void eb_hlv(eb_t r, const eb_t p) {
fb_t l, t;
fb_null(l);
fb_null(t);
TRY {
fb_new(l);
fb_new(t);
/* Solve l^2 + l = u + a. */
switch (eb_curve_opt_a()) {
case RLC_ZERO:
fb_copy(t, p->x);
break;
case RLC_ONE:
fb_add_dig(t, p->x, (dig_t)1);
break;
case RLC_TINY:
fb_add_dig(t, p->x, eb_curve_get_a()[0]);
break;
default:
fb_add(t, p->x, eb_curve_get_a());
break;
}
fb_slv(l, t);
if (p->norm == 1) {
/* Compute t = v + u * lambda. */
fb_mul(t, l, p->x);
fb_add(t, t, p->y);
} else {
/* Compute t = u * (u + lambda_P + lambda). */
fb_add(t, l, p->y);
fb_add(t, t, p->x);
fb_mul(t, t, p->x);
}
/* If Tr(t) = 0 then lambda_P = lambda, u = sqrt(t + u). */
if (fb_trc(t) == 0) {
fb_copy(r->y, l);
fb_add(t, t, p->x);
fb_srt(r->x, t);
} else {
/* Else lambda_P = lambda + 1, u = sqrt(t). */
fb_add_dig(r->y, l, 1);
fb_srt(r->x, t);
}
fb_set_dig(r->z, 1);
r->norm = 2;
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fb_free(l);
fb_free(t);
}
}
void eb_rhs(fb_t rhs, const eb_t p) {
fb_t t0, t1;
fb_null(t0);
fb_null(t1);
TRY {
fb_new(t0);
fb_new(t1);
/* t0 = x1^2. */
fb_sqr(t0, p->x);
/* t1 = x1^3. */
fb_mul(t1, t0, p->x);
/* t1 = x1^3 + a * x1^2 + b. */
switch (eb_curve_opt_a()) {
case OPT_ZERO:
break;
case OPT_ONE:
fb_add(t1, t1, t0);
break;
case OPT_DIGIT:
fb_mul_dig(t0, t0, eb_curve_get_a()[0]);
fb_add(t1, t1, t0);
break;
default:
fb_mul(t0, t0, eb_curve_get_a());
fb_add(t1, t1, t0);
break;
}
switch (eb_curve_opt_b()) {
case OPT_ZERO:
break;
case OPT_ONE:
fb_add_dig(t1, t1, 1);
break;
case OPT_DIGIT:
fb_add_dig(t1, t1, eb_curve_get_b()[0]);
break;
default:
fb_add(t1, t1, eb_curve_get_b());
break;
}
fb_copy(rhs, t1);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fb_free(t0);
fb_free(t1);
}
}
/**
* Multiplies and adds two binary elliptic curve points simultaneously,
* optionally choosing the first point as the generator depending on an optional
* table of precomputed points.
*
* @param[out] r - the result.
* @param[in] p - the first point to multiply.
* @param[in] k - the first integer.
* @param[in] q - the second point to multiply.
* @param[in] m - the second integer.
* @param[in] t - the pointer to a precomputed table.
