Simplify GLS interface.

relic-toolkit · Dec 28, 2024 · 1fdd690 · 1fdd690
1 parent e8b1378
commit 1fdd690
Show file tree

Hide file tree

Showing 9 changed files with 199 additions and 234 deletions.
diff --git a/bench/bench_bn.c b/bench/bench_bn.c
@@ -1000,9 +1000,11 @@ static void arith(void) {
 
 #if defined(WITH_EP) && defined(EP_ENDOM) && (EP_MUL == LWNAF || EP_FIX == COMBS || EP_FIX == LWNAF || EP_SIM == INTER || !defined(STRIP))
 	if (ep_param_set_any_endom() == RLC_OK) {
+		for (size_t i = 0; i < 3; i++) {
+			bn_copy(d[i], ep_curve_get_v1()[i]);
+			bn_copy(e[i], ep_curve_get_v2()[i]);
+		}
 		BENCH_RUN("bn_rec_glv") {
-			ep_curve_get_v1(d);
-			ep_curve_get_v2(e);
 			ep_curve_get_ord(c);
 			bn_rand_mod(a, c);
 			BENCH_ADD(bn_rec_glv(a, b, a, c, (const bn_t *)d, (const bn_t *)e));

diff --git a/include/relic_ep.h b/include/relic_ep.h
@@ -540,12 +540,12 @@ dig_t *ep_curve_get_beta(void);
 /**
  * Returns the parameter V1 of the prime curve.
  */
-void ep_curve_get_v1(bn_t v[]);
+const bn_t *ep_curve_get_v1(void);
 
 /**
  * Returns the parameter V2 of the prime curve.
  */
-void ep_curve_get_v2(bn_t v[]);
+const bn_t *ep_curve_get_v2(void);
 
 /**
  * Returns a optimization identifier based on the a-coefficient of the curve.

diff --git a/src/bn/relic_bn_rec.c b/src/bn/relic_bn_rec.c
@@ -30,6 +30,7 @@
  */
 
 #include "relic_core.h"
+#include "relic_bn_low.h"
 
 /*============================================================================*/
 /* Private definitions                                                        */
@@ -832,7 +833,7 @@ void bn_rec_glv(bn_t k0, bn_t k1, const bn_t k, const bn_t n, const bn_t *v1,
 		const bn_t *v2) {
 	bn_t t, b1, b2;
 	int r1, r2;
-	size_t bits;
+	size_t bits = bn_bits(n), d = bits >> (RLC_DIG_LOG), b = bits % RLC_DIG;
 
 	bn_null(b1);
 	bn_null(b2);
@@ -843,17 +844,26 @@ void bn_rec_glv(bn_t k0, bn_t k1, const bn_t k, const bn_t n, const bn_t *v1,
 		bn_new(b2);
 		bn_new(t);
 
-		bn_abs(t, k);
-		bits = bn_bits(n);
-
-		bn_mul(b1, t, v1[0]);
-		r1 = bn_get_bit(b1, bits);
-		bn_rsh(b1, b1, bits + 1);
+		dv_zero(t->dp, RLC_BN_SIZE);
+		dv_copy(t->dp, k->dp, k->used);
+
+		dv_zero(b1->dp, RLC_BN_SIZE);
+		dv_copy(b1->dp, v1[0]->dp, v1[0]->used);
+		b1->sign = v1[0]->sign;
+		b1->used = v1[0]->used;
+
+		dv_zero(b2->dp, RLC_BN_SIZE);
+		t->used = k->used;
+		bn_mul(b1, b1, t);
+		r1 = (b1->dp[d] >> b) & (dig_t)1;
+		dv_rshd(b1->dp, b1->dp, RLC_BN_SIZE, d);
+		bn_rshb_low(b1->dp, b1->dp, RLC_BN_SIZE, b + 1);
 		bn_add_dig(b1, b1, r1);
 
 		bn_mul(b2, t, v2[0]);
-		r2 = bn_get_bit(b2, bits);
-		bn_rsh(b2, b2, bits + 1);
+		r2 = (b2->dp[d] >> b) & (dig_t)1;
+		dv_rshd(b2->dp, b2->dp, RLC_BN_SIZE, d);
+		bn_rshb_low(b2->dp, b2->dp, RLC_BN_SIZE, b + 1);
 		bn_add_dig(b2, b2, r2);
 
 		bn_mul(k0, b1, v1[1]);

diff --git a/src/ep/relic_ep_curve.c b/src/ep/relic_ep_curve.c
@@ -272,18 +272,12 @@ dig_t *ep_curve_get_beta(void) {
 	return core_get()->beta;
 }
 
