void pp_dbl_k12_basic(fp12_t l, ep2_t r, ep2_t q, ep_t p) { fp2_t s; ep2_t t; int one = 1, zero = 0; fp2_null(s); ep2_null(t); TRY { fp2_new(s); ep2_new(t); ep2_copy(t, q); ep2_dbl_slp_basic(r, s, q); fp12_zero(l); if (ep2_curve_is_twist() == EP_MTYPE) { one ^= 1; zero ^= 1; } fp_mul(l[one][zero][0], s[0], p->x); fp_mul(l[one][zero][1], s[1], p->x); fp2_mul(l[one][one], s, t->x); fp2_sub(l[one][one], t->y, l[one][one]); fp_copy(l[zero][zero][0], p->y); } CATCH_ANY { THROW(ERR_CAUGHT); } FINALLY { fp2_free(s); ep2_free(t); } }
/** * Compute the final lines for optimal ate pairings. * * @param[out] r - the result. * @param[out] t - the resulting point. * @param[in] q - the first point of the pairing, in G_2. * @param[in] p - the second point of the pairing, in G_1. * @param[in] a - the loop parameter. */ static void pp_fin_k12_oatep(fp12_t r, ep2_t t, ep2_t q, ep_t p) { ep2_t q1, q2; fp12_t tmp; fp12_null(tmp); ep2_null(q1); ep2_null(q2); TRY { ep2_new(q1); ep2_new(q2); fp12_new(tmp); fp12_zero(tmp); fp2_set_dig(q1->z, 1); fp2_set_dig(q2->z, 1); ep2_frb(q1, q, 1); ep2_frb(q2, q, 2); ep2_neg(q2, q2); pp_add_k12(tmp, t, q1, p); fp12_mul_dxs(r, r, tmp); pp_add_k12(tmp, t, q2, p); fp12_mul_dxs(r, r, tmp); } CATCH_ANY { THROW(ERR_CAUGHT); } FINALLY { fp12_free(tmp); ep2_free(q1); ep2_free(q2); } }
/** * Compute the Miller loop for pairings of type G_2 x G_1 over the bits of a * given parameter. * * @param[out] r - the result. * @param[out] t - the resulting point. * @param[in] q - the first pairing argument in affine coordinates. * @param[in] p - the second pairing argument in affine coordinates. * @param[in] n - the number of pairings to evaluate. * @param[in] a - the loop parameter. */ static void pp_mil_k12(fp12_t r, ep2_t *t, ep2_t *q, ep_t *p, int m, bn_t a) { fp12_t l; ep_t _p[m]; int i, j; if (m == 0) { return; } fp12_null(l); TRY { fp12_new(l); for (j = 0; j < m; j++) { ep_null(_p[j]); ep_new(_p[j]); #if EP_ADD == BASIC ep_neg(_p[j], p[i]); #else fp_add(_p[j]->x, p[j]->x, p[j]->x); fp_add(_p[j]->x, _p[j]->x, p[j]->x); fp_neg(_p[j]->y, p[j]->y); #endif ep2_copy(t[j], q[j]); } fp12_zero(l); /* Precomputing. */ pp_dbl_k12(r, t[0], t[0], _p[0]); if (bn_get_bit(a, bn_bits(a) - 2)) { for (j = 0; j < m; j++) { pp_add_k12(l, t[j], q[j], p[j]); fp12_mul_dxs(r, r, l); } } for (i = bn_bits(a) - 3; i >= 0; i--) { fp12_sqr(r, r); for (j = 0; j < m; j++) { pp_dbl_k12(l, t[j], t[j], _p[j]); fp12_mul_dxs(r, r, l); if (bn_get_bit(a, i)) { pp_add_k12(l, t[j], q[j], p[j]); fp12_mul_dxs(r, r, l); } } } } CATCH_ANY { THROW(ERR_CAUGHT); } FINALLY { fp12_free(l); for (j = 0; j < m; j++) { ep_free(_p[j]); } } }
