void ep2_map(ep2_t p, uint8_t *msg, int len) {
bn_t x;
fp2_t t0;
uint8_t digest[MD_LEN];
bn_null(x);
fp2_null(t0);
TRY {
bn_new(x);
fp2_new(t0);
md_map(digest, msg, len);
bn_read_bin(x, digest, MIN(FP_BYTES, MD_LEN));
fp_prime_conv(p->x[0], x);
fp_zero(p->x[1]);
fp_set_dig(p->z[0], 1);
fp_zero(p->z[1]);
while (1) {
ep2_rhs(t0, p);
if (fp2_srt(p->y, t0)) {
p->norm = 1;
break;
}
fp_add_dig(p->x[0], p->x[0], 1);
}
switch (ep_param_get()) {
case BN_P158:
case BN_P254:
case BN_P256:
case BN_P638:
ep2_mul_cof_bn(p, p);
break;
case B12_P638:
ep2_mul_cof_b12(p, p);
break;
default:
/* Now, multiply by cofactor to get the correct group. */
ep2_curve_get_cof(x);
if (bn_bits(x) < BN_DIGIT) {
ep2_mul_dig(p, p, x->dp[0]);
} else {
ep2_mul(p, p, x);
}
break;
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(x);
fp2_free(t0);
}
}
int ep_param_level() {
switch (ep_param_get()) {
case BN_P158:
return 78;
case SECG_P160:
case SECG_K160:
return 80;
case NIST_P192:
case SECG_K192:
return 96;
case NIST_P224:
case SECG_K224:
return 112;
case BN_P254:
return 126;
case NIST_P256:
case SECG_K256:
case BN_P256:
case SS_P1536:
return 128;
case NIST_P384:
return 192;
case NIST_P521:
return 256;
case BN_P638:
case B12_P638:
return 192;
}
return 0;
}
int ep_param_embed() {
switch (ep_param_get()) {
case BN_P158:
case BN_P254:
case BN_P256:
case BN_P638:
case B12_P638:
return 12;
case SS_P1536:
return 2;
}
return 0;
}
void pp_exp_k12(fp12_t c, fp12_t a) {
switch (ep_param_get()) {
case BN_P158:
case BN_P254:
case BN_P256:
case BN_P638:
pp_exp_bn(c, a);
break;
case B12_P638:
pp_exp_b12(c, a);
break;
}
}
int ep_param_embed(void) {
switch (ep_param_get()) {
case BN_P158:
case BN_P254:
case BN_P256:
case BN_P382:
case BN_P446:
case B12_P446:
case BN_P638:
case B12_P381:
case B12_P455:
case B12_P638:
return 12;
case SS_P1536:
return 2;
case OT8_P511:
return 8;
}
return 0;
}
int ep_param_level(void) {
switch (ep_param_get()) {
case BN_P158:
return 78;
case SECG_P160:
case SECG_K160:
return 80;
case NIST_P192:
case SECG_K192:
return 96;
case NIST_P224:
case SECG_K224:
return 112;
case BN_P254:
case BN_P256:
return 112;
case NIST_P256:
case SECG_K256:
case CURVE_25519:
return 128;
case B12_P381:
case BN_P382:
case BN_P446:
case SS_P1536:
return 128;
case B12_P455:
return 140;
case NIST_P384:
return 192;
case NIST_P521:
return 256;
case BN_P638:
case B12_P638:
return 160;
}
return 0;
}
void ep_param_print() {
switch (ep_param_get()) {
case SECG_P160:
util_banner("Curve SECG-P160:", 0);
break;
case SECG_K160:
util_banner("Curve SECG-K160:", 0);
break;
case NIST_P192:
util_banner("Curve NIST-P192:", 0);
break;
case SECG_K192:
util_banner("Curve SECG-K192:", 0);
break;
case NIST_P224:
util_banner("Curve NIST-P224:", 0);
break;
case SECG_K224:
util_banner("Curve SECG-K224:", 0);
break;
case NIST_P256:
util_banner("Curve NIST-P256:", 0);
break;
case SECG_K256:
util_banner("Curve SECG-K256:", 0);
break;
case NIST_P384:
util_banner("Curve NIST-P384:", 0);
break;
case NIST_P521:
util_banner("Curve NIST-P521:", 0);
break;
case BN_P158:
util_banner("Curve BN-P158:", 0);
break;
case BN_P254:
util_banner("Curve BN-P254:", 0);
break;
case BN_P256:
util_banner("Curve BN-P256:", 0);
break;
case B24_P477:
util_banner("Curve B24-P477:", 0);
break;
case KSS_P508:
util_banner("Curve KSS-P508:", 0);
break;
case BN_P638:
util_banner("Curve BN-P638:", 0);
break;
case B12_P638:
util_banner("Curve B12-P638:", 0);
break;
case SS_P1536:
util_banner("Curve SS-P1536:", 0);
break;
case CURVE_1174:
util_banner("Curve Curve1174:", 0);
break;
case CURVE_25519:
util_banner("Curve Curve25519:", 0);
break;
case CURVE_383187:
util_banner("Curve Curve383187:", 0);
break;
}
}
void ep2_curve_set_twist(int type) {
char str[2 * FP_BYTES + 1];
ctx_t *ctx = core_get();
ep2_t g;
fp2_t a;
fp2_t b;
bn_t r;
ep2_null(g);
fp2_null(a);
fp2_null(b);
bn_null(r);
ctx->ep2_is_twist = 0;
if (type == EP_MTYPE || type == EP_DTYPE) {
ctx->ep2_is_twist = type;
} else {
return;
}
TRY {
ep2_new(g);
fp2_new(a);
fp2_new(b);
bn_new(r);
switch (ep_param_get()) {
#if FP_PRIME == 158
case BN_P158:
ASSIGN(BN_P158);
break;
#elif FP_PRIME == 254
case BN_P254:
ASSIGN(BN_P254);
break;
#elif FP_PRIME == 256
case BN_P256:
ASSIGN(BN_P256);
break;
#elif FP_PRIME == 638
case BN_P638:
ASSIGN(BN_P638);
break;
case B12_P638:
ASSIGN(B12_P638);
break;
#endif
default:
(void)str;
THROW(ERR_NO_VALID);
break;
}
fp2_zero(g->z);
fp_set_dig(g->z[0], 1);
g->norm = 1;
ep2_copy(&(ctx->ep2_g), g);
fp_copy(ctx->ep2_a[0], a[0]);
fp_copy(ctx->ep2_a[1], a[1]);
fp_copy(ctx->ep2_b[0], b[0]);
fp_copy(ctx->ep2_b[1], b[1]);
bn_copy(&(ctx->ep2_r), r);
/* I don't have a better place for this. */
fp_prime_calc();
#if defined(EP_PRECO)
ep2_mul_pre((ep2_t *)ep2_curve_get_tab(), &(ctx->ep2_g));
#endif
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep2_free(g);
fp2_free(a);
fp2_free(b);
bn_free(r);
}
}
void pp_map_sim_oatep_k12(fp12_t r, ep_t *p, ep2_t *q, int m) {
ep_t _p[m];
ep2_t t[m], _q[m];
bn_t a;
int i, j, len = FP_BITS, s[FP_BITS];
TRY {
bn_null(a);
bn_new(a);
for (i = 0; i < m; i++) {
ep_null(_p[i]);
ep2_null(_q[i]);
ep2_null(t[i]);
ep_new(_p[i]);
ep2_new(_q[i]);
ep2_new(t[i]);
}
j = 0;
for (i = 0; i < m; i++) {
if (!ep_is_infty(p[i]) && !ep2_is_infty(q[i])) {
ep_norm(_p[j], p[i]);
ep2_norm(_q[j++], q[i]);
}
}
fp12_set_dig(r, 1);
fp_param_get_var(a);
bn_mul_dig(a, a, 6);
bn_add_dig(a, a, 2);
fp_param_get_map(s, &len);
if (j > 0) {
switch (ep_param_get()) {
case BN_P158:
case BN_P254:
case BN_P256:
case BN_P638:
/* r = f_{|a|,Q}(P). */
pp_mil_sps_k12(r, t, _q, _p, j, s, len);
if (bn_sign(a) == BN_NEG) {
/* f_{-a,Q}(P) = 1/f_{a,Q}(P). */
fp12_inv_uni(r, r);
}
for (i = 0; i < j; i++) {
if (bn_sign(a) == BN_NEG) {
ep2_neg(t[i], t[i]);
}
pp_fin_k12_oatep(r, t[i], _q[i], _p[i]);
}
pp_exp_k12(r, r);
break;
case B12_P638:
/* r = f_{|a|,Q}(P). */
pp_mil_sps_k12(r, t, _q, _p, j, s, len);
if (bn_sign(a) == BN_NEG) {
fp12_inv_uni(r, r);
}
pp_exp_k12(r, r);
break;
}
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(a);
for (i = 0; i < m; i++) {
ep_free(_p[i]);
ep2_free(_q[i]);
ep2_free(t[i]);
}
}
}
void pp_map_oatep_k12(fp12_t r, ep_t p, ep2_t q) {
ep_t _p[1];
ep2_t t[1], _q[1];
bn_t a;
int len = FP_BITS, s[FP_BITS];
ep_null(_p[0]);
ep2_null(_q[0]);
ep2_null(t[0]);
bn_null(a);
TRY {
ep_new(_p[0]);
ep2_new(_q[0]);
ep2_new(t[0]);
bn_new(a);
fp_param_get_var(a);
bn_mul_dig(a, a, 6);
bn_add_dig(a, a, 2);
fp_param_get_map(s, &len);
fp12_set_dig(r, 1);
ep_norm(_p[0], p);
ep2_norm(_q[0], q);
if (!ep_is_infty(_p[0]) && !ep2_is_infty(_q[0])) {
switch (ep_param_get()) {
case BN_P158:
case BN_P254:
case BN_P256:
case BN_P638:
/* r = f_{|a|,Q}(P). */
pp_mil_sps_k12(r, t, _q, _p, 1, s, len);
if (bn_sign(a) == BN_NEG) {
/* f_{-a,Q}(P) = 1/f_{a,Q}(P). */
fp12_inv_uni(r, r);
ep2_neg(t[0], t[0]);
}
pp_fin_k12_oatep(r, t[0], _q[0], _p[0]);
pp_exp_k12(r, r);
break;
case B12_P638:
/* r = f_{|a|,Q}(P). */
pp_mil_sps_k12(r, t, _q, _p, 1, s, len);
if (bn_sign(a) == BN_NEG) {
fp12_inv_uni(r, r);
ep2_neg(t[0], t[0]);
}
pp_exp_k12(r, r);
break;
}
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep_free(_p[0]);
ep2_free(_q[0]);
ep2_free(t[0]);
bn_free(a);
}
}