-void ep_curve_get_v1(bn_t v[]) {
-	ctx_t *ctx = core_get();
-	for (int i = 0; i < 3; i++) {
-		bn_copy(v[i], &(ctx->ep_v1[i]));
-	}
+const bn_t *ep_curve_get_v1(void) {
+	return (const bn_t *)core_get()->ep_v1;
 }
 
-void ep_curve_get_v2(bn_t v[]) {
-	ctx_t *ctx = core_get();
-	for (int i = 0; i < 3; i++) {
-		bn_copy(v[i], &(ctx->ep_v2[i]));
-	}
+const bn_t *ep_curve_get_v2(void) {
+	return (const bn_t *)core_get()->ep_v2;
 }
 
 #endif
@@ -443,16 +437,20 @@ void ep_curve_set_endom(const fp_t a, const fp_t b, const ep_t g, const bn_t r,
 	/* Precompute endomorphism constants. */
 #if EP_MUL == LWNAF || EP_FIX == COMBS || EP_FIX == LWNAF || EP_SIM == INTER || !defined(STRIP)
 	ep_t p, q;
-	bn_t m;
+	bn_t m, n, t;
 
 	ep_null(p);
 	ep_null(q);
 	bn_null(m);
+	bn_null(n);
+	bn_null(t);
 
 	RLC_TRY {
 		ep_new(p);
 		ep_new(q);
 		bn_new(m);
+		bn_new(n);
+		bn_new(t);
 
