diff --git a/src/epx/relic_ep2_mul.c b/src/epx/relic_ep2_mul.c index 3e9e95bb8..5533c5cb9 100644 --- a/src/epx/relic_ep2_mul.c +++ b/src/epx/relic_ep2_mul.c @@ -44,19 +44,19 @@ static void ep2_mul_gls_imp(ep2_t r, const ep2_t p, const bn_t k) { size_t l, _l[4]; bn_t n, _k[4], u; int8_t naf[4][RLC_FP_BITS + 1]; - ep2_t q[4], t[4][1 << (RLC_WIDTH - 2)]; + ep2_t q, t[4][1 << (RLC_WIDTH - 2)]; bn_null(n); bn_null(u); + ep2_null(q); RLC_TRY { bn_new(n); bn_new(u); + ep2_new(q); for (size_t i = 0; i < 4; i++) { bn_null(_k[i]); - ep2_null(q[i]); bn_new(_k[i]); - ep2_new(q[i]); for (size_t j = 0; j < (1 << (RLC_WIDTH - 2)); j++) { ep2_null(t[i][j]); ep2_new(t[i][j]); @@ -68,21 +68,17 @@ static void ep2_mul_gls_imp(ep2_t r, const ep2_t p, const bn_t k) { bn_mod(_k[0], k, n); bn_rec_frb(_k, 4, _k[0], u, n, ep_curve_is_pairf() == EP_BN); - ep2_norm(q[0], p); - ep2_frb(q[1], q[0], 1); - ep2_frb(q[2], q[1], 1); - ep2_frb(q[3], q[2], 1); - l = 0; for (size_t i = 0; i < 4; i++) { _l[i] = RLC_FP_BITS + 1; bn_rec_naf(naf[i], &_l[i], _k[i], RLC_WIDTH); l = RLC_MAX(l, _l[i]); if (i == 0) { + ep2_norm(q, p); if (bn_sign(_k[0]) == RLC_NEG) { - ep2_neg(q[0], q[0]); + ep2_neg(q, q); } - ep2_tab(t[0], q[0], RLC_WIDTH); + ep2_tab(t[0], q, RLC_WIDTH); } else { for (size_t j = 0; j < (1 << (RLC_WIDTH - 2)); j++) { ep2_frb(t[i][j], t[i - 1][j], 1); @@ -116,9 +112,9 @@ static void ep2_mul_gls_imp(ep2_t r, const ep2_t p, const bn_t k) { RLC_FINALLY { bn_free(n); bn_free(u); + ep2_free(q); for (size_t i = 0; i < 4; i++) { bn_free(_k[i]); - ep2_free(q[i]); for (size_t j = 0; j < (1 << (RLC_WIDTH - 2)); j++) { ep2_free(t[i][j]); } diff --git a/src/pc/relic_pc_exp.c b/src/pc/relic_pc_exp.c index 05d854385..22fc69fbf 100644 --- a/src/pc/relic_pc_exp.c +++ b/src/pc/relic_pc_exp.c @@ -114,21 +114,20 @@ static void gt_psi(gt_t c, const gt_t a) { * @param[in] b - the exponent. * @param[in] f - the maximum Frobenius power. */ -void gt_exp_imp(gt_t c, const gt_t a, const bn_t b, size_t f) { - int8_t c0, n0, *reg = RLC_ALLOCA(int8_t, f * (RLC_FP_BITS + 1)); - int8_t *e = RLC_ALLOCA(int8_t, f), *s = RLC_ALLOCA(int8_t, f); - gt_t q, w, *t = RLC_ALLOCA(gt_t, f * RLC_GT_TABLE); +void gt_exp_gls_imp(gt_t c, const gt_t a, const bn_t b, size_t f) { + int8_t *naf = RLC_ALLOCA(int8_t, f * (RLC_FP_BITS + 1)); + int8_t n0, *s = RLC_ALLOCA(int8_t, f); + gt_t q, *t = RLC_ALLOCA(gt_t, f * RLC_GT_TABLE); bn_t n, u, *_b = RLC_ALLOCA(bn_t, f); - size_t l, len, *_l = RLC_ALLOCA(size_t, f); + size_t l, *_l = RLC_ALLOCA(size_t, f); - if (reg == NULL || e == NULL || t == NULL || _b == NULL || _l == NULL) { + if (naf == NULL || t == NULL || _b == NULL || _l == NULL) { RLC_THROW(ERR_NO_MEMORY); return; } if (bn_is_zero(b)) { - RLC_FREE(reg); - RLC_FREE(e); + RLC_FREE(naf); RLC_FREE(s); RLC_FREE(t); RLC_FREE(_b); @@ -139,13 +138,11 @@ void gt_exp_imp(gt_t c, const gt_t a, const bn_t b, size_t f) { bn_null(n); bn_null(u); gt_null(q); - gt_null(w); RLC_TRY { bn_new(n); bn_new(u); gt_new(q); - gt_new(w); for (size_t i = 0; i < f; i++) { bn_null(_b[i]); bn_new(_b[i]); @@ -171,16 +168,11 @@ void gt_exp_imp(gt_t c, const gt_t a, const bn_t b, size_t f) { bn_rec_frb(_b, f, _b[0], u, n, ep_curve_is_pairf() == EP_BN); l = 0; - len = bn_bits(u) + (ep_curve_is_pairf() == EP_BN); gt_copy(t[0], a); for (size_t i = 0; i < f; i++) { s[i] = bn_sign(_b[i]); - bn_abs(_b[i], _b[i]); - e[i] = bn_is_even(_b[i]); - _b[i]->dp[0] |= e[i]; - _l[i] = RLC_FP_BITS + 1; - bn_rec_reg(reg + i * (RLC_FP_BITS + 1), &_l[i], _b[i], len, RLC_WIDTH); + bn_rec_naf(naf + i * (RLC_FP_BITS + 1), &_l[i], _b[i], RLC_WIDTH); l = RLC_MAX(l, _l[i]); /* Apply Frobenius before flipping sign to build table. */ if (i > 0) { @@ -188,48 +180,43 @@ void gt_exp_imp(gt_t c, const gt_t a, const bn_t b, size_t f) { } } - for (size_t i = 0; i < f; i++) { - gt_inv(q, t[i * RLC_GT_TABLE]); - gt_copy_sec(q, t[i * RLC_GT_TABLE], s[i] == RLC_POS); - if (RLC_WIDTH > 2) { - gt_sqr(t[i * RLC_GT_TABLE], q); - gt_mul(t[i * RLC_GT_TABLE + 1], t[i * RLC_GT_TABLE], q); - for (size_t j = 2; j < RLC_GT_TABLE; j++) { - gt_mul(t[i * RLC_GT_TABLE + j], t[i * RLC_GT_TABLE + j - 1], - t[i * (RLC_GT_TABLE)]); + gt_copy(q, a); + if (s[0] == RLC_NEG) { + gt_inv(q, q); + } + if (RLC_WIDTH > 2) { + gt_sqr(t[0], q); + gt_mul(t[1], t[0], q); + for (size_t j = 2; j < RLC_GT_TABLE; j++) { + gt_mul(t[j], t[j - 1], t[0]); + } + } + gt_copy(t[0], q); + for (size_t i = 1; i < f; i++) { + for (size_t j = 0; j < RLC_GT_TABLE; j++) { + gt_frb(t[i * RLC_GT_TABLE + j], + t[(i - 1) * RLC_GT_TABLE + j], 1); + if (s[i] != s[i - 1]) { + gt_inv(t[i * RLC_GT_TABLE + j], t[i * RLC_GT_TABLE + j]); } } - gt_copy(t[i * RLC_GT_TABLE], q); } gt_set_unity(c); for (int j = l - 1; j >= 0; j--) { - for (size_t i = 0; i < RLC_WIDTH - 1; i++) { - gt_sqr(c, c); - } + gt_sqr(c, c); for (size_t i = 0; i < f; i++) { - n0 = reg[i * (RLC_FP_BITS + 1) + j]; - c0 = (n0 >> 7); - n0 = ((n0 ^ c0) - c0) >> 1; - - for (size_t m = 0; m < RLC_GT_TABLE; m++) { - gt_copy_sec(w, t[i * RLC_GT_TABLE + m], m == n0); + n0 = naf[i * (RLC_FP_BITS + 1) + j]; + if (n0 > 0) { + gt_mul(c, c, t[i * RLC_GT_TABLE + n0 / 2]); + } + if (n0 < 0) { + gt_inv(q, t[i * RLC_GT_TABLE - n0 / 2]); + gt_mul(c, c, q); } - - gt_inv(q, w); - gt_copy_sec(q, w, c0 == 0); - gt_mul(c, c, q); - } } - - for (size_t