public FP4 ComPow(BIG e, BIG r)
{
FP12 g1 = new FP12(0);
FP12 g2 = new FP12(0);
FP2 f = new FP2(new BIG(ROM.Fra), new BIG(ROM.Frb));
BIG q = new BIG(ROM.Modulus);
BIG m = new BIG(q);
m.Mod(r);
BIG a = new BIG(e);
a.Mod(m);
BIG b = new BIG(e);
b.Div(m);
g1.Copy(this);
g2.Copy(this);
FP4 c = g1.Trace();
if (b.IsZilch())
{
c = c.Xtr_Pow(e);
return(c);
}
g2.Frob(f);
FP4 cp = g2.Trace();
g1.Conj();
g2.mul(g1);
FP4 cpm1 = g2.Trace();
g2.mul(g1);
FP4 cpm2 = g2.Trace();
c = c.Xtr_Pow2(cp, cpm1, cpm2, a, b);
return(c);
}
/* Constant time select from pre-computed table */
public void Select(FP12[] g, int b)
{
int m = b >> 31;
int babs = (b ^ m) - m;
babs = (babs - 1) / 2;
CMove(g[0], Teq(babs, 0)); // conditional move
CMove(g[1], Teq(babs, 1));
CMove(g[2], Teq(babs, 2));
CMove(g[3], Teq(babs, 3));
CMove(g[4], Teq(babs, 4));
CMove(g[5], Teq(babs, 5));
CMove(g[6], Teq(babs, 6));
CMove(g[7], Teq(babs, 7));
FP12 invf = new FP12(this);
invf.Conj();
CMove(invf, (int)(m & 1));
}
/* final exponentiation - keep separate for multi-pairings and to avoid thrashing stack */
public static FP12 FExp(FP12 m)
{
FP2 f = new FP2(new BIG(ROM.Fra), new BIG(ROM.Frb));
BIG x = new BIG(ROM.CURVE_Bnx);
FP12 r = new FP12(m);
/* Easy part of final exp */
FP12 lv = new FP12(r);
lv.Inverse();
r.Conj();
r.mul(lv);
lv.Copy(r);
r.Frob(f);
r.Frob(f);
r.mul(lv);
/* Hard part of final exp */
if (ECP.CURVE_PAIRING_TYPE == ECP.BN)
{
FP12 x0, x1, x2, x3, x4, x5;
lv.Copy(r);
lv.Frob(f);
x0 = new FP12(lv);
x0.Frob(f);
lv.mul(r);
x0.mul(lv);
x0.Frob(f);
x1 = new FP12(r);
x1.Conj();
x4 = r.Pow(x);
if (ECP.SIGN_OF_X == ECP.POSITIVEX)
{
x4.Conj();
}
x3 = new FP12(x4);
x3.Frob(f);
x2 = x4.Pow(x);
if (ECP.SIGN_OF_X == ECP.POSITIVEX)
{
x2.Conj();
}
x5 = new FP12(x2);
x5.Conj();
lv = x2.Pow(x);
if (ECP.SIGN_OF_X == ECP.POSITIVEX)
{
lv.Conj();
}
x2.Frob(f);
r.Copy(x2);
r.Conj();
x4.mul(r);
x2.Frob(f);
r.Copy(lv);
r.Frob(f);
lv.mul(r);
lv.USqr();
lv.mul(x4);
lv.mul(x5);
r.Copy(x3);
r.mul(x5);
r.mul(lv);
lv.mul(x2);
r.USqr();
r.mul(lv);
r.USqr();
lv.Copy(r);
lv.mul(x1);
r.mul(x0);
lv.USqr();
r.mul(lv);
r.Reduce();
}
else
{
FP12 y0, y1, y2, y3;
// Ghamman & Fouotsa Method
y0 = new FP12(r);
