static void e_miller_proj(element_t res, element_t P,
element_ptr QR, element_ptr R,
e_pairing_data_ptr p) {
//collate divisions
int n;
element_t v, vd;
element_t v1, vd1;
element_t Z, Z1;
element_t a, b, c;
const element_ptr cca = curve_a_coeff(P);
element_t e0, e1;
const element_ptr e2 = a, e3 = b;
element_t z, z2;
int i;
element_ptr Zx, Zy;
const element_ptr Px = curve_x_coord(P);
const element_ptr numx = curve_x_coord(QR);
const element_ptr numy = curve_y_coord(QR);
const element_ptr denomx = curve_x_coord(R);
const element_ptr denomy = curve_y_coord(R);
//convert Z from weighted projective (Jacobian) to affine
//i.e. (X, Y, Z) --> (X/Z^2, Y/Z^3)
//also sets z to 1
#define to_affine() { \
element_invert(z, z); \
element_square(e0, z); \
element_mul(Zx, Zx, e0); \
element_mul(e0, e0, z); \
element_mul(Zy, Zy, e0); \
element_set1(z); \
element_set1(z2); \
}
#define proj_double() { \
const element_ptr x = Zx; \
const element_ptr y = Zy; \
/* e0 = 3x^2 + (cc->a) z^4 */ \
element_square(e0, x); \
/* element_mul_si(e0, e0, 3); */ \
element_double(e1, e0); \
element_add(e0, e0, e1); \
element_square(e1, z2); \
element_mul(e1, e1, cca); \
element_add(e0, e0, e1); \
\
/* z_out = 2 y z */ \
element_mul(z, y, z); \
/* element_mul_si(z, z, 2); */ \
element_double(z, z); \
element_square(z2, z); \
\
/* e1 = 4 x y^2 */ \
element_square(e2, y); \
element_mul(e1, x, e2); \
/* element_mul_si(e1, e1, 4); */ \
element_double(e1, e1); \
element_double(e1, e1); \
\
/* x_out = e0^2 - 2 e1 */ \
/* element_mul_si(e3, e1, 2); */ \
element_double(e3, e1); \
element_square(x, e0); \
element_sub(x, x, e3); \
\
/* e2 = 8y^4 */ \
element_square(e2, e2); \
/* element_mul_si(e2, e2, 8); */ \
element_double(e2, e2); \
element_double(e2, e2); \
element_double(e2, e2); \
\
/* y_out = e0(e1 - x_out) - e2 */ \
element_sub(e1, e1, x); \
element_mul(e0, e0, e1); \
element_sub(y, e0, e2); \
}
#define do_tangent(e, edenom) { \
/* a = -(3x^2 + cca z^4) */ \
/* b = 2 y z^3 */ \
/* c = -(2 y^2 + x a) */ \
/* a = z^2 a */ \
element_square(a, z2); \
element_mul(a, a, cca); \
element_square(b, Zx); \
/* element_mul_si(b, b, 3); */ \
element_double(e0, b); \
element_add(b, b, e0); \
element_add(a, a, b); \
element_neg(a, a); \
\
/* element_mul_si(e0, Zy, 2); */ \
element_double(e0, Zy); \
element_mul(b, e0, z2); \
element_mul(b, b, z); \
\
element_mul(c, Zx, a); \
element_mul(a, a, z2); \
element_mul(e0, e0, Zy); \
element_add(c, c, e0); \
element_neg(c, c); \
\
element_mul(e0, a, numx); \
element_mul(e1, b, numy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul(e, e, e0); \
\
element_mul(e0, a, denomx); \
element_mul(e1, b, denomy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul(edenom, edenom, e0); \
}
#define do_vertical(e, edenom, Ax) { \
element_mul(e0, numx, z2); \
element_sub(e0, e0, Ax); \
element_mul(e, e, e0); \
\
element_mul(e0, denomx, z2); \
element_sub(e0, e0, Ax); \
element_mul(edenom, edenom, e0); \
}
#define do_line(e, edenom, A, B) { \
element_ptr Ax = curve_x_coord(A); \
element_ptr Ay = curve_y_coord(A); \
element_ptr Bx = curve_x_coord(B); \
element_ptr By = curve_y_coord(B); \
\
element_sub(b, Bx, Ax); \
element_sub(a, Ay, By); \
