void fp2_inv(fp2_t c, fp2_t a) {
fp_t t0, t1;
fp_null(t0);
fp_null(t1);
TRY {
fp_new(t0);
fp_new(t1);
/* t0 = a_0^2, t1 = a_1^2. */
fp_sqr(t0, a[0]);
fp_sqr(t1, a[1]);
/* t1 = 1/(a_0^2 + a_1^2). */
#ifndef FP_QNRES
if (fp_prime_get_qnr() != -1) {
if (fp_prime_get_qnr() == -2) {
fp_dbl(t1, t1);
fp_add(t0, t0, t1);
} else {
if (fp_prime_get_qnr() < 0) {
fp_mul_dig(t1, t1, -fp_prime_get_qnr());
fp_add(t0, t0, t1);
} else {
fp_mul_dig(t1, t1, fp_prime_get_qnr());
fp_sub(t0, t0, t1);
}
}
} else {
fp_add(t0, t0, t1);
}
#else
fp_add(t0, t0, t1);
#endif
fp_inv(t1, t0);
/* c_0 = a_0/(a_0^2 + a_1^2). */
fp_mul(c[0], a[0], t1);
/* c_1 = - a_1/(a_0^2 + a_1^2). */
fp_mul(c[1], a[1], t1);
fp_neg(c[1], c[1]);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp_free(t0);
fp_free(t1);
}
}
void ep_rhs(fp_t rhs, const ep_t p) {
fp_t t0;
fp_t t1;
fp_null(t0);
fp_null(t1);
TRY {
fp_new(t0);
fp_new(t1);
/* t0 = x1^2. */
fp_sqr(t0, p->x);
/* t1 = x1^3. */
fp_mul(t1, t0, p->x);
/* t1 = x1^3 + a * x1 + b. */
switch (ep_curve_opt_a()) {
case OPT_ZERO:
break;
case OPT_ONE:
fp_add(t1, t1, p->x);
break;
#if FP_RDC != MONTY
case OPT_DIGIT:
fp_mul_dig(t0, p->x, ep_curve_get_a()[0]);
fp_add(t1, t1, t0);
break;
#endif
default:
fp_mul(t0, p->x, ep_curve_get_a());
fp_add(t1, t1, t0);
break;
}
switch (ep_curve_opt_b()) {
case OPT_ZERO:
break;
case OPT_ONE:
fp_add_dig(t1, t1, 1);
break;
#if FP_RDC != MONTY
case OPT_DIGIT:
fp_add_dig(t1, t1, ep_curve_get_b()[0]);
break;
#endif
default:
fp_add(t1, t1, ep_curve_get_b());
break;
}
fp_copy(rhs, t1);
} CATCH_ANY {
THROW(ERR_CAUGHT);
} FINALLY {
fp_free(t0);
fp_free(t1);
}
}
/**
* Doubles a point represented in projective coordinates on an ordinary prime
* elliptic curve.
*
* @param r - the result.
* @param p - the point to double.
*/
static void ep_dbl_projc_imp(ep_t r, const ep_t p) {
fp_t t0, t1, t2, t3, t4, t5;
fp_null(t1);
fp_null(t2);
fp_null(t3);
fp_null(t4);
fp_null(t5);
TRY {
fp_new(t0);
fp_new(t1);
fp_new(t2);
fp_new(t3);
fp_new(t4);
fp_new(t5);
if (!p->norm && ep_curve_opt_a() == OPT_MINUS3) {
/* dbl-2001-b formulas: 3M + 5S + 8add + 1*4 + 2*8 + 1*3 */
/* http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b */
/* t0 = delta = z1^2. */
fp_sqr(t0, p->z);
/* t1 = gamma = y1^2. */
fp_sqr(t1, p->y);
/* t2 = beta = x1 * y1^2. */
fp_mul(t2, p->x, t1);
/* t3 = alpha = 3 * (x1 - z1^2) * (x1 + z1^2). */
fp_sub(t3, p->x, t0);
fp_add(t4, p->x, t0);
fp_mul(t4, t3, t4);
fp_dbl(t3, t4);
fp_add(t3, t3, t4);
/* x3 = alpha^2 - 8 * beta. */
fp_dbl(t2, t2);
fp_dbl(t2, t2);
fp_dbl(t5, t2);
fp_sqr(r->x, t3);
fp_sub(r->x, r->x, t5);
/* z3 = (y1 + z1)^2 - gamma - delta. */
fp_add(r->z, p->y, p->z);
fp_sqr(r->z, r->z);
