kris
/
csidh
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
3 Branches
50 KiB
 
 
 
 
Tree: 08d5c77d3a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '08d5c77d3a'
${ noResults }
csidh/reference/csidh-20180427-by-castryck-.../mont.c

189 lines
4.5 KiB
Raw Blame History 

  1. 

  2. #include <assert.h>

  3. 

  4. #include "mont.h"

  5. 

  6. void xDBLADD(proj *R, proj *S, proj const *P, proj const *Q, proj const *PQ, proj const *A24)

  7. {

  8.     fp tmp0, tmp1, tmp2;

  9. 

  10.     fp_add3(&tmp0, &P->x, &P->z);

  11.     fp_sub3(&tmp1, &P->x, &P->z);

  12.     fp_sq2(&R->x, &tmp0);

  13.     fp_sub3(&tmp2, &Q->x, &Q->z);

  14.     fp_add3(&S->x, &Q->x, &Q->z);

  15.     fp_mul2(&tmp0, &tmp2);

  16.     fp_sq2(&R->z, &tmp1);

  17.     fp_mul2(&tmp1, &S->x);

  18.     fp_sub3(&tmp2, &R->x, &R->z);

  19.     fp_mul2(&R->z, &A24->z);

  20.     fp_mul2(&R->x, &R->z);

  21.     fp_mul3(&S->x, &A24->x, &tmp2);

  22.     fp_sub3(&S->z, &tmp0, &tmp1);

  23.     fp_add2(&R->z, &S->x);

  24.     fp_add3(&S->x, &tmp0, &tmp1);

  25.     fp_mul2(&R->z, &tmp2);

  26.     fp_sq1(&S->z);

  27.     fp_sq1(&S->x);

  28.     fp_mul2(&S->z, &PQ->x);

  29.     fp_mul2(&S->x, &PQ->z);

  30. }

  31. 

  32. void xDBL(proj *Q, proj const *A, proj const *P)

  33. {

  34.     fp a, b, c;

  35.     fp_add3(&a, &P->x, &P->z);

  36.     fp_sq1(&a);

  37.     fp_sub3(&b, &P->x, &P->z);

  38.     fp_sq1(&b);

  39.     fp_sub3(&c, &a, &b);

  40.     fp_add2(&b, &b); fp_add2(&b, &b); /* multiplication by 4 */

  41.     fp_mul2(&b, &A->z);

  42.     fp_mul3(&Q->x, &a, &b);

  43.     fp_add3(&a, &A->z, &A->z); /* multiplication by 2 */

  44.     fp_add2(&a, &A->x);

  45.     fp_mul2(&a, &c);

  46.     fp_add2(&a, &b);

  47.     fp_mul3(&Q->z, &a, &c);

  48. }

  49. 

  50. void xADD(proj *S, proj const *P, proj const *Q, proj const *PQ)

  51. {

  52.     fp a, b, c, d;

  53.     fp_add3(&a, &P->x, &P->z);

  54.     fp_sub3(&b, &P->x, &P->z);

  55.     fp_add3(&c, &Q->x, &Q->z);

  56.     fp_sub3(&d, &Q->x, &Q->z);

  57.     fp_mul2(&a, &d);

  58.     fp_mul2(&b, &c);

  59.     fp_add3(&c, &a, &b);

  60.     fp_sub3(&d, &a, &b);

  61.     fp_sq1(&c);

  62.     fp_sq1(&d);

  63.     fp_mul3(&S->x, &PQ->z, &c);

  64.     fp_mul3(&S->z, &PQ->x, &d);

  65. }

  66. 

  67. /* Montgomery ladder. */

  68. /* P must not be the unique point of order 2. */

  69. /* not constant-time! */

  70. void xMUL(proj *Q, proj const *A, proj const *P, u512 const *k)

  71. {

  72.     proj R = *P;

  73.     proj A24;

  74.     const proj Pcopy = *P; /* in case Q = P */

  75. 

  76.     Q->x = fp_1;

  77.     Q->z = fp_0;

  78. 

  79.     fp_add3(&A24.x, &A->z, &A->z);

  80.     fp_add3(&A24.z, &A24.x, &A24.x);

  81.     fp_add2(&A24.x, &A->x);

  82. 

  83.     unsigned long i = 512;

  84.     while (--i && !u512_bit(k, i));

  85. 

  86.     do {

  87. 

  88.         bool bit = u512_bit(k, i);

  89. 

  90.         if (bit) { proj T = *Q; *Q = R; R = T; } /* not constant-time */

  91.         //fp_cswap(&Q->x, &R.x, bit);

  92.         //fp_cswap(&Q->z, &R.z, bit);

  93. 