*/
static void eb_mul_sim_kbltz(eb_t r, const eb_t p, const bn_t k, const eb_t q,
const bn_t m, const eb_t *t) {
int l0, l1, l, i, n0, n1, w, g;
int8_t u, tnaf0[FB_BITS + 8], tnaf1[FB_BITS + 8], *_k, *_m;
eb_t t0[1 << (EB_WIDTH - 2)];
eb_t t1[1 << (EB_WIDTH - 2)];
bn_t vm, s0, s1;
bn_null(vm);
bn_null(s0);
bn_null(s1);
for (i = 0; i < (1 << (EB_WIDTH - 2)); i++) {
eb_null(t0[i]);
eb_null(t1[i]);
}
TRY {
bn_new(vm);
bn_new(s0);
bn_new(s1);
/* Compute the w-TNAF representation of k. */
if (eb_curve_opt_a() == OPT_ZERO) {
u = -1;
} else {
u = 1;
}
g = (t == NULL ? 0 : 1);
if (!g) {
for (i = 0; i < (1 << (EB_WIDTH - 2)); i++) {
eb_new(t0[i]);
eb_set_infty(t0[i]);
fb_set_bit(t0[i]->z, 0, 1);
t0[i]->norm = 1;
}
eb_tab(t0, p, EB_WIDTH);
t = (const eb_t *)t0;
}
/* Prepare the precomputation table. */
for (i = 0; i < (1 << (EB_WIDTH - 2)); i++) {
eb_new(t1[i]);
eb_set_infty(t1[i]);
fb_set_bit(t1[i]->z, 0, 1);
t1[i]->norm = 1;
}
/* Compute the precomputation table. */
eb_tab(t1, q, EB_WIDTH);
/* Compute the w-TNAF representation of k. */
if (g) {
w = EB_DEPTH;
} else {
w = EB_WIDTH;
}
eb_curve_get_vm(vm);
eb_curve_get_s0(s0);
eb_curve_get_s1(s1);
l0 = l1 = FB_BITS + 8;
bn_rec_tnaf(tnaf0, &l0, k, vm, s0, s1, u, FB_BITS, w);
bn_rec_tnaf(tnaf1, &l1, m, vm, s0, s1, u, FB_BITS, EB_WIDTH);
l = MAX(l0, l1);
_k = tnaf0 + l - 1;
_m = tnaf1 + l - 1;
for (i = l0; i < l; i++)
tnaf0[i] = 0;
for (i = l1; i < l; i++)
tnaf1[i] = 0;
_k = tnaf0 + l - 1;
_m = tnaf1 + l - 1;
eb_set_infty(r);
for (i = l - 1; i >= 0; i--, _k--, _m--) {
eb_frb(r, r);
n0 = *_k;
n1 = *_m;
if (n0 > 0) {
eb_add(r, r, t[n0 / 2]);
}
if (n0 < 0) {
eb_sub(r, r, t[-n0 / 2]);
}
if (n1 > 0) {
eb_add(r, r, t1[n1 / 2]);
}
if (n1 < 0) {
eb_sub(r, r, t1[-n1 / 2]);
}
}
/* Convert r to affine coordinates. */
eb_norm(r, r);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
if (!g) {
for (i = 0; i < (1 << (EB_WIDTH - 2)); i++) {
eb_free(t0[i]);
}
}
for (i = 0; i < (1 << (EB_WIDTH - 2)); i++) {
eb_free(t1[i]);
}
bn_free(vm);
bn_free(s0);
bn_free(s1);
}
}
void eb_tab(eb_t *t, const eb_t p, int w) {
int u;
#if defined(EB_PLAIN)
if (!eb_curve_is_kbltz()) {
if (w > 2) {
eb_dbl(t[0], p);
#if defined(EB_MIXED)
eb_norm(t[0], t[0]);
#endif
eb_add(t[1], t[0], p);
for (int i = 2; i < (1 << (w - 2)); i++) {
eb_add(t[i], t[i - 1], t[0]);
}
#if defined(EB_MIXED)
eb_norm_sim(t + 1, (const eb_t *)t + 1, (1 << (w - 2)) - 1);
#endif
}
eb_copy(t[0], p);
}
#endif /* EB_PLAIN */
#if defined(EB_KBLTZ)
if (eb_curve_is_kbltz()) {
u = (eb_curve_opt_a() == OPT_ZERO ? -1 : 1);
/* Prepare the precomputation table. */