y0.USqr();
y1 = y0.Pow(x);
if (ECP.SIGN_OF_X == ECP.NEGATIVEX)
{
y1.Conj();
}
x.FShr(1);
y2 = y1.Pow(x);
if (ECP.SIGN_OF_X == ECP.NEGATIVEX)
{
y2.Conj();
}
x.FShl(1);
y3 = new FP12(r);
y3.Conj();
y1.mul(y3);
y1.Conj();
y1.mul(y2);
y2 = y1.Pow(x);
if (ECP.SIGN_OF_X == ECP.NEGATIVEX)
{
y2.Conj();
}
y3 = y2.Pow(x);
if (ECP.SIGN_OF_X == ECP.NEGATIVEX)
{
y3.Conj();
}
y1.Conj();
y3.mul(y1);
y1.Conj();
y1.Frob(f);
y1.Frob(f);
y1.Frob(f);
y2.Frob(f);
y2.Frob(f);
y1.mul(y2);
y2 = y3.Pow(x);
if (ECP.SIGN_OF_X == ECP.NEGATIVEX)
{
y2.Conj();
}
y2.mul(y0);
y2.mul(r);
y1.mul(y2);
y2.Copy(y3);
y2.Frob(f);
y1.mul(y2);
r.Copy(y1);
r.Reduce();
}
return(r);
}
/* Optimal R-ate double pairing e(P,Q).e(R,S) */
public static FP12 Ate2(ECP2 P1, ECP Q1, ECP2 R1, ECP S1)
{
FP2 f;
BIG x = new BIG(ROM.CURVE_Bnx);
BIG n = new BIG(x);
ECP2 K = new ECP2();
FP12 lv;
int bt;
ECP2 P = new ECP2(P1);
ECP Q = new ECP(Q1);
P.Affine();
Q.Affine();
ECP2 R = new ECP2(R1);
ECP S = new ECP(S1);
R.Affine();
S.Affine();
if (ECP.CURVE_PAIRING_TYPE == ECP.BN)
{
f = new FP2(new BIG(ROM.Fra), new BIG(ROM.Frb));
if (ECP.SEXTIC_TWIST == ECP.M_TYPE)
{
f.Inverse();
f.Norm();
}
n.PMul(6);
if (ECP.SIGN_OF_X == ECP.POSITIVEX)
{
n.Inc(2);
}
else
{
n.Dec(2);
}
}
else
{
n.Copy(x);
}
n.Norm();
BIG n3 = new BIG(n);
n3.PMul(3);
n3.Norm();
FP Qx = new FP(Q.GetX());
FP Qy = new FP(Q.GetY());
FP Sx = new FP(S.GetX());
FP Sy = new FP(S.GetY());
ECP2 A = new ECP2();
ECP2 B = new ECP2();
FP12 r = new FP12(1);
A.Copy(P);
B.Copy(R);
ECP2 MP = new ECP2();
MP.Copy(P);
MP.Neg();
ECP2 MR = new ECP2();
MR.Copy(R);
MR.Neg();
int nb = n3.NBits();
for (int i = nb - 2; i >= 1; i--)
{
r.Sqr();
lv = Line(A, A, Qx, Qy);
r.SMul(lv, ECP.SEXTIC_TWIST);
lv = Line(B, B, Sx, Sy);
r.SMul(lv, ECP.SEXTIC_TWIST);
bt = n3.Bit(i) - n.Bit(i); // bt=n.bit(i);
if (bt == 1)
{
lv = Line(A, P, Qx, Qy);
r.SMul(lv, ECP.SEXTIC_TWIST);
lv = Line(B, R, Sx, Sy);
r.SMul(lv, ECP.SEXTIC_TWIST);
}
if (bt == -1)
{
//P.neg();
lv = Line(A, MP, Qx, Qy);
r.SMul(lv, ECP.SEXTIC_TWIST);
//P.neg();
//R.neg();
lv = Line(B, MR, Sx, Sy);
r.SMul(lv, ECP.SEXTIC_TWIST);
//R.neg();
}
}
if (ECP.SIGN_OF_X == ECP.NEGATIVEX)
{
r.Conj();
}
