/**
* Multiplies a binary elliptic curve point by an integer using the w-NAF mixed coordinate
* method.
*
* @param[out] r - the result.
* @param[in] t - the precomputed table.
* @param[in] k - the integer.
*/
static void ed_mul_fix_plain_mixed(ed_t r, const ed_t *t, const bn_t k) {
int l, i, n;
int8_t naf[FP_BITS + 1], *_k;
/* Compute the w-TNAF representation of k. */
l = FP_BITS + 1;
bn_rec_naf(naf, &l, k, ED_DEPTH);
_k = naf + l - 1;
ed_set_infty(r);
for (i = l - 1; i >= 0; i--, _k--) {
n = *_k;
if (n == 0) {
/* doubling is followed by another doubling */
if (i > 0) {
ed_dbl_short(r, r);
} else {
/* use full extended coordinate doubling for last step */
ed_dbl(r, r);
}
} else {
ed_dbl(r, r);
if (n > 0) {
ed_add(r, r, t[n / 2]);
} else if (n < 0) {
ed_sub(r, r, t[-n / 2]);
}
}
}
/* Convert r to affine coordinates. */
ed_norm(r, r);
}
void ed_mul_pre_nafwi(ed_t *t, const ed_t p) {
int l;
bn_t n;
bn_null(n);
TRY {
bn_new(n);
ed_curve_get_ord(n);
l = bn_bits(n) + 1;
l = ((l % ED_DEPTH) == 0 ? (l / ED_DEPTH) : (l / ED_DEPTH) + 1);
ed_copy(t[0], p);
for (int i = 1; i < l; i++) {
ed_dbl(t[i], t[i - 1]);
for (int j = 1; j < ED_DEPTH; j++) {
ed_dbl(t[i], t[i]);
}
}
ed_norm_sim(t + 1, (const ed_t *)t + 1, l - 1);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
}
}
void ed_mul_basic(ed_t r, const ed_t p, const bn_t k) {
ed_t t;
ed_null(t);
if (bn_is_zero(k) || ed_is_infty(p)) {
ed_set_infty(r);
return;
}
TRY {
ed_new(t);
ed_copy(t, p);
for (int i = bn_bits(k) - 2; i >= 0; i--) {
ed_dbl(t, t);
if (bn_get_bit(k, i)) {
ed_add(t, t, p);
}
}
ed_norm(r, t);
if (bn_sign(k) == RLC_NEG) {
ed_neg(r, r);
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ed_free(t);
}
}
void ed_mul_dig(ed_t r, const ed_t p, dig_t k) {
int i, l;
ed_t t;
ed_null(t);
if (k == 0) {
ed_set_infty(r);
return;
}
TRY {
ed_new(t);
l = util_bits_dig(k);
ed_copy(t, p);
for (i = l - 2; i >= 0; i--) {
ed_dbl(t, t);
if (k & ((dig_t)1 << i)) {
ed_add(t, t, p);
}
}
ed_norm(r, t);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ed_free(t);
}
}
void ed_mul_pre_combd(ed_t *t, const ed_t p) {
int i, j, d, e;
bn_t n;
bn_null(n);
TRY {
bn_new(n);
ed_curve_get_ord(n);
d = bn_bits(n);
d = ((d % ED_DEPTH) == 0 ? (d / ED_DEPTH) : (d / ED_DEPTH) + 1);
e = (d % 2 == 0 ? (d / 2) : (d / 2) + 1);
ed_set_infty(t[0]);
ed_copy(t[1], p);
for (j = 1; j < ED_DEPTH; j++) {
ed_dbl(t[1 << j], t[1 << (j - 1)]);
for (i = 1; i < d; i++) {
ed_dbl(t[1 << j], t[1 << j]);
}
#if defined(ED_MIXED)
ed_norm(t[1 << j], t[1 << j]);
#endif
for (i = 1; i < (1 << j); i++) {
ed_add(t[(1 << j) + i], t[i], t[1 << j]);
}
}
ed_set_infty(t[1 << ED_DEPTH]);
for (j = 1; j < (1 << ED_DEPTH); j++) {
ed_dbl(t[(1 << ED_DEPTH) + j], t[j]);