for (int i = 0; i < 1 << (w - 2); i++) {
eb_set_infty(t[i]);
fb_set_dig(t[i]->z, 1);
t[i]->norm = 1;
}
#if defined(EB_MIXED)
eb_norm(t[0], p);
#else
eb_copy(t[0], p);
#endif
switch (w) {
#if EB_DEPTH == 3 || EB_WIDTH == 3
case 3:
eb_frb(t[1], t[0]);
if (u == 1) {
eb_sub(t[1], t[0], t[1]);
} else {
eb_add(t[1], t[0], t[1]);
}
break;
#endif
#if EB_DEPTH == 4 || EB_WIDTH == 4
case 4:
eb_frb(t[3], t[0]);
eb_frb(t[3], t[3]);
eb_sub(t[1], t[3], p);
eb_add(t[2], t[3], p);
eb_frb(t[3], t[3]);
if (u == 1) {
eb_neg(t[3], t[3]);
}
eb_sub(t[3], t[3], p);
break;
#endif
#if EB_DEPTH == 5 || EB_WIDTH == 5
case 5:
eb_frb(t[3], t[0]);
eb_frb(t[3], t[3]);
eb_sub(t[1], t[3], p);
eb_add(t[2], t[3], p);
eb_frb(t[3], t[3]);
eb_frb(t[7], t[3]);
eb_sub(t[7], t[7], p);
if (u == 1) {
eb_neg(t[3], t[3]);
}
eb_sub(t[3], t[3], p);
eb_frb(t[4], t[2]);
eb_frb(t[4], t[4]);
eb_neg(t[4], t[4]);
eb_sub(t[5], t[4], p);
eb_add(t[6], t[4], p);
eb_frb(t[4], t[4]);
if (u == -1) {
eb_neg(t[4], t[4]);
}
eb_add(t[4], t[4], p);
break;
#endif
#if EB_DEPTH == 6 || EB_WIDTH == 6
case 6:
eb_frb(t[0], t[0]);
eb_frb(t[0], t[0]);
eb_neg(t[14], t[0]);
eb_sub(t[13], t[14], p);
eb_add(t[14], t[14], p);
eb_frb(t[0], t[0]);
eb_frb(t[8], t[0]);
if (u == -1) {
eb_neg(t[0], t[0]);
}
eb_sub(t[11], t[0], p);
eb_add(t[12], t[0], p);
eb_frb(t[0], t[12]);
eb_frb(t[0], t[0]);
eb_sub(t[1], t[0], p);
eb_add(t[2], t[0], p);
eb_frb(t[15], t[8]);
if (u == -1) {
eb_neg(t[15], t[15]);
}
eb_sub(t[15], t[15], p);
eb_frb(t[0], t[13]);
eb_frb(t[0], t[0]);
eb_sub(t[5], t[0], p);
eb_add(t[6], t[0], p);
eb_sub(t[7], t[8], p);
eb_add(t[8], t[8], p);
eb_frb(t[0], t[0]);
if (u == -1) {
eb_neg(t[0], t[0]);
}
eb_sub(t[3], t[0], p);
eb_add(t[4], t[0], p);
eb_frb(t[0], t[1]);
eb_frb(t[0], t[0]);
eb_neg(t[9], t[0]);
eb_sub(t[9], t[9], p);
eb_frb(t[0], t[14]);
eb_frb(t[0], t[0]);
eb_add(t[10], t[0], p);
eb_copy(t[0], p);
break;
#endif
#if EB_DEPTH == 7 || EB_WIDTH == 7
/**
* Formulas from http://eprint.iacr.org/2012/519
*/
case 7:
eb_frb(t[0], t[0]);
eb_frb(t[0], t[0]);
eb_sub(t[17], t[0], p);
eb_add(t[18], t[0], p);
eb_frb(t[0], t[0]);
if (u == 1) {
eb_neg(t[0], t[0]);
}
eb_sub(t[19], t[0], p);
eb_add(t[20], t[0], p);
eb_frb(t[0], t[19]);
eb_frb(t[0], t[0]);
eb_frb(t[11], t[0]);
if (u == 1) {
eb_neg(t[11], t[11]);
}
eb_add(t[12], t[11], p);
eb_sub(t[11], t[11], p);
eb_neg(t[0], t[0]);
eb_sub(t[1], t[0], p);
eb_add(t[2], t[0], p);
eb_frb(t[0], t[17]);
eb_frb(t[0], t[0]);
eb_frb(t[0], t[0]);
if (u == -1) {
eb_neg(t[0], t[0]);
}
eb_sub(t[3], t[0], p);
eb_frb(t[0], t[1]);
eb_frb(t[0], t[0]);
eb_add(t[9], t[0], p);
