void fp2_norm_low(fp2_t c, fp2_t a) {
fp2_t t;
bn_t b;
fp2_null(t);
bn_null(b);
TRY {
fp2_new(t);
bn_new(b);
#if FP_PRIME == 158
fp_dbl(t[0], a[0]);
fp_dbl(t[0], t[0]);
fp_sub(t[0], t[0], a[1]);
fp_dbl(t[1], a[1]);
fp_dbl(t[1], t[1]);
fp_add(c[1], a[0], t[1]);
fp_copy(c[0], t[0]);
#elif defined(FP_QNRES)
/* If p = 3 mod 8, (1 + i) is a QNR/CNR. */
fp_neg(t[0], a[1]);
fp_add(c[1], a[0], a[1]);
fp_add(c[0], t[0], a[0]);
#else
switch (fp_prime_get_mod8()) {
case 3:
/* If p = 3 mod 8, (1 + u) is a QNR/CNR. */
fp_neg(t[0], a[1]);
fp_add(c[1], a[0], a[1]);
fp_add(c[0], t[0], a[0]);
break;
case 5:
/* If p = 5 mod 8, (u) is a QNR/CNR. */
fp2_mul_art(c, a);
break;
case 7:
/* If p = 7 mod 8, we choose (2^(lg_4(b-1)) + u) as QNR/CNR. */
fp2_mul_art(t, a);
fp2_dbl(c, a);
fp_prime_back(b, ep_curve_get_b());
for (int i = 1; i < bn_bits(b) / 2; i++) {
fp2_dbl(c, c);
}
fp2_add(c, c, t);
break;
default:
THROW(ERR_NO_VALID);
break;
}
#endif
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp2_free(t);
bn_free(b);
}
}
void fp2_nord_low(dv2_t c, dv2_t a) {
dv2_t t;
bn_t b;
dv2_null(t);
bn_null(b);
TRY {
dv2_new(t);
bn_new(b);
#ifdef FP_QNRES
/* If p = 3 mod 8, (1 + i) is a QNR/CNR. */
/* (a_0 + a_1 * i) * (1 + i) = (a_0 - a_1) + (a_0 + a_1) * u. */
dv_copy(t[0], a[1], 2 * FP_DIGS);
fp_addc_low(c[1], a[0], a[1]);
fp_subc_low(c[0], a[0], t[0]);
#else
switch (fp_prime_get_mod8()) {
case 3:
/* If p = 3 mod 8, (1 + u) is a QNR, u^2 = -1. */
/* (a_0 + a_1 * u) * (1 + u) = (a_0 - a_1) + (a_0 + a_1) * u. */
dv_copy(t[0], a[1], 2 * FP_DIGS);
fp_addc_low(c[1], a[0], a[1]);
fp_subc_low(c[0], a[0], t[0]);
break;
case 1:
case 5:
/* If p = 1,5 mod 8, (u) is a QNR. */
dv_copy(t[0], a[0], 2 * FP_DIGS);
dv_zero(t[1], FP_DIGS);
dv_copy(t[1] + FP_DIGS, fp_prime_get(), FP_DIGS);
fp_subc_low(c[0], t[1], a[1]);
for (int i = -1; i > fp_prime_get_qnr(); i--) {
fp_subc_low(c[0], c[0], a[1]);
}
dv_copy(c[1], t[0], 2 * FP_DIGS);
break;
case 7:
/* If p = 7 mod 8, (2 + u) is a QNR/CNR. */
fp2_addc_low(t, a, a);
fp_subc_low(c[0], t[0], a[1]);
fp_addc_low(c[1], t[1], a[0]);
break;
default:
THROW(ERR_NO_VALID);
break;
}
#endif
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
dv2_free(t);
bn_free(b);
}
}
void fp2_mul_nor_basic(fp2_t c, fp2_t a) {
fp2_t t;
bn_t b;
fp2_null(t);
bn_null(b);
TRY {
fp2_new(t);
bn_new(b);
#ifdef FP_QNRES
/* If p = 3 mod 8, (1 + i) is a QNR/CNR. */
fp_neg(t[0], a[1]);
fp_add(c[1], a[0], a[1]);
fp_add(c[0], t[0], a[0]);
#else
switch (fp_prime_get_mod8()) {
case 3:
/* If p = 3 mod 8, (1 + u) is a QNR/CNR. */
fp_neg(t[0], a[1]);
fp_add(c[1], a[0], a[1]);
fp_add(c[0], t[0], a[0]);
break;
case 1:
case 5:
/* If p = 5 mod 8, (u) is a QNR/CNR. */
fp2_mul_art(c, a);
break;
case 7:
/* If p = 7 mod 8, we choose (4 + u) is a QNR/CNR. */
fp2_mul_art(t, a);
fp2_dbl(c, a);
fp2_dbl(c, c);
fp2_add(c, c, t);
break;
default:
THROW(ERR_NO_VALID);
}
#endif
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp2_free(t);
bn_free(b);
}
}
int fp_param_set_any_tower() {
#if FP_PRIME == 158
fp_param_set(BN_158);
#elif FP_PRIME == 254
fp_param_set(BN_254);
#elif FP_PRIME == 256
fp_param_set(BN_256);
#elif FP_PRIME == 477
fp_param_set(B24_477);
#elif FP_PRIME == 508
fp_param_set(KSS_508);
#elif FP_PRIME == 638
fp_param_set(B12_638);
#elif FP_PRIME == 1536
fp_param_set(SS_1536);
#else
do {
/* Since we have to generate a prime number, pick a nice towering. */