for (i = 1; i < e; i++) {
ed_dbl(t[(1 << ED_DEPTH) + j], t[(1 << ED_DEPTH) + j]);
}
}
ed_norm_sim(t + 2, (const ed_t *)t + 2, (1 << ED_DEPTH) - 2);
ed_norm_sim(t + (1 << ED_DEPTH) + 1,
(const ed_t *)t + (1 << ED_DEPTH) + 1, (1 << ED_DEPTH) - 1);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
}
}
void ed_mul_pre_combs(ed_t *t, const ed_t p) {
int i, j, l;
bn_t n;
bn_null(n);
TRY {
bn_new(n);
ed_curve_get_ord(n);
l = bn_bits(n);
l = ((l % ED_DEPTH) == 0 ? (l / ED_DEPTH) : (l / ED_DEPTH) + 1);
#if defined(ED_ENDOM)
if (ed_curve_is_endom()) {
l = bn_bits(n);
l = ((l % (2 * ED_DEPTH)) ==
0 ? (l / (2 * ED_DEPTH)) : (l / (2 * ED_DEPTH)) + 1);
}
#endif
ed_set_infty(t[0]);
ed_copy(t[1], p);
for (j = 1; j < ED_DEPTH; j++) {
ed_dbl(t[1 << j], t[1 << (j - 1)]);
for (i = 1; i < l; i++) {
ed_dbl(t[1 << j], t[1 << j]);
}
#if defined(ED_MIXED)
ed_norm(t[1 << j], t[1 << j]);
#endif
for (i = 1; i < (1 << j); i++) {
ed_add(t[(1 << j) + i], t[i], t[1 << j]);
}
}
ed_norm_sim(t + 2, (const ed_t *)t + 2, ED_TABLE_COMBS - 2);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
}
}
void ed_mul_fixed(ed_t r, const ed_t b, const bn_t k) {
ed_t pre[4];
int h, l;
if (bn_is_zero(k)) {
ed_set_infty(r);
return;
}
for (int n = 0; n < 4; n++) {
ed_null(pre[n]);
ed_new(pre[n]);
}
// precomputation
ed_set_infty(pre[0]);
ed_copy(pre[1], b);
ed_dbl(pre[2], b);
ed_add(pre[3], pre[2], pre[1]);
l = bn_bits(k);
h = bn_get_bit(k, l - 1 + (l % 2)) * 2 + bn_get_bit(k, l - 2 + (l % 2));
ed_copy(r, pre[h]);
for (int i = ((l - 1) / 2) * 2; i > 1; i -= 2) {
int index = (i - 2) / (sizeof(dig_t) * 8);
int shift = (i - 2) % (sizeof(dig_t) * 8);
int bits = (k->dp[index] >> shift) & 3;
r->norm = 2;
ed_dbl(r, r);
ed_dbl(r, r);
ed_add(r, r, pre[bits]);
}
ed_norm(r, r);
for (int n = 0; n < 4; n++) {
ed_free(pre[n]);
}
}
void ed_mul_fix_combd(ed_t r, const ed_t *t, const bn_t k) {
int i, j, d, e, w0, w1, n0, p0, p1;
bn_t n;
bn_null(n);
TRY {
bn_new(n);
ed_curve_get_ord(n);
d = bn_bits(n);
d = ((d % ED_DEPTH) == 0 ? (d / ED_DEPTH) : (d / ED_DEPTH) + 1);
e = (d % 2 == 0 ? (d / 2) : (d / 2) + 1);
ed_set_infty(r);
n0 = bn_bits(k);
p1 = (e - 1) + (ED_DEPTH - 1) * d;
for (i = e - 1; i >= 0; i--) {
ed_dbl(r, r);
w0 = 0;
p0 = p1;
for (j = ED_DEPTH - 1; j >= 0; j--, p0 -= d) {
w0 = w0 << 1;
if (p0 < n0 && bn_get_bit(k, p0)) {
w0 = w0 | 1;
}
}
w1 = 0;
p0 = p1-- + e;
for (j = ED_DEPTH - 1; j >= 0; j--, p0 -= d) {
w1 = w1 << 1;
if (i + e < d && p0 < n0 && bn_get_bit(k, p0)) {
w1 = w1 | 1;
}
}
ed_add(r, r, t[w0]);
ed_add(r, r, t[(1 << ED_DEPTH) + w1]);
}
ed_norm(r, r);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
}
}
/**
* Multiplies a prime elliptic curve point by an integer using the COMBS
* method.
