kris
/
sike_ifma
1
0
Derivar 0
Código Questões 0 Pedidos de integração 0 Lançamentos 0 Wiki Trabalho
Não pode escolher mais do que 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
1 Cometer
1 Ramo
116 KiB
 
 
 
Ramo: master
Ramos Etiquetas
${ item.name }
Criar ramo ${ searchTerm }
de 'master'
${ noResults }
sike_ifma/P751_ifma.c

818 linhas
33 KiB
Em bruto Ligação permanente Responsabilidade Histórico 

  1. #include <stdint.h>

  2. #include <string.h>

  3. 

  4. #define NWORDS_FIELD 15

  5. #define MAX_INT_POINTS_ALICE 8

  6. #define MAX_INT_POINTS_BOB 10

  7. 

  8. #define ALICE 0

  9. #define BOB 1

  10. #define OALICE_BITS 372

  11. #define OBOB_BITS 379

  12. 

  13. #define MAX_Alice 186

  14. #define MAX_Bob 239

  15. 

  16. #define NBITS_FIELD 751

  17. #define MAXBITS_FIELD 768

  18. #define FP2_ENCODED_BYTES 2 * ((NBITS_FIELD + 7) / 8)

  19. 

  20. typedef uint64_t felm_t[NWORDS_FIELD];

  21. typedef felm_t f2elm_t[2];

  22. 

  23. typedef struct

  24. {

  25.     f2elm_t X;

  26.     f2elm_t Z;

  27. } point_proj; // Point representation in projective XZ Montgomery coordinates.

  28. 

  29. typedef point_proj point_proj_t[1];

  30. 

  31. const uint64_t A_gen_ifma[5 * NWORDS_FIELD] = {

  32.     0x000ceab50ad8bc0d, 0x0005e457b1c2fc08, 0x000cd6e1d7d710f5, 0x000ae8738d92953d, 0x000a7ebee8a3418a, 0x0008345f03f46fba, 0x0007cfe2616c9a28, 0x000b4be50c8b9e16, 0x00039b6799643b2e, 0x000597a7ff9d56d5, 0x00021d410d97fe0a, 0x000a4a92a8f2ad52, 0x00054508e42abde4, 0x000ebf7d0178c137, 0x00000000004a0a75,

  33.     0x000d21582e4118ad, 0x0005df400ae6cc41, 0x000aec407c2ecb7c, 0x000de8e34b521432, 0x000761e2ab085167, 0x000bcaa6094b3c50, 0x000df9ddd71032cf, 0x00057d905265605f, 0x000f7dba2681f9d7, 0x0009e9732def416c, 0x0006f77956ce00ce, 0x000576fb3094772b, 0x000b2d166e2a949f, 0x0002f665c6588ea2, 0x0000000000337a25,

  34.     0x00026279148626cd, 0x0006b5baead56fe5, 0x000ab911fad60dc9, 0x000401e137d0bf07, 0x0004d3e925216196, 0x0005e4cd09a33740, 0x00069e4af733c538, 0x000d1169f6821367, 0x000c64ecfc721111, 0x000ba56507cd0dc7, 0x000995e4ae04dfad, 0x0007b992deeceab8, 0x0007bccd256aff1e, 0x000207f5fde1824c, 0x0000000000345cc7,

  35.     0x00041dffd19b3e7f, 0x000b48c18e0bb844, 0x000380584b4dea99, 0x0000692de648ad31, 0x000d72761b6dfaee, 0x0005c672c3058de6, 0x000cba26fdc22397, 0x000e15f9133d4bc3, 0x000d5ae123793466, 0x000bb494276e321d, 0x000c9c99fb74cd99, 0x0005da6e4fd03f75, 0x000b95feb24d0937, 0x000e6a307e03cd17, 0x000000000044ad2e,

  36.     0x0007f1ec71be8c36, 0x00053859b1ed78c1, 0x000529ff824d6df7, 0x000633a10839b2a8, 0x00003e9e25fdea79, 0x000a8054df1762fc, 0x000034c6467c4708, 0x000acb63530b60ec, 0x0000c6fc8c19bf71, 0x0005aca92467c3cb, 0x000d42050ba154a2, 0x000b4d5baa4ab074, 0x00044ba4962ac622, 0x0002bbf250aa70e6, 0x0000000000457f51};

  37. 

  38. const uint64_t B_gen_ifma[5 * NWORDS_FIELD] = {

  39.     0x0001ef867ab0bcb9, 0x0009a45c76cfb6d7, 0x0001f034a5fdd76e, 0x000038b1ee69194b, 0x000e7b18a7761f3f, 0x000a486a52c84cf6, 0x0005aa75466fcf01, 0x00044164f797233f, 0x000331aeaec77db1, 0x0005185f83d9a22f, 0x000e2d4dc94f5b17, 0x0000f7b3858b15a4, 0x000635ac44515c99, 0x000a5b14eaf4ee2e, 0x000000000048e907,

  40.     0x0004e7c075cc3a24, 0x00004aa430a49203, 0x00094c8677baf00b, 0x000b3aae0c9a755c, 0x000c4b064e9ebb08, 0x000dd04e826c661d, 0x00061f01b223684e, 0x000d43bc8a6360b6, 0x00008c633a79ab30, 0x0008e0092fbd6f39, 0x0002b9ba797337f8, 0x000fcb3252ddaf84, 0x000467ded2ca9dce, 0x0006117350e479f4, 0x00000000001ae9d1,

  41.     0x000ed7b96c4ab279, 0x000178486ef1a8c9, 0x000c2f4299429da5, 0x000aef4926f20cd5, 0x0003b2e2858b4716, 0x000bcc3cac3eeb68, 0x0003a600460dda2f, 0x00050e6650a24c9f, 0x0004cb60c61775f8, 0x00082b196ebc78b3, 0x000cc7fec8cce966, 0x000d9b778d801d65, 0x0005324630f74af3, 0x0009018193e7592e, 0x00000000003aef05,

  42.     0x00033769d0f314ef, 0x000e2659d11c0d67, 0x000d133f084c3086, 0x0005e23d5da27bcb, 0x0008ec9a8d586402, 0x000c781b3b645bf3, 0x000c9fb03ee6426d, 0x000ddc7bb40b83e3, 0x000bb7b4ab585e3a, 0x0006c2672e53eeaf, 0x0000397a1e62b655, 0x0004ac383daab923, 0x0008eb1ecdd2f39e, 0x000f1516da469247, 0x00000000003693cf,

  43.     0x0007d8f72bd956dc, 0x000e9934884ae37e, 0x0003c3edd2d504b3, 0x00005d14e7fa1ecb, 0x0007610ceb75d635, 0x000b4cac446b1112, 0x000c1f70caf255b4, 0x00057d3e324d2f36, 0x0006181c3bb1a700, 0x000db2f2916ccc40, 0x00021ee51d1c92f1, 0x000c07c22031c32a, 0x000e4310e5103473, 0x00069c1148de9ef5, 0x00000000004d1227};

  44. 

  45. const uint64_t One[NWORDS_FIELD] = {

  46.     0x00000000249ad67c, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0001f9800c542c00, 0x000b326488fe3b2a, 0x000e6176236db777, 0x000dd6e970232b83, 0x000d4d762277573f, 0x00054cd16c015f35, 0x0009fc72438c4fc7, 0x00000000001bf8f6};

  47. 

