void millertate(element_t z, element_t P, element_t Q)
{
element_t Z;
element_t z0;
element_init_same_as(Z, P);
element_init_same_as(z0, z);
element_set(Z, P);
do_tangent(z, Z, Q);
element_double(Z, Z);
do_vert(z0, Z, Q);
element_div(z, z, z0);
element_printf("presquare: z = %B\n", z);
element_square(z, z);
element_printf("square: z = %B\n", z);
do_tangent(z0, Z, Q);
element_mul(z, z, z0);
element_clear(z0);
element_clear(Z);
}
void miller(element_t z, element_t PR, element_t R, element_t P, element_t Q)
{
int m = mpz_sizeinbase(order, 2) - 2;
element_t Z;
element_t z1;
element_t x1;
element_init_same_as(Z, PR);
element_set(Z, P);
element_set1(z);
element_init_same_as(z1, z);
element_init_same_as(x1, z);
do_vert(x1, PR, Q);
element_printf("vert(P+R) %B\n", x1);
do_line(z1, P, R, Q);
element_printf("line(P,R) %B\n", z1);
element_div(x1, x1, z1);
element_printf("x1 %B\n", x1);
element_set(z, x1);
for (;;) {
printf("iteration %d: %d\n", m, mpz_tstbit(order,m));
element_square(z, z);
element_printf("squared: %B\n", z);
do_tangent(z1, Z, Q);
element_mul(z, z, z1);
element_double(Z, Z);
do_vert(z1, Z, Q);
element_div(z, z, z1);
element_printf("pre-if: %B\n", z);
if (mpz_tstbit(order, m)) {
element_mul(z, z, x1);
do_vert(z1, P, Q);
element_mul(z, z, z1);
element_printf("done %B\n", z);
/*
do_line(z1, Z, P, Q);
element_mul(z, z, z1);
element_add(Z, Z, P);
do_vert(z1, Z, Q);
element_div(z, z, z1);
*/
}
if (!m) break;
m--;
}
element_clear(x1);
element_clear(z1);
}
static void miller(element_t res, element_t P, element_ptr QR, element_ptr R, int n) {
// Collate divisions.
mp_bitcnt_t m;
element_t v, vd;
element_t Z;
element_t a, b, c;
const element_ptr cca = curve_a_coeff(P);
const element_ptr Px = curve_x_coord(P);
const element_ptr Py = curve_y_coord(P);
element_t e0, e1;
mpz_t q;
element_ptr Zx, Zy;
const element_ptr numx = curve_x_coord(QR);
const element_ptr numy = curve_y_coord(QR);
const element_ptr denomx = curve_x_coord(R);
const element_ptr denomy = curve_y_coord(R);
#define do_vertical(e, edenom) { \
element_sub(e0, numx, Zx); \
element_mul((e), (e), e0); \
\
element_sub(e0, denomx, Zx); \
element_mul((edenom), (edenom), e0); \
}
#define do_tangent(e, edenom) { \
/*a = -slope_tangent(A.x, A.y); \
b = 1; \
c = -(A.y + a * A.x); \
but we multiply by 2*A.y to avoid division*/ \
\
/*a = -Ax * (Ax + Ax + Ax + twicea_2) - a_4; \
Common curves: a2 = 0 (and cc->a is a_4), so \
a = -(3 Ax^2 + cc->a) \
b = 2 * Ay \
c = -(2 Ay^2 + a Ax); */ \
\
if (element_is0(Zy)) { \
do_vertical((e), (edenom)); \
} else { \
element_square(a, Zx); \
element_mul_si(a, a, 3); \
element_add(a, a, cca); \
element_neg(a, a); \
\
element_add(b, Zy, Zy); \
\
element_mul(e0, b, Zy); \
element_mul(c, a, Zx); \
element_add(c, c, e0); \
element_neg(c, c); \
\
element_mul(e0, a, numx); \
element_mul(e1, b, numy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul((e), (e), e0); \
\
element_mul(e0, a, denomx); \
element_mul(e1, b, denomy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul((edenom), (edenom), e0); \
} \
}
#define do_line(e, edenom) { \
if (!element_cmp(Zx, Px)) { \
if (!element_cmp(Zy, Py)) { \
do_tangent(e, edenom); \
} else { \
do_vertical(e, edenom); \
} \
} else { \
element_sub(b, Px, Zx); \
element_sub(a, Zy, Py); \
element_mul(c, Zx, Py); \
element_mul(e0, Zy, Px); \
element_sub(c, c, e0); \
\
element_mul(e0, a, numx); \
element_mul(e1, b, numy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul(e, e, e0); \
\
element_mul(e0, a, denomx); \