eb_neg(t[9], t[9]);
eb_frb(t[0], t[0]);
if (u == -1) {
eb_neg(t[0], t[0]);
}
eb_add(t[4], t[0], p);
eb_frb(t[0], t[18]);
eb_frb(t[0], t[0]);
eb_sub(t[7], t[0], t[18]);
eb_sub(t[25], t[0], p);
eb_add(t[26], t[0], p);
eb_frb(t[0], t[0]);
if (u == -1) {
eb_neg(t[0], t[0]);
}
eb_sub(t[27], t[0], p);
eb_add(t[28], t[0], p);
eb_frb(t[0], t[17]);
eb_frb(t[0], t[0]);
eb_add(t[8], t[0], t[18]);
eb_neg(t[0], t[0]);
eb_add(t[10], t[0], p);
eb_frb(t[0], t[7]);
eb_frb(t[0], t[0]);
eb_sub(t[13], t[0], p);
eb_frb(t[0], t[8]);
eb_frb(t[0], t[0]);
eb_neg(t[0], t[0]);
eb_add(t[14], t[0], p);
eb_frb(t[0], t[19]);
eb_frb(t[0], t[0]);
eb_add(t[15], t[0], t[17]);
eb_add(t[16], t[0], t[18]);
eb_frb(t[0], t[26]);
eb_frb(t[0], t[0]);
eb_neg(t[0], t[0]);
eb_sub(t[5], t[0], p);
eb_add(t[6], t[0], p);
eb_add(t[23], t[0], t[17]);
eb_add(t[24], t[0], t[18]);
eb_frb(t[0], t[25]);
eb_frb(t[0], t[0]);
eb_sub(t[21], t[0], p);
eb_add(t[22], t[0], p);
eb_frb(t[0], t[20]);
eb_frb(t[0], t[0]);
eb_add(t[29], t[0], p);
eb_neg(t[29], t[29]);
eb_frb(t[0], t[27]);
eb_frb(t[0], t[0]);
eb_add(t[30], t[0], p);
eb_frb(t[0], t[7]);
eb_frb(t[0], t[0]);
eb_add(t[31], t[0], t[17])
eb_copy(t[0], p);
break;
#endif
#if EB_DEPTH == 8 || EB_WIDTH == 8
/**
* Formulas from http://eprint.iacr.org/2012/519
*/
case 8:
eb_frb(t[0], t[0]);
eb_frb(t[0], t[0]);
eb_neg(t[0], t[0]);
eb_sub(t[45], t[0], p);
eb_add(t[46], t[0], p);
eb_frb(t[0], t[0]);
if (u == 1) {
eb_neg(t[0], t[0]);
}
eb_sub(t[43], t[0], p);
eb_add(t[44], t[0], p);
eb_frb(t[0], t[44]);
eb_frb(t[0], t[0]);
eb_sub(t[1], t[0], p);
eb_add(t[2], t[0], p);
eb_add(t[47], t[0], t[45]);
eb_add(t[48], t[0], t[46]);
eb_frb(t[0], t[46]);
eb_frb(t[0], t[0]);
eb_neg(t[0], t[0]);
eb_sub(t[7], t[0], t[46]);
eb_sub(t[8], t[0], t[45]);
eb_frb(t[0], t[0]);
if (u == -1) {
eb_neg(t[0], t[0]);
}
eb_sub(t[3], t[0], p);
eb_frb(t[0], t[1]);
eb_frb(t[0], t[0]);
eb_neg(t[0], t[0]);
eb_add(t[55], t[0], t[45]);
eb_add(t[56], t[0], t[46]);
eb_sub(t[9], t[0], p);
eb_add(t[10], t[0], p);
eb_frb(t[0], t[0]);
if (u == 1) {
eb_neg(t[0], t[0]);
}
eb_add(t[4], t[0], p);
eb_frb(t[0], t[47]);
eb_frb(t[0], t[0]);
eb_neg(t[0], t[0]);
eb_sub(t[17], t[0], p);
eb_add(t[18], t[0], p);
eb_frb(t[0], t[8]);
eb_frb(t[0], t[0]);
eb_add(t[31], t[0], t[45]);
eb_add(t[32], t[0], t[46]);
eb_neg(t[0], t[0]);
eb_sub(t[13], t[0], p);
eb_add(t[14], t[0], p);
eb_frb(t[0], t[0]);
if (u == -1) {
eb_neg(t[0], t[0]);
}
eb_sub(t[19], t[0], p);
eb_frb(t[0], t[7]);
eb_frb(t[0], t[0]);
eb_frb(t[0], t[0]);
if (u == -1) {
eb_neg(t[0], t[0]);
}
eb_add(t[20], t[0], p);
eb_frb(t[0], t[9]);