  48. const uint64_t Two[NWORDS_FIELD] = {

  49.     0x000000004935acf8, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0003f30018a85800, 0x000664c911fc7654, 0x000cc2ec46db6eef, 0x000badd2e0465707, 0x000a9aec44eeae7f, 0x000a99a2d802be6b, 0x0003f8e487189f8e, 0x000000000037f1ed};

  50. 

  51. // Fixed parameters for isogeny tree computation

  52. extern const unsigned int strat_Alice[MAX_Alice - 1];

  53. extern const unsigned int strat_Bob[MAX_Bob - 1];

  54. 

  55. void norm2red(uint64_t *res, const uint64_t *a);

  56. void red2norm(uint64_t out[12], const uint64_t in[15])

  57. {

  58.     out[0] = in[0] ^ in[1] << 52;

  59. 

  60.     out[1] = in[1] >> 12 ^ in[2] << 40;

  61.     out[2] = in[2] >> 24 ^ in[3] << 28;

  62.     out[3] = in[3] >> 36 ^ in[4] << 16;

  63.     out[4] = in[4] >> 48 ^ in[5] << 4 ^ in[6] << 56;

  64. 

  65.     out[5] = in[6] >> 8 ^ in[7] << 44;

  66.     out[6] = in[7] >> 20 ^ in[8] << 32;

  67.     out[7] = in[8] >> 32 ^ in[9] << 20;

  68.     out[8] = in[9] >> 44 ^ in[10] << 8 ^ in[11] << 60;

  69. 

  70.     out[9] = in[11] >> 4 ^ in[12] << 48;

  71.     out[10] = in[12] >> 16 ^ in[13] << 36;

  72.     out[11] = in[13] >> 28 ^ in[14] << 24;

  73. }

  74. 

  75. static void init_basis(const uint64_t *gen, f2elm_t XP, f2elm_t XQ, f2elm_t XR)

  76. { // Initialization of basis points

  77. 

  78.     memcpy(XP[0], &gen[0 * NWORDS_FIELD], sizeof(felm_t));

  79.     memcpy(XP[1], &gen[1 * NWORDS_FIELD], sizeof(felm_t));

  80. 

  81.     memcpy(XQ[0], &gen[2 * NWORDS_FIELD], sizeof(felm_t));

  82.     memset(XQ[1], 0, sizeof(felm_t));

  83. 

  84.     memcpy(XR[0], &gen[3 * NWORDS_FIELD], sizeof(felm_t));

  85.     memcpy(XR[1], &gen[4 * NWORDS_FIELD], sizeof(felm_t));

  86. }

  87. 

  88. void fp2_mul_ifma(f2elm_t res, const f2elm_t a, const f2elm_t b);

  89. void fp2_mul_ifma_x2(f2elm_t res1, const f2elm_t a1, const f2elm_t b1, f2elm_t res2, const f2elm_t a2, const f2elm_t b2);

  90. void fp2_sqr_ifma(f2elm_t res, const f2elm_t a);

  91. void fp2_add(f2elm_t res, const f2elm_t a, const f2elm_t b);

  92. void fp2_sub(f2elm_t res, const f2elm_t a, const f2elm_t b);

  93. 

  94. void fp2_swap(point_proj_t a, point_proj_t b, int swap);

  95. 

  96. void fp_mul_ifma(felm_t res, felm_t a, felm_t b);

  97. void fp_add(felm_t res, const felm_t a, const felm_t b);

  98. void fp_sub(felm_t res, const felm_t a, const felm_t b);

  99. 

  100. void to_mont_ifma(felm_t rp, const felm_t ap);

  101. void from_mont_ifma(felm_t rp, const felm_t ap);

  102. 

  103. void red2norm(uint64_t out[12], const felm_t in);

  104. 

  105. #define fp2mul_mont(a, b, r) fp2_mul_ifma(r, a, b)

  106. #define fp2sqr_mont(a, r) fp2_sqr_ifma(r, a)

  107. #define fp2add(a, b, r) fp2_add(r, a, b)

  108. #define fp2sub(a, b, r) fp2_sub(r, a, b)

  109. #define fp2correction

  110. 

  111. #define fpsqr_mont(a, r) fp_mul_ifma(r, a, a)

  112. #define fpmul_mont(a, b, r) fp_mul_ifma(r, a, b)

  113. 

  114. #define fpadd(a, b, r) fp_add(r, a, b)

  115. #define fpsub(a, b, r) fp_sub(r, a, b)

  116. 

  117. void fpinv_chain_mont(felm_t a)

  118. { // Chain to compute a^(p-3)/4 using Montgomery arithmetic.

  119.     unsigned int i, j;

  120.     felm_t t[27], tt;

  121. 

  122.     // Precomputed table

  123.     fpsqr_mont(a, tt);

  124.     fpmul_mont(a, tt, t[0]);

  125.     fpmul_mont(t[0], tt, t[1]);

  126.     fpmul_mont(t[1], tt, t[2]);

  127.     fpmul_mont(t[2], tt, t[3]);

  128.     fpmul_mont(t[3], tt, t[3]);

  129.     for (i = 3; i <= 8; i++)

  130.         fpmul_mont(t[i], tt, t[i + 1]);

  131.     fpmul_mont(t[9], tt, t[9]);

  132.     for (i = 9; i <= 20; i++)

  133.         fpmul_mont(t[i], tt, t[i + 1]);

  134.     fpmul_mont(t[21], tt, t[21]);

  135.     for (i = 21; i <= 24; i++)

  136.         fpmul_mont(t[i], tt, t[i + 1]);

  137.     fpmul_mont(t[25], tt, t[25]);

  138.     fpmul_mont(t[25], tt, t[26]);

  139. 

  140.     memcpy(tt, a, sizeof(felm_t));

  141.     for (i = 0; i < 6; i++)

  142.         fpsqr_mont(tt, tt);

  143.     fpmul_mont(t[20], tt, tt);

  144.     for (i = 0; i < 6; i++)

  145.         fpsqr_mont(tt, tt);

  146.     fpmul_mont(t[24], tt, tt);

  147.     for (i = 0; i < 6; i++)

  148.         fpsqr_mont(tt, tt);

  149.     fpmul_mont(t[11], tt, tt);

  150.     for (i = 0; i < 6; i++)

  151.         fpsqr_mont(tt, tt);

  152.     fpmul_mont(t[8], tt, tt);

  153.     for (i = 0; i < 8; i++)

  154.         fpsqr_mont(tt, tt);

  155.     fpmul_mont(t[2], tt, tt);

  156.     for (i = 0; i < 6; i++)

  157.         fpsqr_mont(tt, tt);

  158.     fpmul_mont(t[23], tt, tt);

  159.     for (i = 0; i < 6; i++)

  160.         fpsqr_mont(tt, tt);

  161.     fpmul_mont(t[2], tt, tt);

  162.     for (i = 0; i < 9; i++)

  163.         fpsqr_mont(tt, tt);

  164.     fpmul_mont(t[2], tt, tt);

  165.     for (i = 0; i < 10; i++)

  166.         fpsqr_mont(tt, tt);

  167.     fpmul_mont(t[15], tt, tt);

  168.     for (i = 0; i < 8; i++)

  169.         fpsqr_mont(tt, tt);

  170.     fpmul_mont(t[13], tt, tt);

