Fixes to the formulas.

relic-toolkit · Mar 14, 2024 · 42143dd · 42143dd
1 parent a22aec2
commit 42143dd
Show file tree

Hide file tree

Showing 3 changed files with 76 additions and 111 deletions.
diff --git a/include/relic_core.h b/include/relic_core.h
@@ -278,7 +278,7 @@ typedef struct _ctx_t {
 	/** The distinguished non-square used by the mapping function */
 	fp_st ep_map_u;
 	/** Precomputed constants for hashing. */
-	fp_st ep_map_c[7];
+	fp_st ep_map_c[5];
 #ifdef EP_ENDOM
 	fp_st beta;
 #if EP_MUL == LWNAF || EP_FIX == COMBS || EP_FIX == LWNAF || EP_SIM == INTER || !defined(STRIP)

diff --git a/src/ep/relic_ep_curve.c b/src/ep/relic_ep_curve.c
@@ -91,8 +91,6 @@ static void ep_curve_set_map(void) {
 	dig_t *c2 = ctx->ep_map_c[2];
 	dig_t *c3 = ctx->ep_map_c[3];
 	dig_t *c4 = ctx->ep_map_c[4];
-	dig_t *c5 = ctx->ep_map_c[5];
-	dig_t *c6 = ctx->ep_map_c[6];
 
 	RLC_TRY {
 		bn_new(t);
@@ -173,47 +171,11 @@ static void ep_curve_set_map(void) {
 			fp_mul_dig(c3, c3, 4); /* c3 *= 4 */
 		}
 
-		/* if b = 0, precompute constants. */
-		if (ep_curve_opt_b() == RLC_ZERO) {
-			dig_t r = 0;
-
-			fp_set_dig(c4, -fp_prime_get_qnr());
-			fp_neg(c4, c4);
-
-			bn_read_raw(t, fp_prime_get(), RLC_FP_DIGS);
-			bn_sub_dig(t, t, 1);
-			bn_rsh(t, t, 2);
-			fp_exp(c5, c4, t);
-
-			bn_read_raw(t, fp_prime_get(), RLC_FP_DIGS);
-			if ((t->dp[0] & 0xF) == 5) {
-				/* n = (3p + 1)/16 */
-				bn_mul_dig(t, t, 3);
-				bn_add_dig(t, t, 1);
-				r = 1;
-			} else {
-				/* n = (p + 3)/16 */
-				bn_add_dig(t, t, 3);
-				r = 3;
-			}
-			bn_rsh(t, t, 4);
-			/* Compute d = 1/c^n. */
-			fp_exp(c4, c4, t);
-			fp_inv(c4, c4);
-			fp_exp_dig(c5, c5, r);
-			/* Compute 1/sqrt(-1) as well. */
-			fp_set_dig(c6, 1);
-			fp_neg(c6, c6);
-			fp_srt(c6, c6);
-		}
-
 		/* If a = 0, precompute and store a square root of -3. */
-		if (ep_curve_opt_a() == RLC_ZERO) {
-			fp_set_dig(c4, 3);
-			fp_neg(c4, c4);
-			if (!fp_srt(c4, c4)) {
-				RLC_THROW(ERR_NO_VALID);
-			}
+		fp_set_dig(c4, 3);
+		fp_neg(c4, c4);
+		if (!fp_srt(c4, c4)) {
+			RLC_THROW(ERR_NO_VALID);
 		}
 	}
 	RLC_CATCH_ANY {

diff --git a/src/ep/relic_ep_map.c b/src/ep/relic_ep_map.c
@@ -291,8 +291,6 @@ void ep_map_swift(ep_t p, const uint8_t *msg, size_t len) {
 		fp_copy(a, ep_curve_get_a());
 
 		if (ep_curve_opt_b() == RLC_ZERO) {
-			fp_set_dig(u, 1);
-			fp_set_dig(t, 2);
 			fp_sqr(a, u);
 			fp_sqr(b, a);
 			fp_mul(c, b, a);
@@ -309,10 +307,10 @@ void ep_map_swift(ep_t p, const uint8_t *msg, size_t len) {
 
 			fp_sqr(w, b);
 			fp_mul(y, v, a);
-			fp_add(y, y, d);
-			fp_add(y, y, d);
-			fp_add(y, y, d);
-			fp_add(y, y, d);
+			fp_add(y, y, c);
+			fp_add(y, y, c);
+			fp_add(y, y, c);
+			fp_add(y, y, c);
 			fp_mul(y, y, p->x);
 
 			fp_add(den[0], c, v);
@@ -330,69 +328,74 @@ void ep_map_swift(ep_t p, const uint8_t *msg, size_t len) {
 			fp_mul(den[2], den[2], b);
 			fp_mul(den[2], den[2], d);
 