element_mul(c, Ax, By); \
element_mul(e0, Ay, Bx); \
element_sub(c, c, e0); \
\
element_mul(e0, a, numx); \
element_mul(e1, b, numy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul(e, e, e0); \
\
element_mul(e0, a, denomx); \
element_mul(e1, b, denomy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul(edenom, edenom, e0); \
}
element_init(a, res->field);
element_init(b, res->field);
element_init(c, res->field);
element_init(e0, res->field);
element_init(e1, res->field);
element_init(z, res->field);
element_init(z2, res->field);
element_set1(z);
element_set1(z2);
element_init(v, res->field);
element_init(vd, res->field);
element_init(v1, res->field);
element_init(vd1, res->field);
element_init(Z, P->field);
element_init(Z1, P->field);
element_set(Z, P);
Zx = curve_x_coord(Z);
Zy = curve_y_coord(Z);
element_set1(v);
element_set1(vd);
element_set1(v1);
element_set1(vd1);
n = p->exp1;
for (i=0; i<n; i++) {
element_square(v, v);
element_square(vd, vd);
do_tangent(v, vd);
proj_double();
do_vertical(vd, v, Zx);
}
to_affine();
if (p->sign1 < 0) {
element_set(v1, vd);
element_set(vd1, v);
do_vertical(vd1, v1, Zx);
element_neg(Z1, Z);
} else {
element_set(v1, v);
element_set(vd1, vd);
element_set(Z1, Z);
}
n = p->exp2;
for (; i<n; i++) {
element_square(v, v);
element_square(vd, vd);
do_tangent(v, vd);
proj_double();
do_vertical(vd, v, Zx);
}
to_affine();
element_mul(v, v, v1);
element_mul(vd, vd, vd1);
do_line(v, vd, Z, Z1);
element_add(Z, Z, Z1);
do_vertical(vd, v, Zx);
if (p->sign0 > 0) {
do_vertical(v, vd, Px);
}
element_invert(vd, vd);
element_mul(res, v, vd);
element_clear(v);
element_clear(vd);
element_clear(v1);
element_clear(vd1);
element_clear(z);
element_clear(z2);
element_clear(Z);
element_clear(Z1);
element_clear(a);
element_clear(b);
element_clear(c);
element_clear(e0);
element_clear(e1);
#undef to_affine
#undef proj_double
#undef do_tangent
#undef do_vertical
#undef do_line
}
// Miller's algorithm, assuming we can ignore the denominator. We can do this
// with careful group selection when the embedding degree is even. See thesis.
// This version uses projective coordinates, which don't seem much faster.
static void cc_miller_no_denom_proj(element_t res, mpz_t q, element_t P,
element_ptr Qx, element_ptr Qy) {
mp_bitcnt_t m;
element_t v;
element_t Z;
element_t a, b, c;
element_t t0, t1;
element_ptr t2 = a, t3 = b, t4 = c;
element_t e0;
element_t z, z2;
element_ptr Zx, Zy;
const element_ptr curve_a = curve_a_coeff(P);
const element_ptr Px = curve_x_coord(P);
const element_ptr Py = curve_y_coord(P);
#define proj_double() { \
/* t0 = 3x^2 + (curve_a) z^4 */ \
element_square(t0, Zx); \
/* element_mul_si(t0, t0, 3); */ \
element_double(t1, t0); \
element_add(t0, t0, t1); \
element_square(t1, z2); \
element_mul(t1, t1, curve_a); \
element_add(t0, t0, t1); \
\
/* z_out = 2 y z */ \
element_mul(z, Zy, z); \
/* element_mul_si(z, z, 2); */ \
element_double(z, z); \
element_square(z2, z); \
\
/* t1 = 4 x y^2 */ \
element_square(t2, Zy); \
element_mul(t1, Zx, t2); \
/* element_mul_si(t1, t1, 4); */ \
element_double(t1, t1); \
element_double(t1, t1); \
\
/* x_out = t0^2 - 2 t1 */ \
/* element_mul_si(t3, t1, 2); */ \