  171.     for (i = 0; i < 8; i++)

  172.         fpsqr_mont(tt, tt);

  173.     fpmul_mont(t[26], tt, tt);

  174.     for (i = 0; i < 8; i++)

  175.         fpsqr_mont(tt, tt);

  176.     fpmul_mont(t[20], tt, tt);

  177.     for (i = 0; i < 6; i++)

  178.         fpsqr_mont(tt, tt);

  179.     fpmul_mont(t[11], tt, tt);

  180.     for (i = 0; i < 6; i++)

  181.         fpsqr_mont(tt, tt);

  182.     fpmul_mont(t[10], tt, tt);

  183.     for (i = 0; i < 6; i++)

  184.         fpsqr_mont(tt, tt);

  185.     fpmul_mont(t[14], tt, tt);

  186.     for (i = 0; i < 6; i++)

  187.         fpsqr_mont(tt, tt);

  188.     fpmul_mont(t[4], tt, tt);

  189.     for (i = 0; i < 10; i++)

  190.         fpsqr_mont(tt, tt);

  191.     fpmul_mont(t[18], tt, tt);

  192.     for (i = 0; i < 6; i++)

  193.         fpsqr_mont(tt, tt);

  194.     fpmul_mont(t[1], tt, tt);

  195.     for (i = 0; i < 7; i++)

  196.         fpsqr_mont(tt, tt);

  197.     fpmul_mont(t[22], tt, tt);

  198.     for (i = 0; i < 10; i++)

  199.         fpsqr_mont(tt, tt);

  200.     fpmul_mont(t[6], tt, tt);

  201.     for (i = 0; i < 7; i++)

  202.         fpsqr_mont(tt, tt);

  203.     fpmul_mont(t[24], tt, tt);

  204.     for (i = 0; i < 6; i++)

  205.         fpsqr_mont(tt, tt);

  206.     fpmul_mont(t[9], tt, tt);

  207.     for (i = 0; i < 8; i++)

  208.         fpsqr_mont(tt, tt);

  209.     fpmul_mont(t[18], tt, tt);

  210.     for (i = 0; i < 6; i++)

  211.         fpsqr_mont(tt, tt);

  212.     fpmul_mont(t[17], tt, tt);

  213.     for (i = 0; i < 8; i++)

  214.         fpsqr_mont(tt, tt);

  215.     fpmul_mont(a, tt, tt);

  216.     for (i = 0; i < 10; i++)

  217.         fpsqr_mont(tt, tt);

  218.     fpmul_mont(t[16], tt, tt);

  219.     for (i = 0; i < 6; i++)

  220.         fpsqr_mont(tt, tt);

  221.     fpmul_mont(t[7], tt, tt);

  222.     for (i = 0; i < 6; i++)

  223.         fpsqr_mont(tt, tt);

  224.     fpmul_mont(t[0], tt, tt);

  225.     for (i = 0; i < 7; i++)

  226.         fpsqr_mont(tt, tt);

  227.     fpmul_mont(t[12], tt, tt);

  228.     for (i = 0; i < 7; i++)

  229.         fpsqr_mont(tt, tt);

  230.     fpmul_mont(t[19], tt, tt);

  231.     for (i = 0; i < 6; i++)

  232.         fpsqr_mont(tt, tt);

  233.     fpmul_mont(t[22], tt, tt);

  234.     for (i = 0; i < 6; i++)

  235.         fpsqr_mont(tt, tt);

  236.     fpmul_mont(t[25], tt, tt);

  237.     for (i = 0; i < 7; i++)

  238.         fpsqr_mont(tt, tt);

  239.     fpmul_mont(t[2], tt, tt);

  240.     for (i = 0; i < 6; i++)

  241.         fpsqr_mont(tt, tt);

  242.     fpmul_mont(t[10], tt, tt);

  243.     for (i = 0; i < 7; i++)

  244.         fpsqr_mont(tt, tt);

  245.     fpmul_mont(t[22], tt, tt);

  246.     for (i = 0; i < 8; i++)

  247.         fpsqr_mont(tt, tt);

  248.     fpmul_mont(t[18], tt, tt);

  249.     for (i = 0; i < 6; i++)

  250.         fpsqr_mont(tt, tt);

  251.     fpmul_mont(t[4], tt, tt);

  252.     for (i = 0; i < 6; i++)

  253.         fpsqr_mont(tt, tt);

  254.     fpmul_mont(t[14], tt, tt);

  255.     for (i = 0; i < 7; i++)

  256.         fpsqr_mont(tt, tt);

  257.     fpmul_mont(t[13], tt, tt);

  258.     for (i = 0; i < 6; i++)

  259.         fpsqr_mont(tt, tt);

  260.     fpmul_mont(t[5], tt, tt);

  261.     for (i = 0; i < 6; i++)

  262.         fpsqr_mont(tt, tt);

  263.     fpmul_mont(t[23], tt, tt);

  264.     for (i = 0; i < 6; i++)

  265.         fpsqr_mont(tt, tt);

  266.     fpmul_mont(t[21], tt, tt);

  267.     for (i = 0; i < 6; i++)

  268.         fpsqr_mont(tt, tt);

  269.     fpmul_mont(t[2], tt, tt);

  270.     for (i = 0; i < 7; i++)

  271.         fpsqr_mont(tt, tt);

  272.     fpmul_mont(t[23], tt, tt);

  273.     for (i = 0; i < 8; i++)

  274.         fpsqr_mont(tt, tt);

  275.     fpmul_mont(t[12], tt, tt);

  276.     for (i = 0; i < 6; i++)

  277.         fpsqr_mont(tt, tt);

  278.     fpmul_mont(t[9], tt, tt);

  279.     for (i = 0; i < 6; i++)

  280.         fpsqr_mont(tt, tt);

  281.     fpmul_mont(t[3], tt, tt);

  282.     for (i = 0; i < 7; i++)

  283.         fpsqr_mont(tt, tt);

  284.     fpmul_mont(t[13], tt, tt);

  285.     for (i = 0; i < 7; i++)

  286.         fpsqr_mont(tt, tt);

  287.     fpmul_mont(t[17], tt, tt);

  288.     for (i = 0; i < 8; i++)

  289.         fpsqr_mont(tt, tt);

  290.     fpmul_mont(t[26], tt, tt);

  291.     for (i = 0; i < 8; i++)

  292.         fpsqr_mont(tt, tt);

  293.     fpmul_mont(t[5], tt, tt);

  294.     for (i = 0; i < 8; i++)

  295.         fpsqr_mont(tt, tt);

  296.     fpmul_mont(t[8], tt, tt);

  297.     for (i = 0; i < 6; i++)

  298.         fpsqr_mont(tt, tt);

  299.     fpmul_mont(t[2], tt, tt);

  300.     for (i = 0; i < 6; i++)

  301.         fpsqr_mont(tt, tt);

  302.     fpmul_mont(t[11], tt, tt);

  303.     for (i = 0; i < 7; i++)

  304.         fpsqr_mont(tt, tt);

  305.     fpmul_mont(t[20], tt, tt);

  306.     for (j = 0; j < 61; j++)

  307.     {

  308.         for (i = 0; i < 6; i++)

  309.             fpsqr_mont(tt, tt);

  310.         fpmul_mont(t[26], tt, tt);

  311.     }

  312.     memcpy(a, tt, sizeof(felm_t));

  313. }

  314. 

