int ed_is_infty(const ed_t p) {
assert(!fp_is_zero(p->z));
int ret = 0;
fp_t norm_y;
fp_null(norm_y);
fp_new(norm_y);
fp_inv(norm_y, p->z);
fp_mul(norm_y, p->y, norm_y);
if (fp_cmp_dig(norm_y, 1) == CMP_EQ && fp_is_zero(p->x)) {
ret = 1;
}
fp_free(norm_y);
return ret;
}
void ep_dbl_projc(ep_t r, const ep_t p) {
if (ep_is_infty(p)) {
ep_set_infty(r);
return;
}
if (fp_is_zero(p->x)) {
ep_set_infty(r);
return;
}
ep_dbl_projc_imp(r, p);
}
int ed_is_valid(const ed_t p) {
ed_t t;
#if ED_ADD == EXTND
fp_t x_times_y;
#endif
int r = 0;
ed_null(t);
#if ED_ADD == EXTND
fp_null(x_times_y);
#endif
if (fp_is_zero(p->z)) {
r = 0;
} else {
TRY {
#if ED_ADD == EXTND
fp_new(x_times_y);
#endif
ed_new(t);
ed_norm(t, p);
// check t coordinate
#if ED_ADD == PROJC
r = ed_affine_is_valid(t->x, t->y);
#elif ED_ADD == EXTND
fp_mul(x_times_y, t->x, t->y);
if (fp_cmp(x_times_y, t->t) != CMP_EQ) {
r = 0;
} else {
r = ed_affine_is_valid(t->x, t->y);
}
#endif
// if (r == 0) {
// util_printf("\n\n(X, Y, T, Z) = \n");
// ed_print(p);
// }
} CATCH_ANY {
THROW(ERR_CAUGHT);
} FINALLY {
#if ED_ADD == EXTND
fp_free(x_times_y);
#endif
ed_free(t);
}
}
return r;
}
/**
* Detects an optimization based on the curve coefficients.
*
* @param[out] opt - the resulting optimization.
* @param[in] a - the curve coefficient.
*/
static void detect_opt(int *opt, fp_t a) {
fp_t t;
fp_null(t);
TRY {
fp_new(t);
fp_prime_conv_dig(t, 3);
fp_neg(t, t);
if (fp_cmp(a, t) == CMP_EQ) {
*opt = OPT_MINUS3;
} else {
if (fp_is_zero(a)) {
*opt = OPT_ZERO;
} else {
fp_set_dig(t, 1);
if (fp_cmp_dig(a, 1) == CMP_EQ) {
*opt = OPT_ONE;
} else {
if (fp_cmp_dig(a, 2) == CMP_EQ) {
*opt = OPT_TWO;
} else {
if (fp_bits(a) <= FP_DIGIT) {
*opt = OPT_DIGIT;
} else {
*opt = RELIC_OPT_NONE;
}
}
}
}
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp_free(t);
}
}
int ed_affine_is_valid(const fp_t x, const fp_t y) {
fp_t tmpFP0;
fp_t tmpFP1;
fp_t tmpFP2;
fp_null(tmpFP0);
fp_null(tmpFP1);
fp_null(tmpFP2);
int r = 0;
TRY {
fp_new(tmpFP0);
fp_new(tmpFP1);
fp_new(tmpFP2);
// a * X^2 + Y^2 - 1 - d * X^2 * Y^2 =?= 0
fp_sqr(tmpFP0, x);
fp_mul(tmpFP0, core_get()->ed_a, tmpFP0);
fp_sqr(tmpFP1, y);
fp_add(tmpFP1, tmpFP0, tmpFP1);