/** * Compute the Miller loop for pairings of type G_1 x G_2 over the bits of a * given parameter. * * @param[out] r - the result. * @param[out] t - the resulting point. * @param[in] p - the first pairing argument in affine coordinates. * @param[in] q - the second pairing argument in affine coordinates. * @param[in] n - the number of pairings to evaluate. * @param[in] a - the loop parameter. */ static void pp_mil_lit_k12(fp12_t r, ep_t *t, ep_t *p, ep2_t *q, int m, bn_t a) { fp12_t l; ep2_t _q[m]; int j; fp12_null(l); TRY { fp12_new(l); for (j = 0; j < m; j++) { ep2_null(_q[j]); ep2_new(_q[j]); ep_copy(t[j], p[j]); ep2_neg(_q[j], q[j]); } fp12_zero(l); for (int i = bn_bits(a) - 2; i >= 0; i--) { fp12_sqr(r, r); for (j = 0; j < m; j++) { pp_dbl_lit_k12(l, t[j], t[j], _q[j]); fp12_mul(r, r, l); if (bn_get_bit(a, i)) { pp_add_lit_k12(l, t[j], p[j], q[j]); fp12_mul(r, r, l); } } } } CATCH_ANY { THROW(ERR_CAUGHT); } FINALLY { fp12_free(l); for (j = 0; j < m; j++) { ep2_free(_q[j]); } } }
void fp12_set_dig(fp12_t a, dig_t b) { fp12_zero(a); fp_set_dig(a[0][0][0], b); }
/** * Compute the Miller loop for pairings of type G_2 x G_1 over the bits of a * given parameter represented in sparse form. * * @param[out] r - the result. * @param[out] t - the resulting point. * @param[in] q - the vector of first arguments in affine coordinates. * @param[in] p - the vector of second arguments in affine coordinates. * @param[in] n - the number of pairings to evaluate. * @param[in] s - the loop parameter in sparse form. * @paramin] len - the length of the loop parameter. */ static void pp_mil_sps_k12(fp12_t r, ep2_t *t, ep2_t *q, ep_t *p, int m, int *s, int len) { fp12_t l; ep_t _p[m]; ep2_t _q[m]; int i, j; if (m == 0) { return; } fp12_null(l); TRY { fp12_new(l); fp12_zero(l); for (j = 0; j < m; j++) { ep_null(_p[j]); ep2_null(_q[j]); ep_new(_p[j]); ep2_new(_q[j]); ep2_copy(t[j], q[j]); ep2_neg(_q[j], q[j]); #if EP_ADD == BASIC ep_neg(_p[j], p[j]); #else fp_add(_p[j]->x, p[j]->x, p[j]->x); fp_add(_p[j]->x, _p[j]->x, p[j]->x); fp_neg(_p[j]->y, p[j]->y); #endif } pp_dbl_k12(r, t[0], t[0], _p[0]); for (j = 1; j < m; j++) { pp_dbl_k12(l, t[j], t[j], _p[j]); fp12_mul_dxs(r, r, l); } if (s[len - 2] > 0) { for (j = 0; j < m; j++) { pp_add_k12(l, t[j], q[j], p[j]); fp12_mul_dxs(r, r, l); } } if (s[len - 2] < 0) { for (j = 0; j < m; j++) { pp_add_k12(l, t[j], _q[j], p[j]); fp12_mul_dxs(r, r, l); } } for (i = len - 3; i >= 0; i--) { fp12_sqr(r, r); for (j = 0; j < m; j++) { pp_dbl_k12(l, t[j], t[j], _p[j]); fp12_mul_dxs(r, r, l); if (s[i] > 0) { pp_add_k12(l, t[j], q[j], p[j]); fp12_mul_dxs(r, r, l); } if (s[i] < 0) { pp_add_k12(l, t[j], _q[j], p[j]); fp12_mul_dxs(r, r, l); } } } } CATCH_ANY { THROW(ERR_CAUGHT); } FINALLY { fp12_free(l); for (j = 0; j < m; j++) { ep_free(_p[j]); ep2_free(_q[j]); } } }