  315. void fpinv_mont(felm_t a)

  316. { // Field inversion using Montgomery arithmetic, a = a^(-1)*R mod p.

  317.     felm_t tt;

  318.     memcpy(tt, a, sizeof(felm_t));

  319.     fpinv_chain_mont(tt);

  320.     fpsqr_mont(tt, tt);

  321.     fpsqr_mont(tt, tt);

  322.     fpmul_mont(a, tt, a);

  323. }

  324. 

  325. void fp2inv_mont(f2elm_t a)

  326. { // GF(p^2) inversion using Montgomery arithmetic, a = (a0-i*a1)/(a0^2+a1^2).

  327.     f2elm_t t1;

  328.     felm_t zero = {0};

  329.     fpsqr_mont(a[0], t1[0]);    // t10 = a0^2

  330.     fpsqr_mont(a[1], t1[1]);    // t11 = a1^2

  331.     fpadd(t1[0], t1[1], t1[0]); // t10 = a0^2+a1^2

  332.     fpinv_mont(t1[0]);          // t10 = (a0^2+a1^2)^-1

  333.     fp_sub(a[1], zero, a[1]);   // a = a0-i*a1

  334.     fpmul_mont(a[0], t1[0], a[0]);

  335.     fpmul_mont(a[1], t1[0], a[1]); // a = (a0-i*a1)*(a0^2+a1^2)^-1

  336. }

  337. 

  338. void inv_3_way_ifma(f2elm_t z1, f2elm_t z2, f2elm_t z3)

  339. { // 3-way simultaneous inversion

  340.     // Input:  z1,z2,z3

  341.     // Output: 1/z1,1/z2,1/z3 (override inputs).

  342.     f2elm_t t0, t1, t2, t3;

  343. 

  344.     fp2mul_mont(z1, z2, t0); // t0 = z1*z2

  345.     fp2mul_mont(z3, t0, t1); // t1 = z1*z2*z3

  346.     fp2inv_mont(t1);         // t1 = 1/(z1*z2*z3)

  347.     fp2mul_mont(z3, t1, t2); // t2 = 1/(z1*z2)

  348.     fp2_mul_ifma_x2(t3, t2, z2, z2, t2, z1);

  349.     //fp2mul_mont(t2, z2, t3); // t3 = 1/z1

  350.     //fp2mul_mont(t2, z1, z2); // z2 = 1/z2

  351.     fp2mul_mont(t0, t1, z3); // z3 = 1/z3

  352.     memcpy(z1, t3, sizeof(f2elm_t));

  353. }

  354. 

  355. void xDBLADD_ifma(point_proj_t P, point_proj_t Q, const f2elm_t xPQ, const f2elm_t A24)

  356. { // Simultaneous doubling and differential addition.

  357.     // Input: projective Montgomery points P=(XP:ZP) and Q=(XQ:ZQ) such that xP=XP/ZP and xQ=XQ/ZQ, affine difference xPQ=x(P-Q) and Montgomery curve constant A24=(A+2)/4.

  358.     // Output: projective Montgomery points P <- 2*P = (X2P:Z2P) such that x(2P)=X2P/Z2P, and Q <- P+Q = (XQP:ZQP) such that = x(Q+P)=XQP/ZQP.

  359.     f2elm_t t0, t1, t2, t3;

  360. 

  361.     fp2add(P->X, P->Z, t0); // t0 = XP+ZP

  362.     fp2sub(P->X, P->Z, t1); // t1 = XP-ZP

  363. 

  364.     fp2_mul_ifma_x2(P->X, t0, t0, P->Z, t1, t1);

  365.     //fp2sqr_mont(t0, P->X); // XP = (XP+ZP)^2

  366.     //fp2sqr_mont(t1, P->Z); // ZP = (XP-ZP)^2

  367. 

  368.     fp2add(Q->X, Q->Z, t2); // XQ = XQ+ZQ

  369.     fp2sub(Q->X, Q->Z, t3); // t2 = XQ-ZQ

  370. 

  371.     fp2_mul_ifma_x2(t1, t1, t2, t0, t0, t3);

  372.     //fp2mul_mont(t2, t1, t1); // t1 = (XP-ZP)*(XQ+ZQ)

  373.     //fp2mul_mont(t3, t0, t0); // t0 = (XP+ZP)*(XQ-ZQ)

  374. 

  375.     fp2sub(P->X, P->Z, t2); // t2 = (XP+ZP)^2-(XP-ZP)^2

  376.     fp2sub(t0, t1, Q->Z);   // ZQ = (XP+ZP)*(XQ-ZQ)-(XP-ZP)*(XQ+ZQ)

  377. 

  378.     fp2_mul_ifma_x2(P->X, P->X, P->Z, Q->X, A24, t2);

  379.     //fp2mul_mont(P->X, P->Z, P->X); // XP = (XP+ZP)^2*(XP-ZP)^2

  380.     //fp2mul_mont(t2, A24, Q->X);    // XQ = A24*[(XP+ZP)^2-(XP-ZP)^2]

  381. 

  382.     fp2add(Q->X, P->Z, P->Z); // ZP = A24*[(XP+ZP)^2-(XP-ZP)^2]+(XP-ZP)^2

  383.     fp2add(t0, t1, Q->X);     // XQ = (XP+ZP)*(XQ-ZQ)+(XP-ZP)*(XQ+ZQ)

  384. 

  385.     fp2_mul_ifma_x2(Q->Z, Q->Z, Q->Z, Q->X, Q->X, Q->X);

  386.     //fp2sqr_mont(Q->Z, Q->Z); // ZQ = [(XP+ZP)*(XQ-ZQ)-(XP-ZP)*(XQ+ZQ)]^2

  387.     //fp2sqr_mont(Q->X, Q->X); // XQ = [(XP+ZP)*(XQ-ZQ)+(XP-ZP)*(XQ+ZQ)]^2

  388. 

  389.     fp2_mul_ifma_x2(P->Z, P->Z, t2, Q->Z, Q->Z, xPQ);

  390.     //fp2mul_mont(P->Z, t2, P->Z);  // ZP = [A24*[(XP+ZP)^2-(XP-ZP)^2]+(XP-ZP)^2]*[(XP+ZP)^2-(XP-ZP)^2]

  391.     //fp2mul_mont(Q->Z, xPQ, Q->Z); // ZQ = xPQ*[(XP+ZP)*(XQ-ZQ)-(XP-ZP)*(XQ+ZQ)]^2

  392. }

  393. 

  394. static void LADDER3PT_ifma(const f2elm_t xP, const f2elm_t xQ, const f2elm_t xPQ, const uint64_t *m, const unsigned int AliceOrBob, point_proj_t R)

  395. {

  396.     point_proj_t R0 = {0}, R2 = {0};

  397.     const f2elm_t A24 = {

  398.         {0x00000000124d6b3e, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000fcc0062a1600, 0x000d9932447f1d95, 0x000f30bb11b6dbbb, 0x000eeb74b81195c1, 0x000ea6bb113bab9f, 0x000aa668b600af9a, 0x0004fe3921c627e3, 0x00000000000dfc7b},

  399.         {0}};

  400. 

  401.     uint64_t mask;

  402.     int i, nbits, bit, swap, prevbit = 0;

  403. 

