/* Multiply P by e in group G1 */ public static ECP G1Mul(ECP P, BIG e) { ECP R; if (USE_GLV) { //P.affine(); R = new ECP(); R.Copy(P); int np, nn; ECP Q = new ECP(); Q.Copy(P); Q.Affine(); BIG q = new BIG(ROM.CURVE_Order); FP cru = new FP(new BIG(ROM.CURVE_Cru)); BIG t = new BIG(0); BIG[] u = Glv(e); Q.GetX().Mul(cru); np = u[0].NBits(); t.Copy(BIG.ModNeg(u[0], q)); nn = t.NBits(); if (nn < np) { u[0].Copy(t); R.Neg(); } np = u[1].NBits(); t.Copy(BIG.ModNeg(u[1], q)); nn = t.NBits(); if (nn < np) { u[1].Copy(t); Q.Neg(); } u[0].Norm(); u[1].Norm(); R = R.Mul2(u[0], Q, u[1]); } else { R = P.Mul(e); } return(R); }
/* r=x^n using XTR method on traces of FP12s */ public FP4 Xtr_Pow(BIG n) { FP4 a = new FP4(3); FP4 b = new FP4(this); FP4 c = new FP4(b); c.Xtr_D(); FP4 t = new FP4(0); FP4 r = new FP4(0); n.Norm(); int par = n.Parity(); BIG v = new BIG(n); v.FShr(1); if (par == 0) { v.Dec(1); v.Norm(); } int nb = v.NBits(); for (int i = nb - 1; i >= 0; i--) { if (v.Bit(i) != 1) { t.Copy(b); Conj(); c.Conj(); b.Xtr_A(a, this, c); Conj(); c.Copy(t); c.Xtr_D(); a.Xtr_D(); } else { t.Copy(a); t.Conj(); a.Copy(b); a.Xtr_D(); b.Xtr_A(c, this, t); c.Xtr_D(); } } if (par == 0) { r.Copy(c); } else { r.Copy(b); } r.Reduce(); return(r); }
/* Multiply P by e in group G2 */ public static ECP2 G2Mul(ECP2 P, BIG e) { ECP2 R; if (USE_GS_G2) { ECP2[] Q = new ECP2[4]; FP2 f = new FP2(new BIG(ROM.Fra), new BIG(ROM.Frb)); if (ECP.SEXTIC_TWIST == ECP.M_TYPE) { f.Inverse(); f.Norm(); } BIG q = new BIG(ROM.CURVE_Order); BIG[] u = GS(e); BIG t = new BIG(0); int i, np, nn; //P.affine(); Q[0] = new ECP2(); Q[0].Copy(P); for (i = 1; i < 4; i++) { Q[i] = new ECP2(); Q[i].Copy(Q[i - 1]); Q[i].Frob(f); } for (i = 0; i < 4; i++) { np = u[i].NBits(); t.Copy(BIG.ModNeg(u[i], q)); nn = t.NBits(); if (nn < np) { u[i].Copy(t); Q[i].Neg(); } u[i].Norm(); //Q[i].affine(); } R = ECP2.Mul4(Q, u); } else { R = P.Mul(e); } return(R); }
/* this=this^e */ /* Note this is simple square and multiply, so not side-channel safe */ public FP12 Pow(BIG e) { Norm(); e.Norm(); BIG e3 = new BIG(e); e3.PMul(3); e3.Norm(); FP12 w = new FP12(this); int nb = e3.NBits(); for (int i = nb - 2; i >= 1; i--) { w.USqr(); int bt = e3.Bit(i) - e.Bit(i); if (bt == 1) { w.mul(this); } if (bt == -1) { Conj(); w.mul(this); Conj(); } } w.Reduce(); return(w); /* * BIG z=new BIG(e); * FP12 r=new FP12(1); * * while (true) * { * int bt=z.parity(); * z.fshr(1); * if (bt==1) r.mul(w); * if (z.iszilch()) break; * w.usqr(); * } * r.reduce(); * return r; */ }
