/**
* Compute the final lines for optimal ate pairings.
*
* @param[out] r - the result.
* @param[out] t - the resulting point.
* @param[in] q - the first point of the pairing, in G_2.
* @param[in] p - the second point of the pairing, in G_1.
* @param[in] a - the loop parameter.
*/
static void pp_fin_k12_oatep(fp12_t r, ep2_t t, ep2_t q, ep_t p) {
ep2_t q1, q2;
fp12_t tmp;
fp12_null(tmp);
ep2_null(q1);
ep2_null(q2);
TRY {
ep2_new(q1);
ep2_new(q2);
fp12_new(tmp);
fp12_zero(tmp);
fp2_set_dig(q1->z, 1);
fp2_set_dig(q2->z, 1);
ep2_frb(q1, q, 1);
ep2_frb(q2, q, 2);
ep2_neg(q2, q2);
pp_add_k12(tmp, t, q1, p);
fp12_mul_dxs(r, r, tmp);
pp_add_k12(tmp, t, q2, p);
fp12_mul_dxs(r, r, tmp);
} CATCH_ANY {
THROW(ERR_CAUGHT);
} FINALLY {
fp12_free(tmp);
ep2_free(q1);
ep2_free(q2);
}
}
/**
* Multiplies a point on a Barreto-Lynn-Soctt curve by the cofactor.
*
* @param[out] r - the result.
* @param[in] p - the point to multiply.
*/
void ep2_mul_cof_b12(ep2_t r, ep2_t p) {
bn_t x;
ep2_t t0, t1, t2, t3;
ep2_null(t0);
ep2_null(t1);
ep2_null(t2);
ep2_null(t3);
bn_null(x);
TRY {
ep2_new(t0);
ep2_new(t1);
ep2_new(t2);
ep2_new(t3);
bn_new(x);
fp_param_get_var(x);
/* Compute t0 = xP. */
ep2_mul(t0, p, x);
if (bn_sign(x) == BN_NEG) {
ep2_neg(t0, t0);
}
/* Compute t1 = [x^2]P. */
ep2_mul(t1, t0, x);
if (bn_sign(x) == BN_NEG) {
ep2_neg(t1, t1);
}
/* t2 = (x^2 - x - 1)P = x^2P - x*P - P. */
ep2_sub(t2, t1, t0);
ep2_sub(t2, t2, p);
/* t3 = \psi(x - 1)P. */
ep2_sub(t3, t0, p);
ep2_norm(t3, t3);
ep2_frb(t3, t3, 1);
ep2_add(t2, t2, t3);
/* t3 = \psi^2(2P). */
ep2_dbl(t3, p);
ep2_norm(t3, t3);
ep2_frb(t3, t3, 2);
ep2_add(t2, t2, t3);
ep2_norm(r, t2);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep2_free(t0);
ep2_free(t1);
ep2_free(t2);
ep2_free(t3);
bn_free(x);
}
}
void pp_map_weilp_k12(fp12_t r, ep_t p, ep2_t q) {
ep_t _p[1], t0[1];
ep2_t _q[1], t1[1];
fp12_t r0, r1;
bn_t n;
ep_null(_p[0]);
ep_null(t0[1]);
ep2_null(_q[0]);
ep2_null(t1[1]);
fp12_null(r0);
fp12_null(r1);
bn_null(n);
TRY {
ep_new(_p[0]);
ep_new(t0[0]);
ep2_new(_q[0]);
ep2_new(t1[0]);
fp12_new(r0);
fp12_new(r1);
bn_new(n);
ep_norm(_p[0], p);
ep2_norm(_q[0], q);
ep_curve_get_ord(n);
bn_sub_dig(n, n, 1);
fp12_set_dig(r0, 1);
fp12_set_dig(r1, 1);
if (!ep_is_infty(_p[0]) && !ep2_is_infty(_q[0])) {
pp_mil_lit_k12(r0, t0, _p, _q, 1, n);
pp_mil_k12(r1, t1, _q, _p, 1, n);
fp12_inv(r1, r1);
fp12_mul(r0, r0, r1);
fp12_inv(r1, r0);
fp12_inv_uni(r0, r0);
}
fp12_mul(r, r0, r1);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep_free(_p[0]);
ep_free(t0[0]);
ep2_free(_q[0]);
ep2_free(t1[0]);
fp12_free(r0);
fp12_free(r1);
bn_free(n);
}
}
/**
* Multiplies a point on a Barreto-Naehrig curve by the cofactor.
*
* @param[out] r - the result.
* @param[in] p - the point to multiply.