*
* @param[out] r - the result.
* @param[in] t - the precomputed table.
* @param[in] k - the integer.
*/
static void ed_mul_combs_plain(ed_t r, const ed_t *t, const bn_t k) {
int i, j, l, w, n0, p0, p1;
bn_t n;
bn_null(n);
TRY {
bn_new(n);
ed_curve_get_ord(n);
l = bn_bits(n);
l = ((l % ED_DEPTH) == 0 ? (l / ED_DEPTH) : (l / ED_DEPTH) + 1);
n0 = bn_bits(k);
p0 = (ED_DEPTH) * l - 1;
w = 0;
p1 = p0--;
for (j = ED_DEPTH - 1; j >= 0; j--, p1 -= l) {
w = w << 1;
if (p1 < n0 && bn_get_bit(k, p1)) {
w = w | 1;
}
}
ed_copy(r, t[w]);
for (i = l - 2; i >= 0; i--) {
ed_dbl(r, r);
w = 0;
p1 = p0--;
for (j = ED_DEPTH - 1; j >= 0; j--, p1 -= l) {
w = w << 1;
if (p1 < n0 && bn_get_bit(k, p1)) {
w = w | 1;
}
}
if (w > 0) {
ed_add(r, r, t[w]);
}
}
ed_norm(r, r);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
}
}
void ed_mul_monty(ed_t r, const ed_t p, const bn_t k) {
ed_t t[2];
ed_null(t[0]);
ed_null(t[1]);
if (bn_is_zero(k) || ed_is_infty(p)) {
ed_set_infty(r);
return;
}
TRY {
ed_new(t[0]);
ed_new(t[1]);
ed_set_infty(t[0]);
ed_copy(t[1], p);
for (int i = bn_bits(k) - 1; i >= 0; i--) {
int j = bn_get_bit(k, i);
dv_swap_cond(t[0]->x, t[1]->x, RLC_FP_DIGS, j ^ 1);
dv_swap_cond(t[0]->y, t[1]->y, RLC_FP_DIGS, j ^ 1);
dv_swap_cond(t[0]->z, t[1]->z, RLC_FP_DIGS, j ^ 1);
#if ED_ADD == EXTND
dv_swap_cond(t[0]->t, t[1]->t, RLC_FP_DIGS, j ^ 1);
#endif
ed_add(t[0], t[0], t[1]);
ed_dbl(t[1], t[1]);
dv_swap_cond(t[0]->x, t[1]->x, RLC_FP_DIGS, j ^ 1);
dv_swap_cond(t[0]->y, t[1]->y, RLC_FP_DIGS, j ^ 1);
dv_swap_cond(t[0]->z, t[1]->z, RLC_FP_DIGS, j ^ 1);
#if ED_ADD == EXTND
dv_swap_cond(t[0]->t, t[1]->t, RLC_FP_DIGS, j ^ 1);
#endif
}
ed_norm(r, t[0]);
if (bn_sign(k) == RLC_NEG) {
ed_neg(r, r);
}
} CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
ed_free(t[1]);
ed_free(t[0]);
}
}
static void ed_mul_reg_imp(ed_t r, const ed_t p, const bn_t k) {
int l, i, j, n;
int8_t reg[RLC_CEIL(RLC_FP_BITS + 1, ED_WIDTH - 1)], *_k;
ed_t t[1 << (ED_WIDTH - 2)];
TRY {
/* Prepare the precomputation table. */
for (i = 0; i < (1 << (ED_WIDTH - 2)); i++) {
ed_null(t[i]);
ed_new(t[i]);
}
/* Compute the precomputation table. */
ed_tab(t, p, ED_WIDTH);
/* Compute the w-NAF representation of k. */
l = RLC_CEIL(RLC_FP_BITS + 1, ED_WIDTH - 1);
bn_rec_reg(reg, &l, k, RLC_FP_BITS, ED_WIDTH);
_k = reg + l - 1;
ed_set_infty(r);
for (i = l - 1; i >= 0; i--, _k--) {
for (j = 0; j < ED_WIDTH - 1; j++) {
r->norm = 2;
ed_dbl(r, r);
}
n = *_k;
if (n > 0) {
ed_add(r, r, t[n / 2]);
}
if (n < 0) {
ed_sub(r, r, t[-n / 2]);
}
}
/* Convert r to affine coordinates. */