eb_frb(t[0], t[0]);
eb_sub(t[21], t[0], p);
eb_add(t[22], t[0], p);
eb_frb(t[0], t[2]);
eb_frb(t[0], t[0]);
eb_sub(t[25], t[0], p);
eb_add(t[26], t[0], p);
eb_frb(t[0], t[43]);
eb_frb(t[0], t[0]);
eb_neg(t[0], t[0]);
eb_sub(t[33], t[0], p);
eb_add(t[34], t[0], p);
eb_frb(t[0], t[0]);
if (u == -1) {
eb_neg(t[0], t[0]);
}
eb_add(t[12], t[0], p);
eb_frb(t[0], t[45]);
eb_frb(t[0], t[0]);
eb_sub(t[37], t[0], p);
eb_add(t[38], t[0], p);
eb_frb(t[0], t[0]);
if (u == -1) {
eb_neg(t[0], t[0]);
}
eb_sub(t[35], t[0], p);
eb_add(t[36], t[0], p);
eb_frb(t[0], t[38]);
eb_frb(t[0], t[0]);
eb_sub(t[41], t[0], p);
eb_add(t[42], t[0], p);
eb_neg(t[0], t[0]);
eb_sub(t[39], t[0], t[46]);
eb_sub(t[40], t[0], t[45]);
eb_frb(t[0], t[37]);
eb_frb(t[0], t[0]);
eb_sub(t[5], t[0], p);
eb_add(t[6], t[0], p);
eb_frb(t[0], t[0]);
if (u == -1) {
eb_neg(t[0], t[0]);
}
eb_add(t[15], t[0], t[43]);
eb_add(t[16], t[0], t[44]);
eb_neg(t[0], t[0]);
eb_sub(t[27], t[0], p);
eb_add(t[28], t[0], p);
eb_frb(t[0], t[36]);
eb_frb(t[0], t[0]);
eb_frb(t[0], t[0]);
if (u == -1) {
eb_neg(t[0], t[0]);
}
eb_sub(t[11], t[0], p);
eb_frb(t[0], t[39]);
eb_frb(t[0], t[0]);
eb_add(t[0], t[0], p);
eb_neg(t[49], t[0]);
eb_frb(t[0], t[7]);
eb_frb(t[0], t[0]);
eb_neg(t[0], t[0]);
eb_add(t[50], t[0], p);
eb_frb(t[0], t[44]);
eb_frb(t[0], t[0]);
eb_frb(t[0], t[0]);
if (u == 1) {
eb_neg(t[0], t[0]);
}
eb_sub(t[51], t[0], p);
eb_add(t[52], t[0], p);
eb_frb(t[0], t[46]);
eb_frb(t[0], t[0]);
eb_neg(t[0], t[0]);
eb_sub(t[53], t[0], p);
eb_add(t[54], t[0], p);
eb_frb(t[0], t[54]);
eb_frb(t[0], t[0]);
eb_add(t[23], t[0], t[45]);
eb_add(t[24], t[0], t[46]);
eb_frb(t[0], t[42]);
eb_frb(t[0], t[0]);
eb_sub(t[57], t[0], p);
eb_frb(t[0], t[53]);
eb_frb(t[0], t[0]);
eb_neg(t[0], t[0]);
eb_add(t[58], t[0], p);
eb_frb(t[0], t[38]);
eb_frb(t[0], t[0]);
eb_frb(t[0], t[0]);
if (u == -1) {
eb_neg(t[0], t[0]);
}
eb_sub(t[59], t[0], p);
eb_add(t[60], t[0], p);
eb_frb(t[0], t[35]);
eb_frb(t[0], t[0]);
eb_sub(t[61], t[0], p);
eb_add(t[62], t[0], p);
eb_frb(t[0], t[47]);
eb_frb(t[0], t[0]);
eb_neg(t[0], t[0]);
eb_add(t[63], t[0], t[45]);
eb_frb(t[0], t[36]);
eb_frb(t[0], t[0]);
eb_neg(t[0], t[0]);
eb_sub(t[29], t[0], p);
eb_add(t[30], t[0], p);
eb_copy(t[0], p);
break;
#endif
}
#if defined(EB_MIXED)
if (w > 2) {
eb_norm_sim(t + 1, (const eb_t *)t + 1, (1 << (w - 2)) - 1);
}
#endif
}
#endif /* EB_KBLTZ */
}
/**
* Adds a point represented in affine coordinates to a point represented in
* projective coordinates.
*
* @param r - the result.
* @param p - the affine point.
* @param q - the projective point.