*/
void ep2_mul_cof_bn(ep2_t r, ep2_t p) {
bn_t x;
ep2_t t0, t1, t2;
ep2_null(t0);
ep2_null(t1);
ep2_null(t2);
bn_null(x);
TRY {
ep2_new(t0);
ep2_new(t1);
ep2_new(t2);
bn_new(x);
fp_param_get_var(x);
/* Compute t0 = xP. */
ep2_mul(t0, p, x);
if (bn_sign(x) == BN_NEG) {
ep2_neg(t0, t0);
}
/* Compute t1 = \psi(3xP). */
ep2_dbl(t1, t0);
ep2_add(t1, t1, t0);
ep2_norm(t1, t1);
ep2_frb(t1, t1, 1);
/* Compute t2 = \psi^3(P) + t0 + t1 + \psi^2(xP). */
ep2_frb(t2, p, 2);
ep2_frb(t2, t2, 1);
ep2_add(t2, t2, t0);
ep2_add(t2, t2, t1);
ep2_frb(t1, t0, 2);
ep2_add(t2, t2, t1);
ep2_norm(r, t2);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep2_free(t0);
ep2_free(t1);
ep2_free(t2);
bn_free(x);
}
}
void pp_dbl_k12_basic(fp12_t l, ep2_t r, ep2_t q, ep_t p) {
fp2_t s;
ep2_t t;
int one = 1, zero = 0;
fp2_null(s);
ep2_null(t);
TRY {
fp2_new(s);
ep2_new(t);
ep2_copy(t, q);
ep2_dbl_slp_basic(r, s, q);
fp12_zero(l);
if (ep2_curve_is_twist() == EP_MTYPE) {
one ^= 1;
zero ^= 1;
}
fp_mul(l[one][zero][0], s[0], p->x);
fp_mul(l[one][zero][1], s[1], p->x);
fp2_mul(l[one][one], s, t->x);
fp2_sub(l[one][one], t->y, l[one][one]);
fp_copy(l[zero][zero][0], p->y);
} CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp2_free(s);
ep2_free(t);
}
}
void ep2_rand(ep2_t p) {
bn_t n, k;
ep2_t gen;
bn_null(k);
bn_null(n);
ep2_null(gen);
TRY {
bn_new(k);
bn_new(n);
ep2_new(gen);
ep2_curve_get_ord(n);
bn_rand_mod(k, n);
ep2_curve_get_gen(gen);
ep2_mul(p, gen, k);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(k);
bn_free(n);
ep2_free(gen);
}
}
void ep2_sub_basic(ep2_t r, ep2_t p, ep2_t q) {
ep2_t t;
ep2_null(t);
if (p == q) {
ep2_set_infty(r);
return;
}
TRY {
ep2_new(t);
ep2_neg_basic(t, q);
ep2_add_basic(r, p, t);
r->norm = 1;
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep2_free(t);
}
}
void ep2_mul_fix_yaowi(ep2_t r, ep2_t *t, bn_t k) {
int i, j, l;
ep2_t a;
uint8_t win[CEIL(2 * FP_BITS, EP_DEPTH)];
ep2_null(a);
TRY {
ep2_new(a);
ep2_set_infty(r);
ep2_set_infty(a);
l = CEIL(2 * FP_BITS, EP_DEPTH);
bn_rec_win(win, &l, k, EP_DEPTH);
for (j = (1 << EP_DEPTH) - 1; j >= 1; j--) {
for (i = 0; i < l; i++) {
if (win[i] == j) {
ep2_add(a, a, t[i]);
}
}
ep2_add(r, r, a);
}
ep2_norm(r, r);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep2_free(a);
}
}
void ep2_mul(ep2_t r, ep2_t p, bn_t k) {
int i, l;
ep2_t t;
ep2_null(t);
TRY {
ep2_new(t);
l = bn_bits(k);
if (bn_get_bit(k, l - 1)) {
ep2_copy(t, p);
} else {
ep2_set_infty(t);
}
for (i = l - 2; i >= 0; i--) {
ep2_dbl(t, t);
if (bn_get_bit(k, i)) {
ep2_add(t, t, p);
}
}
ep2_copy(r, t);
ep2_norm(r, r);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep2_free(t);
}
}
int ep2_size_bin(ep2_t a, int pack) {
ep2_t t;
int size = 0;
ep2_null(t);
if (ep2_is_infty(a)) {
return 1;
}
TRY {
ep2_new(t);
ep2_norm(t, a);
size = 1 + 2 * FP_BYTES;
