/* Multiply P by e in group G1 */
public static ECP G1Mul(ECP P, BIG e)
{
ECP R;
if (USE_GLV)
{
//P.affine();
R = new ECP();
R.Copy(P);
int np, nn;
ECP Q = new ECP();
Q.Copy(P);
Q.Affine();
BIG q = new BIG(ROM.CURVE_Order);
FP cru = new FP(new BIG(ROM.CURVE_Cru));
BIG t = new BIG(0);
BIG[] u = Glv(e);
Q.GetX().Mul(cru);
np = u[0].NBits();
t.Copy(BIG.ModNeg(u[0], q));
nn = t.NBits();
if (nn < np)
{
u[0].Copy(t);
R.Neg();
}
np = u[1].NBits();
t.Copy(BIG.ModNeg(u[1], q));
nn = t.NBits();
if (nn < np)
{
u[1].Copy(t);
Q.Neg();
}
u[0].Norm();
u[1].Norm();
R = R.Mul2(u[0], Q, u[1]);
}
else
{
R = P.Mul(e);
}
return(R);
}
/* r=x^n using XTR method on traces of FP12s */
public FP4 Xtr_Pow(BIG n)
{
FP4 a = new FP4(3);
FP4 b = new FP4(this);
FP4 c = new FP4(b);
c.Xtr_D();
FP4 t = new FP4(0);
FP4 r = new FP4(0);
n.Norm();
int par = n.Parity();
BIG v = new BIG(n);
v.FShr(1);
if (par == 0)
{
v.Dec(1);
v.Norm();
}
int nb = v.NBits();
for (int i = nb - 1; i >= 0; i--)
{
if (v.Bit(i) != 1)
{
t.Copy(b);
Conj();
c.Conj();
b.Xtr_A(a, this, c);
Conj();
c.Copy(t);
c.Xtr_D();
a.Xtr_D();
}
else
{
t.Copy(a);
t.Conj();
a.Copy(b);
a.Xtr_D();
b.Xtr_A(c, this, t);
c.Xtr_D();
}
}
if (par == 0)
{
r.Copy(c);
}
else
{
r.Copy(b);
}
r.Reduce();
return(r);
}
/* Multiply P by e in group G2 */
public static ECP2 G2Mul(ECP2 P, BIG e)
{
ECP2 R;
if (USE_GS_G2)
{
ECP2[] Q = new ECP2[4];
FP2 f = new FP2(new BIG(ROM.Fra), new BIG(ROM.Frb));
if (ECP.SEXTIC_TWIST == ECP.M_TYPE)
{
f.Inverse();
f.Norm();
}
BIG q = new BIG(ROM.CURVE_Order);
BIG[] u = GS(e);
BIG t = new BIG(0);
int i, np, nn;
//P.affine();
Q[0] = new ECP2();
Q[0].Copy(P);
for (i = 1; i < 4; i++)
{
Q[i] = new ECP2();
Q[i].Copy(Q[i - 1]);
Q[i].Frob(f);
}
for (i = 0; i < 4; i++)
{
np = u[i].NBits();
t.Copy(BIG.ModNeg(u[i], q));
nn = t.NBits();
if (nn < np)
{
u[i].Copy(t);
Q[i].Neg();
}
u[i].Norm();
//Q[i].affine();
}
R = ECP2.Mul4(Q, u);
}
else
{
R = P.Mul(e);
}
return(R);
}
/* this=this^e */
/* Note this is simple square and multiply, so not side-channel safe */
public FP12 Pow(BIG e)
{
Norm();
e.Norm();
BIG e3 = new BIG(e);
e3.PMul(3);
e3.Norm();
FP12 w = new FP12(this);
int nb = e3.NBits();
for (int i = nb - 2; i >= 1; i--)
{
w.USqr();
int bt = e3.Bit(i) - e.Bit(i);
if (bt == 1)
{
w.mul(this);
}
if (bt == -1)
{
Conj();
w.mul(this);
Conj();
}
}
w.Reduce();
return(w);
/*
* BIG z=new BIG(e);
* FP12 r=new FP12(1);
*
* while (true)
* {
* int bt=z.parity();
* z.fshr(1);
* if (bt==1) r.mul(w);
* if (z.iszilch()) break;