ed_norm(r, r);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
/* Free the precomputation table. */
for (i = 0; i < (1 << (ED_WIDTH - 2)); i++) {
ed_free(t[i]);
}
}
}
void ed_tab(ed_t *t, const ed_t p, int w) {
if (w > 2) {
ed_dbl(t[0], p);
#if defined(ED_MIXED)
ed_norm(t[0], t[0]);
#endif
ed_add(t[1], t[0], p);
for (int i = 2; i < (1 << (w - 2)); i++) {
ed_add(t[i], t[i - 1], t[0]);
}
#if defined(ED_MIXED)
ed_norm_sim(t + 1, (const ed_t *)t + 1, (1 << (w - 2)) - 1);
#endif
}
ed_copy(t[0], p);
}
void ed_mul_pre_basic(ed_t *t, const ed_t p) {
bn_t n;
bn_null(n);
TRY {
bn_new(n);
ed_curve_get_ord(n);
ed_copy(t[0], p);
for (int i = 1; i < bn_bits(n); i++) {
ed_dbl(t[i], t[i - 1]);
}
ed_norm_sim(t + 1, (const ed_t *)t + 1, bn_bits(n) - 1);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
}
}
/**
* Multiplies a binary elliptic curve point by an integer using the w-NAF
* method.
*
* @param[out] r - the result.
* @param[in] t - the precomputed table.
* @param[in] k - the integer.
*/
static void ed_mul_fix_plain(ed_t r, const ed_t *t, const bn_t k) {
int l, i, n;
int8_t naf[FP_BITS + 1], *_k;
/* Compute the w-TNAF representation of k. */
l = FP_BITS + 1;
bn_rec_naf(naf, &l, k, ED_DEPTH);
_k = naf + l - 1;
ed_set_infty(r);
for (i = l - 1; i >= 0; i--, _k--) {
ed_dbl(r, r);
n = *_k;
if (n > 0) {
ed_add(r, r, t[n / 2]);
}
if (n < 0) {
ed_sub(r, r, t[-n / 2]);
}
}
/* Convert r to affine coordinates. */
ed_norm(r, r);
}
/**
* Multiplies a prime elliptic curve point by an integer using the COMBS
* method.
*
* @param[out] r - the result.
* @param[in] t - the precomputed table.
* @param[in] k - the integer.
*/
static void ed_mul_combs_endom(ed_t r, const ed_t *t, const bn_t k) {
int i, j, l, w0, w1, n0, n1, p0, p1, s0, s1;
bn_t n, k0, k1, v1[3], v2[3];
ed_t u;
bn_null(n);
bn_null(k0);
bn_null(k1);
ed_null(u);
TRY {
bn_new(n);
bn_new(k0);
bn_new(k1);
ed_new(u);
for (i = 0; i < 3; i++) {
bn_null(v1[i]);
bn_null(v2[i]);
bn_new(v1[i]);
bn_new(v2[i]);
}
ed_curve_get_ord(n);
ed_curve_get_v1(v1);
ed_curve_get_v2(v2);
l = bn_bits(n);
l = ((l % (2 * ED_DEPTH)) ==
0 ? (l / (2 * ED_DEPTH)) : (l / (2 * ED_DEPTH)) + 1);
bn_rec_glv(k0, k1, k, n, (const bn_t *)v1, (const bn_t *)v2);
s0 = bn_sign(k0);
s1 = bn_sign(k1);
bn_abs(k0, k0);
bn_abs(k1, k1);
n0 = bn_bits(k0);
n1 = bn_bits(k1);
p0 = (ED_DEPTH) * l - 1;
ed_set_infty(r);
for (i = l - 1; i >= 0; i--) {
ed_dbl(r, r);
w0 = 0;
w1 = 0;
p1 = p0--;
for (j = ED_DEPTH - 1; j >= 0; j--, p1 -= l) {
w0 = w0 << 1;
w1 = w1 << 1;
if (p1 < n0 && bn_get_bit(k0, p1)) {
w0 = w0 | 1;
}