  404.     if (AliceOrBob == ALICE)

  405.     {

  406.         nbits = OALICE_BITS;

  407.     }

  408.     else

  409.     {

  410.         nbits = OBOB_BITS;

  411.     }

  412. 

  413.     // Initializing points

  414.     memcpy(R0->X, xQ, sizeof(f2elm_t));

  415.     memcpy(R0->Z[0], One, sizeof(felm_t));

  416. 

  417.     memcpy(R2->X, xPQ, sizeof(f2elm_t));

  418.     memcpy(R2->Z[0], One, sizeof(felm_t));

  419. 

  420.     memcpy(R->X, xP, sizeof(f2elm_t));

  421.     memcpy(R->Z[0], One, sizeof(felm_t));

  422.     memset(R->Z[1], 0, sizeof(felm_t));

  423. 

  424.     // Main loop

  425.     for (i = 0; i < nbits; i++)

  426.     {

  427.         bit = (m[i >> 6] >> (i & (64 - 1))) & 1;

  428.         swap = bit ^ prevbit;

  429.         prevbit = bit;

  430.         fp2_swap(R, R2, swap);

  431. 

  432.         xDBLADD_ifma(R0, R2, R->X, A24);

  433.         fp2_mul_ifma(R2->X, R->Z, R2->X);

  434.     }

  435. }

  436. 

  437. static void xDBL_ifma(const point_proj_t P, point_proj_t Q, const f2elm_t A24plus, const f2elm_t C24)

  438. { // Doubling of a Montgomery point in projective coordinates (X:Z).

  439.     // Input: projective Montgomery x-coordinates P = (X1:Z1), where x1=X1/Z1 and Montgomery curve constants A+2C and 4C.

  440.     // Output: projective Montgomery x-coordinates Q = 2*P = (X2:Z2).

  441.     f2elm_t t0, t1, t2;

  442. 

  443.     fp2sub(P->X, P->Z, t0); // t0 = X1-Z1

  444.     fp2add(P->X, P->Z, t1); // t1 = X1+Z1

  445. 

  446.     fp2_mul_ifma_x2(t0, t0, t0, t1, t1, t1);

  447.     //fp2sqr_mont(t0, t0); // t0 = (X1-Z1)^2

  448.     //fp2sqr_mont(t1, t1); // t1 = (X1+Z1)^2

  449. 

  450.     fp2sub(t1, t0, t2); // t1 = (X1+Z1)^2-(X1-Z1)^2

  451. 

  452.     fp2_mul_ifma_x2(Q->Z, t0, C24, t0, t2, A24plus);

  453.     //fp2mul_mont(C24, t0, Q->Z);   // Z2 = C24*(X1-Z1)^2

  454.     //fp2mul_mont(A24plus, t2, t0); // t0 = A24plus*[(X1+Z1)^2-(X1-Z1)^2]

  455. 

  456.     fp2add(Q->Z, t0, t0); // Z2 = A24plus*[(X1+Z1)^2-(X1-Z1)^2] + C24*(X1-Z1)^2

  457. 

  458.     fp2_mul_ifma_x2(Q->X, Q->Z, t1, Q->Z, t2, t0);

  459.     //fp2mul_mont(t1, Q->Z, Q->X); // X2 = C24*(X1-Z1)^2*(X1+Z1)^2

  460.     //fp2mul_mont(t0, t2, Q->Z);   // Z2 = [A24plus*[(X1+Z1)^2-(X1-Z1)^2] + C24*(X1-Z1)^2]*[(X1+Z1)^2-(X1-Z1)^2]

  461. }

  462. 

  463. static void xDBLe_ifma(const point_proj_t P, point_proj_t Q, const f2elm_t A24plus, const f2elm_t C24, const int e)

  464. { // Computes [2^e](X:Z) on Montgomery curve with projective constant via e repeated doublings.

  465.     // Input: projective Montgomery x-coordinates P = (XP:ZP), such that xP=XP/ZP and Montgomery curve constants A+2C and 4C.

  466.     // Output: projective Montgomery x-coordinates Q <- (2^e)*P.

  467.     int i;

  468. 

  469.     memcpy(Q, P, sizeof(point_proj));

  470. 

  471.     for (i = 0; i < e; i++)

  472.     {

  473.         xDBL_ifma(Q, Q, A24plus, C24);

  474.     }

  475. }

  476. 

  477. static void xTPL_ifma(const point_proj_t P, point_proj_t Q, const f2elm_t A24minus, const f2elm_t A24plus)

  478. { // Tripling of a Montgomery point in projective coordinates (X:Z).

  479.     // Input: projective Montgomery x-coordinates P = (X:Z), where x=X/Z and Montgomery curve constants A24plus = A+2C and A24minus = A-2C.

  480.     // Output: projective Montgomery x-coordinates Q = 3*P = (X3:Z3).

  481.     f2elm_t t0, t1, t2, t3, t4, t5, t6, t7, t8;

  482. 

  483.     fp2sub(P->X, P->Z, t0); // t0 = X-Z

  484.     fp2add(P->X, P->Z, t1); // t1 = X+Z

  485.     fp2_mul_ifma_x2(t2, t0, t0, t3, t1, t1);

  486.     //fp2sqr_mont(t0, t2);           // t2 = (X-Z)^2

  487.     //fp2sqr_mont(t1, t3);           // t3 = (X+Z)^2

  488.     fp2_mul_ifma_x2(t5, A24plus, t3, t6, A24minus, t2);

  489.     //fp2mul_mont(t3, A24plus, t5);  // t5 = A24plus*(X+Z)^2

  490.     //fp2mul_mont(A24minus, t2, t6); // t6 = A24minus*(X-Z)^2

  491.     fp2_mul_ifma_x2(t7, t3, t5, t8, t2, t6);

  492.     //fp2mul_mont(t3, t5, t7); // t3 = A24plus*(X+Z)^3

  493.     //fp2mul_mont(t2, t6, t8); // t2 = A24minus*(X-Z)^3

  494.     fp2add(t0, t1, t4);      // t4 = 2*X

  495.     fp2sub(t1, t0, t0);      // t0 = 2*Z

  496.     fp2sqr_mont(t4, t1);     // t1 = 4*X^2

  497.     fp2sub(t1, t3, t1);      // t1 = 4*X^2 - (X+Z)^2

  498.     fp2sub(t1, t2, t1);      // t1 = 4*X^2 - (X+Z)^2 - (X-Z)^2

  499.     fp2sub(t8, t7, t7);      // t3 = A24minus*(X-Z)^3 - coeff*(X+Z)^3

  500.     fp2sub(t5, t6, t8);      // t2 = A24plus*(X+Z)^2 - A24minus*(X-Z)^2

  501.     fp2mul_mont(t1, t8, t1); // t1 = [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2]

  502.     fp2add(t7, t1, t8);      // t2 = [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2] + A24minus*(X-Z)^3 - coeff*(X+Z)^3

  503.     fp2sub(t7, t1, t1);      // t1 = A24minus*(X-Z)^3 - A24plus*(X+Z)^3 - [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2]

  504.     fp2_mul_ifma_x2(t8, t8, t8, t1, t1, t1);

  505.     //fp2sqr_mont(t8, t8); // t2 = t2^2

  506.     //fp2sqr_mont(t1, t1); // t1 = t1^2

  507.     fp2_mul_ifma_x2(Q->X, t4, t8, Q->Z, t1, t0);

  508.     //fp2mul_mont(t4, t8, Q->X); // X3 = 2*X*t2

  509.     //fp2mul_mont(t0, t1, Q->Z); // Z3 = 2*Z*t1

  510. }

  511. 

