// Opening of the instrumented Miller routine. The listing stops after the
// tangent helper, so the remainder of miller()'s body is not shown here and
// the function is left open exactly as in the original.
//
// do_tangent() is a GCC nested function (not ISO C): it reads and writes the
// enclosing locals a, b, c, t0, e0, v, Zx, Zy and the parameters Qx, Qy.
// mult1, add1 and multk are operation counters declared outside this listing;
// they are bumped with plain increments, so they look like measurement-only
// state. NOTE(review): confirm they are not shared between threads.
void miller(element_t res, mpz_t q, element_t P, element_ptr Qx, element_ptr Qy) {
  int m;
  element_t v;
  element_t Z;
  element_t a, b, c;
  element_t t0;
  element_t e0;
  const element_ptr cca = curve_a_coeff(P);
  const element_ptr Px = curve_x_coord(P);
  const element_ptr Py = curve_y_coord(P);
  element_ptr Zx, Zy;

  // Builds the tangent-line coefficients at (Zx, Zy), evaluates them at
  // (Qx, Qy) through d_miller_evalfn() and multiplies the result into v.
  void do_tangent(void) {
    // Coefficients produced below:
    //   a = -(3 Zx^2 + cca)    cca is the curve's a coefficient
    //   b = 2 * Zy
    //   c = -(2 Zy^2 + a Zx)
    element_square(a, Zx);
    ++mult1;
    element_mul_si(a, a, 3);
    // The small-integer multiply is charged as three additions.
    ++add1;
    ++add1;
    ++add1;
    element_add(a, a, cca);
    ++add1;
    element_neg(a, a);

    element_add(b, Zy, Zy);
    ++add1;

    // t0 = b * Zy = 2 Zy^2, folded into c before the final negation.
    element_mul(t0, b, Zy);
    ++mult1;
    element_mul(c, a, Zx);
    ++mult1;
    element_add(c, c, t0);
    ++add1;
    element_neg(c, c);

    d_miller_evalfn(e0, a, b, c, Qx, Qy);
    element_mul(v, v, e0);
    ++multk;
  }
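// Applies a preprocessed pairing: combines the line coefficients stored in
// p->data with the point in2 and writes the result to out.
//
//   out  receives the result; it is set to 1, accumulated in the loop and
//        finally passed through cc_tatepower().
//   in2  point whose coordinates are mapped through the twist before use.
//   p    preprocessed state: p->data is read as a table of (a, b, c) line
//        coefficients, p->pairing supplies the order r and the d-type data.
//
// The coefficient table is consumed strictly in order with no bounds check:
// one entry per loop iteration, plus a second entry in every iteration where
// the tested bit of r is set. It must therefore have been built for this same
// r (presumably by the matching preprocessing routine, which is not part of
// this listing); a table built for a different order would be read past its
// end.
//
// The only data-dependent branch tests bits of r, which comes from the
// pairing parameters and not from in2.
// NOTE(review): no check here that in2 is a finite point; confirm the caller
// filters the point at infinity.
//
// Compared with the original, the temporary `v` is gone: it was initialised
// and cleared but never read or written in between.
static void d_pairing_pp_apply(element_ptr out, element_ptr in2, pairing_pp_t p) {
  mpz_ptr q = p->pairing->r;
  pptr info = p->pairing->data;
  // First bit index to test: bit length minus two, guarded so the unsigned
  // subtraction cannot wrap for very short q.
  mp_bitcnt_t m = (mp_bitcnt_t)mpz_sizeinbase(q, 2);
  m = (m > 2 ? m - 2 : 0);
  pp_coeff_t *coeff = (pp_coeff_t *) p->data;
  pp_coeff_ptr pp = coeff[0];
  element_ptr Qbase = in2;
  element_t e0;
  element_t Qx, Qy;

  element_init_same_as(e0, out);
  element_init(Qx, info->Fqd);
  element_init(Qy, info->Fqd);

  // Twist: (x, y) --> (v^-1 x, v^-(3/2) y)
  // where v is the quadratic nonresidue used to construct the twist
  element_mul(Qx, curve_x_coord(Qbase), info->nqrinv);
  // v^-3/2 = v^-2 * v^1/2
  element_mul(Qy, curve_y_coord(Qbase), info->nqrinv2);

  element_set1(out);
  for (;;) {
    // Stored coefficients for this step, evaluated at the twisted point.
    d_miller_evalfn(e0, pp->a, pp->b, pp->c, Qx, Qy);
    element_mul(out, out, e0);
    pp++;

    if (!m) break;

    if (mpz_tstbit(q, m)) {
      // A set bit consumes one extra table entry.
      d_miller_evalfn(e0, pp->a, pp->b, pp->c, Qx, Qy);
      element_mul(out, out, e0);
      pp++;
    }
    m--;
    element_square(out, out);
  }
  cc_tatepower(out, out, p->pairing);

  element_clear(e0);
  element_clear(Qx);
  element_clear(Qy);
}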
// Builds the coefficients of the line through (Zx, Zy) and (Px, Py),
// evaluates them at (Qx, Qy) through d_miller_evalfn() and multiplies the
// result into v.
//
// Every name used here (a, b, c, t0, e0, v, Px, Py, Zx, Zy, Qx, Qy) comes from
// the enclosing scope, so this only compiles as a GCC nested function inside
// the routine that declares them. mult1, add1 and multk are operation
// counters declared outside this listing.
void do_line(void) {
  // Slope form of the line:
  //   a = -(B.y - A.y) / (B.x - A.x)
  //   b = 1
  //   c = -(A.y + a * A.x)
  // All three are scaled by (B.x - A.x) so that no division is needed.
  element_sub(b, Px, Zx);
  ++add1;
  element_sub(a, Zy, Py);
  ++add1;

  // c = -(a * Zx + b * Zy), with t0 holding the b * Zy term.
  element_mul(t0, b, Zy);
  ++mult1;
  element_mul(c, a, Zx);
  ++mult1;
  element_add(c, c, t0);
  ++add1;
  element_neg(c, c);

  d_miller_evalfn(e0, a, b, c, Qx, Qy);
  element_mul(v, v, e0);
  ++multk;
}