*/
static void eb_add_projc_ordin_mix(eb_t r, eb_t p, eb_t q) {
fb_t t0, t1, t2, t3, t4, t5;
fb_null(t0);
fb_null(t1);
fb_null(t2);
fb_null(t3);
fb_null(t4);
fb_null(t5);
TRY {
fb_new(t0);
fb_new(t1);
fb_new(t2);
fb_new(t3);
fb_new(t4);
fb_new(t5);
if (!p->norm) {
/* A = y1 + y2 * z1^2. */
fb_sqr(t0, p->z);
fb_mul(t0, t0, q->y);
fb_add(t0, t0, p->y);
/* B = x1 + x2 * z1. */
fb_mul(t1, p->z, q->x);
fb_add(t1, t1, p->x);
} else {
/* t0 = A = y1 + y2. */
fb_add(t0, p->y, q->y);
/* t1 = B = x1 + x2. */
fb_add(t1, p->x, q->x);
}
if (fb_is_zero(t1)) {
if (fb_is_zero(t0)) {
/* If t0 = 0 and t1 = 0, p = q, should have doubled! */
eb_dbl_projc(r, p);
} else {
/* If t0 = 0, r is infinity. */
eb_set_infty(r);
}
} else {
if (!p->norm) {
/* t2 = C = B * z1. */
fb_mul(t2, p->z, t1);
/* z3 = C^2. */
fb_sqr(r->z, t2);
/* t1 = B^2. */
fb_sqr(t1, t1);
/* t1 = A + B^2. */
fb_add(t1, t0, t1);
} else {
/* If z1 = 0, t2 = C = B. */
fb_copy(t2, t1);
/* z3 = B^2. */
fb_sqr(r->z, t1);
/* t1 = A + z3. */
fb_add(t1, t0, r->z);
}
/* t3 = D = x2 * z3. */
fb_mul(t3, r->z, q->x);
/* t4 = (y2 + x2). */
fb_add(t4, q->x, q->y);
/* z3 = A^2. */
fb_sqr(r->x, t0);
/* t1 = A + B^2 + a2 * C. */
switch (eb_curve_opt_a()) {
case OPT_ZERO:
break;
case OPT_ONE:
fb_add(t1, t1, t2);
break;
case OPT_DIGIT:
/* t5 = a2 * C. */
fb_mul_dig(t5, t2, eb_curve_get_a()[0]);
fb_add(t1, t1, t5);
break;
default:
/* t5 = a2 * C. */
fb_mul(t5, eb_curve_get_a(), t2);
fb_add(t1, t1, t5);
break;
}
/* t1 = C * (A + B^2 + a2 * C). */
fb_mul(t1, t1, t2);
/* x3 = A^2 + C * (A + B^2 + a2 * C). */
fb_add(r->x, r->x, t1);
/* t3 = D + x3. */
fb_add(t3, t3, r->x);
/* t2 = A * B. */
fb_mul(t2, t0, t2);
/* y3 = (D + x3) * (A * B + z3). */
fb_add(r->y, t2, r->z);
fb_mul(r->y, r->y, t3);
/* t0 = z3^2. */
fb_sqr(t0, r->z);
/* t0 = (y2 + x2) * z3^2. */
fb_mul(t0, t0, t4);
/* y3 = (D + x3) * (A * B + z3) + (y2 + x2) * z3^2. */
fb_add(r->y, r->y, t0);
}
r->norm = 0;
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fb_free(t0);
fb_free(t1);
fb_free(t2);
fb_free(t3);
fb_free(t4);
fb_free(t5);
}
}
/**
* Doubles a point represented in affine coordinates on an ordinary binary
* elliptic curve.
*
* @param[out] r - the result.
* @param[in] p - the point to double.
*/
static void eb_dbl_basic_imp(eb_t r, const eb_t p) {
fb_t t0, t1, t2;
fb_null(t0);
fb_null(t1);
fb_null(t2);
TRY {
fb_new(t0);
fb_new(t1);
fb_new(t2);
/* t0 = 1/x1. */
fb_inv(t0, p->x);
/* t0 = y1/x1. */
fb_mul(t0, t0, p->y);
/* t0 = lambda = x1 + y1/x1. */
fb_add(t0, t0, p->x);
/* t1 = lambda^2. */
fb_sqr(t1, t0);
/* t2 = lambda^2 + lambda. */
fb_add(t2, t1, t0);
/* t2 = lambda^2 + lambda + a2. */
switch (eb_curve_opt_a()) {
case OPT_ZERO:
break;
case OPT_ONE:
fb_add_dig(t2, t2, (dig_t)1);
break;
case OPT_DIGIT:
fb_add_dig(t2, t2, eb_curve_get_a()[0]);
break;
default:
fb_add(t2, t2, eb_curve_get_a());
break;
}
/* t1 = x1 + x3. */
fb_add(t1, t2, p->x);
/* t1 = lambda * (x1 + x3). */
fb_mul(t1, t0, t1);
fb_copy(r->x, t2);
/* y3 = lambda * (x1 + x3) + x3 + y1. */
fb_add(t1, t1, r->x);
fb_add(r->y, t1, p->y);
fb_copy(r->z, p->z);
r->norm = 1;
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fb_free(t0);
fb_free(t1);
fb_free(t2);
}
}
/**
* Doubles a point represented in projective coordinates on an ordinary binary
* elliptic curve.