element_mul(e1, b, denomy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul(edenom, edenom, e0); \
} \
}
element_init(a, res->field);
element_init(b, res->field);
element_init(c, res->field);
element_init(e0, res->field);
element_init(e1, res->field);
element_init(v, res->field);
element_init(vd, res->field);
element_init(Z, P->field);
element_set(Z, P);
Zx = curve_x_coord(Z);
Zy = curve_y_coord(Z);
element_set1(v);
element_set1(vd);
mpz_init(q);
mpz_set_ui(q, n);
m = (mp_bitcnt_t)mpz_sizeinbase(q, 2);
m = (m > 2 ? m - 2 : 0);
for (;;) {
element_square(v, v);
element_square(vd, vd);
do_tangent(v, vd);
element_double(Z, Z);
do_vertical(vd, v);
if (mpz_tstbit(q, m)) {
do_line(v, vd);
element_add(Z, Z, P);
if (m) {
do_vertical(vd, v);
}
}
if (!m) break;
m--;
}
mpz_clear(q);
element_invert(vd, vd);
element_mul(res, v, vd);
element_clear(v);
element_clear(vd);
element_clear(Z);
element_clear(a);
element_clear(b);
element_clear(c);
element_clear(e0);
element_clear(e1);
#undef do_vertical
#undef do_tangent
#undef do_line
}
//TODO: the following code is useless as the Tate pairing is degenerate on singular curves
static void sn_miller(element_t res, mpz_t q, element_t P,
element_ptr Qx, element_ptr Qy) {
//collate divisions
int m;
element_t v, vd;
element_t Z;
element_t a, b, c;
element_t e0, e1;
element_ptr Zx;
element_ptr Zy;
const element_ptr Px = curve_x_coord(P);
const element_ptr Py = curve_y_coord(P);
#define do_vertical(e) \
element_sub(e0, Qx, Zx); \
element_mul(e, e, e0);
//a = -slope_tangent(Z.x, Z.y);
//b = 1;
//c = -(Z.y + a * Z.x);
//but we multiply by 2*Z.y to avoid division
//a = -Zx * (Zx + Zx + Zx + 2)
//b = 2 * Zy
//c = -(2 Zy^2 + a Zx);
#define do_tangent(e) \
element_double(e0, Zx); \
element_add(a, Zx, e0); \
element_set_si(e0, 2); \
element_add(a, a, e0); \
element_mul(a, a, Zx); \
element_neg(a, a); \
element_add(b, Zy, Zy); \
element_mul(e0, b, Zy); \
element_mul(c, a, Zx); \
element_add(c, c, e0); \
element_neg(c, c); \
element_mul(e0, a, Qx); \
element_mul(e1, b, Qy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul(e, e, e0);
//a = -(B.y - A.y) / (B.x - A.x);
//b = 1;
//c = -(A.y + a * A.x);
//but we'll multiply by B.x - A.x to avoid division
#define do_line(e) \
element_sub(b, Px, Zx); \
element_sub(a, Zy, Py); \
element_mul(e0, b, Zy); \
element_mul(c, a, Zx); \
element_add(c, c, e0); \
element_neg(c, c); \
element_mul(e0, a, Qx); \
element_mul(e1, b, Qy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul(e, e, e0);
element_init(a, Px->field);
element_init(b, Px->field);
element_init(c, Px->field);
element_init(e0, res->field);
element_init(e1, res->field);
element_init(v, res->field);
element_init(vd, res->field);
element_init(Z, P->field);
element_set(Z, P);
Zx = curve_x_coord(Z);
Zy = curve_y_coord(Z);
element_set1(v);
element_set1(vd);
m = mpz_sizeinbase(q, 2) - 2;
while(m >= 0) {
element_mul(v, v, v);
element_mul(vd, vd, vd);
do_tangent(v);
element_double(Z, Z);
do_vertical(vd);
if (mpz_tstbit(q, m)) {
do_line(v);
element_add(Z, Z, P);
do_vertical(vd);
}
m--;
}
#undef do_tangent
#undef do_vertical
#undef do_line
element_invert(vd, vd);
element_mul(res, v, vd);
element_clear(v);
element_clear(vd);
element_clear(Z);
element_clear(a);
element_clear(b);
element_clear(c);
element_clear(e0);
element_clear(e1);
}
static void e_miller_proj(element_t res, element_t P,
element_ptr QR, element_ptr R,
e_pairing_data_ptr p) {
//collate divisions
int n;
element_t v, vd;
element_t v1, vd1;
element_t Z, Z1;
