void pp_map_weilp_k12(fp12_t r, ep_t p, ep2_t q) {
ep_t _p[1], t0[1];
ep2_t _q[1], t1[1];
fp12_t r0, r1;
bn_t n;
ep_null(_p[0]);
ep_null(t0[1]);
ep2_null(_q[0]);
ep2_null(t1[1]);
fp12_null(r0);
fp12_null(r1);
bn_null(n);
TRY {
ep_new(_p[0]);
ep_new(t0[0]);
ep2_new(_q[0]);
ep2_new(t1[0]);
fp12_new(r0);
fp12_new(r1);
bn_new(n);
ep_norm(_p[0], p);
ep2_norm(_q[0], q);
ep_curve_get_ord(n);
bn_sub_dig(n, n, 1);
fp12_set_dig(r0, 1);
fp12_set_dig(r1, 1);
if (!ep_is_infty(_p[0]) && !ep2_is_infty(_q[0])) {
pp_mil_lit_k12(r0, t0, _p, _q, 1, n);
pp_mil_k12(r1, t1, _q, _p, 1, n);
fp12_inv(r1, r1);
fp12_mul(r0, r0, r1);
fp12_inv(r1, r0);
fp12_inv_uni(r0, r0);
}
fp12_mul(r, r0, r1);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep_free(_p[0]);
ep_free(t0[0]);
ep2_free(_q[0]);
ep2_free(t1[0]);
fp12_free(r0);
fp12_free(r1);
bn_free(n);
}
}
void pp_map_sim_oatep_k12(fp12_t r, ep_t *p, ep2_t *q, int m) {
ep_t _p[m];
ep2_t t[m], _q[m];
bn_t a;
int i, j, len = FP_BITS, s[FP_BITS];
TRY {
bn_null(a);
bn_new(a);
for (i = 0; i < m; i++) {
ep_null(_p[i]);
ep2_null(_q[i]);
ep2_null(t[i]);
ep_new(_p[i]);
ep2_new(_q[i]);
ep2_new(t[i]);
}
j = 0;
for (i = 0; i < m; i++) {
if (!ep_is_infty(p[i]) && !ep2_is_infty(q[i])) {
ep_norm(_p[j], p[i]);
ep2_norm(_q[j++], q[i]);
}
}
fp12_set_dig(r, 1);
fp_param_get_var(a);
bn_mul_dig(a, a, 6);
bn_add_dig(a, a, 2);
fp_param_get_map(s, &len);
if (j > 0) {
switch (ep_param_get()) {
case BN_P158:
case BN_P254:
case BN_P256:
case BN_P638:
/* r = f_{|a|,Q}(P). */
pp_mil_sps_k12(r, t, _q, _p, j, s, len);
if (bn_sign(a) == BN_NEG) {
/* f_{-a,Q}(P) = 1/f_{a,Q}(P). */
fp12_inv_uni(r, r);
}
for (i = 0; i < j; i++) {
if (bn_sign(a) == BN_NEG) {
ep2_neg(t[i], t[i]);
}
pp_fin_k12_oatep(r, t[i], _q[i], _p[i]);
}
pp_exp_k12(r, r);
break;
case B12_P638:
/* r = f_{|a|,Q}(P). */
pp_mil_sps_k12(r, t, _q, _p, j, s, len);
if (bn_sign(a) == BN_NEG) {
fp12_inv_uni(r, r);
}
pp_exp_k12(r, r);
break;
}
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(a);
for (i = 0; i < m; i++) {
ep_free(_p[i]);
ep2_free(_q[i]);
ep2_free(t[i]);
}
}
}
void pp_map_oatep_k12(fp12_t r, ep_t p, ep2_t q) {
ep_t _p[1];
ep2_t t[1], _q[1];
bn_t a;
int len = FP_BITS, s[FP_BITS];
ep_null(_p[0]);
ep2_null(_q[0]);
ep2_null(t[0]);
bn_null(a);
TRY {
ep_new(_p[0]);
ep2_new(_q[0]);
ep2_new(t[0]);
bn_new(a);
fp_param_get_var(a);