* w.usqr();
* }
* r.reduce();
* return r; */
}
/* f=f^e */
/* Note that this method requires a lot of RAM! Better to use compressed XTR method, see FP4.java */
public static FP12 GTPow(FP12 d, BIG e)
{
FP12 r;
if (USE_GS_GT)
{
FP12[] g = new FP12[4];
FP2 f = new FP2(new BIG(ROM.Fra), new BIG(ROM.Frb));
BIG q = new BIG(ROM.CURVE_Order);
BIG t = new BIG(0);
int i, np, nn;
BIG[] u = GS(e);
g[0] = new FP12(d);
for (i = 1; i < 4; i++)
{
g[i] = new FP12(0);
g[i].Copy(g[i - 1]);
g[i].Frob(f);
}
for (i = 0; i < 4; i++)
{
np = u[i].NBits();
t.Copy(BIG.ModNeg(u[i], q));
nn = t.NBits();
if (nn < np)
{
u[i].Copy(t);
g[i].Conj();
}
u[i].Norm();
}
r = FP12.Pow4(g, u);
}
else
{
r = d.Pow(e);
}
return(r);
}
public FP Pow(BIG e)
{
sbyte[] w = new sbyte[1 + (BIG.NLEN * BIG.BASEBITS + 3) / 4];
FP[] tb = new FP[16];
BIG t = new BIG(e);
t.Norm();
int nb = 1 + (t.NBits() + 3) / 4;
for (int i = 0; i < nb; i++)
{
int lsbs = t.LastBits(4);
t.Dec(lsbs);
t.Norm();
w[i] = (sbyte)lsbs;
t.FShr(4);
}
tb[0] = new FP(1);
tb[1] = new FP(this);
for (int i = 2; i < 16; i++)
{
tb[i] = new FP(tb[i - 1]);
tb[i].Mul(this);
}
FP r = new FP(tb[w[nb - 1]]);
for (int i = nb - 2; i >= 0; i--)
{
r.Sqr();
r.Sqr();
r.Sqr();
r.Sqr();
r.Mul(tb[w[i]]);
}
r.Reduce();
return(r);
}
/* Optimal R-ate double pairing e(P,Q).e(R,S) */
public static FP12 Ate2(ECP2 P1, ECP Q1, ECP2 R1, ECP S1)
{
FP2 f;
BIG x = new BIG(ROM.CURVE_Bnx);
BIG n = new BIG(x);
ECP2 K = new ECP2();
FP12 lv;
int bt;
ECP2 P = new ECP2(P1);
ECP Q = new ECP(Q1);
P.Affine();
Q.Affine();
ECP2 R = new ECP2(R1);
ECP S = new ECP(S1);
R.Affine();
S.Affine();
if (ECP.CURVE_PAIRING_TYPE == ECP.BN)
{
f = new FP2(new BIG(ROM.Fra), new BIG(ROM.Frb));
if (ECP.SEXTIC_TWIST == ECP.M_TYPE)
{
f.Inverse();
f.Norm();
}
n.PMul(6);
if (ECP.SIGN_OF_X == ECP.POSITIVEX)
{
n.Inc(2);
}
else
{
n.Dec(2);
}
}
else
{
n.Copy(x);
}
n.Norm();
BIG n3 = new BIG(n);
n3.PMul(3);
n3.Norm();
FP Qx = new FP(Q.GetX());
FP Qy = new FP(Q.GetY());
FP Sx = new FP(S.GetX());
FP Sy = new FP(S.GetY());
ECP2 A = new ECP2();
ECP2 B = new ECP2();
FP12 r = new FP12(1);
A.Copy(P);
B.Copy(R);
ECP2 MP = new ECP2();
MP.Copy(P);
MP.Neg();
ECP2 MR = new ECP2();
MR.Copy(R);
MR.Neg();
int nb = n3.NBits();
for (int i = nb - 2; i >= 1; i--)
{
r.Sqr();
lv = Line(A, A, Qx, Qy);
r.SMul(lv, ECP.SEXTIC_TWIST);
lv = Line(B, B, Sx, Sy);
r.SMul(lv, ECP.SEXTIC_TWIST);
bt = n3.Bit(i) - n.Bit(i); // bt=n.bit(i);
if (bt == 1)
{
lv = Line(A, P, Qx, Qy);