element_t a, b, c;
const element_ptr cca = curve_a_coeff(P);
element_t e0, e1;
const element_ptr e2 = a, e3 = b;
element_t z, z2;
int i;
element_ptr Zx, Zy;
const element_ptr Px = curve_x_coord(P);
const element_ptr numx = curve_x_coord(QR);
const element_ptr numy = curve_y_coord(QR);
const element_ptr denomx = curve_x_coord(R);
const element_ptr denomy = curve_y_coord(R);
//convert Z from weighted projective (Jacobian) to affine
//i.e. (X, Y, Z) --> (X/Z^2, Y/Z^3)
//also sets z to 1
#define to_affine() { \
element_invert(z, z); \
element_square(e0, z); \
element_mul(Zx, Zx, e0); \
element_mul(e0, e0, z); \
element_mul(Zy, Zy, e0); \
element_set1(z); \
element_set1(z2); \
}
#define proj_double() { \
const element_ptr x = Zx; \
const element_ptr y = Zy; \
/* e0 = 3x^2 + (cc->a) z^4 */ \
element_square(e0, x); \
/* element_mul_si(e0, e0, 3); */ \
element_double(e1, e0); \
element_add(e0, e0, e1); \
element_square(e1, z2); \
element_mul(e1, e1, cca); \
element_add(e0, e0, e1); \
\
/* z_out = 2 y z */ \
element_mul(z, y, z); \
/* element_mul_si(z, z, 2); */ \
element_double(z, z); \
element_square(z2, z); \
\
/* e1 = 4 x y^2 */ \
element_square(e2, y); \
element_mul(e1, x, e2); \
/* element_mul_si(e1, e1, 4); */ \
element_double(e1, e1); \
element_double(e1, e1); \
\
/* x_out = e0^2 - 2 e1 */ \
/* element_mul_si(e3, e1, 2); */ \
element_double(e3, e1); \
element_square(x, e0); \
element_sub(x, x, e3); \
\
/* e2 = 8y^4 */ \
element_square(e2, e2); \
/* element_mul_si(e2, e2, 8); */ \
element_double(e2, e2); \
element_double(e2, e2); \
element_double(e2, e2); \
\
/* y_out = e0(e1 - x_out) - e2 */ \
element_sub(e1, e1, x); \
element_mul(e0, e0, e1); \
element_sub(y, e0, e2); \
}
#define do_tangent(e, edenom) { \
/* a = -(3x^2 + cca z^4) */ \
/* b = 2 y z^3 */ \
/* c = -(2 y^2 + x a) */ \
/* a = z^2 a */ \
element_square(a, z2); \
element_mul(a, a, cca); \
element_square(b, Zx); \
/* element_mul_si(b, b, 3); */ \
element_double(e0, b); \
element_add(b, b, e0); \
element_add(a, a, b); \
element_neg(a, a); \
\
/* element_mul_si(e0, Zy, 2); */ \
element_double(e0, Zy); \
element_mul(b, e0, z2); \
element_mul(b, b, z); \
\
element_mul(c, Zx, a); \
element_mul(a, a, z2); \
element_mul(e0, e0, Zy); \
element_add(c, c, e0); \
element_neg(c, c); \
\
element_mul(e0, a, numx); \
element_mul(e1, b, numy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul(e, e, e0); \
\
element_mul(e0, a, denomx); \
element_mul(e1, b, denomy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul(edenom, edenom, e0); \
}
#define do_vertical(e, edenom, Ax) { \
element_mul(e0, numx, z2); \
element_sub(e0, e0, Ax); \
element_mul(e, e, e0); \
\
element_mul(e0, denomx, z2); \
element_sub(e0, e0, Ax); \
element_mul(edenom, edenom, e0); \
}
#define do_line(e, edenom, A, B) { \
element_ptr Ax = curve_x_coord(A); \
element_ptr Ay = curve_y_coord(A); \
element_ptr Bx = curve_x_coord(B); \
element_ptr By = curve_y_coord(B); \
\
element_sub(b, Bx, Ax); \
element_sub(a, Ay, By); \
element_mul(c, Ax, By); \
element_mul(e0, Ay, Bx); \
element_sub(c, c, e0); \
\
element_mul(e0, a, numx); \
element_mul(e1, b, numy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul(e, e, e0); \
\
element_mul(e0, a, denomx); \
element_mul(e1, b, denomy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul(edenom, edenom, e0); \
}
element_init(a, res->field);
element_init(b, res->field);
element_init(c, res->field);
element_init(e0, res->field);
element_init(e1, res->field);