  512. void xTPLe_ifma(const point_proj_t P, point_proj_t Q, const f2elm_t A24minus, const f2elm_t A24plus, const int e)

  513. { // Computes [3^e](X:Z) on Montgomery curve with projective constant via e repeated triplings.

  514.     // Input: projective Montgomery x-coordinates P = (XP:ZP), such that xP=XP/ZP and Montgomery curve constants A24plus = A+2C and A24minus = A-2C.

  515.     // Output: projective Montgomery x-coordinates Q <- (3^e)*P.

  516.     int i;

  517. 

  518.     memcpy(Q, P, sizeof(point_proj));

  519. 

  520.     for (i = 0; i < e; i++)

  521.     {

  522.         xTPL_ifma(Q, Q, A24minus, A24plus);

  523.     }

  524. }

  525. 

  526. static void get_4_isog_ifma(const point_proj_t P, f2elm_t A24plus, f2elm_t C24, f2elm_t *coeff)

  527. { // Computes the corresponding 4-isogeny of a projective Montgomery point (X4:Z4) of order 4.

  528.     // Input:  projective point of order four P = (X4:Z4).

  529.     // Output: the 4-isogenous Montgomery curve with projective coefficients A+2C/4C and the 3 coefficients

  530.     //         that are used to evaluate the isogeny at a point in eval_4_isog().

  531. 

  532.     fp2sub(P->X, P->Z, coeff[1]); // coeff[1] = X4-Z4

  533.     fp2add(P->X, P->Z, coeff[2]); // coeff[2] = X4+Z4

  534. 

  535.     fp2_mul_ifma_x2(coeff[0], P->Z, P->Z, A24plus, P->X, P->X);

  536.     //fp2sqr_mont(P->Z, coeff[0]); // coeff[0] = Z4^2

  537.     //fp2sqr_mont(P->X, A24plus);  // A24plus = X4^2

  538. 

  539.     fp2add(coeff[0], coeff[0], coeff[0]); // coeff[0] = 2*Z4^2

  540.     fp2add(A24plus, A24plus, A24plus);    // A24plus = 2*X4^2

  541. 

  542.     fp2_mul_ifma_x2(C24, coeff[0], coeff[0], A24plus, A24plus, A24plus);

  543.     //fp2sqr_mont(coeff[0], C24);    // C24 = 4*Z4^4

  544.     //fp2sqr_mont(A24plus, A24plus); // A24plus = 4*X4^4

  545. 

  546.     fp2add(coeff[0], coeff[0], coeff[0]); // coeff[0] = 4*Z4^2

  547. }

  548. 

  549. static void eval_4_isog_ifma(point_proj_t P, f2elm_t *coeff)

  550. { // Evaluates the isogeny at the point (X:Z) in the domain of the isogeny, given a 4-isogeny phi defined

  551.     // by the 3 coefficients in coeff (computed in the function get_4_isog()).

  552.     // Inputs: the coefficients defining the isogeny, and the projective point P = (X:Z).

  553.     // Output: the projective point P = phi(P) = (X:Z) in the codomain.

  554.     f2elm_t t0, t1, t2;

  555. 

  556.     fp2add(P->X, P->Z, t0); // t0 = X+Z

  557.     fp2sub(P->X, P->Z, t1); // t1 = X-Z

  558. 

  559.     fp2_mul_ifma_x2(P->X, t0, coeff[1], t0, t0, t1);

  560.     //fp2mul_mont(t0, coeff[1], P->X); // X = (X+Z)*coeff[1]

  561.     //fp2mul_mont(t0, t1, t0);             // t0 = (X+Z)*(X-Z)

  562. 

  563.     fp2_mul_ifma_x2(P->Z, coeff[2], t1, t0, coeff[0], t0);

  564.     //fp2mul_mont(t1, coeff[2], P->Z); // Z = (X-Z)*coeff[2]

  565.     //fp2mul_mont(t0, coeff[0], t0);   // t0 = coeff[0]*(X+Z)*(X-Z)

  566. 

  567.     fp2add(P->X, P->Z, t1);   // t1 = (X-Z)*coeff[2] + (X+Z)*coeff[1]

  568.     fp2sub(P->X, P->Z, P->Z); // Z = (X-Z)*coeff[2] - (X+Z)*coeff[1]

  569. 

  570.     fp2_mul_ifma_x2(t1, t1, t1, P->Z, P->Z, P->Z);

  571.     //fp2sqr_mont(t1, t1);     // t1 = [(X-Z)*coeff[2] + (X+Z)*coeff[1]]^2

  572.     //fp2sqr_mont(P->Z, P->Z); // Z = [(X-Z)*coeff[2] - (X+Z)*coeff[1]]^2

  573. 

  574.     fp2add(t1, t0, P->X); // X = coeff[0]*(X+Z)*(X-Z) + [(X-Z)*coeff[2] + (X+Z)*coeff[1]]^2

  575.     fp2sub(P->Z, t0, t0); // t0 = [(X-Z)*coeff[2] - (X+Z)*coeff[1]]^2 - coeff[0]*(X+Z)*(X-Z)

  576. 

  577.     fp2_mul_ifma_x2(P->X, P->X, t1, P->Z, P->Z, t0);

  578.     //fp2mul_mont(P->X, t1, P->X); // Xfinal

  579.     //fp2mul_mont(P->Z, t0, P->Z); // Zfinal

  580. }

  581. 

  582. static void get_3_isog_ifma(const point_proj_t P, f2elm_t A24minus, f2elm_t A24plus, f2elm_t *coeff)

  583. { // Computes the corresponding 3-isogeny of a projective Montgomery point (X3:Z3) of order 3.

  584.     // Input:  projective point of order three P = (X3:Z3).

  585.     // Output: the 3-isogenous Montgomery curve with projective coefficient A/C.

  586.     f2elm_t t0, t1, t2, t3, t4, t5;

  587. 

  588.     fp2sub(P->X, P->Z, coeff[0]); // coeff0 = X-Z

  589.     fp2add(P->X, P->Z, coeff[1]); // coeff1 = X+Z

  590.     fp2_mul_ifma_x2(t0, coeff[0], coeff[0], t1, coeff[1], coeff[1]);

  591.     //fp2sqr_mont(coeff[0], t0);      // t0 = (X-Z)^2

  592.     //fp2sqr_mont(coeff[1], t1);      // t1 = (X+Z)^2

  593.     fp2add(t0, t1, t2);             // t2 = (X+Z)^2 + (X-Z)^2

  594.     fp2add(coeff[0], coeff[1], t3); // t3 = 2*X

  595.     fp2sqr_mont(t3, t3);            // t3 = 4*X^2

  596.     fp2sub(t3, t2, t3);             // t3 = 4*X^2 - (X+Z)^2 - (X-Z)^2

  597.     fp2add(t1, t3, t2);             // t2 = 4*X^2 - (X-Z)^2

  598.     fp2add(t3, t0, t3);             // t3 = 4*X^2 - (X+Z)^2

  599.     fp2add(t0, t3, t4);             // t4 = 4*X^2 - (X+Z)^2 + (X-Z)^2

  600.     fp2add(t4, t4, t4);             // t4 = 2(4*X^2 - (X+Z)^2 + (X-Z)^2)

