void ep_rhs(fp_t rhs, const ep_t p) {
fp_t t0;
fp_t t1;
fp_null(t0);
fp_null(t1);
TRY {
fp_new(t0);
fp_new(t1);
/* t0 = x1^2. */
fp_sqr(t0, p->x);
/* t1 = x1^3. */
fp_mul(t1, t0, p->x);
/* t1 = x1^3 + a * x1 + b. */
switch (ep_curve_opt_a()) {
case OPT_ZERO:
break;
case OPT_ONE:
fp_add(t1, t1, p->x);
break;
#if FP_RDC != MONTY
case OPT_DIGIT:
fp_mul_dig(t0, p->x, ep_curve_get_a()[0]);
fp_add(t1, t1, t0);
break;
#endif
default:
fp_mul(t0, p->x, ep_curve_get_a());
fp_add(t1, t1, t0);
break;
}
switch (ep_curve_opt_b()) {
case OPT_ZERO:
break;
case OPT_ONE:
fp_add_dig(t1, t1, 1);
break;
#if FP_RDC != MONTY
case OPT_DIGIT:
fp_add_dig(t1, t1, ep_curve_get_b()[0]);
break;
#endif
default:
fp_add(t1, t1, ep_curve_get_b());
break;
}
fp_copy(rhs, t1);
} CATCH_ANY {
THROW(ERR_CAUGHT);
} FINALLY {
fp_free(t0);
fp_free(t1);
}
}
void ep2_map(ep2_t p, uint8_t *msg, int len) {
bn_t x;
fp2_t t0;
uint8_t digest[MD_LEN];
bn_null(x);
fp2_null(t0);
TRY {
bn_new(x);
fp2_new(t0);
md_map(digest, msg, len);
bn_read_bin(x, digest, MIN(FP_BYTES, MD_LEN));
fp_prime_conv(p->x[0], x);
fp_zero(p->x[1]);
fp_set_dig(p->z[0], 1);
fp_zero(p->z[1]);
while (1) {
ep2_rhs(t0, p);
if (fp2_srt(p->y, t0)) {
p->norm = 1;
break;
}
fp_add_dig(p->x[0], p->x[0], 1);
}
switch (ep_param_get()) {
case BN_P158:
case BN_P254:
case BN_P256:
case BN_P638:
ep2_mul_cof_bn(p, p);
break;
case B12_P638:
ep2_mul_cof_b12(p, p);
break;
default:
/* Now, multiply by cofactor to get the correct group. */
ep2_curve_get_cof(x);
if (bn_bits(x) < BN_DIGIT) {
ep2_mul_dig(p, p, x->dp[0]);
} else {
ep2_mul(p, p, x);
}
break;
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(x);
fp2_free(t0);
}
}
void fp8_sqr_uni(fp8_t c, fp8_t a) {
fp4_t t0, t1, t2;
fp4_null(t0);
fp4_null(t1);
fp4_null(t2);
TRY {
fp4_new(t0);
fp4_new(t1);
fp4_new(t2);
fp4_sqr(t0, a[1]);
fp4_add(t1, a[0], a[1]);
fp4_sqr(t2, t1);
fp4_sub(t2, t2, t0);
fp4_mul_art(c[0], t0);
fp4_sub(c[1], t2, c[0]);
fp4_dbl(c[0], c[0]);
fp_add_dig(c[0][0][0], c[0][0][0], 1);
fp_sub_dig(c[1][0][0], c[1][0][0], 1);
} CATCH_ANY {
THROW(ERR_CAUGHT);
} FINALLY {
fp4_free(t0);
fp4_free(t1);
fp4_free(t2);
}
}
/**
* Doubles a point represented in affine coordinates on an ordinary prime
* elliptic curve.
*
* @param[out] r - the result.
* @param[out] s - the slope.
* @param[in] p - the point to double.