element_init(z, res->field);
element_init(z2, res->field);
element_set1(z);
element_set1(z2);
element_init(v, res->field);
element_init(vd, res->field);
element_init(v1, res->field);
element_init(vd1, res->field);
element_init(Z, P->field);
element_init(Z1, P->field);
element_set(Z, P);
Zx = curve_x_coord(Z);
Zy = curve_y_coord(Z);
element_set1(v);
element_set1(vd);
element_set1(v1);
element_set1(vd1);
n = p->exp1;
for (i=0; i<n; i++) {
element_square(v, v);
element_square(vd, vd);
do_tangent(v, vd);
proj_double();
do_vertical(vd, v, Zx);
}
to_affine();
if (p->sign1 < 0) {
element_set(v1, vd);
element_set(vd1, v);
do_vertical(vd1, v1, Zx);
element_neg(Z1, Z);
} else {
element_set(v1, v);
element_set(vd1, vd);
element_set(Z1, Z);
}
n = p->exp2;
for (; i<n; i++) {
element_square(v, v);
element_square(vd, vd);
do_tangent(v, vd);
proj_double();
do_vertical(vd, v, Zx);
}
to_affine();
element_mul(v, v, v1);
element_mul(vd, vd, vd1);
do_line(v, vd, Z, Z1);
element_add(Z, Z, Z1);
do_vertical(vd, v, Zx);
if (p->sign0 > 0) {
do_vertical(v, vd, Px);
}
element_invert(vd, vd);
element_mul(res, v, vd);
element_clear(v);
element_clear(vd);
element_clear(v1);
element_clear(vd1);
element_clear(z);
element_clear(z2);
element_clear(Z);
element_clear(Z1);
element_clear(a);
element_clear(b);
element_clear(c);
element_clear(e0);
element_clear(e1);
#undef to_affine
#undef proj_double
#undef do_tangent
#undef do_vertical
#undef do_line
}
static void e_miller_affine(element_t res, element_t P,
element_ptr QR, element_ptr R,
e_pairing_data_ptr p) {
//collate divisions
int n;
element_t v, vd;
element_t v1, vd1;
element_t Z, Z1;
element_t a, b, c;
element_t e0, e1;
const element_ptr Px = curve_x_coord(P);
const element_ptr cca = curve_a_coeff(P);
element_ptr Zx, Zy;
int i;
const element_ptr numx = curve_x_coord(QR);
const element_ptr numy = curve_y_coord(QR);
const element_ptr denomx = curve_x_coord(R);
const element_ptr denomy = curve_y_coord(R);
#define do_vertical(e, edenom, Ax) { \
element_sub(e0, numx, Ax); \
element_mul(e, e, e0); \
\
element_sub(e0, denomx, Ax); \
element_mul(edenom, edenom, e0); \
}
#define do_tangent(e, edenom) { \
/* a = -slope_tangent(A.x, A.y); */ \
/* b = 1; */ \
/* c = -(A.y + a * A.x); */ \
/* but we multiply by 2*A.y to avoid division */ \
\
/* a = -Ax * (Ax + Ax + Ax + twicea_2) - a_4; */ \
/* Common curves: a2 = 0 (and cc->a is a_4), so */ \
/* a = -(3 Ax^2 + cc->a) */ \
/* b = 2 * Ay */ \
/* c = -(2 Ay^2 + a Ax); */ \
\
element_square(a, Zx); \
element_mul_si(a, a, 3); \
element_add(a, a, cca); \
element_neg(a, a); \
\
element_add(b, Zy, Zy); \
\
element_mul(e0, b, Zy); \
element_mul(c, a, Zx); \
element_add(c, c, e0); \
element_neg(c, c); \
\
element_mul(e0, a, numx); \
element_mul(e1, b, numy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul(e, e, e0); \
\
element_mul(e0, a, denomx); \
element_mul(e1, b, denomy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul(edenom, edenom, e0); \
}
#define do_line(e, edenom, A, B) { \
element_ptr Ax = curve_x_coord(A); \
element_ptr Ay = curve_y_coord(A); \
element_ptr Bx = curve_x_coord(B); \
element_ptr By = curve_y_coord(B); \
\
element_sub(b, Bx, Ax); \
element_sub(a, Ay, By); \
element_mul(c, Ax, By); \
element_mul(e0, Ay, Bx); \
element_sub(c, c, e0); \
\
element_mul(e0, a, numx); \
element_mul(e1, b, numy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul(e, e, e0); \
\
element_mul(e0, a, denomx); \
element_mul(e1, b, denomy); \
element_add(e0, e0, e1); \
element_add(e0, e0, c); \
