void ep_rhs(fp_t rhs, const ep_t p) { fp_t t0; fp_t t1; fp_null(t0); fp_null(t1); TRY { fp_new(t0); fp_new(t1); /* t0 = x1^2. */ fp_sqr(t0, p->x); /* t1 = x1^3. */ fp_mul(t1, t0, p->x); /* t1 = x1^3 + a * x1 + b. */ switch (ep_curve_opt_a()) { case OPT_ZERO: break; case OPT_ONE: fp_add(t1, t1, p->x); break; #if FP_RDC != MONTY case OPT_DIGIT: fp_mul_dig(t0, p->x, ep_curve_get_a()[0]); fp_add(t1, t1, t0); break; #endif default: fp_mul(t0, p->x, ep_curve_get_a()); fp_add(t1, t1, t0); break; } switch (ep_curve_opt_b()) { case OPT_ZERO: break; case OPT_ONE: fp_add_dig(t1, t1, 1); break; #if FP_RDC != MONTY case OPT_DIGIT: fp_add_dig(t1, t1, ep_curve_get_b()[0]); break; #endif default: fp_add(t1, t1, ep_curve_get_b()); break; } fp_copy(rhs, t1); } CATCH_ANY { THROW(ERR_CAUGHT); } FINALLY { fp_free(t0); fp_free(t1); } }
/** * Doubles a point represented in affine coordinates on an ordinary prime * elliptic curve. * * @param[out] r - the result. * @param[out] s - the resulting slope. * @param[in] p - the point to double. */ static void ep2_dbl_basic_imp(ep2_t r, fp2_t s, ep2_t p) { fp2_t t0, t1, t2; fp2_null(t0); fp2_null(t1); fp2_null(t2); TRY { fp2_new(t0); fp2_new(t1); fp2_new(t2); /* t0 = 1/(2 * y1). */ fp2_dbl(t0, p->y); fp2_inv(t0, t0); /* t1 = 3 * x1^2 + a. */ fp2_sqr(t1, p->x); fp2_copy(t2, t1); fp2_dbl(t1, t1); fp2_add(t1, t1, t2); if (ep2_curve_is_twist()) { switch (ep_curve_opt_a()) { case OPT_ZERO: break; case OPT_ONE: fp_set_dig(t2[0], 1); fp2_mul_art(t2, t2); fp2_mul_art(t2, t2); fp2_add(t1, t1, t2); break; case OPT_DIGIT: fp_set_dig(t2[0], ep_curve_get_a()[0]); fp2_mul_art(t2, t2); fp2_mul_art(t2, t2); fp2_add(t1, t1, t2); break; default: fp_copy(t2[0], ep_curve_get_a()); fp_zero(t2[1]); fp2_mul_art(t2, t2); fp2_mul_art(t2, t2); fp2_add(t1, t1, t2); break; } } /* t1 = (3 * x1^2 + a)/(2 * y1). */ fp2_mul(t1, t1, t0); if (s != NULL) { fp2_copy(s, t1); } /* t2 = t1^2. */ fp2_sqr(t2, t1); /* x3 = t1^2 - 2 * x1. */ fp2_dbl(t0, p->x); fp2_sub(t0, t2, t0); /* y3 = t1 * (x1 - x3) - y1. */ fp2_sub(t2, p->x, t0); fp2_mul(t1, t1, t2); fp2_sub(r->y, t1, p->y); fp2_copy(r->x, t0); fp2_copy(r->z, p->z); r->norm = 1; } CATCH_ANY { THROW(ERR_CAUGHT); } FINALLY { fp2_free(t0); fp2_free(t1); fp2_free(t2); } }
/** * Doubles a point represented in affine coordinates on an ordinary prime * elliptic curve. * * @param[out] r - the result. * @param[in] p - the point to double. */ static void ep2_dbl_projc_imp(ep2_t r, ep2_t p) { fp2_t t0, t1, t2, t3, t4, t5; fp2_null(t0); fp2_null(t1); fp2_null(t2); fp2_null(t3); fp2_null(t4); fp2_null(t5); TRY { if (ep_curve_opt_a() == OPT_ZERO) { fp2_new(t0); fp2_new(t1); fp2_new(t2); fp2_new(t3); fp2_new(t4); fp2_new(t5); fp2_sqr(t0, p->x); fp2_add(t2, t0, t0); fp2_add(t0, t2, t0); fp2_sqr(t3, p->y); fp2_mul(t1, t3, p->x); fp2_add(t1, t1, t1); fp2_add(t1, t1, t1); fp2_sqr(r->x, t0); fp2_add(t2, t1, t1); fp2_sub(r->x, r->x, t2); fp2_mul(r->z, p->z, p->y); fp2_add(r->z, r->z, r->z); fp2_add(t3, t3, t3); fp2_sqr(t3, t3); fp2_add(t3, t3, t3); fp2_sub(t1, t1, r->x); fp2_mul(r->y, t0, t1); fp2_sub(r->y, r->y, t3); } else { /* dbl-2007-bl