  601.     fp2add(t1, t4, t4);             // t4 = 8*X^2 - (X+Z)^2 + 2*(X-Z)^2

  602.     fp2add(t1, t2, t5);             // t4 = 4*X^2 + (X+Z)^2 - (X-Z)^2

  603.     fp2add(t5, t5, t5);             // t4 = 2(4*X^2 + (X+Z)^2 - (X-Z)^2)

  604.     fp2add(t0, t5, t5);             // t4 = 8*X^2 + 2*(X+Z)^2 - (X-Z)^2

  605.     fp2_mul_ifma_x2(A24minus, t2, t4, t5, t5, t3);

  606.     // fp2mul_mont(t2, t4, A24minus);  // A24minus = [4*X^2 - (X-Z)^2]*[8*X^2 - (X+Z)^2 + 2*(X-Z)^2]

  607.     // fp2mul_mont(t3, t5, t5);        // t4 = [4*X^2 - (X+Z)^2]*[8*X^2 + 2*(X+Z)^2 - (X-Z)^2]

  608.     fp2sub(t5, A24minus, t0);      // t0 = [4*X^2 - (X+Z)^2]*[8*X^2 + 2*(X+Z)^2 - (X-Z)^2] - [4*X^2 - (X-Z)^2]*[8*X^2 - (X+Z)^2 + 2*(X-Z)^2]

  609.     fp2add(A24minus, t0, A24plus); // A24plus = 8*X^2 - (X+Z)^2 + 2*(X-Z)^2

  610. }

  611. 

  612. static void eval_3_isog_ifma(point_proj_t Q, const f2elm_t *coeff)

  613. { // Computes the 3-isogeny R=phi(X:Z), given projective point (X3:Z3) of order 3 on a Montgomery curve and

  614.     // a point P with 2 coefficients in coeff (computed in the function get_3_isog()).

  615.     // Inputs: projective points P = (X3:Z3) and Q = (X:Z).

  616.     // Output: the projective point Q <- phi(Q) = (X3:Z3).

  617.     f2elm_t t0, t1, t2;

  618. 

  619.     fp2add(Q->X, Q->Z, t0); // t0 = X+Z

  620.     fp2sub(Q->X, Q->Z, t1); // t1 = X-Z

  621.     fp2_mul_ifma_x2(t0, t0, coeff[0], t1, t1, coeff[1]);

  622.     //fp2mul_mont(t0, coeff[0], t0); // t0 = coeff0*(X+Z)

  623.     //fp2mul_mont(t1, coeff[1], t1); // t1 = coeff1*(X-Z)

  624.     fp2add(t0, t1, t2); // t2 = coeff0*(X-Z) + coeff1*(X+Z)

  625.     fp2sub(t1, t0, t0); // t0 = coeff0*(X-Z) - coeff1*(X+Z)

  626.     fp2_mul_ifma_x2(t2, t2, t2, t0, t0, t0);

  627.     //fp2sqr_mont(t2, t2);         // t2 = [coeff0*(X-Z) + coeff1*(X+Z)]^2

  628.     //fp2sqr_mont(t0, t0);         // t1 = [coeff0*(X-Z) - coeff1*(X+Z)]^2

  629.     fp2_mul_ifma_x2(Q->X, Q->X, t2, Q->Z, Q->Z, t0);

  630.     //fp2mul_mont(Q->X, t2, Q->X); // X3final = X*[coeff0*(X-Z) + coeff1*(X+Z)]^2

  631.     //fp2mul_mont(Q->Z, t0, Q->Z); // Z3final = Z*[coeff0*(X-Z) - coeff1*(X+Z)]^2

  632. }

  633. 

  634. static void fp2_encode(const f2elm_t x, unsigned char *enc)

  635. { // Conversion of GF(p^2) element from Montgomery to standard representation, and encoding by removing leading 0 bytes

  636.     unsigned int i;

  637.     f2elm_t tt;

  638.     uint64_t t[12 * 2];

  639. 

  640.     from_mont_ifma(tt[0], x[0]);

  641.     from_mont_ifma(tt[1], x[1]);

  642. 

  643.     red2norm(t, tt[0]);

  644.     red2norm(&t[12], tt[1]);

  645. 

  646.     for (i = 0; i < FP2_ENCODED_BYTES / 2; i++)

  647.     {

  648.         enc[i] = ((unsigned char *)t)[i];

  649.         enc[i + FP2_ENCODED_BYTES / 2] = ((unsigned char *)t)[i + MAXBITS_FIELD / 8];

  650.     }

  651. }

  652. 

  653. static void fp2_decode(const unsigned char *enc, f2elm_t x)

  654. {

  655.     unsigned int i;

  656.     uint64_t t[12 * 2];

  657. 

  658.     memset(x, 0, sizeof(f2elm_t));

  659.     for (i = 0; i < FP2_ENCODED_BYTES / 2; i++)

  660.     {

  661.         ((unsigned char *)t)[i] = enc[i];

  662.         ((unsigned char *)t)[i + MAXBITS_FIELD / 8] = enc[i + FP2_ENCODED_BYTES / 2];

  663.     }

  664. 

  665.     norm2red(x[0], t);

  666.     norm2red(x[1], &t[12]);

  667.     to_mont_ifma(x[0], x[0]);

  668.     to_mont_ifma(x[1], x[1]);

  669. }

  670. 

  671. int EphemeralKeyGeneration_A_ifma(const unsigned char *PrivateKeyA, unsigned char *PublicKeyA)

  672. { // Alice's ephemeral public key generation

  673.     // Input:  a private key PrivateKeyA in the range [0, 2^eA - 1].

  674.     // Output: the public key PublicKeyA consisting of 3 elements in GF(p^2) which are encoded by removing leading 0 bytes.

  675.     point_proj_t R, phiP = {0}, phiQ = {0}, phiR = {0}, pts[MAX_INT_POINTS_ALICE];

  676.     f2elm_t XPA, XQA, XRA, coeff[3];

  677.     unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_ALICE], npts = 0, ii = 0;

  678. 

  679.     f2elm_t C24 = {

  680.         {0x000000004935acf8, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0003f30018a85800, 0x000664c911fc7654, 0x000cc2ec46db6eef, 0x000badd2e0465707, 0x000a9aec44eeae7f, 0x000a99a2d802be6b, 0x0003f8e487189f8e, 0x000000000037f1ed},

  681.         {0}};

  682. 

  683.     f2elm_t A24plus = {

  684.         {0x00000000249ad67c, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0001f9800c542c00, 0x000b326488fe3b2a, 0x000e6176236db777, 0x000dd6e970232b83, 0x000d4d762277573f, 0x00054cd16c015f35, 0x0009fc72438c4fc7, 0x00000000001bf8f6},

  685.         {0}};

  686. 

  687.     // Initialize basis points

  688.     init_basis(A_gen_ifma, XPA, XQA, XRA);

  689.     init_basis(B_gen_ifma, phiP->X, phiQ->X, phiR->X);

  690.     memcpy(phiP->Z, One, sizeof(felm_t));

  691.     memcpy(phiQ->Z, One, sizeof(felm_t));

  692.     memcpy(phiR->Z, One, sizeof(felm_t));

  693. 