fp_param_set_any_dense();
} while (fp_prime_get_mod8() == 1 || fp_prime_get_mod8() == 5);
#endif
return STS_OK;
}
void fp2_nord_low(dv2_t c, dv2_t a) {
dv2_t t;
bn_t b;
dv2_null(t);
bn_null(b);
TRY {
dv2_new(t);
bn_new(b);
#if FP_PRIME == 158
fp_addc_low(t[0], a[0], a[0]);
fp_addc_low(t[0], t[0], t[0]);
fp_subc_low(t[0], t[0], a[1]);
fp_addc_low(t[1], a[1], a[1]);
fp_addc_low(t[1], t[1], t[1]);
fp_addc_low(c[1], a[0], t[1]);
dv_copy(c[0], t[0], 2 * FP_DIGS);
#elif defined(FP_QNRES)
/* If p = 3 mod 8, (1 + i) is a QNR/CNR. */
/* (a_0 + a_1 * i) * (1 + i) = (a_0 - a_1) + (a_0 + a_1) * u. */
dv_copy(t[0], a[1], 2 * FP_DIGS);
fp_addc_low(c[1], a[0], a[1]);
fp_subc_low(c[0], a[0], t[0]);
#else
switch (fp_prime_get_mod8()) {
case 3:
/* If p = 3 mod 8, (1 + u) is a QNR, u^2 = -1. */
/* (a_0 + a_1 * u) * (1 + u) = (a_0 - a_1) + (a_0 + a_1) * u. */
dv_copy(t[0], a[1], 2 * FP_DIGS);
fp_addc_low(c[1], a[0], a[1]);
fp_subc_low(c[0], a[0], t[0]);
break;
case 5:
/* If p = 5 mod 8, (u) is a QNR. */
dv_copy(t[0], a[0], 2 * FP_DIGS);
dv_zero(t[1], FP_DIGS);
dv_copy(t[1] + FP_DIGS, fp_prime_get(), FP_DIGS);
fp_subc_low(c[0], t[1], a[1]);
for (int i = -1; i > fp_prime_get_qnr(); i--) {
fp_subc_low(c[0], c[0], a[1]);
}
dv_copy(c[1], t[0], 2 * FP_DIGS);
break;
case 7:
/* If p = 7 mod 8, (2^lg_4(b-1) + u) is a QNR/CNR. */
/* (a_0 + a_1 * u)(2^lg_4(b-1) + u) =
* (2^lg_4(b-1)a_0 - a_1) + (a_0 + 2^lg_4(b-1)a_1 * u. */
fp2_addc_low(t, a, a);
fp_prime_back(b, ep_curve_get_b());
for (int i = 1; i < bn_bits(b) / 2; i++) {
fp2_addc_low(t, t, t);
}
fp_subc_low(c[0], t[0], a[1]);
fp_addc_low(c[1], t[1], a[0]);
break;
default:
THROW(ERR_NO_VALID);
break;
}
#endif
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
dv2_free(t);
bn_free(b);
}
}
int fp_srt(fp_t c, const fp_t a) {
bn_t e;
fp_t t0;
fp_t t1;
int r = 0;
bn_null(e);
fp_null(t0);
fp_null(t1);
TRY {
bn_new(e);
fp_new(t0);
fp_new(t1);
/* Make e = p. */
e->used = FP_DIGS;
dv_copy(e->dp, fp_prime_get(), FP_DIGS);
if (fp_prime_get_mod8() == 3 || fp_prime_get_mod8() == 7) {
/* Easy case, compute a^((p + 1)/4). */
bn_add_dig(e, e, 1);
bn_rsh(e, e, 2);
fp_exp(t0, a, e);
fp_sqr(t1, t0);
r = (fp_cmp(t1, a) == CMP_EQ);
fp_copy(c, t0);
} else {
int f = 0, m = 0;
/* First, check if there is a root. Compute t1 = a^((p - 1)/2). */
bn_rsh(e, e, 1);
fp_exp(t0, a, e);
if (fp_cmp_dig(t0, 1) != CMP_EQ) {
/* Nope, there is no square root. */
r = 0;
} else {
r = 1;
/* Find a quadratic non-residue modulo p, that is a number t2
* such that (t2 | p) = t2^((p - 1)/2)!= 1. */
do {
fp_rand(t1);
fp_exp(t0, t1, e);
} while (fp_cmp_dig(t0, 1) == CMP_EQ);
/* Write p - 1 as (e * 2^f), odd e. */
bn_lsh(e, e, 1);
while (bn_is_even(e)) {
bn_rsh(e, e, 1);
f++;
}
/* Compute t2 = t2^e. */
fp_exp(t1, t1, e);
/* Compute t1 = a^e, c = a^((e + 1)/2) = a^(e/2 + 1), odd e. */
bn_rsh(e, e, 1);
fp_exp(t0, a, e);
fp_mul(e->dp, t0, a);
fp_sqr(t0, t0);
fp_mul(t0, t0, a);
fp_copy(c, e->dp);
while (1) {
if (fp_cmp_dig(t0, 1) == CMP_EQ) {
break;
}
fp_copy(e->dp, t0);
for (m = 0; (m < f) && (fp_cmp_dig(t0, 1) != CMP_EQ); m++) {
fp_sqr(t0, t0);
}
fp_copy(t0, e->dp);
for (int i = 0; i < f - m - 1; i++) {
fp_sqr(t1, t1);
}
fp_mul(c, c, t1);
fp_sqr(t1, t1);
fp_mul(t0, t0, t1);
f = m;
}
}
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(e);
fp_free(t0);
fp_free(t1);
}
return r;
}