*
* @param[out] r - the result.
* @param[in] p - the point to double.
*/
static void eb_dbl_projc_imp(eb_t r, const eb_t p) {
fb_t t0, t1;
fb_null(t0);
fb_null(t1);
TRY {
fb_new(t0);
fb_new(t1);
/* t0 = B = x1^2. */
fb_sqr(t0, p->x);
/* C = B + y1. */
fb_add(r->y, t0, p->y);
if (!p->norm) {
/* A = x1 * z1. */
fb_mul(t1, p->x, p->z);
/* z3 = A^2. */
fb_sqr(r->z, t1);
} else {
/* if z1 = 1, A = x1. */
fb_copy(t1, p->x);
/* if z1 = 1, z3 = x1^2. */
fb_copy(r->z, t0);
}
/* t1 = D = A * C. */
fb_mul(t1, t1, r->y);
/* C^2 + D. */
fb_sqr(r->y, r->y);
fb_add(r->x, t1, r->y);
/* C^2 + D + a2 * z3. */
switch (eb_curve_opt_a()) {
case OPT_ZERO:
break;
case OPT_ONE:
fb_add(r->x, r->z, r->x);
break;
case OPT_DIGIT:
fb_mul_dig(r->y, r->z, eb_curve_get_a()[0]);
fb_add(r->x, r->y, r->x);
break;
default:
fb_mul(r->y, r->z, eb_curve_get_a());
fb_add(r->x, r->y, r->x);
break;
}
/* t1 = (D + z3). */
fb_add(t1, t1, r->z);
/* t0 = B^2. */
fb_sqr(t0, t0);
/* t0 = B^2 * z3. */
fb_mul(t0, t0, r->z);
/* y3 = (D + z3) * r3 + B^2 * z3. */
fb_mul(r->y, t1, r->x);
fb_add(r->y, r->y, t0);
r->norm = 0;
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fb_free(t0);
fb_free(t1);
}
}
/**
* Adds two points represented in affine coordinates on an ordinary binary
* elliptic curve.
*
* @param[out] r - the result.
* @param[in] p - the first point to add.
* @param[in] q - the second point to add.
*/
static void eb_add_basic_imp(eb_t r, const eb_t p, const eb_t q) {
fb_t t0, t1, t2;
fb_null(t0);
fb_null(t1);
fb_null(t2);
TRY {
fb_new(t0);
fb_new(t1);
fb_new(t2);
/* t0 = (y1 + y2). */
fb_add(t0, p->y, q->y);
/* t1 = (x1 + x2). */
fb_add(t1, p->x, q->x);
if (fb_is_zero(t1)) {
if (fb_is_zero(t0)) {
/* If t1 is zero and t0 is zero, p = q, should have doubled. */
eb_dbl_basic(r, p);
} else {
/* If t0 is not zero and t1 is zero, q = -p and r = infinity. */
eb_set_infty(r);
}
} else {
/* t2 = 1/(x1 + x2). */
fb_inv(t2, t1);
/* t0 = lambda = (y1 + y2)/(x1 + x2). */
fb_mul(t0, t0, t2);
/* t2 = lambda^2. */
fb_sqr(t2, t0);
/* t2 = lambda^2 + lambda + x1 + x2 + a. */
fb_add(t2, t2, t0);
fb_add(t2, t2, t1);
switch (eb_curve_opt_a()) {
case OPT_ZERO:
break;
case OPT_ONE:
fb_add_dig(t2, t2, (dig_t)1);
break;
case OPT_DIGIT:
fb_add_dig(t2, t2, eb_curve_get_a()[0]);
break;
default:
fb_add(t2, t2, eb_curve_get_a());
break;
}
/* y3 = lambda*(x3 + x1) + x3 + y1. */
fb_add(t1, t2, p->x);
fb_mul(t1, t1, t0);
fb_add(t1, t1, t2);
fb_add(r->y, p->y, t1);
/* x3 = lambda^2 + lambda + x1 + x2 + a. */
fb_copy(r->x, t2);
fb_copy(r->z, p->z);
r->norm = 1;
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fb_free(t0);
fb_free(t1);
fb_free(t2);
}
}
/**
* Adds a point represented in affine coordinates to a point represented in
* projective coordinates.
