; j++) {
pp_dbl_k12(l, t[j], t[j], _p[j]);
fp12_mul_dxs(r, r, l);
if (bn_get_bit(a, i)) {
pp_add_k12(l, t[j], q[j], p[j]);
fp12_mul_dxs(r, r, l);
}
}
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp12_free(l);
for (j = 0; j < m; j++) {
ep_free(_p[j]);
}
}
}
/**
* Compute the Miller loop for pairings of type G_1 x G_2 over the bits of a
* given parameter.
*
* @param[out] r - the result.
* @param[out] t - the resulting point.
* @param[in] p - the first pairing argument in affine coordinates.
* @param[in] q - the second pairing argument in affine coordinates.
* @param[in] n - the number of pairings to evaluate.
* @param[in] a - the loop parameter.
*/
static void pp_mil_lit_k12(fp12_t r, ep_t *t, ep_t *p, ep2_t *q, int m, bn_t a) {
fp12_t l;
ep2_t _q[m];
int j;
fp12_null(l);
TRY {
fp12_new(l);
for (j = 0; j < m; j++) {
ep2_null(_q[j]);
ep2_new(_q[j]);
ep_copy(t[j], p[j]);
ep2_neg(_q[j], q[j]);
}
fp12_zero(l);
for (int i = bn_bits(a) - 2; i >= 0; i--) {
fp12_sqr(r, r);
for (j = 0; j < m; j++) {
pp_dbl_lit_k12(l, t[j], t[j], _q[j]);
fp12_mul(r, r, l);
if (bn_get_bit(a, i)) {
pp_add_lit_k12(l, t[j], p[j], q[j]);
fp12_mul(r, r, l);
}
}
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp12_free(l);
for (j = 0; j < m; j++) {
ep2_free(_q[j]);
}
}
}
void fp12_set_dig(fp12_t a, dig_t b) {
fp12_zero(a);
fp_set_dig(a[0][0][0], b);
}
/**
* Compute the Miller loop for pairings of type G_2 x G_1 over the bits of a
* given parameter represented in sparse form.
*
* @param[out] r - the result.
* @param[out] t - the resulting point.
* @param[in] q - the vector of first arguments in affine coordinates.
* @param[in] p - the vector of second arguments in affine coordinates.
* @param[in] n - the number of pairings to evaluate.
* @param[in] s - the loop parameter in sparse form.
* @paramin] len - the length of the loop parameter.
*/
static void pp_mil_sps_k12(fp12_t r, ep2_t *t, ep2_t *q, ep_t *p, int m, int *s,
int len) {
fp12_t l;
ep_t _p[m];
ep2_t _q[m];
int i, j;
if (m == 0) {
return;
}
fp12_null(l);
TRY {
fp12_new(l);
fp12_zero(l);
for (j = 0; j < m; j++) {
ep_null(_p[j]);
ep2_null(_q[j]);
ep_new(_p[j]);
ep2_new(_q[j]);
ep2_copy(t[j], q[j]);
ep2_neg(_q[j], q[j]);
#if EP_ADD == BASIC
ep_neg(_p[j], p[j]);
#else
fp_add(_p[j]->x, p[j]->x, p[j]->x);
fp_add(_p[j]->x, _p[j]->x, p[j]->x);
fp_neg(_p[j]->y, p[j]->y);
#endif
}
pp_dbl_k12(r, t[0], t[0], _p[0]);
for (j = 1; j < m; j++) {
pp_dbl_k12(l, t[j], t[j], _p[j]);
fp12_mul_dxs(r, r, l);
}
if (s[len - 2] > 0) {
for (j = 0; j < m; j++) {
pp_add_k12(l, t[j], q[j], p[j]);
fp12_mul_dxs(r, r, l);
}
}
if (s[len - 2] < 0) {
for (j = 0; j < m; j++) {
pp_add_k12(l, t[j], _q[j], p[j]);
fp12_mul_dxs(r, r, l);
}
}
for (i = len - 3; i >= 0; i--) {
fp12_sqr(r, r);
for (j = 0; j < m; j++) {
pp_dbl_k12(l, t[j], t[j], _p[j]);
fp12_mul_dxs(r, r, l);
if (s[i] > 0) {
pp_add_k12(l, t[j], q[j], p[j]);
fp12_mul_dxs(r, r, l);
}
if (s[i] < 0) {
pp_add_k12(l, t[j], _q[j], p[j]);
fp12_mul_dxs(r, r, l);
}
}
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp12_free(l);
for (j = 0; j < m; j++) {
ep_free(_p[j]);
ep2_free(_q[j]);
}
}
}