 		/* Check if [m]P = \psi(P). */
 		fp_copy(ctx->beta, beta);
@@ -478,45 +476,70 @@ void ep_curve_set_endom(const fp_t a, const fp_t b, const ep_t g, const bn_t r,
 				RLC_THROW(ERR_NO_VALID);
 			}
 		}
-		bn_gcd_ext_mid(&(ctx->ep_v1[1]), &(ctx->ep_v1[2]), &(ctx->ep_v2[1]),
-				&(ctx->ep_v2[2]), m, r);
-		/* m = (v1[1] * v2[2] - v1[2] * v2[1]) / 2. */
-		bn_mul(&(ctx->ep_v1[0]), &(ctx->ep_v1[1]), &(ctx->ep_v2[2]));
-		bn_mul(&(ctx->ep_v2[0]), &(ctx->ep_v1[2]), &(ctx->ep_v2[1]));
-		bn_sub(m, &(ctx->ep_v1[0]), &(ctx->ep_v2[0]));
-		bn_hlv(m, m);
-		/* v1[0] = round(v2[2] * 2^|n| / m). */
-		bn_lsh(&(ctx->ep_v1[0]), &(ctx->ep_v2[2]), bits + 1);
-		if (bn_sign(&(ctx->ep_v1[0])) == RLC_POS) {
-			bn_add(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), m);
-		} else {
-			bn_sub(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), m);
-		}
-		bn_dbl(m, m);
-		bn_div(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), m);
-		if (bn_sign(&ctx->ep_v1[0]) == RLC_NEG) {
-			bn_add_dig(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), 1);
-		}
-		/* v2[0] = round(v1[2] * 2^|n| / m). */
-		bn_lsh(&(ctx->ep_v2[0]), &(ctx->ep_v1[2]), bits + 1);
-		if (bn_sign(&(ctx->ep_v2[0])) == RLC_POS) {
-			bn_add(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), m);
-		} else {
-			bn_sub(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), m);
-		}
-		bn_div(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), m);
-		if (bn_sign(&ctx->ep_v2[0]) == RLC_NEG) {
+		if (fp_is_zero(a)) {
+			/* Compute trace of Frobenius t = (p + 1) - n. */
+			bn_mul(n, r, h);
+			bn_add_dig(t, &(ctx->prime), 1);
+			bn_sub(t, t, n);
+			/* c = (4q - t^2)/3. */
+			bn_lsh(&(ctx->ep_v1[1]), &(ctx->prime), 2);
+			bn_sqr(&(ctx->ep_v1[0]), t);
+			bn_sub(&(ctx->ep_v1[1]), &(ctx->ep_v1[1]), &(ctx->ep_v1[0]));
+			bn_div_dig(&(ctx->ep_v1[1]), &(ctx->ep_v1[1]), 3);
+			/* v1 = ((t - c)/2 - 1, c), v2 = ((t + c)/2 + 1, 1 - (t - c)/2). */
+			bn_sub(&(ctx->ep_v1[0]), t, &(ctx->ep_v1[1]));
+			bn_hlv(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]));
+			bn_add(&(ctx->ep_v2[0]), t, &(ctx->ep_v1[1]));
+			bn_hlv(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]));
 			bn_add_dig(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), 1);
+			bn_neg(&(ctx->ep_v2[1]), &(ctx->ep_v1[0]));
+			bn_add_dig(&(ctx->ep_v2[1]), &(ctx->ep_v2[1]), 1);
+			bn_sub_dig(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), 1);
+			bn_copy(&(ctx->ep_v1[2]), &(ctx->ep_v1[1]));
+			bn_copy(&(ctx->ep_v1[1]), &(ctx->ep_v1[0]));
+			bn_copy(&(ctx->ep_v2[2]), &(ctx->ep_v2[1]));
+			bn_copy(&(ctx->ep_v2[1]), &(ctx->ep_v2[0]));
 		}
-		bn_neg(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]));
+			bn_gcd_ext_mid(&(ctx->ep_v1[1]), &(ctx->ep_v1[2]), &(ctx->ep_v2[1]),
+					&(ctx->ep_v2[2]), m, r);
+			/* m = (v1[1] * v2[2] - v1[2] * v2[1]) / 2. */
+			bn_mul(&(ctx->ep_v1[0]), &(ctx->ep_v1[1]), &(ctx->ep_v2[2]));
+			bn_mul(&(ctx->ep_v2[0]), &(ctx->ep_v1[2]), &(ctx->ep_v2[1]));
+			bn_sub(m, &(ctx->ep_v1[0]), &(ctx->ep_v2[0]));
+			bn_hlv(m, m);
+			/* v1[0] = round(v2[2] * 2^|n| / m). */
+			bn_lsh(&(ctx->ep_v1[0]), &(ctx->ep_v2[2]), bits + 1);
+			if (bn_sign(&(ctx->ep_v1[0])) == RLC_POS) {
+				bn_add(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), m);
+			} else {
+				bn_sub(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), m);
+			}
+			bn_dbl(m, m);
+			bn_div(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), m);
+			if (bn_sign(&ctx->ep_v1[0]) == RLC_NEG) {
+				bn_add_dig(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), 1);
+			}
+			/* v2[0] = round(v1[2] * 2^|n| / m). */
+			bn_lsh(&(ctx->ep_v2[0]), &(ctx->ep_v1[2]), bits + 1);
+			if (bn_sign(&(ctx->ep_v2[0])) == RLC_POS) {
+				bn_add(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), m);
+			} else {
+				bn_sub(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), m);
+			}
+			bn_div(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), m);
+			if (bn_sign(&ctx->ep_v2[0]) == RLC_NEG) {
+				bn_add_dig(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), 1);
+			}
+			bn_neg(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]));
 	} RLC_CATCH_ANY {
 		RLC_THROW(ERR_CAUGHT);
 	} RLC_FINALLY {
 		ep_free(p);
 		ep_free(q);
 		bn_free(m);
+		bn_free(n);
+		bn_free(t);
 	}
-
 #endif
 }