if (!pack) {
size += 2 * FP_BYTES;
}
} CATCH_ANY {
THROW(ERR_CAUGHT);
} FINALLY {
ep2_free(t);
}
return size;
}
void ep2_mul_dig(ep2_t r, ep2_t p, dig_t k) {
int i, l;
ep2_t t;
ep2_null(t);
if (k == 0) {
ep2_set_infty(r);
return;
}
TRY {
ep2_new(t);
l = util_bits_dig(k);
ep2_copy(t, p);
for (i = l - 2; i >= 0; i--) {
ep2_dbl(t, t);
if (k & ((dig_t)1 << i)) {
ep2_add(t, t, p);
}
}
ep2_norm(r, t);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep2_free(t);
}
}
void ep2_mul_sim_joint(ep2_t r, ep2_t p, bn_t k, ep2_t q, bn_t l) {
ep2_t t[5];
int u_i, len, offset;
int8_t jsf[4 * (FP_BITS + 1)];
int i;
ep2_null(t[0]);
ep2_null(t[1]);
ep2_null(t[2]);
ep2_null(t[3]);
ep2_null(t[4]);
TRY {
for (i = 0; i < 5; i++) {
ep2_new(t[i]);
}
ep2_set_infty(t[0]);
ep2_copy(t[1], q);
ep2_copy(t[2], p);
ep2_add(t[3], p, q);
ep2_sub(t[4], p, q);
len = 4 * (FP_BITS + 1);
bn_rec_jsf(jsf, &len, k, l);
ep2_set_infty(r);
i = bn_bits(k);
offset = MAX(i, bn_bits(l)) + 1;
for (i = len - 1; i >= 0; i--) {
ep2_dbl(r, r);
if (jsf[i] != 0 && jsf[i] == -jsf[i + offset]) {
u_i = jsf[i] * 2 + jsf[i + offset];
if (u_i < 0) {
ep2_sub(r, r, t[4]);
} else {
ep2_add(r, r, t[4]);
}
} else {
u_i = jsf[i] * 2 + jsf[i + offset];
if (u_i < 0) {
ep2_sub(r, r, t[-u_i]);
} else {
ep2_add(r, r, t[u_i]);
}
}
}
ep2_norm(r, r);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
for (i = 0; i < 5; i++) {
ep2_free(t[i]);
}
}
}
void ep2_mul_fix_nafwi(ep2_t r, ep2_t *t, bn_t k) {
int i, j, l, d, m;
ep2_t a;
int8_t naf[2 * FP_BITS + 1];
char w;
ep2_null(a);
TRY {
ep2_new(a);
ep2_set_infty(r);
ep2_set_infty(a);
l = 2 * FP_BITS + 1;
bn_rec_naf(naf, &l, k, 2);
d = ((l % EP_DEPTH) == 0 ? (l / EP_DEPTH) : (l / EP_DEPTH) + 1);
for (i = 0; i < d; i++) {
w = 0;
for (j = EP_DEPTH - 1; j >= 0; j--) {
if (i * EP_DEPTH + j < l) {
w = (char)(w << 1);
w = (char)(w + naf[i * EP_DEPTH + j]);
}
}
naf[i] = w;
}
if (EP_DEPTH % 2 == 0) {
m = ((1 << (EP_DEPTH + 1)) - 2) / 3;
} else {
m = ((1 << (EP_DEPTH + 1)) - 1) / 3;
}
for (j = m; j >= 1; j--) {
for (i = 0; i < d; i++) {
if (naf[i] == j) {
ep2_add(a, a, t[i]);
}
if (naf[i] == -j) {
ep2_sub(a, a, t[i]);
}
}
ep2_add(r, r, a);
}
ep2_norm(r, r);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep2_free(a);
}
}
void pp_map_sim_tatep_k12(fp12_t r, ep_t *p, ep2_t *q, int m) {
ep_t _p[m], t[m];
ep2_t _q[m];
bn_t n;
int i, j;
bn_null(n);
TRY {
bn_new(n);
for (i = 0; i < m; i++) {
ep_null(_p[i]);
ep_null(t[i]);
ep2_null(_q[i]);
ep_new(_p[i]);
ep_new(t[i]);
ep2_new(_q[i]);
}
j = 0;
for (i = 0; i < m; i++) {
if (!ep_is_infty(p[i]) && !ep2_is_infty(q[i])) {
ep_norm(_p[j], p[i]);
ep2_norm(_q[j++], q[i]);
}
}
ep_curve_get_ord(n);
fp12_set_dig(r, 1);
if (j > 0) {
pp_mil_lit_k12(r, t, _p, _q, j, n);
pp_exp_k12(r, r);
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
for (i = 0; i < m; i++) {