if (p1 < n1 && bn_get_bit(k1, p1)) {
w1 = w1 | 1;
}
}
if (w0 > 0) {
if (s0 == BN_POS) {
ed_add(r, r, t[w0]);
} else {
ed_sub(r, r, t[w0]);
}
}
if (w1 > 0) {
ed_copy(u, t[w1]);
fp_mul(u->x, u->x, ed_curve_get_beta());
if (s1 == BN_NEG) {
ed_neg(u, u);
}
ed_add(r, r, u);
}
}
ed_norm(r, r);
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
bn_free(n);
bn_free(k0);
bn_free(k1);
ed_free(u);
for (i = 0; i < 3; i++) {
bn_free(v1[i]);
bn_free(v2[i]);
}
}
}
void ed_mul_slide(ed_t r, const ed_t p, const bn_t k) {
ed_t t[1 << (EP_WIDTH - 1)], q;
int i, j, l;
uint8_t win[RLC_FP_BITS + 1];
ed_null(q);
if (bn_is_zero(k) || ed_is_infty(p)) {
ed_set_infty(r);
return;
}
TRY {
for (i = 0; i < (1 << (EP_WIDTH - 1)); i ++) {
ed_null(t[i]);
ed_new(t[i]);
}
ed_new(q);
ed_copy(t[0], p);
ed_dbl(q, p);
#if defined(EP_MIXED)
ed_norm(q, q);
#endif
/* Create table. */
for (i = 1; i < (1 << (EP_WIDTH - 1)); i++) {
ed_add(t[i], t[i - 1], q);
}
#if defined(EP_MIXED)
ed_norm_sim(t + 1, (const ed_t *)t + 1, (1 << (EP_WIDTH - 1)) - 1);
#endif
ed_set_infty(q);
l = RLC_FP_BITS + 1;
bn_rec_slw(win, &l, k, EP_WIDTH);
for (i = 0; i < l; i++) {
if (win[i] == 0) {
ed_dbl(q, q);
} else {
for (j = 0; j < util_bits_dig(win[i]); j++) {
ed_dbl(q, q);
}
ed_add(q, q, t[win[i] >> 1]);
}
}
ed_norm(r, q);
if (bn_sign(k) == RLC_NEG) {
ed_neg(r, r);
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
for (i = 0; i < (1 << (EP_WIDTH - 1)); i++) {
ed_free(t[i]);
}
ed_free(q);
}
}
static void ed_mul_naf_imp(ed_t r, const ed_t p, const bn_t k) {
int l, i, n;
int8_t naf[RLC_FP_BITS + 1];
ed_t t[1 << (ED_WIDTH - 2)];
if (bn_is_zero(k)) {
ed_set_infty(r);
return;
}
TRY {
/* Prepare the precomputation table. */
for (i = 0; i < (1 << (ED_WIDTH - 2)); i++) {
ed_null(t[i]);
ed_new(t[i]);
}
/* Compute the precomputation table. */
ed_tab(t, p, ED_WIDTH);
/* Compute the w-NAF representation of k. */
l = sizeof(naf);
bn_rec_naf(naf, &l, k, EP_WIDTH);
ed_set_infty(r);
for (i = l - 1; i > 0; i--) {
n = naf[i];
if (n == 0) {
/* This point will be doubled in the previous iteration. */
r->norm = 2;
ed_dbl(r, r);
} else {
ed_dbl(r, r);
if (n > 0) {
ed_add(r, r, t[n / 2]);
} else if (n < 0) {
ed_sub(r, r, t[-n / 2]);
}
}
}
/* Last iteration. */
n = naf[0];
ed_dbl(r, r);
if (n > 0) {
ed_add(r, r, t[n / 2]);
} else if (n < 0) {
ed_sub(r, r, t[-n / 2]);
}
/* Convert r to affine coordinates. */
ed_norm(r, r);
if (bn_sign(k) == RLC_NEG) {
ed_neg(r, r);
}
}
CATCH_ANY {
THROW(ERR_CAUGHT);
}
FINALLY {
/* Free the precomputation table. */
for (i = 0; i < (1 << (ED_WIDTH - 2)); i++) {
ed_free(t[i]);
}
}
}