formulas: 1M + 8S + 1*a + 10add + 1*8 + 2*2 + 1*3 */ /* http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-2007-bl */ /* t0 = x1^2, t1 = y1^2, t2 = y1^4. */ fp2_sqr(t0, p->x); fp2_sqr(t1, p->y); fp2_sqr(t2, t1); if (!p->norm) { /* t3 = z1^2. */ fp2_sqr(t3, p->z); if (ep_curve_get_a() == OPT_ZERO) { /* z3 = 2 * y1 * z1. */ fp2_mul(r->z, p->y, p->z); fp2_dbl(r->z, r->z); } else { /* z3 = (y1 + z1)^2 - y1^2 - z1^2. */ fp2_add(r->z, p->y, p->z); fp2_sqr(r->z, r->z); fp2_sub(r->z, r->z, t1); fp2_sub(r->z, r->z, t3); } } else { /* z3 = 2 * y1. */ fp2_dbl(r->z, p->y); } /* t4 = S = 2*((x1 + y1^2)^2 - x1^2 - y1^4). */ fp2_add(t4, p->x, t1); fp2_sqr(t4, t4); fp2_sub(t4, t4, t0); fp2_sub(t4, t4, t2); fp2_dbl(t4, t4); /* t5 = M = 3 * x1^2 + a * z1^4. */ fp2_dbl(t5, t0); fp2_add(t5, t5, t0); ep2_curve_get_a(t0); if (!p->norm) { fp2_sqr(t3, t3); fp2_mul(t1, t0, t3); fp2_add(t5, t5, t1); } else { fp2_add(t5, t5, t0); } /* x3 = T = M^2 - 2 * S. */ fp2_sqr(r->x, t5); fp2_dbl(t1, t4); fp2_sub(r->x, r->x, t1); /* y3 = M * (S - T) - 8 * y1^4. */ fp2_dbl(t2, t2); fp2_dbl(t2, t2); fp2_dbl(t2, t2); fp2_sub(t4, t4, r->x); fp2_mul(t5, t5, t4); fp2_sub(r->y, t5, t2); } r->norm = 0; r->norm = 0; } CATCH_ANY { THROW(ERR_CAUGHT); } FINALLY { fp2_free(t0); fp2_free(t1); fp2_free(t2); fp2_free(t3); fp2_free(t4); fp2_free(t5); } }
/** * Doubles a point represented in affine coordinates on an ordinary prime * elliptic curve. * * @param[out] r - the result. * @param[out] s - the slope. * @param[in] p - the point to double. */ static void ep_dbl_basic_imp(ep_t r, fp_t s, const ep_t p) { fp_t t0, t1, t2; fp_null(t0); fp_null(t1); fp_null(t2); TRY { fp_new(t0); fp_new(t1); fp_new(t2); /* t0 = 1/2 * y1. */ fp_dbl(t0, p->y); fp_inv(t0, t0); /* t1 = 3 * x1^2 + a. */ fp_sqr(t1, p->x); fp_copy(t2, t1); fp_dbl(t1, t1); fp_add(t1, t1, t2); switch (ep_curve_opt_a()) { case OPT_ZERO: break; case OPT_ONE: fp_add_dig(t1, t1, (dig_t)1); break; #if FP_RDC != MONTY case OPT_DIGIT: fp_add_dig(t1, t1, ep_curve_get_a()[0]); break; #endif default: fp_add(t1, t1, ep_curve_get_a()); break; } /* t1 = (3 * x1^2 + a)/(2 * y1). */ fp_mul(t1, t1, t0); if (s != NULL) { fp_copy(s, t1); } /* t2 = t1^2. */ fp_sqr(t2, t1); /* x3 = t1^2 - 2 * x1. */ fp_dbl(t0, p->x); fp_sub(t0, t2, t0); /* y3 = t1 * (x1 - x3) - y1. */ fp_sub(t2, p->x, t0); fp_mul(t1, t1, t2); fp_sub(r->y, t1, p->y); fp_copy(r->x, t0); fp_copy(r->z, p->z); r->norm = 1; } CATCH_ANY { THROW(ERR_CAUGHT); } FINALLY { fp_free(t0); fp_free(t1); fp_free(t2); } }
/** * Doubles a point represented in projective coordinates on an ordinary prime * elliptic curve. * * @param r - the result. * @param p - the point to double. */ static void ep_dbl_projc_imp(ep_t r, const ep_t p) { fp_t t0, t1, t2, t3, t4, t5; fp_null(t1); fp_null(t2); fp_null(t3); fp_null(t4); fp_null(t5); TRY { fp_new(t0); fp_new(t1); fp_new(t2); fp_new(t3); fp_new(t4); fp_new(t5); if (!p->norm && ep_curve_opt_a() == OPT_MINUS3) { /* dbl-2001-b formulas: 3M + 5S + 8add + 1*4 + 2*8 + 1*3 */ /* http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b */ /* t0 = delta = z1^2. */ fp_sqr(t0, p->z); /* t1 = gamma = y1^2. */ fp_sqr(t1, p->y); /* t2 = beta = x1 * y1^2. */ fp_mul(t2, p->x, t1); /* t3 = alpha = 3 * (x1 - z1^2) * (x1 + z1^2). */ fp_sub(t3, p->x, t0); fp_add(t4, p->x, t0); fp_mul(t4, t3, t4); fp_dbl(t3, t4); fp_add(t3, t3, t4); /* x3 = alpha^2 - 8 * beta. */ fp_dbl(t2, t2); fp_dbl(t2, t2); fp_dbl(t5, t2); fp_sqr(r->x, t3); fp_sub(r->x, r->x, t5); /* z3 = (y1 + z1)^2 - gamma - delta. */ fp_add(r->z, p->y, p->z); fp_sqr(r->z, r->z); fp_sub(r->z, r->z, t1); fp_sub(r->z, r->z, t0); /* y3 = alpha * (4 * beta - x3) - 8 * gamma^2. */ fp_dbl(t1, t1); fp_sqr(t1, t1); fp_dbl(t1, t1); fp_sub(r->y, t2, r->x); fp_mul(r->y, r->y, t3); fp_sub(r->y, r->y, t1); } else if (ep_curve_opt_a() == OPT_ZERO) { /* dbl-2009-l formulas: 2M + 5S + 6add + 1*8 + 3*2 + 1*3. */ /* http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l */ /* A = X1^2 */ fp_sqr(t0, p->x); /* B = Y1^2 */ fp_sqr(t1, p->y); /* C = B^2 */ fp_sqr(t2, t1); /* D = 2*((X1+B)^2-A-C) */ fp_add(t1, t1, p->x); fp_sqr(t1, t1); fp_sub(t1, t1, t0); fp_sub(t1, t1, t2); fp_dbl(t1, t1); /* E = 3*A */ fp_dbl(t3, t0); fp_add(t0, t3, t0); /* F = E^2 */ fp_sqr(t3, t0); /* Z3 = 2*Y1*Z1 */ fp_mul(r->z, p->y, p->z); fp_dbl(r->z, r->z); /* X3 = F-2*D */ fp_sub(r->x, t3, t1); fp_sub(r->x, r->x, t1); /* Y3 = E*(D-X3)-8*C */ fp_sub(r->y, t1, r->x); fp_mul(r->y, r->y, t0); fp_dbl(t2, t2); fp_dbl(t2, t2); fp_dbl(t2, t2); fp_sub(r->y, r->y, t2); } else { /* dbl-2007-bl formulas: 1M + 8S + 1*a + 10add + 1*8 + 2*2 + 1*3 */ /* http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-2007-bl */ /* t0 = x1^2, t1 = y1^2, t2 = y1^4. */ fp_sqr(t0, p->x); fp_sqr(t1, p->y); fp_sqr(t2, t1); if (!p->norm) { /* t3 = z1^2. */ fp_sqr(t3, p->z); if (ep_curve_get_a() == OPT_ZERO) { /* z3 = 2 * y1 * z1. */ fp_mul(r->z, p->y, p->z); fp_dbl(r->z, r->z); } else { /* z3 = (y1 + z1)^2 - y1^2 - z1^2. */ fp_add(r->z, p->y, p->z); fp_sqr(r->z, r->z); fp_sub(r->z, r->z, t1); fp_sub(r->z, r->z, t3); } } else { /* z3 = 2 * y1. */ fp_dbl(r->z, p->y); } /* t4 = S = 2*((x1 + y1^2)^2 - x1^2 - y1^4). */ fp_add(t4, p->x, t1); fp_sqr(t4, t4); fp_sub(t4, t4, t0); fp_sub(t4, t4, t2); fp_dbl(t4, t4); /* t5 = M = 3 * x1^2 + a * z1^4. */ fp_dbl(t5, t0); fp_add(t5, t5, t0); if (!p->norm) { fp_sqr(t3, t3); switch (ep_curve_opt_a()) { case OPT_ZERO: break; case OPT_ONE: fp_add(t5, t5, ep_curve_get_a()); break; case OPT_DIGIT: fp_mul_dig(t1, t3, ep_curve_get_a()[0]); fp_add(t5, t5, t1); break; default: fp_mul(t1, ep_curve_get_a(), t3); fp_add(t5, t5, t1); break; } } else { switch (ep_curve_opt_a()) { case OPT_ZERO: break; case OPT_ONE: fp_add_dig(t5, t5, (dig_t)1); break; case OPT_DIGIT: fp_add_dig(t5, t5, ep_curve_get_a()[0]); break; default: fp_add(t5, t5, ep_curve_get_a()); break; } } /* x3 = T = M^2 - 2 * S. */ fp_sqr(r->x, t5); fp_dbl(t1, t4); fp_sub(r->x, r->x, t1); /* y3 = M * (S - T) - 8 * y1^4. */ fp_dbl(t2, t2); fp_dbl(t2, t2); fp_dbl(t2, t2); fp_sub(t4, t4, r->x); fp_mul(t5, t5, t4); fp_sub(r->y, t5, t2); } r->norm = 0; } CATCH_ANY { THROW(ERR_CAUGHT); } FINALLY { fp_free(t0); fp_free(t1); fp_free(t2); fp_free(t3); fp_free(t4); fp_free(t5); } }