*/
static void ep_dbl_basic_imp(ep_t r, fp_t s, const ep_t p) {
fp_t t0, t1, t2;
fp_null(t0);
fp_null(t1);
fp_null(t2);
TRY {
fp_new(t0);
fp_new(t1);
fp_new(t2);
/* t0 = 1/2 * y1. */
fp_dbl(t0, p->y);
fp_inv(t0, t0);
/* t1 = 3 * x1^2 + a. */
fp_sqr(t1, p->x);
fp_copy(t2, t1);
fp_dbl(t1, t1);
fp_add(t1, t1, t2);
switch (ep_curve_opt_a()) {
case OPT_ZERO:
break;
case OPT_ONE:
fp_add_dig(t1, t1, (dig_t)1);
break;
#if FP_RDC != MONTY
case OPT_DIGIT:
fp_add_dig(t1, t1, ep_curve_get_a()[0]);
break;
#endif
default:
fp_add(t1, t1, ep_curve_get_a());
break;
}
/* t1 = (3 * x1^2 + a)/(2 * y1). */
fp_mul(t1, t1, t0);
if (s != NULL) {
fp_copy(s, t1);
}
/* t2 = t1^2. */
fp_sqr(t2, t1);
/* x3 = t1^2 - 2 * x1. */
fp_dbl(t0, p->x);
fp_sub(t0, t2, t0);
/* y3 = t1 * (x1 - x3) - y1. */
fp_sub(t2, p->x, t0);
fp_mul(t1, t1, t2);
fp_sub(r->y, t1, p->y);
fp_copy(r->x, t0);
fp_copy(r->z, p->z);
r->norm = 1;
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp_free(t0);
fp_free(t1);
fp_free(t2);
}
}
/**
* Doubles a point represented in projective coordinates on an ordinary prime
* elliptic curve.
*
* @param r - the result.
* @param p - the point to double.
*/
static void ep_dbl_projc_imp(ep_t r, const ep_t p) {
fp_t t0, t1, t2, t3, t4, t5;
fp_null(t1);
fp_null(t2);
fp_null(t3);
fp_null(t4);
fp_null(t5);
TRY {
fp_new(t0);
fp_new(t1);
fp_new(t2);
fp_new(t3);
fp_new(t4);
fp_new(t5);
if (!p->norm && ep_curve_opt_a() == OPT_MINUS3) {
/* dbl-2001-b formulas: 3M + 5S + 8add + 1*4 + 2*8 + 1*3 */
/* http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b */
/* t0 = delta = z1^2. */
fp_sqr(t0, p->z);
/* t1 = gamma = y1^2. */
fp_sqr(t1, p->y);
/* t2 = beta = x1 * y1^2. */
fp_mul(t2, p->x, t1);
/* t3 = alpha = 3 * (x1 - z1^2) * (x1 + z1^2). */
fp_sub(t3, p->x, t0);
fp_add(t4, p->x, t0);
fp_mul(t4, t3, t4);
fp_dbl(t3, t4);
fp_add(t3, t3, t4);
/* x3 = alpha^2 - 8 * beta. */
fp_dbl(t2, t2);
fp_dbl(t2, t2);
fp_dbl(t5, t2);
fp_sqr(r->x, t3);
fp_sub(r->x, r->x, t5);
/* z3 = (y1 + z1)^2 - gamma - delta. */
fp_add(r->z, p->y, p->z);
fp_sqr(r->z, r->z);
fp_sub(r->z, r->z, t1);
fp_sub(r->z, r->z, t0);
/* y3 = alpha * (4 * beta - x3) - 8 * gamma^2. */
fp_dbl(t1, t1);
fp_sqr(t1, t1);
fp_dbl(t1, t1);
fp_sub(r->y, t2, r->x);
fp_mul(r->y, r->y, t3);
fp_sub(r->y, r->y, t1);
} else if (ep_curve_opt_a() == OPT_ZERO) {
/* dbl-2009-l formulas: 2M + 5S + 6add + 1*8 + 3*2 + 1*3. */