/* f=f^e */ /* Note that this method requires a lot of RAM! Better to use compressed XTR method, see FP4.java */ public static FP12 GTPow(FP12 d, BIG e) { FP12 r; if (USE_GS_GT) { FP12[] g = new FP12[4]; FP2 f = new FP2(new BIG(ROM.Fra), new BIG(ROM.Frb)); BIG q = new BIG(ROM.CURVE_Order); BIG t = new BIG(0); int i, np, nn; BIG[] u = GS(e); g[0] = new FP12(d); for (i = 1; i < 4; i++) { g[i] = new FP12(0); g[i].Copy(g[i - 1]); g[i].Frob(f); } for (i = 0; i < 4; i++) { np = u[i].NBits(); t.Copy(BIG.ModNeg(u[i], q)); nn = t.NBits(); if (nn < np) { u[i].Copy(t); g[i].Conj(); } u[i].Norm(); } r = FP12.Pow4(g, u); } else { r = d.Pow(e); } return(r); }
public FP Pow(BIG e) { sbyte[] w = new sbyte[1 + (BIG.NLEN * BIG.BASEBITS + 3) / 4]; FP[] tb = new FP[16]; BIG t = new BIG(e); t.Norm(); int nb = 1 + (t.NBits() + 3) / 4; for (int i = 0; i < nb; i++) { int lsbs = t.LastBits(4); t.Dec(lsbs); t.Norm(); w[i] = (sbyte)lsbs; t.FShr(4); } tb[0] = new FP(1); tb[1] = new FP(this); for (int i = 2; i < 16; i++) { tb[i] = new FP(tb[i - 1]); tb[i].Mul(this); } FP r = new FP(tb[w[nb - 1]]); for (int i = nb - 2; i >= 0; i--) { r.Sqr(); r.Sqr(); r.Sqr(); r.Sqr(); r.Mul(tb[w[i]]); } r.Reduce(); return(r); }
/* Optimal R-ate double pairing e(P,Q).e(R,S) */ public static FP12 Ate2(ECP2 P1, ECP Q1, ECP2 R1, ECP S1) { FP2 f; BIG x = new BIG(ROM.CURVE_Bnx); BIG n = new BIG(x); ECP2 K = new ECP2(); FP12 lv; int bt; ECP2 P = new ECP2(P1); ECP Q = new ECP(Q1); P.Affine(); Q.Affine(); ECP2 R = new ECP2(R1); ECP S = new ECP(S1); R.Affine(); S.Affine(); if (ECP.CURVE_PAIRING_TYPE == ECP.BN) { f = new FP2(new BIG(ROM.Fra), new BIG(ROM.Frb)); if (ECP.SEXTIC_TWIST == ECP.M_TYPE) { f.Inverse(); f.Norm(); } n.PMul(6); if (ECP.SIGN_OF_X == ECP.POSITIVEX) { n.Inc(2); } else { n.Dec(2); } } else { n.Copy(x); } n.Norm(); BIG n3 = new BIG(n); n3.PMul(3); n3.Norm(); FP Qx = new FP(Q.GetX()); FP Qy = new FP(Q.GetY()); FP Sx = new FP(S.GetX()); FP Sy = new FP(S.GetY()); ECP2 A = new ECP2(); ECP2 B = new ECP2(); FP12 r = new FP12(1); A.Copy(P); B.Copy(R); ECP2 MP = new ECP2(); MP.Copy(P); MP.Neg(); ECP2 MR = new ECP2(); MR.Copy(R); MR.Neg(); int nb = n3.NBits(); for (int i = nb - 2; i >= 1; i--) { r.Sqr(); lv = Line(A, A, Qx, Qy); r.SMul(lv, ECP.SEXTIC_TWIST); lv = Line(B, B, Sx, Sy); r.SMul(lv, ECP.SEXTIC_TWIST); bt = n3.Bit(i) - n.Bit(i); // bt=n.bit(i); if (bt == 1) { lv = Line(A, P, Qx, Qy); r.SMul(lv, ECP.SEXTIC_TWIST); lv = Line(B, R, Sx, Sy); r.SMul(lv, ECP.SEXTIC_TWIST); } if (bt == -1) { //P.neg(); lv = Line(A, MP, Qx, Qy); r.SMul(lv, ECP.SEXTIC_TWIST); //P.neg(); //R.neg(); lv = Line(B, MR, Sx, Sy); r.SMul(lv, ECP.SEXTIC_TWIST); //R.neg(); } } if (ECP.SIGN_OF_X == ECP.NEGATIVEX) { r.Conj(); } /* R-ate fixup required for BN curves */ if (ECP.CURVE_PAIRING_TYPE == ECP.BN) { if (ECP.SIGN_OF_X == ECP.NEGATIVEX) { // r.conj(); A.Neg(); B.Neg(); } K.Copy(P); K.Frob(f); lv = Line(A, K, Qx, Qy); r.SMul(lv, ECP.SEXTIC_TWIST); K.Frob(f); K.Neg(); lv = Line(A, K, Qx, Qy); r.SMul(lv, ECP.SEXTIC_TWIST); K.Copy(R); K.Frob(f); lv = Line(B, K, Sx, Sy); r.SMul(lv, ECP.SEXTIC_TWIST); K.Frob(f); K.Neg(); lv = Line(B, K, Sx, Sy); r.SMul(lv, ECP.SEXTIC_TWIST); } return(r); }
/* p=q0^u0.q1^u1.q2^u2.q3^u3 */ // Bos & Costello https://eprint.iacr.org/2013/458.pdf // Faz-Hernandez & Longa & Sanchez https://eprint.iacr.org/2013/158.pdf // Side channel attack secure public static FP12 Pow4(FP12[] q, BIG[] u) { int i, j, nb, pb; FP12[] g = new FP12[8]; FP12 r = new FP12(1); FP12 p = new FP12(0); BIG[] t = new BIG[4]; BIG mt = new BIG(0); sbyte[] w = new sbyte[BIG.NLEN * BIG.BASEBITS + 1]; sbyte[] s = new sbyte[BIG.NLEN * BIG.BASEBITS + 1]; for (i = 0; i < 4; i++) { t[i] = new BIG(u[i]); t[i].Norm(); } g[0] = new FP12(q[0]); // q[0] g[1] = new FP12(g[0]); g[1].mul(q[1]); // q[0].q[1] g[2] = new FP12(g[0]); g[2].mul(q[2]); // q[0].q[2] g[3] = new FP12(g[1]); g[3].mul(q[2]); // q[0].q[1].q[2] g[4] = new FP12(q[0]); g[4].mul(q[3]); // q[0].q[3] g[5] = new FP12(g[1]); g[5].mul(q[3]); // q[0].q[1].q[3] g[6] = new FP12(g[2]); g[6].mul(q[3]); // q[0].q[2].q[3] g[7] = new FP12(g[3]); g[7].mul(q[3]); // q[0].q[1].q[2].q[3] // Make it odd pb = 1 - t[0].Parity(); t[0].Inc(pb); t[0].Norm(); // Number of bits mt.Zero(); for (i = 0; i < 4; i++) { mt.Or(t[i]); } nb = 1 + mt.NBits(); // Sign pivot s[nb - 1] = 1; for (i = 0; i < nb - 1; i++) { t[0].FShr(1); s[i] = (sbyte)(2 * t[0].Parity() - 1); } // Recoded exponent for (i = 0; i < nb; i++) { w[i] = 0; int k = 1; for (j = 1; j < 4; j++) { sbyte bt = (sbyte)(s[i] * t[j].Parity()); t[j].FShr(1); t[j].Dec((int)(bt) >> 1); t[j].Norm(); w[i] += (sbyte)(bt * (sbyte)k); k *= 2; } } // Main loop p.Select(g, (int)(2 * w[nb - 1] + 1)); for (i = nb - 2; i >= 0; i--) { p.USqr(); r.Select(g, (int)(2 * w[i] + s[i])); p.mul(r); } // apply correction r.Copy(q[0]); r.Conj(); r.mul(p); p.CMove(r, pb); p.Reduce(); return(p); }