BOOL ate(ECn3& Q,ECn& P,Big &x,ZZn2& X,ZZn6& res) { int i,j,n,nb,nbw,nzs; ECn3 A; ZZn Px,Py; ZZn6 w; Big q=x*x-x+1; #ifdef MR_COUNT_OPS fpc=fpa=fpx=0; #endif normalise(P); #ifdef PROJECTIVE Q.norm(); #endif extract(P,Px,Py); Px+=Px; // because x^6+2 is irreducible.. simplifies line function calculation Py+=Py; res=1; A=Q; // reset A nb=bits(x); res.mark_as_miller(); for (i=nb-2;i>=0;i--) { res*=res; res*=g(A,A,Px,Py); if (bit(x,i)==1) res*=g(A,Q,Px,Py); if (res.iszero()) return FALSE; } #ifdef MR_COUNT_OPS printf("After Miller fpc= %d fpa= %d fpx= %d\n",fpc,fpa,fpx); #endif // if (!A.iszero() || res.iszero()) return FALSE; w=res; w.powq(X); res*=w; // ^(p+1) w=res; w.powq(X); w.powq(X); w.powq(X); res=w/res; // ^(p^3-1) // exploit the clever "trick" for a half-length exponentiation! res.mark_as_unitary(); w=res; res.powq(X); // res*=res; // res=pow(res,CF); if (x<0) res/=powu(w,-x); else res*=powu(w,x); #ifdef MR_COUNT_OPS printf("After pairing fpc= %d fpa= %d fpx= %d\n",fpc,fpa,fpx); fpa=fpc=fpx=0; #endif if (res==(ZZn6)1) return FALSE; return TRUE; }
BOOL fast_tate_pairing(ECn& P,ZZn3& Qx,ZZn3& Qy,Big &x,ZZn2& X,ZZn6& res) { int i,j,n,nb,nbw,nzs; ECn A,P2,t[PRECOMP]; ZZn6 w,hc,z2n,zn[PRECOMP]; Big q=x*x-x+1; res=zn[0]=1; t[0]=P2=A=P; z2n=g(P2,P2,Qx,Qy); // P2=P+P normalise(P2); // // Build windowing table // for (i=1;i<PRECOMP;i++) { hc=g(A,P2,Qx,Qy); t[i]=A; zn[i]=z2n*zn[i-1]*hc; } multi_norm(PRECOMP,t); // make t points Affine /* A=P; // reset A nb=bits(q); for (i=nb-2;i>=0;i--) { res*=res; res*=g(A,A,Qx,Qy); if (bit(q,i)==1) res*=g(A,P,Qx,Qy); if (res.iszero()) return FALSE; } */ A=P; // reset A nb=bits(q); for (i=nb-2;i>=0;i-=(nbw+nzs)) { // windowing helps a little.. n=window(q,i,&nbw,&nzs,WINDOW_SIZE); // standard MIRACL windowing for (j=0;j<nbw;j++) { res*=res; res*=g(A,A,Qx,Qy); } if (n>0) { res*=zn[n/2]; res*=g(A,t[n/2],Qx,Qy); } for (j=0;j<nzs;j++) { res*=res; res*=g(A,A,Qx,Qy); } if (res.iszero()) return FALSE; } #ifdef MR_COUNT_OPS printf("After Miller fpc= %d fpa= %d fpx= %d\n",fpc,fpa,fpx); #endif // if (!A.iszero() || res.iszero()) return FALSE; w=res; w.powq(X); res*=w; // ^(p+1) w=res; w.powq(X); w.powq(X); w.powq(X); res=w/res; // ^(p^3-1) // exploit the clever "trick" for a half-length exponentiation! res.mark_as_unitary(); w=res; res.powq(X); // res*=res; // res=pow(res,CF); if (x<0) res/=powu(w,-x); else res*=powu(w,x); if (res==(ZZn6)1) return FALSE; return TRUE; }