/* http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l */
/* A = X1^2 */
fp_sqr(t0, p->x);
/* B = Y1^2 */
fp_sqr(t1, p->y);
/* C = B^2 */
fp_sqr(t2, t1);
/* D = 2*((X1+B)^2-A-C) */
fp_add(t1, t1, p->x);
fp_sqr(t1, t1);
fp_sub(t1, t1, t0);
fp_sub(t1, t1, t2);
fp_dbl(t1, t1);
/* E = 3*A */
fp_dbl(t3, t0);
fp_add(t0, t3, t0);
/* F = E^2 */
fp_sqr(t3, t0);
/* Z3 = 2*Y1*Z1 */
fp_mul(r->z, p->y, p->z);
fp_dbl(r->z, r->z);
/* X3 = F-2*D */
fp_sub(r->x, t3, t1);
fp_sub(r->x, r->x, t1);
/* Y3 = E*(D-X3)-8*C */
fp_sub(r->y, t1, r->x);
fp_mul(r->y, r->y, t0);
fp_dbl(t2, t2);
fp_dbl(t2, t2);
fp_dbl(t2, t2);
fp_sub(r->y, r->y, t2);
} else {
/* dbl-2007-bl formulas: 1M + 8S + 1*a + 10add + 1*8 + 2*2 + 1*3 */
/* http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-2007-bl */
/* t0 = x1^2, t1 = y1^2, t2 = y1^4. */
fp_sqr(t0, p->x);
fp_sqr(t1, p->y);
fp_sqr(t2, t1);
if (!p->norm) {
/* t3 = z1^2. */
fp_sqr(t3, p->z);
if (ep_curve_get_a() == OPT_ZERO) {
/* z3 = 2 * y1 * z1. */
fp_mul(r->z, p->y, p->z);
fp_dbl(r->z, r->z);
} else {
/* z3 = (y1 + z1)^2 - y1^2 - z1^2. */
fp_add(r->z, p->y, p->z);
fp_sqr(r->z, r->z);
fp_sub(r->z, r->z, t1);
fp_sub(r->z, r->z, t3);
}
} else {
/* z3 = 2 * y1. */
fp_dbl(r->z, p->y);
}
/* t4 = S = 2*((x1 + y1^2)^2 - x1^2 - y1^4). */
fp_add(t4, p->x, t1);
fp_sqr(t4, t4);
fp_sub(t4, t4, t0);
fp_sub(t4, t4, t2);
fp_dbl(t4, t4);
/* t5 = M = 3 * x1^2 + a * z1^4. */
fp_dbl(t5, t0);
fp_add(t5, t5, t0);
if (!p->norm) {
fp_sqr(t3, t3);
switch (ep_curve_opt_a()) {
case OPT_ZERO:
break;
case OPT_ONE:
fp_add(t5, t5, ep_curve_get_a());
break;
case OPT_DIGIT:
fp_mul_dig(t1, t3, ep_curve_get_a()[0]);
fp_add(t5, t5, t1);
break;
default:
fp_mul(t1, ep_curve_get_a(), t3);
fp_add(t5, t5, t1);
break;
}
} else {
switch (ep_curve_opt_a()) {
case OPT_ZERO:
break;
case OPT_ONE:
fp_add_dig(t5, t5, (dig_t)1);
break;
case OPT_DIGIT:
fp_add_dig(t5, t5, ep_curve_get_a()[0]);
break;
default:
fp_add(t5, t5, ep_curve_get_a());
break;
}
}
/* x3 = T = M^2 - 2 * S. */
fp_sqr(r->x, t5);
fp_dbl(t1, t4);
fp_sub(r->x, r->x, t1);
/* y3 = M * (S - T) - 8 * y1^4. */
fp_dbl(t2, t2);
fp_dbl(t2, t2);
fp_dbl(t2, t2);
fp_sub(t4, t4, r->x);
fp_mul(t5, t5, t4);
fp_sub(r->y, t5, t2);
}
r->norm = 0;
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp_free(t0);
fp_free(t1);
fp_free(t2);
fp_free(t3);
fp_free(t4);
fp_free(t5);
}
}