/* R-ate fixup required for BN curves */
if (ECP.CURVE_PAIRING_TYPE == ECP.BN)
{
if (ECP.SIGN_OF_X == ECP.NEGATIVEX)
{
// r.conj();
A.Neg();
B.Neg();
}
K.Copy(P);
K.Frob(f);
lv = Line(A, K, Qx, Qy);
r.SMul(lv, ECP.SEXTIC_TWIST);
K.Frob(f);
K.Neg();
lv = Line(A, K, Qx, Qy);
r.SMul(lv, ECP.SEXTIC_TWIST);
K.Copy(R);
K.Frob(f);
lv = Line(B, K, Sx, Sy);
r.SMul(lv, ECP.SEXTIC_TWIST);
K.Frob(f);
K.Neg();
lv = Line(B, K, Sx, Sy);
r.SMul(lv, ECP.SEXTIC_TWIST);
}
return(r);
}
/* p=q0^u0.q1^u1.q2^u2.q3^u3 */
// Bos & Costello https://eprint.iacr.org/2013/458.pdf
// Faz-Hernandez & Longa & Sanchez https://eprint.iacr.org/2013/158.pdf
// Side channel attack secure
public static FP12 Pow4(FP12[] q, BIG[] u)
{
int i, j, nb, pb;
FP12[] g = new FP12[8];
FP12 r = new FP12(1);
FP12 p = new FP12(0);
BIG[] t = new BIG[4];
BIG mt = new BIG(0);
sbyte[] w = new sbyte[BIG.NLEN * BIG.BASEBITS + 1];
sbyte[] s = new sbyte[BIG.NLEN * BIG.BASEBITS + 1];
for (i = 0; i < 4; i++)
{
t[i] = new BIG(u[i]);
t[i].Norm();
}
g[0] = new FP12(q[0]); // q[0]
g[1] = new FP12(g[0]);
g[1].mul(q[1]); // q[0].q[1]
g[2] = new FP12(g[0]);
g[2].mul(q[2]); // q[0].q[2]
g[3] = new FP12(g[1]);
g[3].mul(q[2]); // q[0].q[1].q[2]
g[4] = new FP12(q[0]);
g[4].mul(q[3]); // q[0].q[3]
g[5] = new FP12(g[1]);
g[5].mul(q[3]); // q[0].q[1].q[3]
g[6] = new FP12(g[2]);
g[6].mul(q[3]); // q[0].q[2].q[3]
g[7] = new FP12(g[3]);
g[7].mul(q[3]); // q[0].q[1].q[2].q[3]
// Make it odd
pb = 1 - t[0].Parity();
t[0].Inc(pb);
t[0].Norm();
// Number of bits
mt.Zero();
for (i = 0; i < 4; i++)
{
mt.Or(t[i]);
}
nb = 1 + mt.NBits();
// Sign pivot
s[nb - 1] = 1;
for (i = 0; i < nb - 1; i++)
{
t[0].FShr(1);
s[i] = (sbyte)(2 * t[0].Parity() - 1);
}
// Recoded exponent
for (i = 0; i < nb; i++)
{
w[i] = 0;
int k = 1;
for (j = 1; j < 4; j++)
{
sbyte bt = (sbyte)(s[i] * t[j].Parity());
t[j].FShr(1);
t[j].Dec((int)(bt) >> 1);
t[j].Norm();
w[i] += (sbyte)(bt * (sbyte)k);
k *= 2;
}
}
// Main loop
p.Select(g, (int)(2 * w[nb - 1] + 1));
for (i = nb - 2; i >= 0; i--)
{
p.USqr();
r.Select(g, (int)(2 * w[i] + s[i]));
p.mul(r);
}
// apply correction
r.Copy(q[0]);
r.Conj();
r.mul(p);
p.CMove(r, pb);
p.Reduce();
return(p);
}