ep_free(_p[i]);
ep_free(t[i]);
ep2_free(_q[i]);
}
}
}
void ep2_mul_sim_basic(ep2_t r, ep2_t p, bn_t k, ep2_t q, bn_t l) {
ep2_t t;
ep2_null(t);
TRY {
ep2_new(t);
ep2_mul(t, q, l);
ep2_mul(r, p, k);
ep2_add(t, t, r);
ep2_norm(r, t);
} CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep2_free(t);
}
}
void ep2_write_bin(uint8_t *bin, int len, ep2_t a, int pack) {
ep2_t t;
ep2_null(t);
if (ep2_is_infty(a)) {
if (len != 1) {
THROW(ERR_NO_BUFFER);
} else {
bin[0] = 0;
return;
}
}
TRY {
ep2_new(t);
ep2_norm(t, a);
if (pack) {
if (len < 2 * FP_BYTES + 1) {
THROW(ERR_NO_BUFFER);
} else {
ep2_pck(t, t);
bin[0] = 2 | fp_get_bit(t->y[0], 0);
fp2_write_bin(bin + 1, 2 * FP_BYTES, t->x, 0);
}
} else {
if (len < 4 * FP_BYTES + 1) {
THROW(ERR_NO_BUFFER);
} else {
bin[0] = 4;
fp2_write_bin(bin + 1, 2 * FP_BYTES, t->x, 0);
fp2_write_bin(bin + 2 * FP_BYTES + 1, 2 * FP_BYTES, t->y, 0);
}
}
} CATCH_ANY {
THROW(ERR_CAUGHT);
} FINALLY {
ep2_free(t);
}
}
void ep2_mul_gen(ep2_t r, bn_t k) {
#ifdef EP_PRECO
ep2_mul_fix(r, ep2_curve_get_tab(), k);
#else
ep2_t g;
ep2_null(g);
TRY {
ep2_new(g);
ep2_curve_get_gen(g);
ep2_mul(r, g, k);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep2_free(g);
}
#endif
}
/**
* Compute the Miller loop for pairings of type G_1 x G_2 over the bits of a
* given parameter.
*
* @param[out] r - the result.
* @param[out] t - the resulting point.
* @param[in] p - the first pairing argument in affine coordinates.
* @param[in] q - the second pairing argument in affine coordinates.
* @param[in] n - the number of pairings to evaluate.
* @param[in] a - the loop parameter.
*/
static void pp_mil_lit_k12(fp12_t r, ep_t *t, ep_t *p, ep2_t *q, int m, bn_t a) {
fp12_t l;
ep2_t _q[m];
int j;
fp12_null(l);
TRY {
fp12_new(l);
for (j = 0; j < m; j++) {
ep2_null(_q[j]);
ep2_new(_q[j]);
ep_copy(t[j], p[j]);
ep2_neg(_q[j], q[j]);
}
fp12_zero(l);
for (int i = bn_bits(a) - 2; i >= 0; i--) {
fp12_sqr(r, r);
for (j = 0; j < m; j++) {
pp_dbl_lit_k12(l, t[j], t[j], _q[j]);
fp12_mul(r, r, l);
if (bn_get_bit(a, i)) {
pp_add_lit_k12(l, t[j], p[j], q[j]);
fp12_mul(r, r, l);
}
}
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp12_free(l);
for (j = 0; j < m; j++) {
ep2_free(_q[j]);
}
}
}
int ep2_is_valid(ep2_t p) {
ep2_t t;
int r = 0;
ep2_null(t);
TRY {
ep2_new(t);
ep2_norm(t, p);
ep2_rhs(t->x, t);
fp2_sqr(t->y, t->y);
r = (fp2_cmp(t->x, t->y) == CMP_EQ) || ep2_is_infty(p);
} CATCH_ANY {
THROW(ERR_CAUGHT);
} FINALLY {
ep2_free(t);
}
return r;
}
void ep2_mul_sim_gen(ep2_t r, bn_t k, ep2_t q, bn_t l) {
ep2_t gen;
ep2_null(gen);
TRY {
ep2_new(gen);
ep2_curve_get_gen(gen);
#if EP_FIX == LWNAF && defined(EP_PRECO)
ep2_mul_sim_plain(r, gen, k, q, l, ep2_curve_get_tab());
#else
ep2_mul_sim(r, gen, k, q, l);
#endif
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep2_free(gen);
}
}