element_mul(edenom, edenom, e0); \
}
element_init(a, res->field);
element_init(b, res->field);
element_init(c, res->field);
element_init(e0, res->field);
element_init(e1, res->field);
element_init(v, res->field);
element_init(vd, res->field);
element_init(v1, res->field);
element_init(vd1, res->field);
element_init(Z, P->field);
element_init(Z1, P->field);
element_set(Z, P);
Zx = curve_x_coord(Z);
Zy = curve_y_coord(Z);
element_set1(v);
element_set1(vd);
element_set1(v1);
element_set1(vd1);
n = p->exp1;
for (i=0; i<n; i++) {
element_square(v, v);
element_square(vd, vd);
do_tangent(v, vd);
element_double(Z, Z);
do_vertical(vd, v, Zx);
}
if (p->sign1 < 0) {
element_set(v1, vd);
element_set(vd1, v);
do_vertical(vd1, v1, Zx);
element_neg(Z1, Z);
} else {
element_set(v1, v);
element_set(vd1, vd);
element_set(Z1, Z);
}
n = p->exp2;
for (; i<n; i++) {
element_square(v, v);
element_square(vd, vd);
do_tangent(v, vd);
element_double(Z, Z);
do_vertical(vd, v, Zx);
}
element_mul(v, v, v1);
element_mul(vd, vd, vd1);
do_line(v, vd, Z, Z1);
element_add(Z, Z, Z1);
do_vertical(vd, v, Zx);
if (p->sign0 > 0) {
do_vertical(v, vd, Px);
}
element_invert(vd, vd);
element_mul(res, v, vd);
element_clear(v);
element_clear(vd);
element_clear(v1);
element_clear(vd1);
element_clear(Z);
element_clear(Z1);
element_clear(a);
element_clear(b);
element_clear(c);
element_clear(e0);
element_clear(e1);
#undef do_vertical
#undef do_tangent
#undef do_line
}
static void cc_miller_no_denom(element_t res, mpz_t q, element_t P,
element_ptr Qx, element_ptr Qy, element_t negalpha) {
mp_bitcnt_t m;
element_t v;
element_t Z;
element_t a, b, c;
element_t t0;
element_t e0, e1;
element_ptr Zx, Zy;
const element_ptr Px = curve_x_coord(P);
const element_ptr Py = curve_y_coord(P);
#define do_term(i, j, k, flag) { \
element_ptr e2; \
e2 = element_item(e0, i); \
element_mul(e1, element_item(v, j), Qx); \
if (flag == 1) element_mul(e1, e1, negalpha); \
element_mul(element_x(e1), element_x(e1), a); \
element_mul(element_y(e1), element_y(e1), a); \
element_mul(e2, element_item(v, k), Qy); \
element_mul(element_x(e2), element_x(e2), b); \
element_mul(element_y(e2), element_y(e2), b); \
element_add(e2, e2, e1); \
if (flag == 2) element_mul(e2, e2, negalpha); \
element_mul(element_x(e1), element_x(element_item(v, i)), c); \
element_mul(element_y(e1), element_y(element_item(v, i)), c); \
element_add(e2, e2, e1); \
}
// a, b, c lie in Fq
// Qx, Qy lie in Fq^2
// Qx is coefficient of x^4
// Qy is coefficient of x^3
//
// computes v *= (a Qx x^4 + b Qy x^3 + c)
//
// recall x^6 = -alpha thus
// x^4 (u0 + u1 x^1 + ... + u5 x^5) =
// u0 x^4 + u1 x^5
// - alpha u2 - alpha u3 x - alpha u4 x^2 - alpha u5 x^3
// and
// x^4 (u0 + u1 x^1 + ... + u5 x^5) =
// u0 x^3 + u1 x^4 + u2 x^5
// - alpha u3 - alpha u4 x - alpha u5 x^2
#define f_miller_evalfn() { \
do_term(0, 2, 3, 2); \
do_term(1, 3, 4, 2); \
do_term(2, 4, 5, 2); \
do_term(3, 5, 0, 1); \
do_term(4, 0, 1, 0); \
do_term(5, 1, 2, 0); \
element_set(v, e0); \
}
/*
element_ptr e1;
e1 = element_item(e0, 4);
element_mul(element_x(e1), element_x(Qx), a);
element_mul(element_y(e1), element_y(Qx), a);
e1 = element_item(e0, 3);
element_mul(element_x(e1), element_x(Qy), b);
element_mul(element_y(e1), element_y(Qy), b);
element_set(element_x(element_item(e0, 0)), c);
element_mul(v, v, e0);
*/
//a = -3 Zx^2 since cc->a is 0 for D = 3
//b = 2 * Zy
//c = -(2 Zy^2 + a Zx);
#define do_tangent() { \
element_square(a, Zx); \
element_mul_si(a, a, 3); \
