/**
 * Reduces a double-precision value modulo the prime using plain
 * multiple-precision division: c = a mod p.
 *
 * @param[out] c - the reduced result (FP_DIGS digits).
 * @param[in] a - the value to reduce (2 * FP_DIGS digits).
 */
void fp_rdc_basic(fp_t c, dv_t a) {
    dv_t quot, rem, num, mod;

    dv_null(quot);
    dv_null(rem);
    dv_null(num);
    dv_null(mod);

    TRY {
        dv_new(quot);
        dv_new(rem);
        dv_new(num);
        dv_new(mod);

        /* Work on copies of the operands: the dividend is the full
         * double-precision input and the divisor is the prime. */
        dv_copy(num, a, 2 * FP_DIGS);
        dv_copy(mod, fp_prime_get(), FP_DIGS);
        /* Second output of the division is the remainder, i.e. a mod p. */
        bn_divn_low(quot, rem, num, 2 * FP_DIGS, mod, FP_DIGS);
        fp_copy(c, rem);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(quot);
        dv_free(rem);
        dv_free(num);
        dv_free(mod);
    }
}
/**
 * Multiplies two quadratic extension field elements with a three-product
 * Karatsuba schedule, reducing modulo p only once per coefficient.
 *
 * @param[out] c - the product.
 * @param[in] a - the first element, a_0 + a_1 * u.
 * @param[in] b - the second element, b_0 + b_1 * u.
 */
void fp2_mul_basic(fp2_t c, fp2_t a, fp2_t b) {
    dv_t prod0, acc0, acc1, mid, prod1;

    dv_null(prod0);
    dv_null(acc0);
    dv_null(acc1);
    dv_null(mid);
    dv_null(prod1);

    TRY {
        dv_new(prod0);
        dv_new(acc0);
        dv_new(acc1);
        dv_new(mid);
        dv_new(prod1);

        /* Karatsuba: three double-precision products instead of four. */

        /* acc1 = a_0 + a_1, acc0 = b_0 + b_1. */
        fp_add(acc1, a[0], a[1]);
        fp_add(acc0, b[0], b[1]);
        /* mid = (a_0 + a_1) * (b_0 + b_1). */
        fp_muln_low(mid, acc1, acc0);
        /* prod0 = a_0 * b_0, prod1 = a_1 * b_1. */
        fp_muln_low(prod0, a[0], b[0]);
        fp_muln_low(prod1, a[1], b[1]);
        /* acc1 = a_0 * b_0 + a_1 * b_1 (unreduced). */
        fp_addc_low(acc1, prod0, prod1);
        /* acc0 = a_0 * b_0 - a_1 * b_1, then one further subtraction of prod1
         * per step of k from -1 down to qnr + 1: since u^2 is the quadratic
         * non-residue, this yields a_0 * b_0 + u^2 * a_1 * b_1 by repeated
         * subtraction. */
        fp_subc_low(acc0, prod0, prod1);
        int k = -1;
        while (k > fp_prime_get_qnr()) {
            fp_subc_low(acc0, acc0, prod1);
            k--;
        }
        /* c_0 = acc0 mod p. */
        fp_rdc(c[0], acc0);
        /* prod1 = mid - (a_0 * b_0 + a_1 * b_1) = a_0 * b_1 + a_1 * b_0. */
        fp_subc_low(prod1, mid, acc1);
        /* c_1 = prod1 mod p. */
        fp_rdc(c[1], prod1);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(prod0);
        dv_free(acc0);
        dv_free(acc1);
        dv_free(mid);
        dv_free(prod1);
    }
}
/**
 * Multiplies two binary field elements using right-to-left comb
 * multiplication over a fixed number of digits (no reduction).
 *
 * @param[out] c - the result (2 * size digits).
 * @param[in] a - the first binary field element.
 * @param[in] b - the second binary field element.
 * @param[in] size - the number of digits to multiply.
 */
static void fb_mul_rcomb_imp(dig_t *c, const dig_t *a, const dig_t *b, int size) {
    dv_t shifted;

    dv_null(shifted);

    TRY {
        dv_new(shifted);
        dv_zero(c, 2 * size);

        /* shifted = b with one spare digit that absorbs the shifted-out bits. */
        dv_copy(shifted, b, size);
        shifted[size] = 0;

        for (int bit = 0; bit < FB_DIGIT; bit++) {
            dig_t mask = (dig_t)1 << bit;
            /* Add b * z^bit at every digit of a whose bit is set. */
            for (int j = 0; j < size; j++) {
                if (a[j] & mask) {
                    fb_addd_low(c + j, c + j, shifted, size + 1);
                }
            }
            /* No shift needed once the last bit position has been handled. */
            if (bit < FB_DIGIT - 1) {
                bn_lsh1_low(shifted, shifted, size + 1);
            }
        }
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(shifted);
    }
}
/**
 * Converts a prime field element back into a multiple precision integer,
 * leaving the Montgomery representation when FP_RDC == MONTY.
 *
 * @param[out] c - the resulting integer.
 * @param[in] a - the prime field element.
 */
void fp_prime_back(bn_t c, const fp_t a) {
    dv_t wide;

    dv_null(wide);

    TRY {
        dv_new(wide);
        bn_grow(c, FP_DIGS);
        dv_copy(c->dp, a, FP_DIGS);
#if FP_RDC == MONTY
        /* The stored digits are in Montgomery form; one extra reduction of a
         * zero-extended copy maps them back to the plain residue. */
        dv_zero(wide, 2 * FP_DIGS + 1);
        dv_copy(wide, a, FP_DIGS);
        fp_rdc(c->dp, wide);
#endif
        c->used = FP_DIGS;
        c->sign = BN_POS;
        /* Drop leading zero digits so that used reflects the magnitude. */
        bn_trim(c);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(wide);
    }
}
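/**
 * Converts a single digit into a prime field element, placing it in
 * Montgomery form when FP_RDC == MONTY.
 *
 * @param[out] c - the resulting prime field element.
 * @param[in] a - the digit to convert.
 */
void fp_prime_conv_dig(fp_t c, dig_t a) {
    dv_t t;
    ctx_t *ctx = core_get();

    /* t is a dv_t: pair it with dv_null()/dv_new()/dv_free() consistently,
     * as every other dv_t in this file is. */
    dv_null(t);

    TRY {
        dv_new(t);
#if FP_RDC == MONTY
        if (a != 1) {
            /* t = a * conv, where conv is the precomputed R^2 mod p set up in
             * fp_prime_set(); a Montgomery reduction then yields a in
             * Montgomery form. */
            dv_zero(t, 2 * FP_DIGS + 1);
            t[FP_DIGS] = fp_mul1_low(t, ctx->conv.dp, a);
            fp_rdc(c, t);
        } else {
            /* The element one is precomputed in Montgomery form. */
            dv_copy(c, ctx->one.dp, FP_DIGS);
        }
#else
        (void)ctx;
        fp_zero(c);
        c[0] = a;
#endif
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(t);
    }
}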
/**
 * Multiplies two binary field elements using shift-and-add multiplication
 * over a fixed number of digits.
 *
 * @param[out] c - the result (2 * size digits).
 * @param[in] a - the first binary field element.
 * @param[in] b - the second binary field element.
 * @param[in] size - the number of digits to multiply.
 */
static void fb_mul_basic_imp(dig_t *c, const dig_t *a, const dig_t *b, int size) {
    dv_t shifted;

    dv_null(shifted);

    TRY {
        /* A scratch copy of b is needed so that c may alias a or b. */
        dv_new(shifted);
        dv_zero(shifted, 2 * FB_DIGS);
        dv_copy(shifted, b, size);
        dv_zero(c, 2 * size);

        /* Bit 0 of a contributes b itself. */
        if (a[0] & 1) {
            dv_copy(c, b, size);
        }
        /* Every further bit: shift the running value by one (reducing it) and
         * add it whenever the corresponding bit of a is set. */
        int nbits = FB_DIGIT * size;
        for (int bit = 1; bit < nbits; bit++) {
            fb_lsh1_low(shifted, shifted);
            fb_rdc(shifted, shifted);
            if (fb_get_bit(a, bit)) {
                fb_add(c, c, shifted);
            }
        }
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(shifted);
    }
}
/**
 * Multiplies two prime field elements using Karatsuba multiplication
 * followed by a modular reduction.
 *
 * @param[out] c - the result.
 * @param[in] a - the first prime field element.
 * @param[in] b - the second prime field element.
 */
void fp_mul_karat(fp_t c, const fp_t a, const fp_t b) {
    dv_t prod;

    dv_null(prod);

    TRY {
        /* The product goes into scratch space so that c may alias a or b. */
        dv_new(prod);
        dv_zero(prod, 2 * FP_DIGS);
        if (FP_DIGS <= 1) {
            /* Nothing to split: a single low-level product suffices. */
            fp_muln_low(prod, a, b);
        } else {
            fp_mul_karat_imp(prod, a, b, FP_DIGS, FP_KARAT);
        }
        fp_rdc(c, prod);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(prod);
    }
}
/**
 * Multiplies two prime field elements using schoolbook multiplication
 * followed by a modular reduction.
 *
 * @param[out] c - the result.
 * @param[in] a - the first prime field element.
 * @param[in] b - the second prime field element.
 */
void fp_mul_basic(fp_t c, const fp_t a, const fp_t b) {
    dv_t prod;

    dv_null(prod);

    TRY {
        /* Accumulate into scratch space so that c may alias a or b. */
        dv_new(prod);
        dv_zero(prod, 2 * FP_DIGS);
        /* Row i: add a[i] * b at digit offset i and store the carry digit
         * just above the partial product. */
        for (int i = 0; i < FP_DIGS; i++) {
            dig_t top = fp_mula_low(prod + i, b, a[i]);
            prod[i + FP_DIGS] = top;
        }
        fp_rdc(c, prod);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(prod);
    }
}
/**
 * Multiplies two binary field elements using left-to-right comb
 * multiplication followed by a modular reduction.
 *
 * @param[out] c - the result.
 * @param[in] a - the first binary field element.
 * @param[in] b - the second binary field element.
 */
void fb_mul_lcomb(fb_t c, const fb_t a, const fb_t b) {
    dv_t acc;

    dv_null(acc);

    TRY {
        dv_new(acc);
        dv_zero(acc, 2 * FB_DIGS);
        /* Process bit position i of every digit of a, from the most
         * significant position down, shifting the whole accumulator left by
         * one between positions. */
        int i = FB_DIGIT;
        while (i-- > 0) {
            dig_t mask = (dig_t)1 << i;
            for (int j = 0; j < FB_DIGS; j++) {
                if (a[j] & mask) {
                    /* fb_addn_low() is not usable here: the operands need not
                     * be aligned. */
                    fb_addd_low(acc + j, acc + j, b, FB_DIGS);
                }
            }
            if (i > 0) {
                /* Shift both halves and carry the bit across the boundary. */
                dig_t carry = fb_lsh1_low(acc, acc);
                fb_lsh1_low(acc + FB_DIGS, acc + FB_DIGS);
                acc[FB_DIGS] |= carry;
            }
        }
        fb_rdc(c, acc);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(acc);
    }
}
/**
 * Multiplies two binary field elements using right-to-left comb
 * multiplication followed by a modular reduction.
 *
 * @param[out] c - the result.
 * @param[in] a - the first binary field element.
 * @param[in] b - the second binary field element.
 */
void fb_mul_rcomb(fb_t c, const fb_t a, const fb_t b) {
    dv_t acc, shifted;

    dv_null(acc);
    dv_null(shifted);

    TRY {
        dv_new(acc);
        dv_new(shifted);
        dv_zero(acc, 2 * FB_DIGS);
        /* shifted = b with one spare digit that receives shifted-out bits. */
        dv_zero(shifted, FB_DIGS + 1);
        fb_copy(shifted, b);
        for (int bit = 0; bit < FB_DIGIT; bit++) {
            dig_t mask = (dig_t)1 << bit;
            for (int j = 0; j < FB_DIGS; j++) {
                if (a[j] & mask) {
                    fb_addd_low(acc + j, acc + j, shifted, FB_DIGS + 1);
                }
            }
            /* Shift b one position for the next bit, except after the last. */
            if (bit < FB_DIGIT - 1) {
                dig_t carry = fb_lsh1_low(shifted, shifted);
                shifted[FB_DIGS] = (shifted[FB_DIGS] << 1) | carry;
            }
        }
        fb_rdc(c, acc);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(acc);
        dv_free(shifted);
    }
}
/**
 * Multiplies a prime field element by a single digit.
 *
 * @param[out] c - the result.
 * @param[in] a - the prime field element.
 * @param[in] b - the digit.
 */
void fp_mul_dig(fp_t c, const fp_t a, dig_t b) {
    dv_t digit_elem;

    dv_null(digit_elem);

    TRY {
        dv_new(digit_elem);
        /* Lift the digit into the field representation first, then use the
         * generic field multiplication. */
        fp_prime_conv_dig(digit_elem, b);
        fp_mul(c, a, digit_elem);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(digit_elem);
    }
}
/**
 * Squares a binary field element using the table-based low-level squaring
 * followed by a modular reduction.
 *
 * @param[out] c - the result.
 * @param[in] a - the binary field element to square.
 */
void fb_sqr_table(fb_t c, const fb_t a) {
    dv_t square;

    dv_null(square);

    TRY {
        /* Square into scratch space so that c may alias a. */
        dv_new(square);
        fb_sqrl_low(square, a);
        fb_rdc(c, square);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(square);
    }
}
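/**
 * Reduces a double-precision binary field value modulo the field polynomial
 * bit by bit: c = a mod f(z), with f(z) taken from fb_poly_get().
 *
 * @param[out] c - the reduced result.
 * @param[in,out] a - the value to reduce (2 * FB_DIGS digits); it is reduced
 *                    in place and then copied to c.
 */
void fb_rdc_basic(fb_t c, dv_t a) {
    int j, k;
    dig_t *tmpa;
    dv_t r;

    dv_null(r);

    TRY {
        dv_new(r);
        tmpa = a + FB_DIGS;
        /* First reduce the high part. */
        for (int i = fb_bits(tmpa) - 1; i >= 0; i--) {
            if (fb_get_bit(tmpa, i)) {
                /* Offset of the reduction polynomial relative to tmpa, split into
                 * a digit offset j and a bit offset k; i - FB_BITS is typically
                 * negative here, so j reaches back into the low half of a. */
                SPLIT(k, j, i - FB_BITS, FB_DIG_LOG);
                if (k <= 0) {
                    fb_addd_low(tmpa + j, tmpa + j, fb_poly_get(), FB_DIGS);
                } else {
                    /* r = f(z) << k, one digit longer than the polynomial. */
                    r[FB_DIGS] = fb_lshb_low(r, fb_poly_get(), k);
                    fb_addd_low(tmpa + j, tmpa + j, r, FB_DIGS + 1);
                }
            }
        }
        /* Then reduce whatever remains at or above bit FB_BITS of the low part. */
        for (int i = fb_bits(a) - 1; i >= FB_BITS; i--) {
            if (fb_get_bit(a, i)) {
                SPLIT(k, j, i - FB_BITS, FB_DIG_LOG);
                if (k == 0) {
                    fb_addd_low(a + j, a + j, fb_poly_get(), FB_DIGS);
                } else {
                    r[FB_DIGS] = fb_lshb_low(r, fb_poly_get(), k);
                    fb_addd_low(a + j, a + j, r, FB_DIGS + 1);
                }
            }
        }
        fb_copy(c, a);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        /* r was obtained with dv_new(), so release it with the matching dv_free(). */
        dv_free(r);
    }
}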
/**
 * Multiplies two binary field elements using the Lopez-Dahab low-level
 * multiplication followed by a modular reduction.
 *
 * @param[out] c - the result.
 * @param[in] a - the first binary field element.
 * @param[in] b - the second binary field element.
 */
void fb_mul_lodah(fb_t c, const fb_t a, const fb_t b) {
    dv_t prod;

    dv_null(prod);

    TRY {
        dv_new(prod);
        /* Full product first, reduction second, so c may alias an operand. */
        fb_muln_low(prod, a, b);
        fb_rdc(c, prod);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(prod);
    }
}
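/**
 * Squares a prime field element using Comba squaring followed by a modular
 * reduction.
 *
 * @param[out] c - the result.
 * @param[in] a - the prime field element to square.
 */
void fp_sqr_comba(fp_t c, const fp_t a) {
    dv_t t;

    dv_null(t);

    TRY {
        dv_new(t);
        fp_sqrn_low(t, a);
        fp_rdc(c, t);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        /* t was allocated with dv_new(); release it with the matching dv_free()
         * rather than fp_free(). */
        dv_free(t);
    }
}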
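/**
 * Multiplies two binary field elements by shift-and-add: for each set bit i
 * of a, the running value b * z^i (kept reduced) is added to the result.
 *
 * @param[out] c - the result.
 * @param[in] a - the first binary field element.
 * @param[in] b - the second binary field element.
 */
void fb_mul_basic(fb_t c, const fb_t a, const fb_t b) {
    int i;
    dv_t s;
    fb_t t;

    dv_null(s);
    fb_null(t);

    TRY {
        /* We need a temporary variable so that c can be a or b. */
        fb_new(t);
        dv_new(s);
        fb_zero(t);
        dv_zero(s + FB_DIGS, FB_DIGS);
        fb_copy(s, b);
        if (a[0] & 1) {
            fb_copy(t, b);
        }
        for (i = 1; i < FB_BITS; i++) {
            /* We are already shifting a temporary value, so this is more efficient
             * than calling fb_lsh(). */
            s[FB_DIGS] = fb_lsh1_low(s, s);
            fb_rdc(s, s);
            if (fb_get_bit(a, i)) {
                fb_add(t, t, s);
            }
        }
        /* The accumulated sum may have reached degree FB_BITS; fold it once
         * with the field polynomial in that case, otherwise copy it out. */
        if (fb_bits(t) > FB_BITS) {
            fb_poly_add(c, t);
        } else {
            fb_copy(c, t);
        }
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        fb_free(t);
        /* s was obtained with dv_new(), so release it with dv_free(). */
        dv_free(s);
    }
}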
/**
 * Multiplies a binary field element by a single digit.
 *
 * @param[out] c - the result.
 * @param[in] a - the binary field element.
 * @param[in] b - the digit.
 */
void fb_mul_dig(fb_t c, fb_t a, dig_t b) {
    dv_t prod;

    dv_null(prod);

    TRY {
        /* Scratch space for the product lets c alias a. */
        dv_new(prod);
        fb_mul1_low(prod, a, b);
        fb_rdc1_low(c, prod);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(prod);
    }
}
/**
 * Multiplies two binary field elements using Karatsuba multiplication
 * followed by a modular reduction.
 *
 * @param[out] c - the result.
 * @param[in] a - the first binary field element.
 * @param[in] b - the second binary field element.
 */
void fb_mul_karat(fb_t c, const fb_t a, const fb_t b) {
    dv_t prod;

    dv_null(prod);

    TRY {
        /* Scratch space for the product lets c alias a or b. */
        dv_new(prod);
        dv_zero(prod, 2 * FB_DIGS);
        fb_mul_karat_imp(prod, a, b, FB_DIGS, FB_KARAT);
        fb_rdc(c, prod);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(prod);
    }
}
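/**
 * Multiplies two prime field elements using Comba multiplication followed
 * by a modular reduction.
 *
 * @param[out] c - the result.
 * @param[in] a - the first prime field element.
 * @param[in] b - the second prime field element.
 */
void fp_mul_comba(fp_t c, const fp_t a, const fp_t b) {
    dv_t t;

    dv_null(t);

    TRY {
        /* We need a temporary variable so that c can be a or b. */
        dv_new(t);
        fp_muln_low(t, a, b);
        fp_rdc(c, t);
        /* t is released once, in FINALLY; a second dv_free() here would be a
         * double free on any dv_free() implementation that does not reset the
         * pointer. */
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(t);
    }
}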
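/**
 * Squares a prime field element using schoolbook squaring followed by a
 * modular reduction.
 *
 * @param[out] c - the result.
 * @param[in] a - the prime field element to square.
 */
void fp_sqr_basic(fp_t c, const fp_t a) {
    int i;
    dv_t t;

    dv_null(t);

    TRY {
        dv_new(t);
        dv_zero(t, 2 * RLC_FP_DIGS);
        /* Row i of the square starts at digit 2 * i and spans the remaining
         * RLC_FP_DIGS - i digits of a. */
        for (i = 0; i < RLC_FP_DIGS; i++) {
            bn_sqra_low(t + (2 * i), a + i, RLC_FP_DIGS - i);
        }
        fp_rdc(c, t);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        /* t was allocated with dv_new(); release it with the matching dv_free()
         * rather than fp_free(). */
        dv_free(t);
    }
}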
/**
 * Squares a prime field element using Karatsuba squaring followed by a
 * modular reduction.
 *
 * @param[out] c - the result.
 * @param[in] a - the prime field element to square.
 */
void fp_sqr_karat(fp_t c, const fp_t a) {
    dv_t square;

    dv_null(square);

    TRY {
        dv_new(square);
        dv_zero(square, 2 * RLC_FP_DIGS);
        if (RLC_FP_DIGS <= 1) {
            /* A single digit cannot be split: use the plain low-level square. */
            fp_sqrn_low(square, a);
        } else {
            fp_sqr_karat_imp(square, a, RLC_FP_DIGS, FP_KARAT);
        }
        fp_rdc(c, square);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(square);
    }
}
/**
 * Multiplies two cubic extension field elements with a Karatsuba-style
 * schedule: three products of matching coefficients plus three products of
 * pairwise sums, accumulated in double precision and reduced once per output
 * coefficient.
 *
 * @param[out] c - the product.
 * @param[in] a - the first element (a_0, a_1, a_2).
 * @param[in] b - the second element (b_0, b_1, b_2).
 */
void fp3_mul_basic(fp3_t c, fp3_t a, fp3_t b) {
    dv_t t, t0, t1, t2, t3, t4, t5, t6;

    dv_null(t);
    dv_null(t0);
    dv_null(t1);
    dv_null(t2);
    dv_null(t3);
    dv_null(t4);
    dv_null(t5);
    dv_null(t6);

    TRY {
        dv_new(t);
        dv_new(t0);
        dv_new(t1);
        dv_new(t2);
        dv_new(t3);
        dv_new(t4);
        dv_new(t5);
        dv_new(t6);

        /* Karatsuba algorithm. */

        /* t0 = a_0 * b_0, t1 = a_1 * b_1, t2 = a_2 * b_2. */
        fp_muln_low(t0, a[0], b[0]);
        fp_muln_low(t1, a[1], b[1]);
        fp_muln_low(t2, a[2], b[2]);

        /* t = (a_1 + a_2) * (b_1 + b_2). */
        fp_add(t3, a[1], a[2]);
        fp_add(t4, b[1], b[2]);
        fp_muln_low(t, t3, t4);
        /* t4 = t - (a_1 * b_1 + a_2 * b_2) = a_1 * b_2 + a_2 * b_1. */
        fp_addd_low(t6, t1, t2);
        fp_subc_low(t4, t, t6);
        /* t3 = a_0 * b_0 - t4, then t4 is subtracted once more per loop
         * iteration (i from -1 down to cnr + 1): the multiplication by the
         * cubic non-residue is carried out by repeated subtraction, as
         * fp2_mul_basic() does with the quadratic non-residue. */
        fp_subc_low(t3, t0, t4);
        for (int i = -1; i > fp_prime_get_cnr(); i--) {
            fp_subc_low(t3, t3, t4);
        }

        /* t = (a_0 + a_1) * (b_0 + b_1). */
        fp_add(t4, a[0], a[1]);
        fp_add(t5, b[0], b[1]);
        fp_muln_low(t, t4, t5);
        /* t4 = t - (a_0 * b_0 + a_1 * b_1) = a_0 * b_1 + a_1 * b_0. */
        fp_addd_low(t4, t0, t1);
        fp_subc_low(t4, t, t4);
        /* t4 = t4 - a_2 * b_2, again repeated once more per loop iteration. */
        fp_subc_low(t4, t4, t2);
        for (int i = -1; i > fp_prime_get_cnr(); i--) {
            fp_subc_low(t4, t4, t2);
        }

        /* t = (a_0 + a_2) * (b_0 + b_2). */
        fp_add(t5, a[0], a[2]);
        fp_add(t6, b[0], b[2]);
        fp_muln_low(t, t5, t6);
        /* t5 = t - (a_0 * b_0 + a_2 * b_2) + a_1 * b_1
         *    = a_0 * b_2 + a_2 * b_0 + a_1 * b_1. */
        fp_addd_low(t6, t0, t2);
        fp_subc_low(t5, t, t6);
        fp_addc_low(t5, t5, t1);

        /* c_0 = t3 mod p. */
        fp_rdc(c[0], t3);
        /* c_1 = t4 mod p. */
        fp_rdc(c[1], t4);
        /* c_2 = t5 mod p. */
        fp_rdc(c[2], t5);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(t);
        dv_free(t0);
        dv_free(t1);
        dv_free(t2);
        dv_free(t3);
        dv_free(t4);
        dv_free(t5);
        dv_free(t6);
    }
}
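/**
 * Multiplies two prime field elements using recursive Karatsuba
 * multiplication.
 *
 * Splits the operands into a low half of h digits and a high half of h1
 * digits, computes a0*b0, a1*b1 and (a0 + a1)*(b0 + b1), and assembles the
 * 2 * size digit product in c.
 *
 * @param[out] c - the result.
 * @param[in] a - the first prime field element.
 * @param[in] b - the second prime field element.
 * @param[in] size - the number of digits to multiply.
 * @param[in] level - the number of Karatsuba steps to apply.
 */
static void fp_mul_karat_imp(dv_t c, const fp_t a, const fp_t b, int size, int level) {
    int i, h, h1;
    dv_t a1, b1, a0b0, a1b1, t;
    dig_t carry;

    /* Compute half the digits of a or b. */
    h = size >> 1;
    h1 = size - h;

    dv_null(a1);
    dv_null(b1);
    dv_null(a0b0);
    dv_null(a1b1);
    /* t must be nulled like the others: if an earlier dv_new() throws, FINALLY
     * would otherwise dv_free() an uninitialized pointer. */
    dv_null(t);

    TRY {
        /* Allocate the temp variables. */
        dv_new(a1);
        dv_new(b1);
        dv_new(a0b0);
        dv_new(a1b1);
        dv_new(t);
        dv_zero(a1, h1 + 1);
        dv_zero(b1, h1 + 1);
        dv_zero(a0b0, 2 * h);
        dv_zero(a1b1, 2 * h1);
        dv_zero(t, 2 * h1 + 1);

        /* a0b0 = a0 * b0 and a1b1 = a1 * b1 */
        if (level <= 1) {
#if FP_MUL == BASIC
            for (i = 0; i < h; i++) {
                carry = bn_mula_low(a0b0 + i, a, *(b + i), h);
                *(a0b0 + i + h) = carry;
            }
            for (i = 0; i < h1; i++) {
                carry = bn_mula_low(a1b1 + i, a + h, *(b + h + i), h1);
                *(a1b1 + i + h1) = carry;
            }
#elif FP_MUL == COMBA || FP_MUL == INTEG
            bn_muln_low(a0b0, a, b, h);
            bn_muln_low(a1b1, a + h, b + h, h1);
#endif
        } else {
            fp_mul_karat_imp(a0b0, a, b, h, level - 1);
            fp_mul_karat_imp(a1b1, a + h, b + h, h1, level - 1);
        }

        /* c = a1b1 << 2*h digits + a0b0. */
        for (i = 0; i < 2 * h; i++) {
            c[i] = a0b0[i];
        }
        /* NOTE(review): this copies 2 * h1 + 1 digits although only 2 * h1 were
         * zeroed/written above, so c[2 * size] may receive an uninitialized
         * digit — confirm whether any caller reads it. */
        for (i = 0; i < 2 * h1 + 1; i++) {
            c[2 * h + i] = a1b1[i];
        }

        /* a1 = (a1 + a0), with the carry and (for odd sizes) the extra top digit
         * of a folded into the digits above h. */
        carry = bn_addn_low(a1, a, a + h, h);
        bn_add1_low(a1 + h, a1 + h, carry, 2);
        if (h1 > h) {
            bn_add1_low(a1 + h, a1 + h, *(a + 2 * h), 2);
        }

        /* b1 = (b1 + b0) */
        carry = bn_addn_low(b1, b, b + h, h);
        bn_add1_low(b1 + h, b1 + h, carry, 2);
        if (h1 > h) {
            bn_add1_low(b1 + h, b1 + h, *(b + 2 * h), 2);
        }

        if (level <= 1) {
            /* t = (a1 + a0)*(b1 + b0) */
#if FP_MUL == BASIC
            for (i = 0; i < h1 + 1; i++) {
                carry = bn_mula_low(t + i, a1, *(b1 + i), h1 + 1);
                *(t + i + h1 + 1) = carry;
            }
#elif FP_MUL == COMBA || FP_MUL == INTEG
            bn_muln_low(t, a1, b1, h1 + 1);
#endif
        } else {
            fp_mul_karat_imp(t, a1, b1, h1 + 1, level - 1);
        }

        /* t = t - (a0*b0 << h digits) */
        carry = bn_subn_low(t, t, a0b0, 2 * h);
        bn_sub1_low(t + 2 * h, t + 2 * h, carry, 2 * (h1 + 1) - 2 * h);

        /* t = t - (a1*b1 << h digits); the borrow is propagated from digit 2*h1. */
        carry = bn_subn_low(t, t, a1b1, 2 * h1);
        bn_sub1_low(t + 2 * h1, t + 2 * h1, carry, 2 * (h1 + 1) - 2 * h1);

        /* c = c + [(a1 + a0)*(b1 + b0) << digits] */
        c += h;
        carry = bn_addn_low(c, c, t, 2 * (h1 + 1));
        c += 2 * (h1 + 1);
        bn_add1_low(c, c, carry, 2 * size - h - 2 * (h1 + 1));
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(a1);
        dv_free(b1);
        dv_free(a0b0);
        dv_free(a1b1);
        dv_free(t);
    }
}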
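/**
 * Computes the square of a multiple precision integer using recursive
 * Karatsuba squaring.
 *
 * Splits a into a low half of h digits and a high half of h1 digits, computes
 * a0*a0, a1*a1 and (a0 + a1)^2, and assembles the 2 * size digit square in c.
 *
 * @param[out] c - the result.
 * @param[in] a - the prime field element to square.
 * @param[in] size - the number of digits to square.
 * @param[in] level - the number of Karatsuba steps to apply.
 */
static void fp_sqr_karat_imp(dv_t c, const fp_t a, int size, int level) {
    int i, h, h1;
    dv_t t0, t1, a0a0, a1a1;
    dig_t carry;

    /* Compute half the digits of a or b. */
    h = size >> 1;
    h1 = size - h;

    dv_null(t0);
    dv_null(t1);
    dv_null(a0a0);
    dv_null(a1a1);

    TRY {
        /* Allocate the temp variables. */
        dv_new(t0);
        dv_new(t1);
        dv_new(a0a0);
        dv_new(a1a1);
        dv_zero(t0, 2 * h1);
        dv_zero(t1, 2 * (h1 + 1));
        dv_zero(a0a0, 2 * h);
        dv_zero(a1a1, 2 * h1);

        if (level <= 1) {
            /* a0a0 = a0 * a0 and a1a1 = a1 * a1 */
#if FP_SQR == BASIC
            for (i = 0; i < h; i++) {
                bn_sqra_low(a0a0 + (2 * i), a + i, h - i);
            }
            for (i = 0; i < h1; i++) {
                bn_sqra_low(a1a1 + (2 * i), a + h + i, h1 - i);
            }
#elif FP_SQR == COMBA || FP_SQR == INTEG
            bn_sqrn_low(a0a0, a, h);
            bn_sqrn_low(a1a1, a + h, h1);
#elif FP_SQR == MULTP
            bn_muln_low(a0a0, a, a, h);
            bn_muln_low(a1a1, a + h, a + h, h1);
#endif
        } else {
            fp_sqr_karat_imp(a0a0, a, h, level - 1);
            fp_sqr_karat_imp(a1a1, a + h, h1, level - 1);
        }

        /* c = a1 * a1 << 2*h digits + a0 * a0. */
        for (i = 0; i < 2 * h; i++) {
            c[i] = a0a0[i];
        }
        for (i = 0; i < 2 * h1; i++) {
            c[2 * h + i] = a1a1[i];
        }

        /* t0 = (a1 + a0), with the carry and (for odd sizes) the extra top digit
         * of a folded into the digits above h. */
        carry = bn_addn_low(t0, a, a + h, h);
        bn_add1_low(t0 + h, t0 + h, carry, 2);
        if (h1 > h) {
            bn_add1_low(t0 + h, t0 + h, *(a + 2 * h), 2);
        }

        if (level <= 1) {
            /* t1 = (a1 + a0)*(a1 + a0) */
#if FP_SQR == BASIC
            for (i = 0; i < h1 + 1; i++) {
                bn_sqra_low(t1 + (2 * i), t0 + i, h1 + 1 - i);
            }
#elif FP_SQR == COMBA || FP_SQR == INTEG
            bn_sqrn_low(t1, t0, h1 + 1);
#elif FP_SQR == MULTP
            bn_muln_low(t1, t0, t0, h1 + 1);
#endif
        } else {
            fp_sqr_karat_imp(t1, t0, h1 + 1, level - 1);
        }

        /* t1 = t1 - (a0*a0 << h digits) */
        carry = bn_subn_low(t1, t1, a0a0, 2 * h);
        bn_sub1_low(t1 + 2 * h, t1 + 2 * h, carry, 2 * (h1 + 1) - 2 * h);

        /* t1 = t1 - (a1*a1 << h digits). The borrow out of the 2*h1-digit
         * subtraction belongs at digit 2*h1, not 2*h: for odd sizes h1 = h + 1
         * and applying it two digits too low corrupts the result whenever a
         * borrow occurs. This mirrors fp_mul_karat_imp(). */
        carry = bn_subn_low(t1, t1, a1a1, 2 * h1);
        bn_sub1_low(t1 + 2 * h1, t1 + 2 * h1, carry, 2 * (h1 + 1) - 2 * h1);

        /* c = c + [(a1 + a0)*(a1 + a0) << digits] */
        c += h;
        carry = bn_addn_low(c, c, t1, 2 * (h1 + 1));
        c += 2 * (h1 + 1);
        bn_add1_low(c, c, carry, 2 * size - h - 2 * (h1 + 1));
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(t0);
        dv_free(t1);
        dv_free(a0a0);
        dv_free(a1a1);
    }
}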
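/**
 * Exercises sparse matrix-vector multiplication: with y set to all ones,
 * every entry of the result x must equal the sum of the entries in the
 * corresponding column of M, within PROB_DELTA. Aborts on any failure.
 */
void test_mult(void) {
    bsc_hist_t *H;
    csc_mat_t *M;
    dv_t *x, *x2, *y;
    int i;

    printf("Testing matrix-vector multiplication...");
    fflush(stdout);

    x = dv_new(RC_NCOLS);
    x2 = dv_new(RC_NCOLS);
    y = dv_new(RC_NROWS);
    if (!x || !x2 || !y) {
        perror("dv_new");
        abort();
    }
    dv_uniform(y, 1.0);

    H = bsc_random(RC_NROWS, RC_NCOLS, RC_NENT, 1);
    M = bsc_normalise(H);
    bsc_hist_destroy(H);
    if (!csc_check(M, 1)) abort();

    mult_csc_dv(x, y, M);
    for (i = 0; i < RC_NCOLS; i++) {
        int j;
        float s = 0.0;
        /* Column i of the CSC matrix spans entries ci[i] .. ci[i+1]-1. */
        for (j = M->ci[i]; j < M->ci[i + 1]; j++) s += M->entries[j];
        /* Compare magnitudes explicitly: abs() takes an int and would truncate
         * the float difference, and a bare "difference - PROB_DELTA" is
         * non-zero (true) for almost any value, so it checks nothing. */
        float diff = s - x->entries[i];
        if (diff < 0.0f) diff = -diff;
        assert(diff < PROB_DELTA);
    }
    printf(" done.\n");

#if 0
    printf("Testing strided (%d) matrix-vector multiplication...", RC_STRIDE);
    fflush(stdout);
    csc_stride(M, RC_STRIDE);
    if (!csc_check(M, 1)) abort();
    csc_str_mult_nv(x2, y, M);
    for (i = 0; i < x->length; i++) assert(x->entries[i] == x2->entries[i]);
    printf(" done.\n");

    printf("Testing strided (%d) collision-free multiplication...", RC_STRIDE);
    fflush(stdout);
    csc_make_cfree(M, RC_CFSPAN);
    if (!csc_check(M, 1)) abort();
    csc_mult_cf(x2, y, M);
    for (i = 0; i < x->length; i++) assert(x->entries[i] == x2->entries[i]);
    printf(" done.\n");
#endif

    csc_mat_destroy(M);
    dv_destroy(x);
    dv_destroy(x2);
    dv_destroy(y);
}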
/**
 * Squares a cubic extension field element, accumulating in double precision
 * and reducing once per output coefficient. The cross terms are recovered
 * from the squares of (a_0 + a_2 + a_1) and (a_0 + a_2 - a_1).
 *
 * @param[out] c - the square.
 * @param[in] a - the element (a_0, a_1, a_2) to square.
 */
void fp3_sqr_basic(fp3_t c, fp3_t a) {
    dv_t t0, t1, t2, t3, t4, t5;

    dv_null(t0);
    dv_null(t1);
    dv_null(t2);
    dv_null(t3);
    dv_null(t4);
    dv_null(t5);

    TRY {
        dv_new(t0);
        dv_new(t1);
        dv_new(t2);
        dv_new(t3);
        dv_new(t4);
        dv_new(t5);

        /* t0 = a_0^2. */
        fp_sqrn_low(t0, a[0]);

        /* t1 = 2 * a_1 * a_2. */
        fp_dbl(t2, a[1]);
        fp_muln_low(t1, t2, a[2]);

        /* t2 = a_2^2. */
        fp_sqrn_low(t2, a[2]);

        /* t3 = (a_0 + a_2 + a_1)^2, t4 = (a_0 + a_2 - a_1)^2. */
        fp_add(t3, a[0], a[2]);
        fp_add(t4, t3, a[1]);
        fp_sub(t5, t3, a[1]);
        fp_sqrn_low(t3, t4);
        fp_sqrn_low(t4, t5);

        /* t4 = (t4 + t3)/2, i.e. (a_0 + a_2)^2 + a_1^2. */
        fp_addd_low(t4, t4, t3);
        fp_hlvd_low(t4, t4);

        /* t3 = t3 - t4 - t1, i.e. 2 * a_0 * a_1. */
        fp_addc_low(t5, t1, t4);
        fp_subc_low(t3, t3, t5);

        /* c_2 = t4 - t0 - t2, i.e. 2 * a_0 * a_2 + a_1^2. */
        fp_addc_low(t5, t0, t2);
        fp_subc_low(t4, t4, t5);
        fp_rdc(c[2], t4);

        /* c_0 = t0 + t1 * B: the multiplication by the cubic non-residue B is
         * done by subtracting t1 once and then once more per loop iteration
         * (i from -1 down to cnr + 1), as in fp3_mul_basic(). */
        fp_subc_low(t0, t0, t1);
        for (int i = -1; i > fp_prime_get_cnr(); i--) {
            fp_subc_low(t0, t0, t1);
        }
        fp_rdc(c[0], t0);

        /* c_1 = t3 + t2 * B, by the same repeated subtraction. */
        fp_subc_low(t3, t3, t2);
        for (int i = -1; i > fp_prime_get_cnr(); i--) {
            fp_subc_low(t3, t3, t2);
        }
        fp_rdc(c[1], t3);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(t0);
        dv_free(t1);
        dv_free(t2);
        dv_free(t3);
        dv_free(t4);
        dv_free(t5);
    }
}
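/**
 * Squares a binary field element and reduces the result, using scratch
 * space for the double-precision intermediate.
 *
 * @param[out] c - the reduced square.
 * @param[in] a - the binary field element to square.
 */
void fb_sqrm_low(dig_t *c, const dig_t *a) {
    dv_t t;

    dv_null(t);

    TRY {
        dv_new(t);
        fb_sqri_low(c, t, a);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        /* Release the scratch buffer on every path; dv_new() allocates when the
         * library is built with dynamic allocation, so it must be freed. */
        dv_free(t);
    }
}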
/**
 * Assigns the prime field modulus and derives the per-context constants that
 * depend on it: p mod 8, the quadratic and cubic non-residue choices, and
 * (when Montgomery reduction is compiled in) u from bn_mod_pre_monty(),
 * conv = R^2 mod p and one = R mod p, where R = 2^(FP_DIGS * BN_DIGIT).
 *
 * @param[in] p - the new prime field modulus; must be exactly FP_DIGS digits.
 * @throw ERR_NO_VALID - if p has the wrong number of digits (thrown before
 *        TRY), if p mod 8 is even, or if FP_QNRES is defined and p mod 8 != 3;
 *        the latter two are thrown inside TRY and therefore surface as
 *        ERR_CAUGHT.
 */
static void fp_prime_set(const bn_t p) {
    dv_t s, q;
    bn_t t;
    ctx_t *ctx = core_get();

    if (p->used != FP_DIGS) {
        THROW(ERR_NO_VALID);
    }

    dv_null(s);
    bn_null(t);
    dv_null(q);

    TRY {
        dv_new(s);
        bn_new(t);
        dv_new(q);

        bn_copy(&(ctx->prime), p);
        bn_mod_dig(&(ctx->mod8), &(ctx->prime), 8);

        /* Pick small non-residues from p mod 8. -1 is a quadratic non-residue
         * exactly when p = 3 (mod 4), which covers the 3 and 7 cases.
         * NOTE(review): -2 is a quadratic residue when p = 1 (mod 8), so the
         * qnr = -2 choice looks valid only for p = 5 (mod 8) — confirm. */
        switch (ctx->mod8) {
            case 3:
            case 7:
                ctx->qnr = -1;
                /* The current code for extensions of Fp^3 relies on qnr being
                 * also a cubic non-residue. */
                ctx->cnr = 0;
                break;
            case 1:
            case 5:
                ctx->qnr = ctx->cnr = -2;
                break;
            default:
                /* Even residues mod 8 cannot be an odd prime. */
                ctx->qnr = ctx->cnr = 0;
                THROW(ERR_NO_VALID);
                break;
        }
#ifdef FP_QNRES
        if (ctx->mod8 != 3) {
            THROW(ERR_NO_VALID);
        }
#endif
#if FP_RDC == MONTY || !defined(STRIP)
        bn_mod_pre_monty(t, &(ctx->prime));
        ctx->u = t->dp[0];
        /* s = R^2 (a single 1 at digit 2 * FP_DIGS); its remainder mod p is
         * the conversion constant used to enter Montgomery form. */
        dv_zero(s, 2 * FP_DIGS);
        s[2 * FP_DIGS] = 1;
        dv_zero(q, 2 * FP_DIGS + 1);
        dv_copy(q, ctx->prime.dp, FP_DIGS);
        bn_divn_low(t->dp, ctx->conv.dp, s, 2 * FP_DIGS + 1, q, FP_DIGS);
        ctx->conv.used = FP_DIGS;
        bn_trim(&(ctx->conv));
        /* one = R mod p: the element 1 in Montgomery form. */
        bn_set_dig(&(ctx->one), 1);
        bn_lsh(&(ctx->one), &(ctx->one), ctx->prime.used * BN_DIGIT);
        bn_mod(&(ctx->one), &(ctx->one), &(ctx->prime));
#endif
        fp_prime_calc();
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        bn_free(t);
        dv_free(s);
        dv_free(q);
    }
}
/**
 * Multiplies two binary field elements using recursive Karatsuba
 * multiplication.
 *
 * In characteristic two addition and subtraction coincide, so every
 * "c = c - ..." step below is an fb_addd_low() call. The three partial
 * products a0*b0, a1*b1 and (a0 + a1)*(b0 + b1) are combined into the
 * 2 * size digit product in c (no reduction).
 *
 * @param[out] c - the result.
 * @param[in] a - the first binary field element.
 * @param[in] b - the second binary field element.
 * @param[in] size - the number of digits to multiply.
 * @param[in] level - the number of Karatsuba steps to apply.
 */
static void fb_mul_karat_imp(dv_t c, const fb_t a, const fb_t b, int size, int level) {
    int i, h, h1;
    dv_t a1, b1, ab;
    dig_t *a0b0, *a1b1;

    dv_null(a1);
    dv_null(b1);
    dv_null(ab);

    /* Compute half the digits of a or b. */
    h = size >> 1;
    h1 = size - h;

    TRY {
        /* Allocate the temp variables. */
        dv_new(a1);
        dv_new(b1);
        dv_new(ab);
        /* Both partial products share one buffer: a0b0 in the low 2*h digits,
         * a1b1 in the following 2*h1 digits. */
        a0b0 = ab;
        a1b1 = ab + 2 * h;

        /* a0b0 = a0 * b0 and a1b1 = a1 * b1 */
        if (level <= 1) {
#if FB_MUL == BASIC
            fb_mul_basic_imp(a0b0, a, b, h);
            fb_mul_basic_imp(a1b1, a + h, b + h, h1);
#elif FB_MUL == LCOMB
            fb_mul_lcomb_imp(a0b0, a, b, h);
            fb_mul_lcomb_imp(a1b1, a + h, b + h, h1);
#elif FB_MUL == RCOMB
            fb_mul_rcomb_imp(a0b0, a, b, h);
            fb_mul_rcomb_imp(a1b1, a + h, b + h, h1);
#elif FB_MUL == INTEG || FB_MUL == LODAH
            fb_muld_low(a0b0, a, b, h);
            fb_muld_low(a1b1, a + h, b + h, h1);
#endif
        } else {
            fb_mul_karat_imp(a0b0, a, b, h, level - 1);
            fb_mul_karat_imp(a1b1, a + h, b + h, h1, level - 1);
        }

        /* c = a1b1 << 2*h digits + a0b0. */
        for (i = 0; i < 2 * size; i++) {
            c[i] = ab[i];
        }

        /* c = c - (a0*b0 << h digits) */
        fb_addd_low(c + h, c + h, a0b0, 2 * h);
        /* c = c - (a1*b1 << h digits) */
        fb_addd_low(c + h, c + h, a1b1, 2 * h1);

        /* a1 = (a1 + a0) */
        fb_addd_low(a1, a, a + h, h);
        /* b1 = (b1 + b0) */
        fb_addd_low(b1, b, b + h, h);
        /* For odd sizes the top digit of the high half has no counterpart in the
         * low half; copy it across unchanged. */
        if (h1 > h) {
            a1[h1 - 1] = a[h + h1 - 1];
            b1[h1 - 1] = b[h + h1 - 1];
        }

        /* The a1b1 region of ab is reused as scratch here: its original contents
         * were already copied into c above. */
        if (level <= 1) {
            /* a1b1 = (a1 + a0)*(b1 + b0) */
#if FB_MUL == BASIC
            fb_mul_basic_imp(a1b1, a1, b1, h1);
#elif FB_MUL == LCOMB
            fb_mul_lcomb_imp(a1b1, a1, b1, h1);
#elif FB_MUL == RCOMB
            fb_mul_rcomb_imp(a1b1, a1, b1, h1);
#elif FB_MUL == INTEG || FB_MUL == LODAH
            fb_muld_low(a1b1, a1, b1, h1);
#endif
        } else {
            fb_mul_karat_imp(a1b1, a1, b1, h1, level - 1);
        }

        /* c = c + [(a1 + a0)*(b1 + b0) << digits] */
        fb_addd_low(c + h, c + h, a1b1, 2 * h1);
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        dv_free(a1);
        dv_free(b1);
        dv_free(ab);
    }
}
/**
 * Doubles a point in Jacobian projective coordinates and evaluates the
 * tangent line at the point q, for curves with embedding degree 2, using
 * lazy reduction for the y3 computation. The dbl-2001-b formulas assume the
 * curve coefficient a = -3.
 *
 * @param[out] l - the evaluated line function (l_0, l_1).
 * @param[out] r - the doubled point, in projective coordinates (r->norm = 0).
 * @param[in] p - the point to double.
 * @param[in] q - the point at which the line is evaluated.
 */
void pp_dbl_k2_projc_lazyr(fp2_t l, ep_t r, ep_t p, ep_t q) {
    fp_t t0, t1, t2, t3, t4, t5;
    dv_t u0, u1;

    fp_null(t0);
    fp_null(t1);
    fp_null(t2);
    fp_null(t3);
    fp_null(t4);
    fp_null(t5);
    dv_null(u0);
    dv_null(u1);

    TRY {
        fp_new(t0);
        fp_new(t1);
        fp_new(t2);
        fp_new(t3);
        fp_new(t4);
        fp_new(t5);
        dv_new(u0);
        dv_new(u1);

        /* For these curves, we always can choose a = -3. */
        /* dbl-2001-b formulas: 3M + 5S + 8add + 1*4 + 2*8 + 1*3 */
        /* http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b */

        /* t0 = delta = z1^2. */
        fp_sqr(t0, p->z);

        /* t1 = gamma = y1^2. */
        fp_sqr(t1, p->y);

        /* t2 = beta = x1 * y1^2. */
        fp_mul(t2, p->x, t1);

        /* t3 = alpha = 3 * (x1 - z1^2) * (x1 + z1^2). */
        fp_sub(t3, p->x, t0);
        fp_add(t4, p->x, t0);
        fp_mul(t4, t3, t4);
        fp_dbl(t3, t4);
        fp_add(t3, t3, t4);

        /* t2 = 4 * beta. */
        fp_dbl(t2, t2);
        fp_dbl(t2, t2);

        /* z3 = (y1 + z1)^2 - gamma - delta. */
        fp_add(r->z, p->y, p->z);
        fp_sqr(r->z, r->z);
        fp_sub(r->z, r->z, t1);
        fp_sub(r->z, r->z, t0);

        /* l0 = 2 * gamma - alpha * (delta * xq + x1). */
        fp_dbl(t1, t1);
        fp_mul(t5, t0, q->x);
        fp_add(t5, t5, p->x);
        fp_mul(t5, t5, t3);
        fp_sub(l[0], t1, t5);

        /* x3 = alpha^2 - 8 * beta. */
        fp_dbl(t5, t2);
        fp_sqr(r->x, t3);
        fp_sub(r->x, r->x, t5);

        /* y3 = alpha * (4 * beta - x3) - 8 * gamma^2.
         * t1 already holds 2 * gamma, so its unreduced square doubled is
         * 8 * gamma^2; the product and the subtraction stay in double precision
         * and a single reduction produces y3. */
        fp_sqrn_low(u0, t1);
        fp_addc_low(u0, u0, u0);
        fp_subm_low(r->y, t2, r->x);
        fp_muln_low(u1, r->y, t3);
        fp_subc_low(u1, u1, u0);
        fp_rdcn_low(r->y, u1);

        /* l1 = - z3 * delta * yq. */
        fp_mul(l[1], r->z, t0);
        fp_mul(l[1], l[1], q->y);

        /* The result is left in projective form. */
        r->norm = 0;
    }
    CATCH_ANY {
        THROW(ERR_CAUGHT);
    }
    FINALLY {
        fp_free(t0);
        fp_free(t1);
        fp_free(t2);
        fp_free(t3);
        fp_free(t4);
        fp_free(t5);
        dv_free(u0);
        dv_free(u1);
    }
}