void pp_map_tatep_k12(fp12_t r, ep_t p, ep2_t q) {
ep_t _p[1], t[1];
ep2_t _q[1];
bn_t n;
ep_null(_p[0]);
ep_null(t[0]);
ep2_null(_q[0]);
bn_null(n);
TRY {
ep_new(_p[0]);
ep_new(t[0]);
ep2_new(_q[0]);
bn_new(n);
ep_norm(_p[0], p);
ep2_norm(_q[0], q);
ep_curve_get_ord(n);
fp12_set_dig(r, 1);
if (!ep_is_infty(p) && !ep2_is_infty(q)) {
pp_mil_lit_k12(r, t, _p, _q, 1, n);
pp_exp_k12(r, r);
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep_free(_p[0]);
ep_free(t[0]);
ep2_free(_q[0]);
bn_free(n);
}
}
void pp_map_sim_weilp_k12(fp12_t r, ep_t *p, ep2_t *q, int m) {
ep_t _p[m], t0[m];
ep2_t _q[m], t1[m];
fp12_t r0, r1;
bn_t n;
int i, j;
fp12_null(r0);
fp12_null(r1);
bn_null(r);
TRY {
fp12_new(r0);
fp12_new(r1);
bn_new(n);
for (i = 0; i < m; i++) {
ep_null(_p[i]);
ep_null(t0[i]);
ep2_null(_q[i]);
ep2_null(t1[i]);
ep_new(_p[i]);
ep_new(t0[i]);
ep2_new(_q[i]);
ep2_new(t1[i]);
}
j = 0;
for (i = 0; i < m; i++) {
if (!ep_is_infty(p[i]) && !ep2_is_infty(q[i])) {
ep_norm(_p[j], p[i]);
ep2_norm(_q[j++], q[i]);
}
}
ep_curve_get_ord(n);
bn_sub_dig(n, n, 1);
fp12_set_dig(r0, 1);
fp12_set_dig(r1, 1);
if (j > 0) {
pp_mil_lit_k12(r0, t0, _p, _q, j, n);
pp_mil_k12(r1, t1, _q, _p, j, n);
fp12_inv(r1, r1);
fp12_mul(r0, r0, r1);
fp12_inv(r1, r0);
fp12_inv_uni(r0, r0);
}
fp12_mul(r, r0, r1);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp12_free(r0);
fp12_free(r1);
bn_free(n);
for (i = 0; i < m; i++) {
ep_free(_p[i]);
ep_free(t0[i]);
ep2_free(_q[i]);
ep2_free(t1[i]);
}
}
}
void pp_map_oatep_k12(fp12_t r, ep_t p, ep2_t q) {
ep_t _p[1];
ep2_t t[1], _q[1];
bn_t a;
int len = FP_BITS, s[FP_BITS];
ep_null(_p[0]);
ep2_null(_q[0]);
ep2_null(t[0]);
bn_null(a);
TRY {
ep_new(_p[0]);
ep2_new(_q[0]);
ep2_new(t[0]);
bn_new(a);
fp_param_get_var(a);
bn_mul_dig(a, a, 6);
bn_add_dig(a, a, 2);
fp_param_get_map(s, &len);
fp12_set_dig(r, 1);
ep_norm(_p[0], p);
ep2_norm(_q[0], q);
if (!ep_is_infty(_p[0]) && !ep2_is_infty(_q[0])) {
switch (ep_param_get()) {
case BN_P158:
case BN_P254:
case BN_P256:
case BN_P638:
/* r = f_{|a|,Q}(P). */
pp_mil_sps_k12(r, t, _q, _p, 1, s, len);
if (bn_sign(a) == BN_NEG) {
/* f_{-a,Q}(P) = 1/f_{a,Q}(P). */
fp12_inv_uni(r, r);
ep2_neg(t[0], t[0]);
}
pp_fin_k12_oatep(r, t[0], _q[0], _p[0]);
pp_exp_k12(r, r);
break;
case B12_P638:
/* r = f_{|a|,Q}(P). */
pp_mil_sps_k12(r, t, _q, _p, 1, s, len);
if (bn_sign(a) == BN_NEG) {
fp12_inv_uni(r, r);
ep2_neg(t[0], t[0]);
}
pp_exp_k12(r, r);
break;
}
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep_free(_p[0]);
ep2_free(_q[0]);
ep2_free(t[0]);
bn_free(a);
}
}
void ep2_mul_sim_trick(ep2_t r, ep2_t p, bn_t k, ep2_t q, bn_t l) {
ep2_t t0[1 << (EP_WIDTH / 2)];
ep2_t t1[1 << (EP_WIDTH / 2)];
ep2_t t[1 << EP_WIDTH];
bn_t n;
int l0, l1, w = EP_WIDTH / 2;
uint8_t w0[CEIL(2 * FP_BITS, w)], w1[CEIL(2 * FP_BITS, w)];
bn_null(n);
for (int i = 0; i < 1 << EP_WIDTH; i++) {