element_neg(a, a); \
\
element_add(b, Zy, Zy); \
\
element_mul(t0, b, Zy); \
element_mul(c, a, Zx); \
element_add(c, c, t0); \
element_neg(c, c); \
\
f_miller_evalfn(); \
}
//a = -(B.y - A.y) / (B.x - A.x);
//b = 1;
//c = -(A.y + a * A.x);
//but we'll multiply by B.x - A.x to avoid division
#define do_line() { \
element_sub(b, Px, Zx); \
element_sub(a, Zy, Py); \
element_mul(t0, b, Zy); \
element_mul(c, a, Zx); \
element_add(c, c, t0); \
element_neg(c, c); \
\
f_miller_evalfn(); \
}
element_init(a, Px->field);
element_init(b, a->field);
element_init(c, a->field);
element_init(t0, a->field);
element_init(e0, res->field);
element_init(e1, Qx->field);
element_init(v, res->field);
element_init(Z, P->field);
element_set(Z, P);
Zx = curve_x_coord(Z);
Zy = curve_y_coord(Z);
element_set1(v);
m = (mp_bitcnt_t)mpz_sizeinbase(q, 2);
m = (m > 2 ? m - 2 : 0);
//TODO: sliding NAF
for(;;) {
do_tangent();
if (!m) break;
element_double(Z, Z);
if (mpz_tstbit(q, m)) {
do_line();
element_add(Z, Z, P);
}
m--;
element_square(v, v);
}
element_set(res, v);
element_clear(v);
element_clear(Z);
element_clear(a);
element_clear(b);
element_clear(c);
element_clear(t0);
element_clear(e0);
element_clear(e1);
#undef do_term
#undef f_miller_evalfn
#undef do_tangent
#undef do_line
}
static void d_pairing_pp_init(pairing_pp_t p, element_ptr in1, pairing_t pairing) {
element_ptr P = in1;
const element_ptr Px = curve_x_coord(P);
const element_ptr Py = curve_y_coord(P);
element_t Z;
mp_bitcnt_t m;
pptr info = pairing->data;
element_t t0;
element_t a, b, c;
field_ptr Fq = info->Fq;
pp_coeff_t *coeff;
mpz_ptr q = pairing->r;
pp_coeff_ptr pp;
const element_ptr cca = curve_a_coeff(P);
element_ptr Zx;
element_ptr Zy;
#define store_abc() { \
element_init(pp->a, Fq); \
element_init(pp->b, Fq); \
element_init(pp->c, Fq); \
element_set(pp->a, a); \
element_set(pp->b, b); \
element_set(pp->c, c); \
pp++; \
}
#define do_tangent() { \
/* a = -slope_tangent(Z.x, Z.y); */ \
/* b = 1; */ \
/* c = -(Z.y + a * Z.x); */ \
/* but we multiply by 2*Z.y to avoid division. */ \
\
/* a = -Zx * (3 Zx + twicea_2) - a_4; */ \
/* Common curves: a2 = 0 (and cc->a is a_4), so */ \
/* a = -(3 Zx^2 + cc->a) */ \
/* b = 2 * Zy */ \
/* c = -(2 Zy^2 + a Zx); */ \
\
element_square(a, Zx); \
element_double(t0, a); \
element_add(a, a, t0); \
element_add(a, a, cca); \
element_neg(a, a); \
\
element_add(b, Zy, Zy); \
\
element_mul(t0, b, Zy); \
element_mul(c, a, Zx); \
element_add(c, c, t0); \
element_neg(c, c); \
\
store_abc(); \
}
#define do_line() { \
/* a = -(B.y - A.y) / (B.x - A.x); */ \
/* b = 1; */ \
/* c = -(A.y + a * A.x); */ \
/* but we'll multiply by B.x - A.x to avoid division */ \
\
element_sub(b, Px, Zx); \
element_sub(a, Zy, Py); \
element_mul(t0, b, Zy); \
element_mul(c, a, Zx); \
element_add(c, c, t0); \
element_neg(c, c); \
\
store_abc(); \
}
element_init(Z, P->field);
element_set(Z, P);
Zx = curve_x_coord(Z);
Zy = curve_y_coord(Z);
element_init(t0, Fq);
element_init(a, Fq);
element_init(b, Fq);
element_init(c, Fq);
m = (mp_bitcnt_t)mpz_sizeinbase(q, 2);
m = (m > 2 ? m - 2 : 0);
p->data = pbc_malloc(sizeof(pp_coeff_t) * 2 * m);
coeff = (pp_coeff_t *) p->data;
pp = coeff[0];
for(;;) {
do_tangent();
if (!m) break;
element_double(Z, Z);
if (mpz_tstbit(q, m)) {
do_line();
element_add(Z, Z, P);
}
m--;
}
element_clear(t0);
element_clear(a);
element_clear(b);
element_clear(c);
element_clear(Z);
#undef store_abc
#undef do_tangent
#undef do_line
}
// Same as above, but with affine coordinates.
