/**
 * Inverts a prime field element by exponentiation: c = a^(p - 2).
 *
 * The exponent p - 2 is assembled directly over a copy of the prime's digit
 * vector (bn_sub1_low subtracts the single digit 2), then handed to fp_exp.
 * By Fermat's little theorem the result is the multiplicative inverse for
 * any non-zero a; for a == 0 the exponentiation simply yields 0 and no
 * error is signalled here, so callers that must reject zero check it first.
 *
 * @param[out] c  - the inverse of a, as a digit vector of RLC_FP_DIGS digits.
 * @param[in] a   - the element to invert.
 */
void fp_invn_low(dig_t *c, const dig_t *a) {
	bn_st exponent;

	/* exponent = p - 2, built in place over the prime's digits. */
	bn_init(&exponent, RLC_FP_DIGS);
	exponent.used = RLC_FP_DIGS;
	dv_copy(exponent.dp, fp_prime_get(), RLC_FP_DIGS);
	bn_sub1_low(exponent.dp, exponent.dp, 2, RLC_FP_DIGS);

	/* The cast only exists for the non-automatic allocation layout, where the
	 * raw digit pointer must be presented to fp_exp as a field element. */
#if AUTO == ALLOC
	fp_exp(c, a, &exponent);
#else
	fp_exp(c, (const fp_t)a, &exponent);
#endif

	bn_clean(&exponent);
}
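/**
 * Computes the constants required for evaluating Frobenius maps.
 *
 * Fills the cubic-extension fields of the library context: fp3_base[0] and
 * fp3_base[1] (cnr^((p - 1)/3) and its square, i.e. a cubic root of unity
 * and its square) and the five-entry tables fp3_p, fp3_p2, ... fp3_p5 used
 * by the Frobenius maps for the powers p through p^5. fp3_p is derived from
 * u^((p - 1)/6); the higher tables are products of lower ones.
 *
 * The initial fp_set_dig(-cnr) and the "i > cnr" adjustment loops below both
 * presume that fp_prime_get_cnr() returns a small negative integer (the loops
 * then multiply a temporary by cnr via |cnr| - 1 repeated subtractions) -
 * confirm against the prime configuration, since a positive cnr would make
 * the negated value wrap when converted to a digit.
 *
 * Errors raised by allocation or arithmetic are re-thrown as ERR_CAUGHT and
 * the temporaries are released in FINALLY on every path.
 */
static void fp3_calc(void) {
	bn_t e;
	fp3_t t0, t1, t2;
	ctx_t *ctx = core_get();

	bn_null(e);
	fp3_null(t0);
	fp3_null(t1);
	fp3_null(t2);

	TRY {
		bn_new(e);
		fp3_new(t0);
		fp3_new(t1);
		fp3_new(t2);

		/* base[0] = cnr^((p - 1)/3): cnr is loaded negated and negated again,
		 * which keeps the digit conversion on a non-negative value. */
		fp_set_dig(ctx->fp3_base[0], -fp_prime_get_cnr());
		fp_neg(ctx->fp3_base[0], ctx->fp3_base[0]);
		e->used = FP_DIGS;
		dv_copy(e->dp, fp_prime_get(), FP_DIGS);
		bn_sub_dig(e, e, 1);
		bn_div_dig(e, e, 3);
		fp_exp(ctx->fp3_base[0], ctx->fp3_base[0], e);
		fp_sqr(ctx->fp3_base[1], ctx->fp3_base[0]);

		/* t0 = u (the generator of the cubic extension). */
		fp3_zero(t0);
		fp_set_dig(t0[1], 1);
		/* Reset the digit count before reusing e: the division above may have
		 * trimmed e->used, and dv_copy alone does not restore it, which would
		 * leave a truncated exponent below. */
		e->used = FP_DIGS;
		dv_copy(e->dp, fp_prime_get(), FP_DIGS);
		bn_sub_dig(e, e, 1);
		bn_div_dig(e, e, 6);
		/* t0 = u^((p-1)/6). */
		fp3_exp(t0, t0, e);

		/* Frobenius constants for p, read off powers of t0. */
		fp_copy(ctx->fp3_p[0], t0[2]);
		fp3_sqr(t1, t0);
		fp_copy(ctx->fp3_p[1], t1[1]);
		fp3_mul(t2, t1, t0);
		fp_copy(ctx->fp3_p[2], t2[0]);
		fp3_sqr(t2, t1);
		fp_copy(ctx->fp3_p[3], t2[2]);
		fp3_mul(t2, t2, t0);
		fp_copy(ctx->fp3_p[4], t2[1]);

		/* Constants for p^2. Where a product must be scaled by cnr, the
		 * product is negated and then subtracted |cnr| - 1 more times
		 * (cnr assumed negative, see the header comment). t0[0] is scratch. */
		fp_mul(ctx->fp3_p2[0], ctx->fp3_p[0], ctx->fp3_base[1]);
		fp_mul(t0[0], ctx->fp3_p2[0], ctx->fp3_p[0]);
		fp_neg(ctx->fp3_p2[0], t0[0]);
		for (int i = -1; i > fp_prime_get_cnr(); i--) {
			fp_sub(ctx->fp3_p2[0], ctx->fp3_p2[0], t0[0]);
		}
		fp_mul(ctx->fp3_p2[1], ctx->fp3_p[1], ctx->fp3_base[0]);
		fp_mul(ctx->fp3_p2[1], ctx->fp3_p2[1], ctx->fp3_p[1]);
		fp_sqr(ctx->fp3_p2[2], ctx->fp3_p[2]);
		fp_mul(ctx->fp3_p2[3], ctx->fp3_p[3], ctx->fp3_base[1]);
		fp_mul(t0[0], ctx->fp3_p2[3], ctx->fp3_p[3]);
		fp_neg(ctx->fp3_p2[3], t0[0]);
		for (int i = -1; i > fp_prime_get_cnr(); i--) {
			fp_sub(ctx->fp3_p2[3], ctx->fp3_p2[3], t0[0]);
		}
		fp_mul(ctx->fp3_p2[4], ctx->fp3_p[4], ctx->fp3_base[0]);
		fp_mul(ctx->fp3_p2[4], ctx->fp3_p2[4], ctx->fp3_p[4]);

		/* Constants for p^3, same scaling pattern as above. */
		fp_mul(ctx->fp3_p3[0], ctx->fp3_p[0], ctx->fp3_base[0]);
		fp_mul(t0[0], ctx->fp3_p3[0], ctx->fp3_p2[0]);
		fp_neg(ctx->fp3_p3[0], t0[0]);
		for (int i = -1; i > fp_prime_get_cnr(); i--) {
			fp_sub(ctx->fp3_p3[0], ctx->fp3_p3[0], t0[0]);
		}
		fp_mul(ctx->fp3_p3[1], ctx->fp3_p[1], ctx->fp3_base[1]);
		fp_mul(t0[0], ctx->fp3_p3[1], ctx->fp3_p2[1]);
		fp_neg(ctx->fp3_p3[1], t0[0]);
		for (int i = -1; i > fp_prime_get_cnr(); i--) {
			fp_sub(ctx->fp3_p3[1], ctx->fp3_p3[1], t0[0]);
		}
		fp_mul(ctx->fp3_p3[2], ctx->fp3_p[2], ctx->fp3_p2[2]);
		fp_mul(ctx->fp3_p3[3], ctx->fp3_p[3], ctx->fp3_base[0]);
		fp_mul(t0[0], ctx->fp3_p3[3], ctx->fp3_p2[3]);
		fp_neg(ctx->fp3_p3[3], t0[0]);
		for (int i = -1; i > fp_prime_get_cnr(); i--) {
			fp_sub(ctx->fp3_p3[3], ctx->fp3_p3[3], t0[0]);
		}
		fp_mul(ctx->fp3_p3[4], ctx->fp3_p[4], ctx->fp3_base[1]);
		fp_mul(t0[0], ctx->fp3_p3[4], ctx->fp3_p2[4]);
		fp_neg(ctx->fp3_p3[4], t0[0]);
		for (int i = -1; i > fp_prime_get_cnr(); i--) {
			fp_sub(ctx->fp3_p3[4], ctx->fp3_p3[4], t0[0]);
		}

		/* Constants for p^4 = p * p^3 and p^5 = p^2 * p^3. */
		for (int i = 0; i < 5; i++) {
			fp_mul(ctx->fp3_p4[i], ctx->fp3_p[i], ctx->fp3_p3[i]);
			fp_mul(ctx->fp3_p5[i], ctx->fp3_p2[i], ctx->fp3_p3[i]);
		}
	}
	CATCH_ANY {
		THROW(ERR_CAUGHT);
	}
	FINALLY {
		bn_free(e);
		fp3_free(t0);
		fp3_free(t1);
		fp3_free(t2);
	}
}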
/**
 * Extracts a square root in the prime field, if one exists.
 *
 * Two paths are taken depending on p mod 8. When p = 3 or 7 (mod 8) the root
 * candidate a^((p + 1)/4) is computed and verified by squaring; c is written
 * in that branch even when the verification fails, so the return value must
 * be consulted. Otherwise Tonelli-Shanks is run: the Euler criterion
 * a^((p - 1)/2) == 1 decides whether a root exists (this also rejects a == 0
 * here, unlike the easy branch), a quadratic non-residue is found by random
 * sampling, and the root is refined by repeated squaring. In that branch c
 * is left untouched when no root exists.
 *
 * Control flow in the general branch depends on the value of a (loop
 * conditions compare intermediates against 1) and on random draws, so this
 * routine should not be treated as constant-time.
 *
 * @param[out] c  - the square root, when the return value is 1.
 * @param[in] a   - the element whose square root is sought.
 * @return 1 if a is a quadratic residue and c holds a root, 0 otherwise.
 * @throw ERR_CAUGHT if allocation or arithmetic below raises an error.
 */
int fp_srt(fp_t c, const fp_t a) {
	bn_t e;
	fp_t t0;
	fp_t t1;
	int r = 0;

	bn_null(e);
	fp_null(t0);
	fp_null(t1);

	TRY {
		bn_new(e);
		fp_new(t0);
		fp_new(t1);

		/* Make e = p. */
		e->used = FP_DIGS;
		dv_copy(e->dp, fp_prime_get(), FP_DIGS);

		if (fp_prime_get_mod8() == 3 || fp_prime_get_mod8() == 7) {
			/* Easy case, compute a^((p + 1)/4). */
			bn_add_dig(e, e, 1);
			bn_rsh(e, e, 2);
			fp_exp(t0, a, e);
			fp_sqr(t1, t0);
			/* r records whether the candidate really squares back to a. */
			r = (fp_cmp(t1, a) == CMP_EQ);
			fp_copy(c, t0);
		} else {
			/* f: exponent of 2 in p - 1; m: depth at which t0 reaches 1. */
			int f = 0, m = 0;

			/* First, check if there is a root. Compute t1 = a^((p - 1)/2). */
			bn_rsh(e, e, 1);
			fp_exp(t0, a, e);

			if (fp_cmp_dig(t0, 1) != CMP_EQ) {
				/* Nope, there is no square root. */
				r = 0;
			} else {
				r = 1;
				/* Find a quadratic non-residue modulo p, that is a number t2
				 * such that (t2 | p) = t2^((p - 1)/2)!= 1. */
				do {
					fp_rand(t1);
					fp_exp(t0, t1, e);
				} while (fp_cmp_dig(t0, 1) == CMP_EQ);
				/* Write p - 1 as (e * 2^f), odd e. */
				bn_lsh(e, e, 1);
				while (bn_is_even(e)) {
					bn_rsh(e, e, 1);
					f++;
				}
				/* Compute t2 = t2^e. */
				fp_exp(t1, t1, e);
				/* Compute t1 = a^e, c = a^((e + 1)/2) = a^(e/2 + 1), odd e. */
				bn_rsh(e, e, 1);
				fp_exp(t0, a, e);
				/* From here on e is no longer needed as an integer; its digit
				 * vector is reused as scratch field-element storage, which
				 * presumes bn_new gave it at least FP_DIGS digits - confirm. */
				fp_mul(e->dp, t0, a);
				fp_sqr(t0, t0);
				fp_mul(t0, t0, a);
				fp_copy(c, e->dp);
				while (1) {
					/* t0 == 1 means c is now a root. */
					if (fp_cmp_dig(t0, 1) == CMP_EQ) {
						break;
					}
					fp_copy(e->dp, t0);
					/* Find the smallest m with t0^(2^m) == 1. */
					for (m = 0; (m < f) && (fp_cmp_dig(t0, 1) != CMP_EQ); m++) {
						fp_sqr(t0, t0);
					}
					fp_copy(t0, e->dp);
					/* Raise the non-residue to 2^(f - m - 1) and fold it in. */
					for (int i = 0; i < f - m - 1; i++) {
						fp_sqr(t1, t1);
					}
					fp_mul(c, c, t1);
					fp_sqr(t1, t1);
					fp_mul(t0, t0, t1);
					f = m;
				}
			}
		}
	}
	CATCH_ANY {
		THROW(ERR_CAUGHT);
	}
	FINALLY {
		bn_free(e);
		fp_free(t0);
		fp_free(t1);
	}
	return r;
}