*
* @param[out] r - the result.
* @param[in] p - the affine point.
* @param[in] q - the projective point.
*/
static void eb_add_projc_mix(eb_t r, const eb_t p, const eb_t q) {
fb_t t0, t1, t2, t3, t4, t5;
fb_null(t0);
fb_null(t1);
fb_null(t2);
fb_null(t3);
fb_null(t4);
fb_null(t5);
TRY {
fb_new(t0);
fb_new(t1);
fb_new(t2);
fb_new(t3);
fb_new(t4);
fb_new(t5);
/* madd-2005-dl formulas: 7M + 4S + 9add + 1*4 + 3*2. */
/* http://www.hyperelliptic.org/EFD/g12o/auto-shortw-lopezdahab-1.html#addition-madd-2005-dl */
if (!p->norm) {
/* A = y1 + y2 * z1^2. */
fb_sqr(t0, p->z);
fb_mul(t0, t0, q->y);
fb_add(t0, t0, p->y);
/* B = x1 + x2 * z1. */
fb_mul(t1, p->z, q->x);
fb_add(t1, t1, p->x);
} else {
/* t0 = A = y1 + y2. */
fb_add(t0, p->y, q->y);
/* t1 = B = x1 + x2. */
fb_add(t1, p->x, q->x);
}
if (fb_is_zero(t1)) {
if (fb_is_zero(t0)) {
/* If t0 = 0 and t1 = 0, p = q, should have doubled! */
eb_dbl_projc(r, p);
} else {
/* If t0 = 0, r is infinity. */
eb_set_infty(r);
}
} else {
if (!p->norm) {
/* t2 = C = B * z1. */
fb_mul(t2, p->z, t1);
/* z3 = C^2. */
fb_sqr(r->z, t2);
/* t1 = B^2. */
fb_sqr(t1, t1);
/* t1 = A + B^2. */
fb_add(t1, t0, t1);
} else {
/* If z1 = 0, t2 = C = B. */
fb_copy(t2, t1);
/* z3 = B^2. */
fb_sqr(r->z, t1);
/* t1 = A + z3. */
fb_add(t1, t0, r->z);
}
/* t3 = D = x2 * z3. */
fb_mul(t3, r->z, q->x);
/* t4 = (y2 + x2). */
fb_add(t4, q->x, q->y);
/* z3 = A^2. */
fb_sqr(r->x, t0);
/* t1 = A + B^2 + a2 * C. */
switch (eb_curve_opt_a()) {
case OPT_ZERO:
break;
case OPT_ONE:
fb_add(t1, t1, t2);
break;
case OPT_DIGIT:
/* t5 = a2 * C. */
fb_mul_dig(t5, t2, eb_curve_get_a()[0]);
fb_add(t1, t1, t5);
break;
default:
/* t5 = a2 * C. */
fb_mul(t5, eb_curve_get_a(), t2);
fb_add(t1, t1, t5);
break;
}
/* t1 = C * (A + B^2 + a2 * C). */
fb_mul(t1, t1, t2);
/* x3 = A^2 + C * (A + B^2 + a2 * C). */
fb_add(r->x, r->x, t1);
/* t3 = D + x3. */
fb_add(t3, t3, r->x);
/* t2 = A * B. */
fb_mul(t2, t0, t2);
/* y3 = (D + x3) * (A * B + z3). */
fb_add(r->y, t2, r->z);
fb_mul(r->y, r->y, t3);
/* t0 = z3^2. */
fb_sqr(t0, r->z);
/* t0 = (y2 + x2) * z3^2. */
fb_mul(t0, t0, t4);
/* y3 = (D + x3) * (A * B + z3) + (y2 + x2) * z3^2. */
fb_add(r->y, r->y, t0);
}
r->norm = 0;
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fb_free(t0);
fb_free(t1);
fb_free(t2);
fb_free(t3);
fb_free(t4);
fb_free(t5);
}
}