  94.         xDBLADD(Q, &R, Q, &R, &Pcopy, &A24);

  95. 

  96.         if (bit) { proj T = *Q; *Q = R; R = T; } /* not constant-time */

  97.         //fp_cswap(&Q->x, &R.x, bit);

  98.         //fp_cswap(&Q->z, &R.z, bit);

  99. 

  100.     } while (i--);

  101. }

  102. 

  103. 

  104. /* computes the isogeny with kernel point K of order k */

  105. /* returns the new curve coefficient A and the image of P */

  106. /* (obviously) not constant time in k */

  107. void xISOG(proj *A, proj *P, proj const *K, uint64_t k)

  108. {

  109.     assert (k >= 3);

  110.     assert (k % 2 == 1);

  111. 

  112.     fp tmp0, tmp1;

  113.     fp T[4] = {K->z, K->x, K->x, K->z};

  114.     proj Q;

  115. 

  116.     fp_mul3(&Q.x,  &P->x, &K->x);

  117.     fp_mul3(&tmp0, &P->z, &K->z);

  118.     fp_sub2(&Q.x,  &tmp0);

  119. 

  120.     fp_mul3(&Q.z,  &P->x, &K->z);

  121.     fp_mul3(&tmp0, &P->z, &K->x);

  122.     fp_sub2(&Q.z,  &tmp0);

  123. 

  124.     proj M[3] = {*K};

  125.     xDBL(&M[1], A, K);

  126. 

  127.     for (uint64_t i = 1; i < k / 2; ++i) {

  128. 

  129.         if (i >= 2)

  130.             xADD(&M[i % 3], &M[(i - 1) % 3], K, &M[(i - 2) % 3]);

  131. 

  132.         fp_mul3(&tmp0, &M[i % 3].x, &T[0]);

  133.         fp_mul3(&tmp1, &M[i % 3].z, &T[1]);

  134.         fp_add3(&T[0], &tmp0, &tmp1);

  135. 

  136.         fp_mul2(&T[1], &M[i % 3].x);

  137. 

  138.         fp_mul3(&tmp0, &M[i % 3].z, &T[2]);

  139.         fp_mul3(&tmp1, &M[i % 3].x, &T[3]);

  140.         fp_add3(&T[2], &tmp0, &tmp1);

  141. 

  142.         fp_mul2(&T[3], &M[i % 3].z);

  143. 

  144. 

  145.         fp_mul3(&tmp0, &P->x, &M[i % 3].x);

  146.         fp_mul3(&tmp1, &P->z, &M[i % 3].z);

  147.         fp_sub2(&tmp0, &tmp1);

  148.         fp_mul2(&Q.x,  &tmp0);

  149. 

  150.         fp_mul3(&tmp0, &P->x, &M[i % 3].z);

  151.         fp_mul3(&tmp1, &P->z, &M[i % 3].x);

  152.         fp_sub2(&tmp0, &tmp1);

  153.         fp_mul2(&Q.z,  &tmp0);

  154.     }

  155. 

  156.     fp_mul2(&T[0], &T[1]);

  157.     fp_add2(&T[0], &T[0]); /* multiplication by 2 */

  158. 

  159.     fp_sq1(&T[1]);

  160. 

  161.     fp_mul2(&T[2], &T[3]);

  162.     fp_add2(&T[2], &T[2]); /* multiplication by 2 */

  163. 

  164.     fp_sq1(&T[3]);

  165. 

  166.     /* Ax := T[1] * T[3] * Ax - 3 * Az * (T[1] * T[2] - T[0] * T[3]) */

  167.     fp_mul3(&tmp0, &T[1], &T[2]);

  168.     fp_mul3(&tmp1, &T[0], &T[3]);

  169.     fp_sub2(&tmp0, &tmp1);

  170.     fp_mul2(&tmp0, &A->z);

  171.     fp_add3(&tmp1, &tmp0, &tmp0); fp_add2(&tmp0, &tmp1); /* multiplication by 3 */

  172. 

  173.     fp_mul3(&tmp1, &T[1], &T[3]);

  174.     fp_mul2(&tmp1, &A->x);

  175. 

  176.     fp_sub3(&A->x, &tmp1, &tmp0);

  177. 

  178.     /* Az := Az * T[3]^2 */

  179.     fp_sq1(&T[3]);

  180.     fp_mul2(&A->z, &T[3]);

  181. 

  182.     /* X := X * Xim^2, Z := Z * Zim^2 */

  183.     fp_sq1(&Q.x);

  184.     fp_sq1(&Q.z);

  185.     fp_mul2(&P->x, &Q.x);

  186.     fp_mul2(&P->z, &Q.z);

  187. }