static void cc_miller_no_denom_affine(element_t res, mpz_t q, element_t P,
element_ptr Qx, element_ptr Qy) {
mp_bitcnt_t m;
element_t v;
element_t Z;
element_t a, b, c;
element_t t0;
element_t e0;
const element_ptr cca = curve_a_coeff(P);
const element_ptr Px = curve_x_coord(P);
const element_ptr Py = curve_y_coord(P);
element_ptr Zx, Zy;
/* TODO: when exactly is this not needed?
void do_vertical() {
mapbase(e0, Z->x);
element_sub(e0, Qx, e0);
element_mul(v, v, e0);
}
*/
#define do_tangent() { \
/* a = -(3 Zx^2 + cc->a) */ \
/* b = 2 * Zy */ \
/* c = -(2 Zy^2 + a Zx); */ \
\
element_square(a, Zx); \
element_mul_si(a, a, 3); \
element_add(a, a, cca); \
element_neg(a, a); \
\
element_add(b, Zy, Zy); \
\
element_mul(t0, b, Zy); \
element_mul(c, a, Zx); \
element_add(c, c, t0); \
element_neg(c, c); \
\
d_miller_evalfn(e0, a, b, c, Qx, Qy); \
element_mul(v, v, e0); \
}
#define do_line() { \
/* a = -(B.y - A.y) / (B.x - A.x); */ \
/* b = 1; */ \
/* c = -(A.y + a * A.x); */ \
/* but we multiply by B.x - A.x to avoid division. */ \
\
element_sub(b, Px, Zx); \
element_sub(a, Zy, Py); \
element_mul(t0, b, Zy); \
element_mul(c, a, Zx); \
element_add(c, c, t0); \
element_neg(c, c); \
\
d_miller_evalfn(e0, a, b, c, Qx, Qy); \
element_mul(v, v, e0); \
}
element_init(a, Px->field);
element_init(b, a->field);
element_init(c, a->field);
element_init(t0, a->field);
element_init(e0, res->field);
element_init(v, res->field);
element_init(Z, P->field);
element_set(Z, P);
Zx = curve_x_coord(Z);
Zy = curve_y_coord(Z);
element_set1(v);
m = (mp_bitcnt_t)mpz_sizeinbase(q, 2);
m = (m > 2 ? m - 2 : 0);
for(;;) {
do_tangent();
if (!m) break;
element_double(Z, Z);
if (mpz_tstbit(q, m)) {
do_line();
element_add(Z, Z, P);
}
m--;
element_square(v, v);
}
element_set(res, v);
element_clear(v);
element_clear(Z);
element_clear(a);
element_clear(b);
element_clear(c);
element_clear(t0);
element_clear(e0);
#undef do_tangent
#undef do_line
}
// Miller's algorithm, assuming we can ignore the denominator. We can do this
// with careful group selection when the embedding degree is even. See thesis.
// This version uses projective coordinates, which don't seem much faster.
static void cc_miller_no_denom_proj(element_t res, mpz_t q, element_t P,
element_ptr Qx, element_ptr Qy) {
mp_bitcnt_t m;
element_t v;
element_t Z;
element_t a, b, c;
element_t t0, t1;
element_ptr t2 = a, t3 = b, t4 = c;
element_t e0;
element_t z, z2;
element_ptr Zx, Zy;
const element_ptr curve_a = curve_a_coeff(P);
const element_ptr Px = curve_x_coord(P);
const element_ptr Py = curve_y_coord(P);
#define proj_double() { \
/* t0 = 3x^2 + (curve_a) z^4 */ \
element_square(t0, Zx); \
/* element_mul_si(t0, t0, 3); */ \
element_double(t1, t0); \
element_add(t0, t0, t1); \
element_square(t1, z2); \
element_mul(t1, t1, curve_a); \
element_add(t0, t0, t1); \
\
/* z_out = 2 y z */ \
element_mul(z, Zy, z); \
/* element_mul_si(z, z, 2); */ \
element_double(z, z); \
element_square(z2, z); \
\
/* t1 = 4 x y^2 */ \
element_square(t2, Zy); \
element_mul(t1, Zx, t2); \
/* element_mul_si(t1, t1, 4); */ \
element_double(t1, t1); \
element_double(t1, t1); \
\
/* x_out = t0^2 - 2 t1 */ \
/* element_mul_si(t3, t1, 2); */ \