fp_sub_dig(tmpFP1, tmpFP1, 1);
fp_sqr(tmpFP0, x);
fp_mul(tmpFP0, core_get()->ed_d, tmpFP0);
fp_sqr(tmpFP2, y);
fp_mul(tmpFP2, tmpFP0, tmpFP2);
fp_sub(tmpFP0, tmpFP1, tmpFP2);
r = fp_is_zero(tmpFP0);
} CATCH_ANY {
THROW(ERR_CAUGHT);
} FINALLY {
fp_free(tmpFP0);
fp_free(tmpFP1);
fp_free(tmpFP2);
}
return r;
}
int fp3_cmp_dig(fp3_t a, dig_t b) {
return (fp_cmp_dig(a[0], b) == CMP_EQ) && fp_is_zero(a[1]) &&
fp_is_zero(a[2]) ? CMP_EQ : CMP_NE;
}
void fp_rdcs_low(dig_t *c, dig_t *a, dig_t *m) {
align dig_t q[2 * FP_DIGS], _q[2 * FP_DIGS];
align dig_t _r[2 * FP_DIGS], r[2 * FP_DIGS], t[2 * FP_DIGS];
int *sform, len;
int first, i, j, b0, d0, b1, d1;
dig_t carry;
sform = fp_prime_get_sps(&len);
SPLIT(b0, d0, FP_BITS, FP_DIG_LOG);
first = (d0) + (b0 == 0 ? 0 : 1);
/* q = floor(a/b^k) */
dv_zero(q, 2 * FP_DIGS);
bn_rshd_low(q, a, 2 * FP_DIGS, d0);
if (b0 > 0) {
bn_rshb_low(q, q, 2 * FP_DIGS, b0);
}
/* r = a - qb^k. */
dv_copy(r, a, first);
if (b0 > 0) {
r[first - 1] &= MASK(b0);
}
carry = 0;
while (!fp_is_zero(q)) {
dv_zero(_q, 2 * FP_DIGS);
for (i = len - 1; i > 0; i--) {
j = (sform[i] < 0 ? -sform[i] : sform[i]);
SPLIT(b1, d1, j, FP_DIG_LOG);
dv_zero(t, 2 * FP_DIGS);
bn_lshd_low(t, q, FP_DIGS, d1);
if (b1 > 0) {
bn_lshb_low(t, t, 2 * FP_DIGS, b1);
}
if (sform[i] > 0) {
bn_subn_low(_q, _q, t, 2 * FP_DIGS);
} else {
bn_addn_low(_q, _q, t, 2 * FP_DIGS);
}
}
if (sform[0] > 0) {
bn_subn_low(_q, _q, q, 2 * FP_DIGS);
} else {
bn_addn_low(_q, _q, q, 2 * FP_DIGS);
}
bn_rshd_low(q, _q, 2 * FP_DIGS, d0);
if (b0 > 0) {
bn_rshb_low(q, q, 2 * FP_DIGS, b0);
}
dv_copy(_r, _q, first);
if (b0 > 0) {
_r[first - 1] &= MASK(b0);
}
fp_add(r, r, _r);
}
while (fp_cmpn_low(r, m) != CMP_LT) {
fp_subn_low(r, r, m);
}
fp_copy(c, r);
}
int ep_is_infty(const ep_t p) {
return (fp_is_zero(p->z) == 1);
}
int fp2_is_zero(fp2_t a) {
return fp_is_zero(a[0]) && fp_is_zero(a[1]);
}
int fp3_is_zero(fp3_t a) {
return fp_is_zero(a[0]) && fp_is_zero(a[1]) && fp_is_zero(a[2]);
}
/**
* Adds two points represented in affine coordinates on an ordinary prime
* elliptic curve.
*
* @param[out] r - the result.
* @param[out] s - the slope.
* @param[in] p - the first point to add.
* @param[in] q - the second point to add.