ep2_null(t[i]);
}
for (int i = 0; i < 1 << (EP_WIDTH / 2); i++) {
ep2_null(t0[i]);
ep2_null(t1[i]);
}
TRY {
bn_new(n);
ep2_curve_get_ord(n);
for (int i = 0; i < (1 << w); i++) {
ep2_new(t0[i]);
ep2_new(t1[i]);
}
for (int i = 0; i < (1 << EP_WIDTH); i++) {
ep2_new(t[i]);
}
ep2_set_infty(t0[0]);
for (int i = 1; i < (1 << w); i++) {
ep2_add(t0[i], t0[i - 1], p);
}
ep2_set_infty(t1[0]);
for (int i = 1; i < (1 << w); i++) {
ep2_add(t1[i], t1[i - 1], q);
}
for (int i = 0; i < (1 << w); i++) {
for (int j = 0; j < (1 << w); j++) {
ep2_add(t[(i << w) + j], t0[i], t1[j]);
}
}
l0 = l1 = CEIL(2 * FP_BITS, w);
bn_rec_win(w0, &l0, k, w);
bn_rec_win(w1, &l1, l, w);
for (int i = l0; i < l1; i++) {
w0[i] = 0;
}
for (int i = l1; i < l0; i++) {
w1[i] = 0;
}
ep2_set_infty(r);
for (int i = MAX(l0, l1) - 1; i >= 0; i--) {
for (int j = 0; j < w; j++) {
ep2_dbl(r, r);
}
ep2_add(r, r, t[(w0[i] << w) + w1[i]]);
}
ep2_norm(r, r);
} CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
for (int i = 0; i < (1 << w); i++) {
ep2_free(t0[i]);
ep2_free(t1[i]);
}
for (int i = 0; i < (1 << EP_WIDTH); i++) {
ep2_free(t[i]);
}
}
}
void ep2_curve_set_twist(int type) {
char str[2 * FP_BYTES + 1];
ctx_t *ctx = core_get();
ep2_t g;
fp2_t a;
fp2_t b;
bn_t r;
ep2_null(g);
fp2_null(a);
fp2_null(b);
bn_null(r);
ctx->ep2_is_twist = 0;
if (type == EP_MTYPE || type == EP_DTYPE) {
ctx->ep2_is_twist = type;
} else {
return;
}
TRY {
ep2_new(g);
fp2_new(a);
fp2_new(b);
bn_new(r);
switch (ep_param_get()) {
#if FP_PRIME == 158
case BN_P158:
ASSIGN(BN_P158);
break;
#elif FP_PRIME == 254
case BN_P254:
ASSIGN(BN_P254);
break;
#elif FP_PRIME == 256
case BN_P256:
ASSIGN(BN_P256);
break;
#elif FP_PRIME == 638
case BN_P638:
ASSIGN(BN_P638);
break;
case B12_P638:
ASSIGN(B12_P638);
break;
#endif
default:
(void)str;
THROW(ERR_NO_VALID);
break;
}
fp2_zero(g->z);
fp_set_dig(g->z[0], 1);
g->norm = 1;
ep2_copy(&(ctx->ep2_g), g);
fp_copy(ctx->ep2_a[0], a[0]);
fp_copy(ctx->ep2_a[1], a[1]);
fp_copy(ctx->ep2_b[0], b[0]);
fp_copy(ctx->ep2_b[1], b[1]);
bn_copy(&(ctx->ep2_r), r);
/* I don't have a better place for this. */
fp_prime_calc();
#if defined(EP_PRECO)
ep2_mul_pre((ep2_t *)ep2_curve_get_tab(), &(ctx->ep2_g));
#endif
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep2_free(g);
fp2_free(a);
fp2_free(b);
bn_free(r);
}
}
static void ep2_mul_sim_plain(ep2_t r, ep2_t p, bn_t k, ep2_t q, bn_t l,
ep2_t *t) {
int len, l0, l1, i, n0, n1, w, gen;
int8_t naf0[2 * FP_BITS + 1], naf1[2 * FP_BITS + 1], *_k, *_m;
ep2_t t0[1 << (EP_WIDTH - 2)];
ep2_t t1[1 << (EP_WIDTH - 2)];
for (i = 0; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_null(t0[i]);
ep2_null(t1[i]);
}
TRY {
gen = (t == NULL ? 0 : 1);
if (!gen) {
for (i = 0; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_new(t0[i]);
}
ep2_tab(t0, p, EP_WIDTH);
