From 1fdd690c79d7ee1bfbca2fd042fa8c4f5343aa41 Mon Sep 17 00:00:00 2001 From: "Diego F. Aranha" Date: Sat, 28 Dec 2024 19:20:34 +0100 Subject: [PATCH] Simplify GLS interface. --- bench/bench_bn.c | 6 +- include/relic_ep.h | 4 +- src/bn/relic_bn_rec.c | 28 +++++--- src/ep/relic_ep_curve.c | 105 +++++++++++++++++------------ src/ep/relic_ep_mul.c | 135 +++++++++++++++----------------------- src/ep/relic_ep_mul_fix.c | 82 ++++++++++------------- src/ep/relic_ep_mul_sim.c | 55 +++------------- test/test_bn.c | 12 ++-- test/test_ep.c | 6 +- 9 files changed, 199 insertions(+), 234 deletions(-) diff --git a/bench/bench_bn.c b/bench/bench_bn.c index 85c36a03b..466e1d4e7 100644 --- a/bench/bench_bn.c +++ b/bench/bench_bn.c @@ -1000,9 +1000,11 @@ static void arith(void) { #if defined(WITH_EP) && defined(EP_ENDOM) && (EP_MUL == LWNAF || EP_FIX == COMBS || EP_FIX == LWNAF || EP_SIM == INTER || !defined(STRIP)) if (ep_param_set_any_endom() == RLC_OK) { + for (size_t i = 0; i < 3; i++) { + bn_copy(d[i], ep_curve_get_v1()[i]); + bn_copy(e[i], ep_curve_get_v2()[i]); + } BENCH_RUN("bn_rec_glv") { - ep_curve_get_v1(d); - ep_curve_get_v2(e); ep_curve_get_ord(c); bn_rand_mod(a, c); BENCH_ADD(bn_rec_glv(a, b, a, c, (const bn_t *)d, (const bn_t *)e)); diff --git a/include/relic_ep.h b/include/relic_ep.h index ffe8c41d5..821fb8b8f 100644 --- a/include/relic_ep.h +++ b/include/relic_ep.h @@ -540,12 +540,12 @@ dig_t *ep_curve_get_beta(void); /** * Returns the parameter V1 of the prime curve. */ -void ep_curve_get_v1(bn_t v[]); +const bn_t *ep_curve_get_v1(void); /** * Returns the parameter V2 of the prime curve. */ -void ep_curve_get_v2(bn_t v[]); +const bn_t *ep_curve_get_v2(void); /** * Returns a optimization identifier based on the a-coefficient of the curve. diff --git a/src/bn/relic_bn_rec.c b/src/bn/relic_bn_rec.c index 4e8bd7e07..69c46196f 100644 --- a/src/bn/relic_bn_rec.c +++ b/src/bn/relic_bn_rec.c 
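Review bot: The header comments for `ep_curve_get_v1`/`ep_curve_get_v2` still read "Returns the parameter V1 of the prime curve." although the contract changed from copy-out into a caller-owned array to returning a pointer into library-owned storage, and nothing says how long that pointer stays valid. I would replace the comment with `Returns a pointer to the three GLV parameters V1 of the current prime curve. The storage belongs to the core context: do not free or modify it, and treat it as stale once the curve parameters are set again.`, and add a `@return` line stating the element count, since every caller in this patch now indexes the result as `ep_curve_get_v1()[i]` for `i < 3`. The same wording applies to `ep_curve_get_v2`.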
@@ -30,6 +30,7 @@ */ #include "relic_core.h" +#include "relic_bn_low.h" /*============================================================================*/ /* Private definitions */ @@ -832,7 +833,7 @@ void bn_rec_glv(bn_t k0, bn_t k1, const bn_t k, const bn_t n, const bn_t *v1, const bn_t *v2) { bn_t t, b1, b2; int r1, r2; - size_t bits; + size_t bits = bn_bits(n), d = bits >> (RLC_DIG_LOG), b = bits % RLC_DIG; bn_null(b1); bn_null(b2); @@ -843,17 +844,26 @@ void bn_rec_glv(bn_t k0, bn_t k1, const bn_t k, const bn_t n, const bn_t *v1, bn_new(b2); bn_new(t); - bn_abs(t, k); - bits = bn_bits(n); - - bn_mul(b1, t, v1[0]); - r1 = bn_get_bit(b1, bits); - bn_rsh(b1, b1, bits + 1); + dv_zero(t->dp, RLC_BN_SIZE); + dv_copy(t->dp, k->dp, k->used); + + dv_zero(b1->dp, RLC_BN_SIZE); + dv_copy(b1->dp, v1[0]->dp, v1[0]->used); + b1->sign = v1[0]->sign; + b1->used = v1[0]->used; + + dv_zero(b2->dp, RLC_BN_SIZE); + t->used = k->used; + bn_mul(b1, b1, t); + r1 = (b1->dp[d] >> b) & (dig_t)1; + dv_rshd(b1->dp, b1->dp, RLC_BN_SIZE, d); + bn_rshb_low(b1->dp, b1->dp, RLC_BN_SIZE, b + 1); bn_add_dig(b1, b1, r1); bn_mul(b2, t, v2[0]); - r2 = bn_get_bit(b2, bits); - bn_rsh(b2, b2, bits + 1); + r2 = (b2->dp[d] >> b) & (dig_t)1; + dv_rshd(b2->dp, b2->dp, RLC_BN_SIZE, d); + bn_rshb_low(b2->dp, b2->dp, RLC_BN_SIZE, b + 1); bn_add_dig(b2, b2, r2); bn_mul(k0, b1, v1[1]); diff --git a/src/ep/relic_ep_curve.c b/src/ep/relic_ep_curve.c index 5c80e6fd2..ebb78d054 100644 --- a/src/ep/relic_ep_curve.c +++ b/src/ep/relic_ep_curve.c 
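Review bot: `bn_rshb_low(b1->dp, b1->dp, RLC_BN_SIZE, b + 1)` can be asked to shift by a whole digit: `b = bits % RLC_DIG` equals `RLC_DIG - 1` whenever `bn_bits(n)` is one short of a digit multiple, so `b + 1 == RLC_DIG`. The `bn_rsh(b1, b1, bits + 1)` it replaces accepted any amount, whereas the low-level routine, as far as I recall its implementation, applies `bits` directly to the digit type, which is undefined at the full width; the `b2` path a few lines below has the same shape. If that is the case the full-digit case should fold into the digit shift as sketched below for `b1` (mirror it for `b2`), or the function should document `bn_bits(n) % RLC_DIG != RLC_DIG - 1` as a precondition. Two smaller points in the same hunk: `t` receives `k->dp` through `dv_copy` but `t->sign` is never assigned, so the former `bn_abs(t, k)` behaviour now depends on whatever sign `bn_new` leaves in a fresh bignum, and `b1->used`/`b2->used` are not recomputed after the shifts, so `bn_add_dig` sees the pre-shift digit count, which is fine only if it trims.
```c
r1 = (b1->dp[d] >> b) & (dig_t)1;
if (b + 1 == RLC_DIG) {
	/* bits + 1 is exactly d + 1 whole digits: no sub-digit shift is needed. */
	dv_rshd(b1->dp, b1->dp, RLC_BN_SIZE, d + 1);
} else {
	dv_rshd(b1->dp, b1->dp, RLC_BN_SIZE, d);
	bn_rshb_low(b1->dp, b1->dp, RLC_BN_SIZE, b + 1);
}
bn_add_dig(b1, b1, r1);
/* … unchanged: same treatment for b2 … */
```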
@@ -272,18 +272,12 @@ dig_t *ep_curve_get_beta(void) { return core_get()->beta; } -void ep_curve_get_v1(bn_t v[]) { - ctx_t *ctx = core_get(); - for (int i = 0; i < 3; i++) { - bn_copy(v[i], &(ctx->ep_v1[i])); - } +const bn_t *ep_curve_get_v1(void) { + return (const bn_t *)core_get()->ep_v1; } -void ep_curve_get_v2(bn_t v[]) { - ctx_t *ctx = core_get(); - for (int i = 0; i < 3; i++) { - bn_copy(v[i], &(ctx->ep_v2[i])); - } +const bn_t *ep_curve_get_v2(void) { + return (const bn_t *)core_get()->ep_v2; } #endif @@ -443,16 +437,20 @@ void ep_curve_set_endom(const fp_t a, const fp_t b, const ep_t g, const bn_t r, /* Precompute endomorphism constants. */ #if EP_MUL == LWNAF || EP_FIX == COMBS || EP_FIX == LWNAF || EP_SIM == INTER || !defined(STRIP) ep_t p, q; - bn_t m; + bn_t m, n, t; ep_null(p); ep_null(q); bn_null(m); + bn_null(n); + bn_null(t); RLC_TRY { ep_new(p); ep_new(q); bn_new(m); + bn_new(n); + bn_new(t); /* Check if [m]P = \psi(P). */ fp_copy(ctx->beta, beta); 
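Review bot: `return (const bn_t *)core_get()->ep_v1;` reinterprets the context's `ep_v1` array as an array of `bn_t`; the removed code addressed its elements as `&(ctx->ep_v1[i])`, i.e. `ep_v1` is an array of `bn_st`. That cast is only sound when `bn_t` is the one-element array typedef, so that `sizeof(bn_t) == sizeof(bn_st)`; in the allocation mode where `bn_t` is a pointer typedef, `ep_curve_get_v1()[i]` would read `bn_st` storage as a pointer, something the old copy-out accessor never did. I would pin the assumption next to the cast, `_Static_assert(sizeof(bn_t) == sizeof(bn_st), "ep_curve_get_v1 relies on bn_t aliasing bn_st");`, or keep a copy-out variant under that configuration; `ep_curve_get_v2` has the same shape.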
@@ -478,45 +476,70 @@ void ep_curve_set_endom(const fp_t a, const fp_t b, const ep_t g, const bn_t r, RLC_THROW(ERR_NO_VALID); } } - bn_gcd_ext_mid(&(ctx->ep_v1[1]), &(ctx->ep_v1[2]), &(ctx->ep_v2[1]), - &(ctx->ep_v2[2]), m, r); - /* m = (v1[1] * v2[2] - v1[2] * v2[1]) / 2. */ - bn_mul(&(ctx->ep_v1[0]), &(ctx->ep_v1[1]), &(ctx->ep_v2[2])); - bn_mul(&(ctx->ep_v2[0]), &(ctx->ep_v1[2]), &(ctx->ep_v2[1])); - bn_sub(m, &(ctx->ep_v1[0]), &(ctx->ep_v2[0])); - bn_hlv(m, m); - /* v1[0] = round(v2[2] * 2^|n| / m). */ - bn_lsh(&(ctx->ep_v1[0]), &(ctx->ep_v2[2]), bits + 1); - if (bn_sign(&(ctx->ep_v1[0])) == RLC_POS) { - bn_add(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), m); - } else { - bn_sub(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), m); - } - bn_dbl(m, m); - bn_div(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), m); - if (bn_sign(&ctx->ep_v1[0]) == RLC_NEG) { - bn_add_dig(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), 1); - } - /* v2[0] = round(v1[2] * 2^|n| / m). */ - bn_lsh(&(ctx->ep_v2[0]), &(ctx->ep_v1[2]), bits + 1); - if (bn_sign(&(ctx->ep_v2[0])) == RLC_POS) { - bn_add(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), m); - } else { - bn_sub(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), m); - } - bn_div(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), m); - if (bn_sign(&ctx->ep_v2[0]) == RLC_NEG) { + if (fp_is_zero(a)) { + /* Compute trace of Frobenius t = (p + 1) - n. */ + bn_mul(n, r, h); + bn_add_dig(t, &(ctx->prime), 1); + bn_sub(t, t, n); + /* c = (4q - t^2)/3. */ + bn_lsh(&(ctx->ep_v1[1]), &(ctx->prime), 2); + bn_sqr(&(ctx->ep_v1[0]), t); + bn_sub(&(ctx->ep_v1[1]), &(ctx->ep_v1[1]), &(ctx->ep_v1[0])); + bn_div_dig(&(ctx->ep_v1[1]), &(ctx->ep_v1[1]), 3); + /* v1 = ((t - c)/2 - 1, c), v2 = ((t + c)/2 + 1, 1 - (t - c)/2). 
*/ + bn_sub(&(ctx->ep_v1[0]), t, &(ctx->ep_v1[1])); + bn_hlv(&(ctx->ep_v1[0]), &(ctx->ep_v1[0])); + bn_add(&(ctx->ep_v2[0]), t, &(ctx->ep_v1[1])); + bn_hlv(&(ctx->ep_v2[0]), &(ctx->ep_v2[0])); bn_add_dig(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), 1); + bn_neg(&(ctx->ep_v2[1]), &(ctx->ep_v1[0])); + bn_add_dig(&(ctx->ep_v2[1]), &(ctx->ep_v2[1]), 1); + bn_sub_dig(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), 1); + bn_copy(&(ctx->ep_v1[2]), &(ctx->ep_v1[1])); + bn_copy(&(ctx->ep_v1[1]), &(ctx->ep_v1[0])); + bn_copy(&(ctx->ep_v2[2]), &(ctx->ep_v2[1])); + bn_copy(&(ctx->ep_v2[1]), &(ctx->ep_v2[0])); } - bn_neg(&(ctx->ep_v2[0]), &(ctx->ep_v2[0])); + bn_gcd_ext_mid(&(ctx->ep_v1[1]), &(ctx->ep_v1[2]), &(ctx->ep_v2[1]), + &(ctx->ep_v2[2]), m, r); + /* m = (v1[1] * v2[2] - v1[2] * v2[1]) / 2. */ + bn_mul(&(ctx->ep_v1[0]), &(ctx->ep_v1[1]), &(ctx->ep_v2[2])); + bn_mul(&(ctx->ep_v2[0]), &(ctx->ep_v1[2]), &(ctx->ep_v2[1])); + bn_sub(m, &(ctx->ep_v1[0]), &(ctx->ep_v2[0])); + bn_hlv(m, m); + /* v1[0] = round(v2[2] * 2^|n| / m). */ + bn_lsh(&(ctx->ep_v1[0]), &(ctx->ep_v2[2]), bits + 1); + if (bn_sign(&(ctx->ep_v1[0])) == RLC_POS) { + bn_add(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), m); + } else { + bn_sub(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), m); + } + bn_dbl(m, m); + bn_div(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), m); + if (bn_sign(&ctx->ep_v1[0]) == RLC_NEG) { + bn_add_dig(&(ctx->ep_v1[0]), &(ctx->ep_v1[0]), 1); + } + /* v2[0] = round(v1[2] * 2^|n| / m). */ + bn_lsh(&(ctx->ep_v2[0]), &(ctx->ep_v1[2]), bits + 1); + if (bn_sign(&(ctx->ep_v2[0])) == RLC_POS) { + bn_add(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), m); + } else { + bn_sub(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), m); + } + bn_div(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), m); + if (bn_sign(&ctx->ep_v2[0]) == RLC_NEG) { + bn_add_dig(&(ctx->ep_v2[0]), &(ctx->ep_v2[0]), 1); + } + bn_neg(&(ctx->ep_v2[0]), &(ctx->ep_v2[0])); } RLC_CATCH_ANY { RLC_THROW(ERR_CAUGHT); } RLC_FINALLY { ep_free(p); ep_free(q); bn_free(m); + bn_free(n); + bn_free(t); } - #endif } 
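Review bot: As the hunk reads, the closed-form parameters computed under `if (fp_is_zero(a))` are overwritten immediately: after the closing brace the `bn_gcd_ext_mid(&(ctx->ep_v1[1]), ...)` call and the `v1[0]`/`v2[0]` rounding run unconditionally and rewrite all six `ep_v1`/`ep_v2` entries, so the new branch only adds work. Either the Euclidean block belongs in an `else` (`} else {` in place of the bare `}` after the four `bn_copy` calls, plus a matching `}` before `RLC_CATCH_ANY`) or the trace-based branch is not needed; if an `else` was lost in the rendering of this patch, disregard this. Two things to confirm here: the `#endif` deleted at the end of the function has no counterpart added in this patch while the `#if EP_MUL == LWNAF || ...` guard stays in the earlier hunk, and `h` in `bn_mul(n, r, h)` does not appear in the part of the `ep_curve_set_endom` signature visible in the hunk headers, so I assume it is the cofactor parameter. ep_curve_set_endom starts before this hunk.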
diff --git a/src/ep/relic_ep_mul.c b/src/ep/relic_ep_mul.c index 5e554cfc5..692035db5 100644 --- a/src/ep/relic_ep_mul.c +++ b/src/ep/relic_ep_mul.c @@ -42,19 +42,19 @@ static void ep_mul_glv_imp(ep_t r, const ep_t p, const bn_t k) { int i, n0, n1, s0, s1; int8_t naf0[RLC_FP_BITS + 1], naf1[RLC_FP_BITS + 1], *t0, *t1; - bn_t n, _k, k0, k1, v1[3], v2[3]; + bn_t n, m, k0, k1; ep_t q, t[1 << (RLC_WIDTH - 2)]; size_t l, l0, l1; bn_null(n); - bn_null(_k); + bn_null(m); bn_null(k0); bn_null(k1); ep_null(q); RLC_TRY { bn_new(n); - bn_new(_k); + bn_new(m); bn_new(k0); bn_new(k1); ep_new(q); @@ -62,19 +62,10 @@ static void ep_mul_glv_imp(ep_t r, const ep_t p, const bn_t k) { ep_null(t[i]); ep_new(t[i]); } - for (i = 0; i < 3; i++) { - bn_null(v1[i]); - bn_null(v2[i]); - bn_new(v1[i]); - bn_new(v2[i]); - } ep_curve_get_ord(n); - ep_curve_get_v1(v1); - ep_curve_get_v2(v2); - - bn_mod(_k, k, n); - bn_rec_glv(k0, k1, _k, n, (const bn_t *)v1, (const bn_t *)v2); + bn_mod(m, k, n); + bn_rec_glv(k0, k1, m, n, ep_curve_get_v1(), ep_curve_get_v2()); s0 = bn_sign(k0); s1 = bn_sign(k1); @@ -128,7 +119,7 @@ static void ep_mul_glv_imp(ep_t r, const ep_t p, const bn_t k) { } RLC_FINALLY { bn_free(n); - bn_free(_k); + bn_free(m); bn_free(k0); bn_free(k1); bn_free(n) @@ -136,10 +127,6 @@ static void ep_mul_glv_imp(ep_t r, const ep_t p, const bn_t k) { for (i = 0; i < 1 << (RLC_WIDTH - 2); i++) { ep_free(t[i]); } - for (i = 0; i < 3; i++) { - bn_free(v1[i]); - bn_free(v2[i]); - } } } @@ -151,15 +138,15 @@ static void ep_mul_naf_imp(ep_t r, const ep_t p, const bn_t k) { /* Some of the supported prime curves have order > field. */ int8_t u, naf[RLC_FP_BITS + 2]; ep_t t[1 << (RLC_WIDTH - 2)]; - bn_t _k, n; + bn_t m, n; size_t l; bn_null(n); - bn_null(_k); + bn_null(m); RLC_TRY { bn_new(n); - bn_new(_k); + bn_new(m); /* Prepare the precomputation table. */ for (int i = 0; i < (1 << (RLC_WIDTH - 2)); i++) { ep_null(t[i]); 
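Review bot: The `RLC_FINALLY` of `ep_mul_glv_imp` (hunk `@@ -128`) releases `n` twice — `bn_free(n); bn_free(m); bn_free(k0); bn_free(k1); bn_free(n)` — and the cleanup of `ep_mul_reg_glv` (hunk `@@ -327`, further down) repeats the pattern. The duplicate predates this patch and is benign only if `bn_free` resets its argument in every allocation mode; since these lines are being rewritten anyway, the trailing `bn_free(n)` should go in both places. The `_k` → `m` rename is applied consistently in this file, but `m` is never explained; a comment at the `bn_mod(m, k, n)` in the functions that reduce the scalar, `/* m = k mod n, the reduced scalar that is actually recoded. */`, would tell readers why `k` is not used directly.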
@@ -167,14 +154,14 @@ static void ep_mul_naf_imp(ep_t r, const ep_t p, const bn_t k) { } ep_curve_get_ord(n); - bn_mod(_k, k, n); + bn_mod(m, k, n); /* Compute the precomputation table. */ ep_tab(t, p, RLC_WIDTH); /* Compute the w-NAF representation of k. */ l = RLC_FP_BITS + 2; - bn_rec_naf(naf, &l, _k, RLC_WIDTH); + bn_rec_naf(naf, &l, m, RLC_WIDTH); ep_set_infty(r); for (int i = l - 1; i >= 0; i--) { @@ -195,7 +182,7 @@ static void ep_mul_naf_imp(ep_t r, const ep_t p, const bn_t k) { } RLC_FINALLY { bn_free(n); - bn_free(_k); + bn_free(m); /* Free the precomputation table. */ for (int i = 0; i < (1 << (RLC_WIDTH - 2)); i++) { ep_free(t[i]); @@ -211,21 +198,21 @@ static void ep_mul_naf_imp(ep_t r, const ep_t p, const bn_t k) { static void ep_mul_reg_glv(ep_t r, const ep_t p, const bn_t k) { int8_t reg[2][RLC_FP_BITS + 1], s[2], b[2], c0, c1, n0, n1; - bn_t n, _k[2], v1[3], v2[3]; + bn_t n, m[2]; ep_t q, t[1 << (RLC_WIDTH - 2)], u, w; size_t l; bn_null(n); - bn_null(_k[0]); - bn_null(_k[1]); + bn_null(m[0]); + bn_null(m[1]); ep_null(q); ep_null(u); ep_null(w); RLC_TRY { bn_new(n); - bn_new(_k[0]); - bn_new(_k[1]); + bn_new(m[0]); + bn_new(m[1]); ep_new(q); ep_new(u); ep_new(w); @@ -234,25 +221,15 @@ static void ep_mul_reg_glv(ep_t r, const ep_t p, const bn_t k) { ep_null(t[i]); ep_new(t[i]); } - for (size_t i = 0; i < 3; i++) { - bn_null(v1[i]); - bn_null(v2[i]); - bn_new(v1[i]); - bn_new(v2[i]); - } ep_curve_get_ord(n); - ep_curve_get_v1(v1); - ep_curve_get_v2(v2); - - bn_mod(_k[0], k, n); - - bn_rec_glv(_k[0], _k[1], _k[0], n, (const bn_t *)v1, (const bn_t *)v2); + bn_mod(m[0], k, n); + bn_rec_glv(m[0], m[1], m[0], n, ep_curve_get_v1(), ep_curve_get_v2()); for (size_t i = 0; i < 2; i++) { - s[i] = bn_sign(_k[i]); - bn_abs(_k[i], _k[i]); - b[i] = bn_is_even(_k[i]); - _k[i]->dp[0] |= b[i]; + s[i] = bn_sign(m[i]); + bn_abs(m[i], m[i]); + b[i] = bn_is_even(m[i]); + m[i]->dp[0] |= b[i]; } ep_norm(t[0], p); 
@@ -261,9 +238,9 @@ static void ep_mul_reg_glv(ep_t r, const ep_t p, const bn_t k) { ep_tab(t, q, RLC_WIDTH); l = RLC_FP_BITS + 1; - bn_rec_reg(reg[0], &l, _k[0], bn_bits(n) >> 1, RLC_WIDTH); + bn_rec_reg(reg[0], &l, m[0], bn_bits(n) >> 1, RLC_WIDTH); l = RLC_FP_BITS + 1; - bn_rec_reg(reg[1], &l, _k[1], bn_bits(n) >> 1, RLC_WIDTH); + bn_rec_reg(reg[1], &l, m[1], bn_bits(n) >> 1, RLC_WIDTH); #if defined(EP_MIXED) fp_set_dig(u->z, 1); @@ -327,8 +304,8 @@ static void ep_mul_reg_glv(ep_t r, const ep_t p, const bn_t k) { } RLC_FINALLY { bn_free(n); - bn_free(_k[0]); - bn_free(_k[1]); + bn_free(m[0]); + bn_free(m[1]); bn_free(n); ep_free(q); ep_free(u); @@ -336,10 +313,6 @@ static void ep_mul_reg_glv(ep_t r, const ep_t p, const bn_t k) { for (size_t i = 0; i < 1 << (RLC_WIDTH - 2); i++) { ep_free(t[i]); } - for (size_t i = 0; i < 3; i++) { - bn_free(v1[i]); - bn_free(v2[i]); - } } } @@ -348,16 +321,16 @@ static void ep_mul_reg_glv(ep_t r, const ep_t p, const bn_t k) { #if defined(EP_PLAIN) || defined(EP_SUPER) static void ep_mul_reg_imp(ep_t r, const ep_t p, const bn_t k) { - bn_t _k; + bn_t m; int i, j, n; int8_t s, reg[1 + RLC_CEIL(RLC_FP_BITS + 1, RLC_WIDTH - 1)]; ep_t t[1 << (RLC_WIDTH - 2)], u, v; size_t l; - bn_null(_k); + bn_null(m); RLC_TRY { - bn_new(_k); + bn_new(m); ep_new(u); ep_new(v); /* Prepare the precomputation table. */ @@ -368,16 +341,16 @@ static void ep_mul_reg_imp(ep_t r, const ep_t p, const bn_t k) { /* Compute the precomputation table. */ ep_tab(t, p, RLC_WIDTH); - ep_curve_get_ord(_k); - n = bn_bits(_k); + ep_curve_get_ord(m); + n = bn_bits(m); /* Make a copy of the scalar for processing. */ - bn_abs(_k, k); - _k->dp[0] |= 1; + bn_abs(m, k); + m->dp[0] |= 1; /* Compute the regular w-NAF representation of k. */ l = RLC_CEIL(n, RLC_WIDTH - 1) + 1; - bn_rec_reg(reg, &l, _k, n, RLC_WIDTH); + bn_rec_reg(reg, &l, m, n, RLC_WIDTH); #if defined(EP_MIXED) fp_set_dig(u->z, 1); 
@@ -424,7 +397,7 @@ static void ep_mul_reg_imp(ep_t r, const ep_t p, const bn_t k) { for (i = 0; i < (1 << (RLC_WIDTH - 2)); i++) { ep_free(t[i]); } - bn_free(_k); + bn_free(m); ep_free(u); ep_free(v); } @@ -496,7 +469,7 @@ void ep_mul_basic(ep_t r, const ep_t p, const bn_t k) { #if EP_MUL == SLIDE || !defined(STRIP) void ep_mul_slide(ep_t r, const ep_t p, const bn_t k) { - bn_t _k, n; + bn_t m, n; ep_t t[1 << (RLC_WIDTH - 1)], q; uint8_t win[RLC_FP_BITS + 1]; size_t l; @@ -508,11 +481,11 @@ void ep_mul_slide(ep_t r, const ep_t p, const bn_t k) { ep_null(q); bn_null(n); - bn_null(_k); + bn_null(m); RLC_TRY { bn_new(n); - bn_new(_k); + bn_new(m); for (size_t i = 0; i < (1 << (RLC_WIDTH - 1)); i ++) { ep_null(t[i]); ep_new(t[i]); @@ -527,7 +500,7 @@ void ep_mul_slide(ep_t r, const ep_t p, const bn_t k) { #endif ep_curve_get_ord(n); - bn_mod(_k, k, n); + bn_mod(m, k, n); /* Create table. */ for (size_t i = 1; i < (1 << (RLC_WIDTH - 1)); i++) { @@ -540,7 +513,7 @@ void ep_mul_slide(ep_t r, const ep_t p, const bn_t k) { ep_set_infty(q); l = RLC_FP_BITS + 1; - bn_rec_slw(win, &l, _k, RLC_WIDTH); + bn_rec_slw(win, &l, m, RLC_WIDTH); for (size_t i = 0; i < l; i++) { if (win[i] == 0) { ep_dbl(q, q); @@ -559,7 +532,7 @@ void ep_mul_slide(ep_t r, const ep_t p, const bn_t k) { } RLC_FINALLY { bn_free(n); - bn_free(_k); + bn_free(m); for (size_t i = 0; i < (1 << (RLC_WIDTH - 1)); i++) { ep_free(t[i]); } @@ -573,12 +546,12 @@ void ep_mul_slide(ep_t r, const ep_t p, const bn_t k) { void ep_mul_monty(ep_t r, const ep_t p, const bn_t k) { ep_t t[2]; - bn_t n, l, _k; + bn_t n, l, m; size_t bits; bn_null(n); bn_null(l); - bn_null(_k); + bn_null(m); ep_null(t[0]); ep_null(t[1]); 
@@ -590,15 +563,15 @@ void ep_mul_monty(ep_t r, const ep_t p, const bn_t k) { RLC_TRY { bn_new(n); bn_new(l); - bn_new(_k); + bn_new(m); ep_new(t[0]); ep_new(t[1]); ep_curve_get_ord(n); bits = bn_bits(n); - bn_mod(_k, k, n); - bn_abs(l, _k); + bn_mod(m, k, n); + bn_abs(l, m); bn_add(l, l, n); bn_add(n, l, n); dv_swap_sec(l->dp, n->dp, RLC_MAX(l->used, n->used), @@ -631,7 +604,7 @@ void ep_mul_monty(ep_t r, const ep_t p, const bn_t k) { RLC_FINALLY { bn_free(n); bn_free(l); - bn_free(_k); + bn_free(m); ep_free(t[1]); ep_free(t[0]); } @@ -710,12 +683,12 @@ void ep_mul_gen(ep_t r, const bn_t k) { void ep_mul_dig(ep_t r, const ep_t p, dig_t k) { ep_t t; - bn_t _k; + bn_t m; int8_t u, naf[RLC_DIG + 1]; size_t l; ep_null(t); - bn_null(_k); + bn_null(m); if (k == 0 || ep_is_infty(p)) { ep_set_infty(r); @@ -724,12 +697,12 @@ void ep_mul_dig(ep_t r, const ep_t p, dig_t k) { RLC_TRY { ep_new(t); - bn_new(_k); + bn_new(m); - bn_set_dig(_k, k); + bn_set_dig(m, k); l = RLC_DIG + 1; - bn_rec_naf(naf, &l, _k, 2); + bn_rec_naf(naf, &l, m, 2); ep_set_infty(t); for (int i = l - 1; i >= 0; i--) { @@ -750,6 +723,6 @@ void ep_mul_dig(ep_t r, const ep_t p, dig_t k) { } RLC_FINALLY { ep_free(t); - bn_free(_k); + bn_free(m); } } diff --git a/src/ep/relic_ep_mul_fix.c b/src/ep/relic_ep_mul_fix.c index cb7dcbe56..ba1d66722 100644 --- a/src/ep/relic_ep_mul_fix.c +++ b/src/ep/relic_ep_mul_fix.c 
@@ -95,35 +95,27 @@ static void ep_mul_fix_plain(ep_t r, const ep_t *t, const bn_t k) { */ static void ep_mul_combs_endom(ep_t r, const ep_t *t, const bn_t k) { int i, j, l, w0, w1, n0, n1, p0, p1, s0, s1; - bn_t n, _k, k0, k1, v1[3], v2[3]; + bn_t n, m, k0, k1; ep_t u; bn_null(n); - bn_null(_k); + bn_null(m); bn_null(k0); bn_null(k1); ep_null(u); RLC_TRY { bn_new(n); - bn_new(_k); + bn_new(m); bn_new(k0); bn_new(k1); ep_new(u); - for (i = 0; i < 3; i++) { - bn_null(v1[i]); - bn_null(v2[i]); - bn_new(v1[i]); - bn_new(v2[i]); - } ep_curve_get_ord(n); - ep_curve_get_v1(v1); - ep_curve_get_v2(v2); l = RLC_CEIL(bn_bits(n), (2 * RLC_DEPTH)); - bn_mod(_k, k, n); - bn_rec_glv(k0, k1, _k, n, (const bn_t *)v1, (const bn_t *)v2); + bn_mod(m, k, n); + bn_rec_glv(k0, k1, m, n, ep_curve_get_v1(), ep_curve_get_v2()); s0 = bn_sign(k0); s1 = bn_sign(k1); bn_abs(k0, k0); @@ -181,14 +173,10 @@ static void ep_mul_combs_endom(ep_t r, const ep_t *t, const bn_t k) { } RLC_FINALLY { bn_free(n); - bn_free(_k); + bn_free(m); bn_free(k0); bn_free(k1); ep_free(u); - for (i = 0; i < 3; i++) { - bn_free(v1[i]); - bn_free(v2[i]); - } } } @@ -205,27 +193,27 @@ static void ep_mul_combs_endom(ep_t r, const ep_t *t, const bn_t k) { */ static void ep_mul_combs_plain(ep_t r, const ep_t *t, const bn_t k) { int i, j, l, w, n0, p0, p1; - bn_t n, _k; + bn_t n, m; bn_null(n); - bn_null(_k); + bn_null(m); RLC_TRY { bn_new(n); - bn_new(_k); + bn_new(m); ep_curve_get_ord(n); l = RLC_CEIL(bn_bits(n), RLC_DEPTH); - bn_mod(_k, k, n); - n0 = bn_bits(_k); + bn_mod(m, k, n); + n0 = bn_bits(m); p0 = (RLC_DEPTH) * l - 1; w = 0; p1 = p0--; for (j = RLC_DEPTH - 1; j >= 0; j--, p1 -= l) { w = w << 1; - if (p1 < n0 && bn_get_bit(_k, p1)) { + if (p1 < n0 && bn_get_bit(m, p1)) { w = w | 1; } } 
@@ -238,7 +226,7 @@ static void ep_mul_combs_plain(ep_t r, const ep_t *t, const bn_t k) { p1 = p0--; for (j = RLC_DEPTH - 1; j >= 0; j--, p1 -= l) { w = w << 1; - if (p1 < n0 && bn_get_bit(_k, p1)) { + if (p1 < n0 && bn_get_bit(m, p1)) { w = w | 1; } } @@ -253,7 +241,7 @@ static void ep_mul_combs_plain(ep_t r, const ep_t *t, const bn_t k) { } RLC_FINALLY { bn_free(n); - bn_free(_k); + bn_free(m); } } @@ -293,7 +281,7 @@ void ep_mul_pre_basic(ep_t *t, const ep_t p) { } void ep_mul_fix_basic(ep_t r, const ep_t *t, const bn_t k) { - bn_t n, _k; + bn_t n, m; if (bn_is_zero(k)) { ep_set_infty(r); @@ -301,18 +289,18 @@ void ep_mul_fix_basic(ep_t r, const ep_t *t, const bn_t k) { } bn_null(n); - bn_null(_k); + bn_null(m); RLC_TRY { bn_new(n); - bn_new(_k); + bn_new(m); ep_curve_get_ord(n); - bn_mod(_k, k, n); + bn_mod(m, k, n); ep_set_infty(r); - for (int i = 0; i < bn_bits(_k); i++) { - if (bn_get_bit(_k, i)) { + for (int i = 0; i < bn_bits(m); i++) { + if (bn_get_bit(m, i)) { ep_add(r, r, t[i]); } } @@ -321,7 +309,7 @@ void ep_mul_fix_basic(ep_t r, const ep_t *t, const bn_t k) { RLC_THROW(ERR_CAUGHT); } RLC_FINALLY { bn_free(n); - bn_free(_k); + bn_free(m); } } @@ -443,7 +431,7 @@ void ep_mul_pre_combd(ep_t *t, const ep_t p) { void ep_mul_fix_combd(ep_t r, const ep_t *t, const bn_t k) { int i, j, d, e, w0, w1, n0, p0, p1; - bn_t n, _k; + bn_t n, m; if (bn_is_zero(k)) { ep_set_infty(r); @@ -451,19 +439,19 @@ void ep_mul_fix_combd(ep_t r, const ep_t *t, const bn_t k) { } bn_null(n); - bn_null(_k); + bn_null(m); RLC_TRY { bn_new(n); - bn_new(_k); + bn_new(m); ep_curve_get_ord(n); d = RLC_CEIL(bn_bits(n), RLC_DEPTH); e = (d % 2 == 0 ? (d / 2) : (d / 2) + 1); - bn_mod(_k, k, n); + bn_mod(m, k, n); ep_set_infty(r); - n0 = bn_bits(_k); + n0 = bn_bits(m); p1 = (e - 1) + (RLC_DEPTH - 1) * d; for (i = e - 1; i >= 0; i--) { 
@@ -473,7 +461,7 @@ void ep_mul_fix_combd(ep_t r, const ep_t *t, const bn_t k) { p0 = p1; for (j = RLC_DEPTH - 1; j >= 0; j--, p0 -= d) { w0 = w0 << 1; - if (p0 < n0 && bn_get_bit(_k, p0)) { + if (p0 < n0 && bn_get_bit(m, p0)) { w0 = w0 | 1; } } @@ -482,7 +470,7 @@ void ep_mul_fix_combd(ep_t r, const ep_t *t, const bn_t k) { p0 = p1-- + e; for (j = RLC_DEPTH - 1; j >= 0; j--, p0 -= d) { w1 = w1 << 1; - if (i + e < d && p0 < n0 && bn_get_bit(_k, p0)) { + if (i + e < d && p0 < n0 && bn_get_bit(m, p0)) { w1 = w1 | 1; } } @@ -497,7 +485,7 @@ void ep_mul_fix_combd(ep_t r, const ep_t *t, const bn_t k) { } RLC_FINALLY { bn_free(n); - bn_free(_k); + bn_free(m); } } @@ -510,7 +498,7 @@ void ep_mul_pre_lwnaf(ep_t *t, const ep_t p) { } void ep_mul_fix_lwnaf(ep_t r, const ep_t *t, const bn_t k) { - bn_t n, _k; + bn_t n, m; if (bn_is_zero(k)) { ep_set_infty(r); @@ -518,20 +506,20 @@ void ep_mul_fix_lwnaf(ep_t r, const ep_t *t, const bn_t k) { } bn_null(n); - bn_null(_k); + bn_null(m); RLC_TRY { bn_new(n); - bn_new(_k); + bn_new(m); ep_curve_get_ord(n); - bn_mod(_k, k, n); - ep_mul_fix_plain(r, t, _k); + bn_mod(m, k, n); + ep_mul_fix_plain(r, t, m); } RLC_CATCH_ANY { RLC_THROW(ERR_CAUGHT); } RLC_FINALLY { bn_free(n); - bn_free(_k); + bn_free(m); } } diff --git a/src/ep/relic_ep_mul_sim.c b/src/ep/relic_ep_mul_sim.c index 9f6cacdb3..b8e22484b 100644 --- a/src/ep/relic_ep_mul_sim.c +++ b/src/ep/relic_ep_mul_sim.c @@ -58,7 +58,6 @@ static void ep_mul_sim_endom(ep_t r, const ep_t p, const bn_t k, const ep_t q, int8_t naf0[RLC_FP_BITS + 1], naf1[RLC_FP_BITS + 1], *t0, *t1, u; int8_t naf2[RLC_FP_BITS + 1], naf3[RLC_FP_BITS + 1], *t2, *t3; bn_t n, k0, k1, m0, m1; - bn_t v1[3], v2[3]; ep_t v; ep_t tab0[1 << (RLC_WIDTH - 2)]; ep_t tab1[1 << (RLC_WIDTH - 2)]; 
@@ -84,24 +83,14 @@ static void ep_mul_sim_endom(ep_t r, const ep_t p, const bn_t k, const ep_t q, bn_new(m1); ep_new(v); - for (i = 0; i < 3; i++) { - bn_null(v1[i]); - bn_null(v2[i]); - bn_new(v1[i]); - bn_new(v2[i]); - } - ep_curve_get_ord(n); - ep_curve_get_v1(v1); - ep_curve_get_v2(v2); - - bn_rec_glv(k0, k1, k, n, (const bn_t *)v1, (const bn_t *)v2); + bn_rec_glv(k0, k1, k, n, ep_curve_get_v1(), ep_curve_get_v2()); sk0 = bn_sign(k0); sk1 = bn_sign(k1); bn_abs(k0, k0); bn_abs(k1, k1); - bn_rec_glv(m0, m1, m, n, (const bn_t *)v1, (const bn_t *)v2); + bn_rec_glv(m0, m1, m, n, ep_curve_get_v1(), ep_curve_get_v2()); sl0 = bn_sign(m0); sl1 = bn_sign(m1); bn_abs(m0, m0); @@ -247,10 +236,6 @@ static void ep_mul_sim_endom(ep_t r, const ep_t p, const bn_t k, const ep_t q, for (i = 0; i < 1 << (RLC_WIDTH - 2); i++) { ep_free(tab1[i]); } - for (i = 0; i < 3; i++) { - bn_free(v1[i]); - bn_free(v2[i]); - } } } @@ -266,7 +251,7 @@ static void ep_mul_sim_endom(ep_t r, const ep_t p, const bn_t k, const ep_t q, void ep_mul_sim_lot_endom(ep_t r, const ep_t p[], const bn_t k[], int n) { const int len = RLC_FP_BITS + 1; int i, j, m, sk; - bn_t _k[2], q, v1[3], v2[3]; + bn_t _k[2], q; int8_t ptr, *naf = RLC_ALLOCA(int8_t, 2 * n * len); size_t l, _l[2]; @@ -289,23 +274,15 @@ void ep_mul_sim_lot_endom(ep_t r, const ep_t p[], const bn_t k[], int n) { ep_new(_p[i]); } - for (i = 0; i < 3; i++) { - bn_null(v1[i]); - bn_null(v2[i]); - bn_new(v1[i]); - bn_new(v2[i]); - } - l = 0; ep_curve_get_ord(q); - ep_curve_get_v1(v1); - ep_curve_get_v2(v2); for (i = 0; i < n; i++) { ep_norm(_p[2*i], p[i]); ep_psi(_p[2*i + 1], _p[2*i]); bn_mod(_k[0], k[i], q); sk = bn_sign(_k[0]); - bn_rec_glv(_k[0], _k[1], _k[0], q, (const bn_t *)v1, (const bn_t *)v2); + bn_rec_glv(_k[0], _k[1], _k[0], q, + ep_curve_get_v1(), ep_curve_get_v2()); if (sk == RLC_NEG) { bn_neg(_k[0], _k[0]); bn_neg(_k[1], _k[1]); 
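Review bot: The `_k` → `m` rename applied in relic_ep_mul.c and relic_ep_mul_fix.c stops at `ep_mul_sim_lot_endom`, which keeps `bn_t _k[2], q;` (alongside `_l` and `_p`); `m` is already an `int` index there, so a different name would be needed, but leaving one function on the old convention is worth a follow-up. Separately, `ep_mul_sim_endom` passes `k` and `m` to `bn_rec_glv` without a preceding `bn_mod` by `n`, unlike every other call site touched by this patch; if its callers do not guarantee reduced scalars, the recoding's bit test at position `bn_bits(n)` operates on an unreduced product, which was already true before but is easier to see now. Both enclosing function bodies start before these hunks.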
@@ -346,10 +323,6 @@ void ep_mul_sim_lot_endom(ep_t r, const ep_t p[], const bn_t k[], int n) { } RLC_FREE(_p); RLC_FREE(naf); - for (i = 0; i < 3; i++) { - bn_free(v1[i]); - bn_free(v2[i]); - } } } else { const int w = RLC_MAX(2, util_bits_dig(n) - 2), c = (1 << (w - 2)); @@ -378,21 +351,14 @@ void ep_mul_sim_lot_endom(ep_t r, const ep_t p[], const bn_t k[], int n) { ep_set_infty(_p[i*c + j]); } } - for (i = 0; i < 3; i++) { - bn_null(v1[i]); - bn_null(v2[i]); - bn_new(v1[i]); - bn_new(v2[i]); - } l = 0; ep_curve_get_ord(q); - ep_curve_get_v1(v1); - ep_curve_get_v2(v2); for (i = 0; i < n; i++) { bn_mod(_k[0], k[i], q); sk = bn_sign(_k[0]); - bn_rec_glv(_k[0], _k[1], _k[0], q, (const bn_t *)v1, (const bn_t *)v2); + bn_rec_glv(_k[0], _k[1], _k[0], q, + ep_curve_get_v1(), ep_curve_get_v2()); if (sk == RLC_NEG) { bn_neg(_k[0], _k[0]); bn_neg(_k[1], _k[1]); @@ -420,7 +386,8 @@ void ep_mul_sim_lot_endom(ep_t r, const ep_t p[], const bn_t k[], int n) { ptr = -ptr; ep_neg(t, t); } - ep_add(_p[m*c + (ptr >> 1)], _p[m*c + (ptr >> 1)], t); + ptr >>= 1; + ep_add(_p[m*c + ptr], _p[m*c + ptr], t); } } } @@ -462,10 +429,6 @@ void ep_mul_sim_lot_endom(ep_t r, const ep_t p[], const bn_t k[], int n) { } RLC_FREE(_p); RLC_FREE(naf); - for (i = 0; i < 3; i++) { - bn_free(v1[i]); - bn_free(v2[i]); - } } } } diff --git a/test/test_bn.c b/test/test_bn.c index f15f6883d..8c4e4c7fc 100644 --- a/test/test_bn.c +++ b/test/test_bn.c @@ -2243,8 +2243,10 @@ static int recoding(void) { #if defined(WITH_EP) && defined(EP_ENDOM) && (EP_MUL == LWNAF || EP_FIX == COMBS || EP_FIX == LWNAF || EP_SIM == INTER || !defined(STRIP)) TEST_CASE("glv recoding is correct") { if (ep_param_set_any_endom() == RLC_OK) { - ep_curve_get_v1(v1); - ep_curve_get_v2(v2); + for (size_t i = 0; i < 3; i++) { + bn_copy(v1[i], ep_curve_get_v1()[i]); + bn_copy(v2[i], ep_curve_get_v2()[i]); + } ep_curve_get_ord(b); bn_rand_mod(a, b); bn_rec_glv(b, c, a, b, (const bn_t *)v1, (const bn_t *)v2); 
@@ -2286,8 +2288,10 @@ static int recoding(void) { size_t l = RLC_BN_BITS; int8_t ptr[2 * RLC_BN_BITS] = { 0 }; if (ep_param_set_any_endom() == RLC_OK) { - ep_curve_get_v1(v1); - ep_curve_get_v2(v2); + for (size_t i = 0; i < 3; i++) { + bn_copy(v1[i], ep_curve_get_v1()[i]); + bn_copy(v2[i], ep_curve_get_v2()[i]); + } ep_curve_get_ord(b); bn_rand_mod(a, b); bn_rec_glv(b, c, a, b, (const bn_t *)v1, (const bn_t *)v2); diff --git a/test/test_ep.c b/test/test_ep.c index 63952a3a5..391943a84 100644 --- a/test/test_ep.c +++ b/test/test_ep.c @@ -499,8 +499,10 @@ static int endomorphism(void) { #if defined(EP_ENDOM) if (ep_curve_is_endom()) { /* Recover lambda parameter. */ - ep_curve_get_v1(v1); - ep_curve_get_v2(v2); + for (size_t i = 0; i < 3; i++) { + bn_copy(v1[i], ep_curve_get_v1()[i]); + bn_copy(v2[i], ep_curve_get_v2()[i]); + } ep_curve_get_ord(v2[0]); if (bn_cmp_dig(v1[2], 1) == RLC_EQ) { bn_gcd_ext(v1[0], v2[1], NULL, v1[1], v2[0]);