*/
static void ep_add_basic_imp(ep_t r, fp_t s, const ep_t p, const ep_t q) {
fp_t t0, t1, t2;
fp_null(t0);
fp_null(t1);
fp_null(t2);
TRY {
fp_new(t0);
fp_new(t1);
fp_new(t2);
/* t0 = x2 - x1. */
fp_sub(t0, q->x, p->x);
/* t1 = y2 - y1. */
fp_sub(t1, q->y, p->y);
/* If t0 is zero. */
if (fp_is_zero(t0)) {
if (fp_is_zero(t1)) {
/* If t1 is zero, q = p, should have doubled. */
ep_dbl_basic(r, p);
} else {
/* If t1 is not zero and t0 is zero, q = -p and r = infinity. */
ep_set_infty(r);
}
} else {
/* t2 = 1/(x2 - x1). */
fp_inv(t2, t0);
/* t2 = lambda = (y2 - y1)/(x2 - x1). */
fp_mul(t2, t1, t2);
/* x3 = lambda^2 - x2 - x1. */
fp_sqr(t1, t2);
fp_sub(t0, t1, p->x);
fp_sub(t0, t0, q->x);
/* y3 = lambda * (x1 - x3) - y1. */
fp_sub(t1, p->x, t0);
fp_mul(t1, t2, t1);
fp_sub(r->y, t1, p->y);
fp_copy(r->x, t0);
fp_copy(r->z, p->z);
if (s != NULL) {
fp_copy(s, t2);
}
r->norm = 1;
}
fp_free(t0);
fp_free(t1);
fp_free(t2);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp_free(t0);
fp_free(t1);
fp_free(t2);
}
}
/**
* Adds two points represented in projective coordinates on an ordinary prime
* elliptic curve.
*
* @param[out] r - the result.
* @param[in] p - the first point to add.
* @param[in] q - the second point to add.
*/
static void ep_add_projc_imp(ep_t r, const ep_t p, const ep_t q) {
#if defined(EP_MIXED) && defined(STRIP)
/* If code size is a problem, leave only the mixed version. */
ep_add_projc_mix(r, p, q);
#else /* General addition. */
#if defined(EP_MIXED) || !defined(STRIP)
/* Test if z2 = 1 only if mixed coordinates are turned on. */
if (q->norm) {
ep_add_projc_mix(r, p, q);
return;
}
#endif
fp_t t0, t1, t2, t3, t4, t5, t6;
fp_null(t0);
fp_null(t1);
fp_null(t2);
fp_null(t3);
fp_null(t4);
fp_null(t5);
fp_null(t6);
TRY {
fp_new(t0);
fp_new(t1);
fp_new(t2);
fp_new(t3);
fp_new(t4);
fp_new(t5);
fp_new(t6);
/* add-2007-bl formulas: 11M + 5S + 9add + 4*2 */
/* http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl */
/* t0 = z1^2. */
fp_sqr(t0, p->z);
/* t1 = z2^2. */
fp_sqr(t1, q->z);
/* t2 = U1 = x1 * z2^2. */
fp_mul(t2, p->x, t1);
/* t3 = U2 = x2 * z1^2. */
fp_mul(t3, q->x, t0);
/* t6 = z1^2 + z2^2. */
fp_add(t6, t0, t1);
/* t0 = S2 = y2 * z1^3. */
fp_mul(t0, t0, p->z);
fp_mul(t0, t0, q->y);
/* t1 = S1 = y1 * z2^3. */
fp_mul(t1, t1, q->z);
fp_mul(t1, t1, p->y);
/* t3 = H = U2 - U1. */
fp_sub(t3, t3, t2);
/* t0 = R = 2 * (S2 - S1). */
fp_sub(t0, t0, t1);
fp_dbl(t0, t0);
/* If E is zero. */
if (fp_is_zero(t3)) {
if (fp_is_zero(t0)) {
/* If I is zero, p = q, should have doubled. */
ep_dbl_projc(r, p);
} else {
/* If I is not zero, q = -p, r = infinity. */
ep_set_infty(r);
}
} else {
/* t4 = I = (2*H)^2. */
fp_dbl(t4, t3);
fp_sqr(t4, t4);
/* t5 = J = H * I. */
fp_mul(t5, t3, t4);
/* t4 = V = U1 * I. */
fp_mul(t4, t2, t4);
/* x3 = R^2 - J - 2 * V. */
fp_sqr(r->x, t0);
fp_sub(r->x, r->x, t5);
fp_dbl(t2, t4);
fp_sub(r->x, r->x, t2);
/* y3 = R * (V - x3) - 2 * S1 * J. */
fp_sub(t4, t4, r->x);
fp_mul(t4, t4, t0);
fp_mul(t1, t1, t5);
fp_dbl(t1, t1);
fp_sub(r->y, t4, t1);
/* z3 = ((z1 + z2)^2 - z1^2 - z2^2) * H. */
fp_add(r->z, p->z, q->z);
fp_sqr(r->z, r->z);
fp_sub(r->z, r->z, t6);
fp_mul(r->z, r->z, t3);
}
r->norm = 0;
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp_free(t0);
fp_free(t1);
fp_free(t2);
fp_free(t3);
fp_free(t4);
fp_free(t5);
fp_free(t6);
}
#endif
}
/**
* Adds a point represented in affine coordinates to a point represented in
* projective coordinates.