  694.     // Retrieve kernel point

  695.     LADDER3PT_ifma(XPA, XQA, XRA, (uint64_t *)PrivateKeyA, ALICE, R);

  696. 

  697.     // Traverse tree

  698.     index = 0;

  699.     for (row = 1; row < MAX_Alice; row++)

  700.     {

  701.         while (index < MAX_Alice - row)

  702.         {

  703.             memcpy(pts[npts]->X, R->X, sizeof(f2elm_t));

  704.             memcpy(pts[npts]->Z, R->Z, sizeof(f2elm_t));

  705.             pts_index[npts++] = index;

  706.             m = strat_Alice[ii++];

  707.             xDBLe_ifma(R, R, A24plus, C24, (int)(2 * m));

  708.             index += m;

  709.         }

  710.         get_4_isog_ifma(R, A24plus, C24, coeff);

  711. 

  712.         for (i = 0; i < npts; i++)

  713.         {

  714.             eval_4_isog_ifma(pts[i], coeff);

  715.         }

  716.         eval_4_isog_ifma(phiP, coeff);

  717.         eval_4_isog_ifma(phiQ, coeff);

  718.         eval_4_isog_ifma(phiR, coeff);

  719. 

  720.         memcpy(R->X, pts[npts - 1]->X, sizeof(f2elm_t));

  721.         memcpy(R->Z, pts[npts - 1]->Z, sizeof(f2elm_t));

  722.         index = pts_index[npts - 1];

  723.         npts -= 1;

  724.     }

  725. 

  726.     get_4_isog_ifma(R, A24plus, C24, coeff);

  727.     eval_4_isog_ifma(phiP, coeff);

  728.     eval_4_isog_ifma(phiQ, coeff);

  729.     eval_4_isog_ifma(phiR, coeff);

  730. 

  731.     inv_3_way_ifma(phiP->Z, phiQ->Z, phiR->Z);

  732.     fp2_mul_ifma_x2(phiP->X, phiP->X, phiP->Z, phiQ->X, phiQ->X, phiQ->Z);

  733.     //fp2mul_mont(phiP->X, phiP->Z, phiP->X);

  734.     //fp2mul_mont(phiQ->X, phiQ->Z, phiQ->X);

  735.     fp2mul_mont(phiR->X, phiR->Z, phiR->X);

  736. 

  737.     // Format public key

  738.     fp2_encode(phiP->X, PublicKeyA);

  739.     fp2_encode(phiQ->X, PublicKeyA + FP2_ENCODED_BYTES);

  740.     fp2_encode(phiR->X, PublicKeyA + 2 * FP2_ENCODED_BYTES);

  741. 

  742.     return 0;

  743. }

  744. 

  745. int EphemeralKeyGeneration_B_ifma(const unsigned char *PrivateKeyB, unsigned char *PublicKeyB)

  746. { // Bob's ephemeral public key generation

  747.     // Input:  a private key PrivateKeyB in the range [0, 2^Floor(Log(2,oB)) - 1].

  748.     // Output: the public key PublicKeyB consisting of 3 elements in GF(p^2) which are encoded by removing leading 0 bytes.

  749.     point_proj_t R, phiP = {0}, phiQ = {0}, phiR = {0}, pts[MAX_INT_POINTS_BOB];

  750.     f2elm_t XPB, XQB, XRB, coeff[3], A = {0};

  751.     unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0;

  752. 

  753.     f2elm_t A24plus = {{0x000000004935acf8, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0003f30018a85800, 0x000664c911fc7654, 0x000cc2ec46db6eef, 0x000badd2e0465707, 0x000a9aec44eeae7f, 0x000a99a2d802be6b, 0x0003f8e487189f8e, 0x000000000037f1ed},

  754.                        {0}};

  755. 

  756.     f2elm_t A24minus = {{0x000fffffb6ca5307, 0x000fffffffffffff, 0x000fffffffffffff, 0x000fffffffffffff, 0x000fffffffffffff, 0x000fffffffffffff, 0x000fffffffffffff, 0x0000ac8771e692ff, 0x000167add1f02031, 0x000aaabd12d63250, 0x000ca0c5879094e0, 0x0000b5598636c600, 0x0004fe180463c6f7, 0x0000268d39c8897b, 0x000000000037f3e8},

  757.                         {0}};

  758. 

  759.     uint64_t temp[12];

  760.     uint64_t ifma_temp[15];

  761.     // Initialize basis points

  762.     init_basis(B_gen_ifma, XPB, XQB, XRB);

  763.     init_basis(A_gen_ifma, phiP->X, phiQ->X, phiR->X);

  764.     memcpy(phiP->Z, One, sizeof(felm_t));

  765.     memcpy(phiQ->Z, One, sizeof(felm_t));

  766.     memcpy(phiR->Z, One, sizeof(felm_t));

  767. 

  768.     // Retrieve kernel point

  769.     LADDER3PT_ifma(XPB, XQB, XRB, (uint64_t *)PrivateKeyB, BOB, R);

  770. 

  771.     // Traverse tree

  772.     index = 0;

  773.     for (row = 1; row < MAX_Bob; row++)

  774.     {

  775.         while (index < MAX_Bob - row)

  776.         {

  777.             memcpy(pts[npts]->X, R->X, sizeof(f2elm_t));

  778.             memcpy(pts[npts]->Z, R->Z, sizeof(f2elm_t));

  779.             pts_index[npts++] = index;

  780.             m = strat_Bob[ii++];

  781.             xTPLe_ifma(R, R, A24minus, A24plus, (int)m);

  782.             index += m;

  783.         }

  784.         get_3_isog_ifma(R, A24minus, A24plus, coeff);

  785. 

  786.         for (i = 0; i < npts; i++)

  787.         {

  788.             eval_3_isog_ifma(pts[i], coeff);

  789.         }

  790.         eval_3_isog_ifma(phiP, coeff);

  791.         eval_3_isog_ifma(phiQ, coeff);

  792.         eval_3_isog_ifma(phiR, coeff);

  793. 

  794.         memcpy(R->X, pts[npts - 1]->X, sizeof(f2elm_t));

  795.         memcpy(R->Z, pts[npts - 1]->Z, sizeof(f2elm_t));

  796. 

  797.         index = pts_index[npts - 1];

  798.         npts -= 1;

  799.     }

  800. 

  801.     get_3_isog_ifma(R, A24minus, A24plus, coeff);

  802.     eval_3_isog_ifma(phiP, coeff);

  803.     eval_3_isog_ifma(phiQ, coeff);

  804.     eval_3_isog_ifma(phiR, coeff);

  805. 

  806.     inv_3_way_ifma(phiP->Z, phiQ->Z, phiR->Z);

  807.     fp2mul_mont(phiP->X, phiP->Z, phiP->X);

  808.     fp2mul_mont(phiQ->X, phiQ->Z, phiQ->X);

  809.     fp2mul_mont(phiR->X, phiR->Z, phiR->X);

  810. 

  811.     // Format public key

  812.     fp2_encode(phiP->X, PublicKeyB);

  813.     fp2_encode(phiQ->X, PublicKeyB + FP2_ENCODED_BYTES);

  814.     fp2_encode(phiR->X, PublicKeyB + 2 * FP2_ENCODED_BYTES);

  815. 

  816.     return 0;

  817. }