bn_mul_dig(a, a, 6);
bn_add_dig(a, a, 2);
fp_param_get_map(s, &len);
fp12_set_dig(r, 1);
ep_norm(_p[0], p);
ep2_norm(_q[0], q);
if (!ep_is_infty(_p[0]) && !ep2_is_infty(_q[0])) {
switch (ep_param_get()) {
case BN_P158:
case BN_P254:
case BN_P256:
case BN_P638:
/* r = f_{|a|,Q}(P). */
pp_mil_sps_k12(r, t, _q, _p, 1, s, len);
if (bn_sign(a) == BN_NEG) {
/* f_{-a,Q}(P) = 1/f_{a,Q}(P). */
fp12_inv_uni(r, r);
ep2_neg(t[0], t[0]);
}
pp_fin_k12_oatep(r, t[0], _q[0], _p[0]);
pp_exp_k12(r, r);
break;
case B12_P638:
/* r = f_{|a|,Q}(P). */
pp_mil_sps_k12(r, t, _q, _p, 1, s, len);
if (bn_sign(a) == BN_NEG) {
fp12_inv_uni(r, r);
ep2_neg(t[0], t[0]);
}
pp_exp_k12(r, r);
break;
}
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ep_free(_p[0]);
ep2_free(_q[0]);
ep2_free(t[0]);
bn_free(a);
}
}
void pp_map_sim_weilp_k12(fp12_t r, ep_t *p, ep2_t *q, int m) {
ep_t _p[m], t0[m];
ep2_t _q[m], t1[m];
fp12_t r0, r1;
bn_t n;
int i, j;
fp12_null(r0);
fp12_null(r1);
bn_null(r);
TRY {
fp12_new(r0);
fp12_new(r1);
bn_new(n);
for (i = 0; i < m; i++) {
ep_null(_p[i]);
ep_null(t0[i]);
ep2_null(_q[i]);
ep2_null(t1[i]);
ep_new(_p[i]);
ep_new(t0[i]);
ep2_new(_q[i]);
ep2_new(t1[i]);
}
j = 0;
for (i = 0; i < m; i++) {
if (!ep_is_infty(p[i]) && !ep2_is_infty(q[i])) {
ep_norm(_p[j], p[i]);
ep2_norm(_q[j++], q[i]);
}
}
ep_curve_get_ord(n);
bn_sub_dig(n, n, 1);
fp12_set_dig(r0, 1);
fp12_set_dig(r1, 1);
if (j > 0) {
pp_mil_lit_k12(r0, t0, _p, _q, j, n);
pp_mil_k12(r1, t1, _q, _p, j, n);
fp12_inv(r1, r1);
fp12_mul(r0, r0, r1);
fp12_inv(r1, r0);
fp12_inv_uni(r0, r0);
}
fp12_mul(r, r0, r1);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp12_free(r0);
fp12_free(r1);
bn_free(n);
for (i = 0; i < m; i++) {
ep_free(_p[i]);
ep_free(t0[i]);
ep2_free(_q[i]);
ep2_free(t1[i]);
}
}
}
/**
* Computes the final exponentiation of a pairing defined over a Barreto-Naehrig
* curve.
*
* @param[out] c - the result.
* @param[in] a - the extension field element to exponentiate.
*/
static void pp_exp_bn(fp12_t c, fp12_t a) {
fp12_t t0, t1, t2, t3;
int l = MAX_TERMS + 1, b[MAX_TERMS + 1];
bn_t x;
fp12_null(t0);
fp12_null(t1);
fp12_null(t2);
fp12_null(t3);
bn_null(x);
TRY {
fp12_new(t0);
fp12_new(t1);
fp12_new(t2);
fp12_new(t3);
bn_new(x);
/*
* New final exponentiation following Fuentes-Castañeda, Knapp and
* Rodríguez-Henríquez: Fast Hashing to G_2.