r.SMul(lv, ECP.SEXTIC_TWIST);
lv = Line(B, R, Sx, Sy);
r.SMul(lv, ECP.SEXTIC_TWIST);
}
if (bt == -1)
{
//P.neg();
lv = Line(A, MP, Qx, Qy);
r.SMul(lv, ECP.SEXTIC_TWIST);
//P.neg();
//R.neg();
lv = Line(B, MR, Sx, Sy);
r.SMul(lv, ECP.SEXTIC_TWIST);
//R.neg();
}
}
if (ECP.SIGN_OF_X == ECP.NEGATIVEX)
{
r.Conj();
}
/* R-ate fixup required for BN curves */
if (ECP.CURVE_PAIRING_TYPE == ECP.BN)
{
if (ECP.SIGN_OF_X == ECP.NEGATIVEX)
{
// r.conj();
A.Neg();
B.Neg();
}
K.Copy(P);
K.Frob(f);
lv = Line(A, K, Qx, Qy);
r.SMul(lv, ECP.SEXTIC_TWIST);
K.Frob(f);
K.Neg();
lv = Line(A, K, Qx, Qy);
r.SMul(lv, ECP.SEXTIC_TWIST);
K.Copy(R);
K.Frob(f);
lv = Line(B, K, Sx, Sy);
r.SMul(lv, ECP.SEXTIC_TWIST);
K.Frob(f);
K.Neg();
lv = Line(B, K, Sx, Sy);
r.SMul(lv, ECP.SEXTIC_TWIST);
}
return(r);
}
/* p=q0^u0.q1^u1.q2^u2.q3^u3 */
// Bos & Costello https://eprint.iacr.org/2013/458.pdf
// Faz-Hernandez & Longa & Sanchez https://eprint.iacr.org/2013/158.pdf
// Side channel attack secure
public static FP12 Pow4(FP12[] q, BIG[] u)
{
int i, j, nb, pb;
FP12[] g = new FP12[8];
FP12 r = new FP12(1);
FP12 p = new FP12(0);
BIG[] t = new BIG[4];
BIG mt = new BIG(0);
sbyte[] w = new sbyte[BIG.NLEN * BIG.BASEBITS + 1];
sbyte[] s = new sbyte[BIG.NLEN * BIG.BASEBITS + 1];
for (i = 0; i < 4; i++)
{
t[i] = new BIG(u[i]);
t[i].Norm();
}
g[0] = new FP12(q[0]); // q[0]
g[1] = new FP12(g[0]);
g[1].mul(q[1]); // q[0].q[1]
g[2] = new FP12(g[0]);
g[2].mul(q[2]); // q[0].q[2]
g[3] = new FP12(g[1]);
g[3].mul(q[2]); // q[0].q[1].q[2]
g[4] = new FP12(q[0]);
g[4].mul(q[3]); // q[0].q[3]
g[5] = new FP12(g[1]);
g[5].mul(q[3]); // q[0].q[1].q[3]
g[6] = new FP12(g[2]);
g[6].mul(q[3]); // q[0].q[2].q[3]
g[7] = new FP12(g[3]);
g[7].mul(q[3]); // q[0].q[1].q[2].q[3]
// Make it odd
pb = 1 - t[0].Parity();
t[0].Inc(pb);
t[0].Norm();
// Number of bits
mt.Zero();
for (i = 0; i < 4; i++)
{
mt.Or(t[i]);
}
nb = 1 + mt.NBits();
// Sign pivot
s[nb - 1] = 1;
for (i = 0; i < nb - 1; i++)
{
t[0].FShr(1);
s[i] = (sbyte)(2 * t[0].Parity() - 1);
}
// Recoded exponent
for (i = 0; i < nb; i++)
{
w[i] = 0;
int k = 1;
for (j = 1; j < 4; j++)
{
sbyte bt = (sbyte)(s[i] * t[j].Parity());
t[j].FShr(1);
t[j].Dec((int)(bt) >> 1);
t[j].Norm();
w[i] += (sbyte)(bt * (sbyte)k);
k *= 2;
}
}
// Main loop
p.Select(g, (int)(2 * w[nb - 1] + 1));
for (i = nb - 2; i >= 0; i--)
{
p.USqr();
r.Select(g, (int)(2 * w[i] + s[i]));
p.mul(r);
}
// apply correction
r.Copy(q[0]);
r.Conj();
r.mul(p);
p.CMove(r, pb);
p.Reduce();
return(p);
}