*
* @param[out] r - the result.
* @param[in] p - the projective point.
* @param[in] q - the affine point.
*/
static void ep_add_projc_mix(ep_t r, const ep_t p, const ep_t q) {
fp_t t0, t1, t2, t3, t4, t5, t6;
fp_null(t0);
fp_null(t1);
fp_null(t2);
fp_null(t3);
fp_null(t4);
fp_null(t5);
fp_null(t6);
TRY {
fp_new(t0);
fp_new(t1);
fp_new(t2);
fp_new(t3);
fp_new(t4);
fp_new(t5);
fp_new(t6);
/* madd-2007-bl formulas: 7M + 4S + 9add + 1*4 + 3*2. */
/* http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-madd-2007-bl */
if (!p->norm) {
/* t0 = z1^2. */
fp_sqr(t0, p->z);
/* t3 = U2 = x2 * z1^2. */
fp_mul(t3, q->x, t0);
/* t1 = S2 = y2 * z1^3. */
fp_mul(t1, t0, p->z);
fp_mul(t1, t1, q->y);
/* t3 = H = U2 - x1. */
fp_sub(t3, t3, p->x);
/* t1 = R = 2 * (S2 - y1). */
fp_sub(t1, t1, p->y);
fp_dbl(t1, t1);
} else {
/* H = x2 - x1. */
fp_sub(t3, q->x, p->x);
/* t1 = R = 2 * (y2 - y1). */
fp_sub(t1, q->y, p->y);
fp_dbl(t1, t1);
}
/* t2 = HH = H^2. */
fp_sqr(t2, t3);
/* If E is zero. */
if (fp_is_zero(t3)) {
if (fp_is_zero(t1)) {
/* If I is zero, p = q, should have doubled. */
ep_dbl_projc(r, p);
} else {
/* If I is not zero, q = -p, r = infinity. */
ep_set_infty(r);
}
} else {
/* t4 = I = 4*HH. */
fp_dbl(t4, t2);
fp_dbl(t4, t4);
/* t5 = J = H * I. */
fp_mul(t5, t3, t4);
/* t4 = V = x1 * I. */
fp_mul(t4, p->x, t4);
/* x3 = R^2 - J - 2 * V. */
fp_sqr(r->x, t1);
fp_sub(r->x, r->x, t5);
fp_dbl(t6, t4);
fp_sub(r->x, r->x, t6);
/* y3 = R * (V - x3) - 2 * Y1 * J. */
fp_sub(t4, t4, r->x);
fp_mul(t4, t4, t1);
fp_mul(t1, p->y, t5);
fp_dbl(t1, t1);
fp_sub(r->y, t4, t1);
if (!p->norm) {
/* z3 = (z1 + H)^2 - z1^2 - HH. */
fp_add(r->z, p->z, t3);
fp_sqr(r->z, r->z);
fp_sub(r->z, r->z, t0);
fp_sub(r->z, r->z, t2);
} else {
/* z3 = 2 * H. */
fp_dbl(r->z, t3);
}
}
r->norm = 0;
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
fp_free(t0);
fp_free(t1);
fp_free(t2);
fp_free(t3);
fp_free(t4);
fp_free(t5);
fp_free(t6);
}
}