/// <summary> /// Point addition over the curve /// </summary> private bool PointAdd( BigInteger.ModulusRing ring, ECPoint p1, ECPoint p2, out ECPoint p3) { if (p1 is ECPointAtInfinity) { p3 = p2; return true; } if (p2 is ECPointAtInfinity) { p3 = p1; return true; } if (p1.X == p2.X) { if (p1.Y == p2.Y) { return PointDouble(ring, p1, out p3); } else { p3 = new ECPointAtInfinity(); return true; } } // x3 = {(y2 - y1)/(x2 - x1)}^2 - (x1 + x2) // y3 = {(y2 - y1)/(x2 - x1)} * (x1 - x3) - y1 try { BigInteger x1 = p1.X; BigInteger y1 = p1.Y; BigInteger x2 = p2.X; BigInteger y2 = p2.Y; BigInteger lambda = ring.Multiply(ring.Difference(y2, y1), ring.Difference(x2, x1).ModInverse(p)); BigInteger x3 = ring.Difference(ring.Multiply(lambda, lambda), x1 + x2); BigInteger y3 = ring.Difference(ring.Multiply(lambda, ring.Difference(x1, x3)), y1); p3 = new ECPoint(x3, y3); return true; } catch (Exception) { p3 = null; return false; } }
/// <summary> /// Point dooubling over the curve /// </summary> private bool PointDouble( BigInteger.ModulusRing ring, ECPoint p1, out ECPoint p3) { if (p1 is ECPointAtInfinity) { p3 = p1; return true; } if (p1.Y == 0) { p3 = new ECPointAtInfinity(); return true; } // x3 = {(3 * x1^2 + a)/(2 * y1)}^2 - (2 * x1) // y3 = {(3 * x1^2 + a)/(2 * y1)} * (x1 - x3) - y1 try { BigInteger x1 = p1.X; BigInteger y1 = p1.Y; BigInteger x1_2 = ring.Multiply(x1, x1); BigInteger lambda = ring.Multiply(x1_2 + x1_2 + x1_2 + a, (y1 + y1).ModInverse(p)); BigInteger x3 = ring.Difference(ring.Multiply(lambda, lambda), x1 + x1); BigInteger y3 = ring.Difference(ring.Multiply(lambda, ring.Difference(x1, x3)), y1); p3 = new ECPoint(x3, y3); return true; } catch (Exception) { p3 = null; return false; } }
/// <summary> /// Point multiplication over the curve /// </summary> private bool PointMul( BigInteger.ModulusRing ring, ECPoint p1, BigInteger k, out ECPoint p2) { // // Uses Width-w NAF method // if (p1 is ECPointAtInfinity) { p2 = p1; return true; } const int W = 6; const uint TPW = 1u << W; // 2^W const uint TPWD = 1u << (W - 1); // 2^(W-1) // precompute point multiplication : {1 .. 2^(W-1)-1}P. // array is allocated for {0 .. 2^(W-1)-1}P, and only elements at the odd index are used. ECPoint[] precomp = new ECPoint[TPWD]; ECPoint[] precompNeg = new ECPoint[TPWD]; // -{1 .. 2^(W-1)-1}P; points are set on demand. { ECPoint t = p1; ECPoint t2; if (!PointDouble(ring, t, out t2)) { goto Failure; } for (uint i = 1; i < TPWD; i += 2) { if (i != 1) { if (!PointAdd(ring, t, t2, out t)) { goto Failure; } } precomp[i] = t; } } Stack<sbyte> precompIndex; { byte[] d = k.GetBytes(); int bitCount = k.BitCount(); int bitIndex = 0; int byteOffset = d.Length - 1; bool noMoreBits = false; uint bitBuffer = 0; const uint WMASK = (1u << W) - 1; precompIndex = new Stack<sbyte>(bitCount + 1); if (bitIndex < bitCount) { bitBuffer = (uint)(d[byteOffset] & WMASK); bitIndex += W; } else { noMoreBits = true; } while (!noMoreBits || bitBuffer != 0) { if ((bitBuffer & 1) != 0) { // bits % 2 == 1 uint m = bitBuffer & WMASK; // m = bits % TPW; if ((m & TPWD) != 0) { // test m >= 2^(W-1) // m is odd; thus // (2^(W-1) + 1) <= m <= (2^W - 1) sbyte index = (sbyte)((int)m - (int)TPW); // -2^(W-1)+1 .. -1 precompIndex.Push(index); bitBuffer = (bitBuffer & ~WMASK) + TPW; // bits -= m - 2^W // a carried bit by adding 2^W is retained in the bit buffer } else { // 1 <= m <= (2^(W-1) - 1) sbyte index = (sbyte)m; // odd index precompIndex.Push(index); bitBuffer = (bitBuffer & ~WMASK); // bits -= m } } else { precompIndex.Push(0); } // shift bits if (bitIndex < bitCount) { // load next bit into the bit buffer (add to the carried bits in the bit buffer) bitBuffer += (uint)((d[byteOffset - bitIndex / 8] >> (bitIndex % 8)) & 1) << W; ++bitIndex; } else { noMoreBits = true; } bitBuffer >>= 1; } } { ECPoint p = null; while (precompIndex.Count > 0) { if (p != null) { if (!PointDouble(ring, p, out p)) { goto Failure; } } ECPoint pre; int index = precompIndex.Pop(); if (index > 0) { pre = precomp[index]; } else if (index < 0) { pre = precompNeg[-index]; if (pre == null) { // on EC over Fp, P={x, y} and -P={x, -y} pre = precomp[-index]; if (!(pre is ECPointAtInfinity)) { pre = new ECPoint(pre.X, ring.Difference(0, pre.Y)); } precompNeg[-index] = pre; } } else { continue; } if (p != null) { if (!PointAdd(ring, p, pre, out p)) { goto Failure; } } else { p = pre; } } if (p == null) { // case of k = 0 goto Failure; } // succeeded p2 = p; return true; } Failure: p2 = null; return false; }