element_double(t3, t1); \
element_square(Zx, t0); \
element_sub(Zx, Zx, t3); \
\
/* t2 = 8y^4 */ \
element_square(t2, t2); \
/* element_mul_si(t2, t2, 8); */ \
element_double(t2, t2); \
element_double(t2, t2); \
element_double(t2, t2); \
\
/* y_out = t0(t1 - x_out) - t2 */ \
element_sub(t1, t1, Zx); \
element_mul(t0, t0, t1); \
element_sub(Zy, t0, t2); \
}
#define proj_mixin() { \
/* t2 = Px z^2 */ \
element_mul(t2, z2, Px); \
\
/* t3 = Zx - t2 */ \
element_sub(t3, Zx, t2); \
\
/* t0 = Py z^3 */ \
element_mul(t0, z2, Py); \
element_mul(t0, t0, z); \
\
/* t1 = Zy - t0 */ \
element_sub(t1, Zy, t0); \
\
/* e7 = Zx + t2, use t2 to double for e7 */ \
element_add(t2, Zx, t2); \
\
/* e8 = Zy + t0, use t0 to double for e8 */ \
element_add(t0, Zy, t0); \
\
/* z = z t3 */ \
element_mul(z, z, t3); \
element_square(z2, z); \
\
/* Zx = t1^2 - e7 t3^2 */ \
/* t3 now holds t3^3, */ \
/* t4 holds e7 t3^2. */ \
element_square(t4, t3); \
element_mul(t3, t4, t3); \
element_square(Zx, t1); \
element_mul(t4, t2, t4); \
element_sub(Zx, Zx, t4); \
\
/* t4 = e7 t3^2 - 2 Zx */ \
element_sub(t4, t4, Zx); \
element_sub(t4, t4, Zx); \
\
/* Zy = (t4 t1 - e8 t3^3)/2 */ \
element_mul(t4, t4, t1); \
element_mul(t0, t0, t3); \
element_sub(t4, t4, t0); \
element_halve(Zy, t4); \
}
#define do_tangent() { \
/* a = -(3x^2 + cca z^4) */ \
/* b = 2 y z^3 */ \
/* c = -(2 y^2 + x a) */ \
/* a = z^2 a */ \
element_square(a, z2); \
element_mul(a, a, curve_a); \
element_square(b, Zx); \
/* element_mul_si(b, b, 3); */ \
element_double(t0, b); \
element_add(b, b, t0); \
element_add(a, a, b); \
element_neg(a, a); \
\
element_mul(b, z, z2); \
element_mul(b, b, Zy); \
element_mul_si(b, b, 2); \
\
element_mul(c, Zx, a); \
element_mul(a, a, z2); \
element_square(t0, Zy); \
element_mul_si(t0, t0, 2); \
element_add(c, c, t0); \
element_neg(c, c); \
\
d_miller_evalfn(e0, a, b, c, Qx, Qy); \
element_mul(v, v, e0); \
}
#define do_line() { \
/* a = -(Py z^3 - Zy) */ \
/* b = Px z^3 - Zx z */ \
/* c = Zx z Py - Zy Px; */ \
\
element_mul(t0, Zx, z); \
element_mul(t1, z2, z); \
\
element_mul(a, Py, t1); \
element_sub(a, Zy, a); \
\
element_mul(b, Px, t1); \
element_sub(b, b, t0); \
\
element_mul(t0, t0, Py); \
element_mul(c, Zy, Px); \
element_sub(c, t0, c); \
\
d_miller_evalfn(e0, a, b, c, Qx, Qy); \
element_mul(v, v, e0); \
}
element_init(a, Px->field);
element_init(b, a->field);
element_init(c, a->field);
element_init(t0, a->field);
element_init(t1, a->field);
element_init(e0, res->field);
element_init(z, a->field);
element_init(z2, a->field);
element_set1(z);
element_set1(z2);
element_init(v, res->field);
element_init(Z, P->field);
element_set(Z, P);
Zx = curve_x_coord(Z);
Zy = curve_x_coord(Z);
element_set1(v);
m = (mp_bitcnt_t)mpz_sizeinbase(q, 2);
m = (m > 2 ? m - 2 : 0);
for(;;) {
do_tangent();
if (!m) break;
proj_double();
if (mpz_tstbit(q, m)) {
do_line();
proj_mixin();
}
m--;
element_square(v, v);
}
element_set(res, v);
element_clear(v);
element_clear(Z);
element_clear(a);
element_clear(b);
element_clear(c);
element_clear(t0);
element_clear(t1);
element_clear(e0);
element_clear(z);
element_clear(z2);
#undef proj_double
#undef proj_mixin
#undef do_tangent
#undef do_line
}