t = (ep2_t *)t0;
}
/* Prepare the precomputation table. */
for (i = 0; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_new(t1[i]);
}
/* Compute the precomputation table. */
ep2_tab(t1, q, EP_WIDTH);
/* Compute the w-TNAF representation of k. */
if (gen) {
w = EP_DEPTH;
} else {
w = EP_WIDTH;
}
l0 = l1 = 2 * FP_BITS + 1;
bn_rec_naf(naf0, &l0, k, w);
bn_rec_naf(naf1, &l1, l, EP_WIDTH);
len = MAX(l0, l1);
_k = naf0 + len - 1;
_m = naf1 + len - 1;
for (i = l0; i < len; i++)
naf0[i] = 0;
for (i = l1; i < len; i++)
naf1[i] = 0;
ep2_set_infty(r);
for (i = len - 1; i >= 0; i--, _k--, _m--) {
ep2_dbl(r, r);
n0 = *_k;
n1 = *_m;
if (n0 > 0) {
ep2_add(r, r, t[n0 / 2]);
}
if (n0 < 0) {
ep2_sub(r, r, t[-n0 / 2]);
}
if (n1 > 0) {
ep2_add(r, r, t1[n1 / 2]);
}
if (n1 < 0) {
ep2_sub(r, r, t1[-n1 / 2]);
}
}
/* Convert r to affine coordinates. */
ep2_norm(r, r);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
/* Free the precomputation tables. */
if (!gen) {
for (i = 0; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_free(t0[i]);
}
}
for (i = 0; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_free(t1[i]);
}
}
}
/**
* Compute the Miller loop for pairings of type G_2 x G_1 over the bits of a
* given parameter represented in sparse form.
*
* @param[out] r - the result.
* @param[out] t - the resulting point.
* @param[in] q - the vector of first arguments in affine coordinates.
* @param[in] p - the vector of second arguments in affine coordinates.
* @param[in] n - the number of pairings to evaluate.
* @param[in] s - the loop parameter in sparse form.
* @paramin] len - the length of the loop parameter.
*/
static void pp_mil_sps_k12(fp12_t r, ep2_t *t, ep2_t *q, ep_t *p, int m, int *s,
int len) {
fp12_t l;
ep_t _p[m];
ep2_t _q[m];
int i, j;
if (m == 0) {
return;
}
fp12_null(l);
TRY {
fp12_new(l);
fp12_zero(l);
for (j = 0; j < m; j++) {
ep_null(_p[j]);
ep2_null(_q[j]);
ep_new(_p[j]);
ep2_new(_q[j]);
ep2_copy(t[j], q[j]);
ep2_neg(_q[j], q[j]);
#if EP_ADD == BASIC
ep_neg(_p[j], p[j]);
#else
fp_add(_p[j]->x, p[j]->x, p[j]->x);
fp_add(_p[j]->x, _p[j]->x, p[j]->x);
fp_neg(_p[j]->y, p[j]->y);
#endif
}
pp_dbl_k12(r, t[0], t[0], _p[0]);
for (j = 1; j < m; j++) {
pp_dbl_k12(l, t[j], t[j], _p[j]);
fp12_mul_dxs(r, r, l);
}
if (s[len - 2] > 0) {
for (j = 0; j < m; j++) {
pp_add_k12(l, t[j], q[j], p[j]);
fp12_mul_dxs(r, r, l);
}
}
if (s[len - 2] < 0) {
for (j = 0; j < m; j++) {
pp_add_k12(l, t[j], _q[j], p[j]);
fp12_mul_dxs(r, r, l);
}
}
for (i = len - 3; i >= 0; i--) {
fp12_sqr(r, r);
for (j = 0; j < m; j++) {
pp_dbl_k12(l, t[j], t[j], _p[j]);
fp12_mul_dxs(r, r, l);
if (s[i] > 0) {
pp_add_k12(l, t[j], q[j], p[j]);
fp12_mul_dxs(r, r, l);
}
if (s[i] < 0) {
pp_add_k12(l, t[j], _q[j], p[j]);
fp12_mul_dxs(r, r, l);
}
}
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp12_free(l);