-			fp_inv_sim(den, den, 3);
-			fp_dbl(a, a);
-			fp_dbl(a, a);
-			fp_dbl(a, a);
-			fp_dbl(a, a);
-			fp_add(y1, a, v);
-			fp_dbl(y1, y1);
-			fp_dbl(y1, y1);
-			fp_add(y1, y1, w);
-			fp_mul(z1, y, p->x);
-			fp_add(x1, x1, z1);
-			fp_add(y1, y1, y);
-			fp_add(z1, a, b);
-			fp_add(z1, z1, b);
-			fp_add(z1, z1, b);
-			fp_add(z1, z1, b);
-			fp_dbl(t, z1);
-			fp_add(z1, z1, t);
-			fp_add(z1, z1, c);
-			fp_sub(z1, z1, v);
-			fp_mul(z1, z1, v);
-			fp_dbl(a, a);
-			fp_dbl(a, a);
-			fp_dbl(a, a);
-			fp_add(a, a, w);
-			fp_mul(u, a, b);
-			fp_sub(z1, u, z1);
-			fp_set_dig(d, 64);
-			fp_sqr(d, d);
-			fp_add(z1, z1, d);
-
-			fp_mul(x1, x1, den[0]);
-			fp_mul(y1, y1, den[1]);
-			fp_mul(z1, z1, den[2]);
-
-			fp_sqr(t, x1);
-			fp_add_dig(t, t, 1);
-			fp_mul(t, t, x1);
-			fp_sqr(u, y1);
-			fp_add_dig(u, u, 1);
-			fp_mul(u, u, y1);
-			fp_sqr(v, z1);
-			fp_add_dig(v, v, 1);
-			fp_mul(v, v, z1);
-
-			int c2 = fp_is_sqr(u);
-			int c3 = fp_is_sqr(v);
-
-			dv_swap_cond(t, u, RLC_FP_DIGS, c2);
-			dv_swap_cond(x1, y1, RLC_FP_DIGS, c2);
-			dv_swap_cond(t, v, RLC_FP_DIGS, c3);
-			dv_swap_cond(x1, z1, RLC_FP_DIGS, c3);
-
-			if (!fp_srt(t, t)) {
-				RLC_THROW(ERR_NO_VALID);
-			}
-			fp_neg(u, t);
-			dv_swap_cond(t, u, RLC_FP_DIGS, fp_is_even(t) ^ s);
+			if (fp_is_zero(den[0]) || fp_is_zero(den[1]) || fp_is_zero(den[2])) {
+				ep_set_infty(p);
+			} else {
+				fp_inv_sim(den, den, 3);
+				fp_dbl(a, a);
+				fp_dbl(a, a);
+				fp_dbl(a, a);
+				fp_dbl(a, a);
+				fp_add(y1, a, v);
+				fp_dbl(y1, y1);
+				fp_dbl(y1, y1);
+				fp_add(y1, y1, w);
+				fp_mul(z1, y, p->x);
+				fp_add(x1, y1, z1);
+				fp_add(y1, y1, y);
+
+				fp_add(z1, a, b);
+				fp_add(z1, z1, b);
+				fp_add(z1, z1, b);
+				fp_add(z1, z1, b);
+				fp_dbl(t, z1);
+				fp_add(z1, z1, t);
+				fp_sub(z1, c, z1);
+				fp_sub(z1, z1, v);
+				fp_mul(z1, z1, v);
+				fp_dbl(a, a);
+				fp_dbl(a, a);
+				fp_dbl(a, a);
+				fp_add(a, a, w);
+				fp_mul(u, a, b);
+				fp_sub(z1, u, z1);
+				fp_set_dig(d, 64);
+				fp_sqr(d, d);
+				fp_add(z1, z1, d);
+
+				fp_mul(x1, x1, den[0]);
+				fp_mul(y1, y1, den[1]);
+				fp_mul(z1, z1, den[2]);
+
+				fp_sqr(t, x1);
+				fp_add_dig(t, t, 1);
+				fp_mul(t, t, x1);
+				fp_sqr(u, y1);
+				fp_add_dig(u, u, 1);
+				fp_mul(u, u, y1);
+				fp_sqr(v, z1);
+				fp_add_dig(v, v, 1);
+				fp_mul(v, v, z1);
 
-			fp_copy(p->x, x1);
-			fp_copy(p->y, t);
-			fp_set_dig(p->z, 1);
-			p->coord = BASIC;
+				int c2 = fp_is_sqr(u);
+				int c3 = fp_is_sqr(v);
+
+				dv_swap_cond(t, u, RLC_FP_DIGS, c2);
+				dv_swap_cond(x1, y1, RLC_FP_DIGS, c2);
+				dv_swap_cond(t, v, RLC_FP_DIGS, c3);
+				dv_swap_cond(x1, z1, RLC_FP_DIGS, c3);
+
+				if (!fp_srt(t, t)) {
+					RLC_THROW(ERR_NO_VALID);
+				}
+				fp_neg(u, t);
+				dv_swap_cond(t, u, RLC_FP_DIGS, fp_is_even(t) ^ s);
+
+				fp_copy(p->x, x1);
+				fp_copy(p->y, t);
+				fp_set_dig(p->z, 1);
+				p->coord = BASIC;
+			}
 		} else {
 			/* This is the SwiftEC case per se. */
 			if (ep_curve_opt_a() != RLC_ZERO) {