element_double(t3, t1); \
element_square(Zx, t0); \
element_sub(Zx, Zx, t3); \
\
/* t2 = 8y^4 */ \
element_square(t2, t2); \
/* element_mul_si(t2, t2, 8); */ \
element_double(t2, t2); \
element_double(t2, t2); \
element_double(t2, t2); \
\
/* y_out = t0(t1 - x_out) - t2 */ \
element_sub(t1, t1, Zx); \
element_mul(t0, t0, t1); \
element_sub(Zy, t0, t2); \
}
#define proj_mixin() { \
/* t2 = Px z^2 */ \
element_mul(t2, z2, Px); \
\
/* t3 = Zx - t2 */ \
element_sub(t3, Zx, t2); \
\
/* t0 = Py z^3 */ \
element_mul(t0, z2, Py); \
element_mul(t0, t0, z); \
\
/* t1 = Zy - t0 */ \
element_sub(t1, Zy, t0); \
\
/* e7 = Zx + t2, use t2 to double for e7 */ \
element_add(t2, Zx, t2); \
\
/* e8 = Zy + t0, use t0 to double for e8 */ \
element_add(t0, Zy, t0); \
\
/* z = z t3 */ \
element_mul(z, z, t3); \
element_square(z2, z); \
\
/* Zx = t1^2 - e7 t3^2 */ \
/* t3 now holds t3^3, */ \
/* t4 holds e7 t3^2. */ \
element_square(t4, t3); \
element_mul(t3, t4, t3); \
element_square(Zx, t1); \
element_mul(t4, t2, t4); \
element_sub(Zx, Zx, t4); \
\
/* t4 = e7 t3^2 - 2 Zx */ \
element_sub(t4, t4, Zx); \
element_sub(t4, t4, Zx); \
\
/* Zy = (t4 t1 - e8 t3^3)/2 */ \
element_mul(t4, t4, t1); \
element_mul(t0, t0, t3); \
element_sub(t4, t4, t0); \
element_halve(Zy, t4); \
}
#define do_tangent() { \
/* a = -(3x^2 + cca z^4) */ \
/* b = 2 y z^3 */ \
/* c = -(2 y^2 + x a) */ \
/* a = z^2 a */ \
element_square(a, z2); \
element_mul(a, a, curve_a); \
element_square(b, Zx); \
/* element_mul_si(b, b, 3); */ \
element_double(t0, b); \
element_add(b, b, t0); \
element_add(a, a, b); \
element_neg(a, a); \
\
element_mul(b, z, z2); \
element_mul(b, b, Zy); \
element_mul_si(b, b, 2); \
\
element_mul(c, Zx, a); \
element_mul(a, a, z2); \
element_square(t0, Zy); \
element_mul_si(t0, t0, 2); \
element_add(c, c, t0); \
element_neg(c, c); \
\
d_miller_evalfn(e0, a, b, c, Qx, Qy); \
element_mul(v, v, e0); \
}
#define do_line() { \
/* a = -(Py z^3 - Zy) */ \
/* b = Px z^3 - Zx z */ \
/* c = Zx z Py - Zy Px; */ \
\
element_mul(t0, Zx, z); \
element_mul(t1, z2, z); \
\
element_mul(a, Py, t1); \
element_sub(a, Zy, a); \
\
element_mul(b, Px, t1); \
element_sub(b, b, t0); \
\
element_mul(t0, t0, Py); \
element_mul(c, Zy, Px); \
element_sub(c, t0, c); \
\
d_miller_evalfn(e0, a, b, c, Qx, Qy); \
element_mul(v, v, e0); \
}
element_init(a, Px->field);
element_init(b, a->field);
element_init(c, a->field);
element_init(t0, a->field);
element_init(t1, a->field);
element_init(e0, res->field);
element_init(z, a->field);
element_init(z2, a->field);
element_set1(z);
element_set1(z2);
element_init(v, res->field);
element_init(Z, P->field);
element_set(Z, P);
Zx = curve_x_coord(Z);
Zy = curve_x_coord(Z);
element_set1(v);
m = (mp_bitcnt_t)mpz_sizeinbase(q, 2);
m = (m > 2 ? m - 2 : 0);
for(;;) {
do_tangent();
if (!m) break;
proj_double();
if (mpz_tstbit(q, m)) {
do_line();
proj_mixin();
}
m--;
element_square(v, v);
}
element_set(res, v);
element_clear(v);
element_clear(Z);
element_clear(a);
element_clear(b);
element_clear(c);
element_clear(t0);
element_clear(t1);
element_clear(e0);
element_clear(z);
element_clear(z2);
#undef proj_double
#undef proj_mixin
#undef do_tangent
#undef do_line
}