fp_sub(r->z, r->z, t1);
fp_sub(r->z, r->z, t0);
/* y3 = alpha * (4 * beta - x3) - 8 * gamma^2. */
fp_dbl(t1, t1);
fp_sqr(t1, t1);
fp_dbl(t1, t1);
fp_sub(r->y, t2, r->x);
fp_mul(r->y, r->y, t3);
fp_sub(r->y, r->y, t1);
} else if (ep_curve_opt_a() == OPT_ZERO) {
/* dbl-2009-l formulas: 2M + 5S + 6add + 1*8 + 3*2 + 1*3. */
/* http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l */
/* A = X1^2 */
fp_sqr(t0, p->x);
/* B = Y1^2 */
fp_sqr(t1, p->y);
/* C = B^2 */
fp_sqr(t2, t1);
/* D = 2*((X1+B)^2-A-C) */
fp_add(t1, t1, p->x);
fp_sqr(t1, t1);
fp_sub(t1, t1, t0);
fp_sub(t1, t1, t2);
fp_dbl(t1, t1);
/* E = 3*A */
fp_dbl(t3, t0);
fp_add(t0, t3, t0);
/* F = E^2 */
fp_sqr(t3, t0);
/* Z3 = 2*Y1*Z1 */
fp_mul(r->z, p->y, p->z);
fp_dbl(r->z, r->z);
/* X3 = F-2*D */
fp_sub(r->x, t3, t1);
fp_sub(r->x, r->x, t1);
/* Y3 = E*(D-X3)-8*C */
fp_sub(r->y, t1, r->x);
fp_mul(r->y, r->y, t0);
fp_dbl(t2, t2);
fp_dbl(t2, t2);
fp_dbl(t2, t2);
fp_sub(r->y, r->y, t2);
} else {
/* dbl-2007-bl formulas: 1M + 8S + 1*a + 10add + 1*8 + 2*2 + 1*3 */
/* http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-2007-bl */
/* t0 = x1^2, t1 = y1^2, t2 = y1^4. */
fp_sqr(t0, p->x);
fp_sqr(t1, p->y);
fp_sqr(t2, t1);
if (!p->norm) {
/* t3 = z1^2. */
fp_sqr(t3, p->z);
if (ep_curve_get_a() == OPT_ZERO) {
/* z3 = 2 * y1 * z1. */
fp_mul(r->z, p->y, p->z);
fp_dbl(r->z, r->z);
} else {
/* z3 = (y1 + z1)^2 - y1^2 - z1^2. */
fp_add(r->z, p->y, p->z);
fp_sqr(r->z, r->z);
fp_sub(r->z, r->z, t1);
fp_sub(r->z, r->z, t3);
}
} else {
/* z3 = 2 * y1. */
fp_dbl(r->z, p->y);
}
/* t4 = S = 2*((x1 + y1^2)^2 - x1^2 - y1^4). */
fp_add(t4, p->x, t1);
fp_sqr(t4, t4);
fp_sub(t4, t4, t0);
fp_sub(t4, t4, t2);
fp_dbl(t4, t4);
/* t5 = M = 3 * x1^2 + a * z1^4. */
fp_dbl(t5, t0);
fp_add(t5, t5, t0);
if (!p->norm) {
fp_sqr(t3, t3);
switch (ep_curve_opt_a()) {
case OPT_ZERO:
break;
case OPT_ONE:
fp_add(t5, t5, ep_curve_get_a());
break;
case OPT_DIGIT:
fp_mul_dig(t1, t3, ep_curve_get_a()[0]);
fp_add(t5, t5, t1);
break;
default:
fp_mul(t1, ep_curve_get_a(), t3);
fp_add(t5, t5, t1);
break;
}
} else {
switch (ep_curve_opt_a()) {
case OPT_ZERO:
break;
case OPT_ONE:
fp_add_dig(t5, t5, (dig_t)1);
break;
case OPT_DIGIT:
fp_add_dig(t5, t5, ep_curve_get_a()[0]);
break;
default:
fp_add(t5, t5, ep_curve_get_a());
break;
}
}
/* x3 = T = M^2 - 2 * S. */
fp_sqr(r->x, t5);
fp_dbl(t1, t4);
fp_sub(r->x, r->x, t1);
/* y3 = M * (S - T) - 8 * y1^4. */
fp_dbl(t2, t2);
fp_dbl(t2, t2);
fp_dbl(t2, t2);
fp_sub(t4, t4, r->x);
fp_mul(t5, t5, t4);
fp_sub(r->y, t5, t2);
}
r->norm = 0;
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp_free(t0);
fp_free(t1);
fp_free(t2);
fp_free(t3);
fp_free(t4);
fp_free(t5);
}
}