for (j = 0; j < m; j++) {
ep_free(_p[j]);
ep2_free(_q[j]);
}
}
}
static void ep2_mul_sim_ordin(ep2_t r, ep2_t p, bn_t k, ep2_t q, bn_t l, int gen) {
int len, l0, l1, i, n0, n1, w;
signed char naf0[FP_BITS + 1], naf1[FP_BITS + 1], *t0, *t1;
ep2_t table0[1 << (EP_WIDTH - 2)];
ep2_t table1[1 << (EP_WIDTH - 2)];
ep2_t *t = NULL;
for (i = 0; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_null(table0[i]);
ep2_null(table1[i]);
}
if (gen) {
#if defined(EP_PRECO)
t = ep2_curve_get_tab();
#endif
} else {
for (i = 0; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_new(table0[i]);
}
ep2_tab(table0, p, EP_WIDTH);
t = table0;
}
/* Prepare the precomputation table. */
for (i = 0; i < (1 << (EP_WIDTH - 2)); i++) {
ep2_new(table1[i]);
}
/* Compute the precomputation table. */
ep2_tab(table1, q, EP_WIDTH);
/* Compute the w-TNAF representation of k. */
if (gen) {
w = EP_DEPTH;
} else {
w = EP_WIDTH;
}
l0 = l1 = FP_BITS + 1;
bn_rec_naf(naf0, &l0, k, w);
bn_rec_naf(naf1, &l1, l, EP_WIDTH);
len = MAX(l0, l1);
t0 = naf0 + len - 1;
t1 = naf1 + len - 1;
for (i = l0; i < len; i++)
naf0[i] = 0;
for (i = l1; i < len; i++)
naf1[i] = 0;
ep2_set_infty(r);
for (i = len - 1; i >= 0; i--, t0--, t1--) {
ep2_dbl(r, r);
n0 = *t0;
n1 = *t1;
if (n0 > 0) {
ep2_add(r, r, t[n0 / 2]);
}
if (n0 < 0) {
ep2_sub(r, r, t[-n0 / 2]);
}
if (n1 > 0) {
ep2_add(r, r, table1[n1 / 2]);
}
if (n1 < 0) {
ep2_sub(r, r, table1[-n1 / 2]);
}
}
/* Convert r to affine coordinates. */
ep2_norm(r, r);
/* Free the precomputation table. */
for (i = 0; i < 1 << (EP_WIDTH - 2); i++) {
ep2_free(table0[i]);
ep2_free(table1[i]);
}
}
void pp_map_sim_oatep_k12(fp12_t r, ep_t *p, ep2_t *q, int m) {
ep_t _p[m];
ep2_t t[m], _q[m];
bn_t a;
int i, j, len = FP_BITS, s[FP_BITS];
TRY {
bn_null(a);
bn_new(a);
for (i = 0; i < m; i++) {
ep_null(_p[i]);
ep2_null(_q[i]);
ep2_null(t[i]);
ep_new(_p[i]);
ep2_new(_q[i]);
ep2_new(t[i]);
}
j = 0;
for (i = 0; i < m; i++) {
if (!ep_is_infty(p[i]) && !ep2_is_infty(q[i])) {
ep_norm(_p[j], p[i]);
ep2_norm(_q[j++], q[i]);
}
}
fp12_set_dig(r, 1);
fp_param_get_var(a);
bn_mul_dig(a, a, 6);
bn_add_dig(a, a, 2);
fp_param_get_map(s, &len);
if (j > 0) {
switch (ep_param_get()) {
case BN_P158:
case BN_P254:
case BN_P256:
case BN_P638:
/* r = f_{|a|,Q}(P). */
pp_mil_sps_k12(r, t, _q, _p, j, s, len);
if (bn_sign(a) == BN_NEG) {
/* f_{-a,Q}(P) = 1/f_{a,Q}(P). */
fp12_inv_uni(r, r);
}
for (i = 0; i < j; i++) {
if (bn_sign(a) == BN_NEG) {
ep2_neg(t[i], t[i]);
}
pp_fin_k12_oatep(r, t[i], _q[i], _p[i]);
}
pp_exp_k12(r, r);
break;
case B12_P638:
/* r = f_{|a|,Q}(P). */
pp_mil_sps_k12(r, t, _q, _p, j, s, len);
if (bn_sign(a) == BN_NEG) {
fp12_inv_uni(r, r);
}
pp_exp_k12(r, r);
break;
}
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(a);
for (i = 0; i < m; i++) {
ep_free(_p[i]);
ep2_free(_q[i]);
ep2_free(t[i]);
}
}
}