*/
fp_param_get_var(x);
fp_param_get_sps(b, &l);
/* First, compute m = f^(p^6 - 1)(p^2 + 1). */
fp12_conv_cyc(c, a);
/* Now compute m^((p^4 - p^2 + 1) / r). */
/* t0 = m^2x. */
fp12_exp_cyc_sps(t0, c, b, l);
fp12_sqr_cyc(t0, t0);
/* t1 = m^6x. */
fp12_sqr_cyc(t1, t0);
fp12_mul(t1, t1, t0);
/* t2 = m^6x^2. */
fp12_exp_cyc_sps(t2, t1, b, l);
/* t3 = m^12x^3. */
fp12_sqr_cyc(t3, t2);
fp12_exp_cyc_sps(t3, t3, b, l);
if (bn_sign(x) == BN_NEG) {
fp12_inv_uni(t0, t0);
fp12_inv_uni(t1, t1);
fp12_inv_uni(t3, t3);
}
/* t3 = a = m^12x^3 * m^6x^2 * m^6x. */
fp12_mul(t3, t3, t2);
fp12_mul(t3, t3, t1);
/* t0 = b = 1/(m^2x) * t3. */
fp12_inv_uni(t0, t0);
fp12_mul(t0, t0, t3);
/* Compute t2 * t3 * m * b^p * a^p^2 * [b * 1/m]^p^3. */
fp12_mul(t2, t2, t3);
fp12_mul(t2, t2, c);
fp12_inv_uni(c, c);
fp12_mul(c, c, t0);
fp12_frb(c, c, 3);
fp12_mul(c, c, t2);
fp12_frb(t0, t0, 1);
fp12_mul(c, c, t0);
fp12_frb(t3, t3, 2);
fp12_mul(c, c, t3);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp12_free(t0);
fp12_free(t1);
fp12_free(t2);
fp12_free(t3);
bn_free(x);
}
}
/**
* Computes the final exponentiation of a pairing defined over a
* Barreto-Lynn-Scott curve.
*
* @param[out] c - the result.
* @param[in] a - the extension field element to exponentiate.
*/
static void pp_exp_b12(fp12_t c, fp12_t a) {
fp12_t t[10];
bn_t x;
int l = MAX_TERMS + 1, b[MAX_TERMS + 1];
bn_null(x);
TRY {
for (int i = 0; i < 10; i++) {
fp12_null(t[i]);
fp12_new(t[i]);
}
bn_new(x);
fp_param_get_var(x);
fp_param_get_sps(b, &l);
/* First, compute m^(p^6 - 1)(p^2 + 1). */
fp12_conv_cyc(c, a);
/* v0 = f^-1. */
fp12_inv_uni(t[0], c);
/* v1 = f^-2. */
fp12_sqr_cyc(t[1], t[0]);
/* v2 = f^x. */
fp12_exp_cyc_sps(t[2], c, b, l);
if (bn_sign(x) == BN_NEG) {
fp12_inv_uni(t[2], t[2]);
}
/* v3 = f^2x. */
fp12_sqr_cyc(t[3], t[2]);
/* v4 = f^(x - 2). */
fp12_mul(t[4], t[2], t[1]);
/* v5 = f^(x^2 - 2x). */
fp12_exp_cyc_sps(t[5], t[4], b, l);
if (bn_sign(x) == BN_NEG) {
fp12_inv_uni(t[5], t[5]);
}
/* v6 = f^(x^3 - 2x^2). */
fp12_exp_cyc_sps(t[6], t[5], b, l);
if (bn_sign(x) == BN_NEG) {
fp12_inv_uni(t[6], t[6]);
}
/* v7 = f^(x^4 - 2x^3 + 2x). */
fp12_exp_cyc_sps(t[7], t[6], b, l);
if (bn_sign(x) == BN_NEG) {
fp12_inv_uni(t[7], t[7]);
}
fp12_mul(t[7], t[7], t[3]);
/* v8 = f^(x^5 - 2x^4 + 2x^2). */
fp12_exp_cyc_sps(t[8], t[7], b, l);
if (bn_sign(x) == BN_NEG) {
fp12_inv_uni(t[8], t[8]);
}
/* v7 = f^(x^4 - 2x^3 + 2x - 1)^p. */
fp12_mul(t[7], t[7], t[0]);
fp12_frb(t[7], t[7], 1);
/* v6 = f^(x^3 - 2x^2 + x)^p^2. */
fp12_mul(t[6], t[6], t[2]);
fp12_frb(t[6], t[6], 2);
/* v5 = f^(x^2 - 2x + 1)^p^3. */
fp12_mul(t[5], t[5], c);
fp12_frb(t[5], t[5], 1);
fp12_frb(t[5], t[5], 2);
/* v4 = f^(2 - x). */
fp12_inv_uni(t[4], t[4]);
/* Now compute f * v4 * v5 * v6 * v7 * v8. */
fp12_mul(c, c, t[4]);
fp12_mul(c, c, t[5]);
fp12_mul(c, c, t[6]);
fp12_mul(c, c, t[7]);
fp12_mul(c, c, t[8]);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
for (int i = 0; i < 9; i++) {
fp12_free(t[i]);
}
bn_free(x);
}
}