i = 0; i < f; i++) { - /* Tables are built with points already negated, so no need here. */ - gt_inv(q, t[i * RLC_GT_TABLE]); - gt_mul(q, c, q); - gt_copy_sec(c, q, e[i]); - } } RLC_CATCH_ANY { RLC_THROW(ERR_CAUGHT); @@ -238,15 +225,13 @@ void gt_exp_imp(gt_t c, const gt_t a, const bn_t b, size_t f) { bn_free(n); bn_free(u); gt_free(q); - gt_free(w); for (size_t i = 0; i < f; i++) { bn_free(_b[i]); for (size_t j = 0; j < RLC_GT_TABLE; j++) { gt_free(t[i * RLC_GT_TABLE + j]); } } - RLC_FREE(reg); - RLC_FREE(e); + RLC_FREE(naf); RLC_FREE(s); RLC_FREE(t); RLC_FREE(_b); @@ -254,11 +239,6 @@ void gt_exp_imp(gt_t c, const gt_t a, const bn_t b, size_t f) { } } -/** - * Size of a precomputation table using the double-table comb method. - */ -#define RLC_GT_TABLE (1 << (RLC_WIDTH - 2)) - /** * Exponentiates an element from G_T in constant time. * @@ -267,20 +247,21 @@ void gt_exp_imp(gt_t c, const gt_t a, const bn_t b, size_t f) { * @param[in] b - the exponent. * @param[in] f - the maximum Frobenius power. */ -void gt_exp_gls_imp(gt_t c, const gt_t a, const bn_t b, size_t f) { - int8_t *naf = RLC_ALLOCA(int8_t, f * (RLC_FP_BITS + 1)); - int8_t n0, *s = RLC_ALLOCA(int8_t, f); - gt_t q, *t = RLC_ALLOCA(gt_t, f * RLC_GT_TABLE); +void gt_exp_reg_gls(gt_t c, const gt_t a, const bn_t b, size_t f) { + int8_t c0, n0, *reg = RLC_ALLOCA(int8_t, f * (RLC_FP_BITS + 1)); + int8_t *e = RLC_ALLOCA(int8_t, f), *s = RLC_ALLOCA(int8_t, f); + gt_t q, w, *t = RLC_ALLOCA(gt_t, f * RLC_GT_TABLE); bn_t n, u, *_b = RLC_ALLOCA(bn_t, f); - size_t l, *_l = RLC_ALLOCA(size_t, f); + size_t l, len, *_l = RLC_ALLOCA(size_t, f); - if (naf == NULL || t == NULL || _b == NULL || _l == NULL) { + if (reg == NULL || e == NULL || t == NULL || _b == NULL || _l == NULL) { RLC_THROW(ERR_NO_MEMORY); return; } if (bn_is_zero(b)) { - RLC_FREE(naf); + RLC_FREE(reg); + RLC_FREE(e); RLC_FREE(s); RLC_FREE(t); RLC_FREE(_b); @@ -291,11 +272,13 @@ void gt_exp_gls_imp(gt_t c, const gt_t a, const bn_t b, size_t f) { bn_null(n); bn_null(u); gt_null(q); + gt_null(w); RLC_TRY { bn_new(n); bn_new(u); gt_new(q); + gt_new(w); for (size_t i = 0; i < f; i++) { bn_null(_b[i]); bn_new(_b[i]); @@ -321,49 +304,66 @@ void gt_exp_gls_imp(gt_t c, const gt_t a, const bn_t b, size_t f) { bn_rec_frb(_b, f, _b[0], u, n, ep_curve_is_pairf() == EP_BN); l = 0; - gt_copy(t[0], a); + len = bn_bits(u) + (ep_curve_is_pairf() == EP_BN); for (size_t i = 0; i < f; i++) { s[i] = bn_sign(_b[i]); - bn_abs(_b[i], _b[i]); + e[i] = bn_is_even(_b[i]); + _b[i]->dp[0] |= e[i]; _l[i] = RLC_FP_BITS + 1; - bn_rec_naf(naf + i * (RLC_FP_BITS + 1), &_l[i], _b[i], RLC_WIDTH); + bn_rec_reg(reg + i * (RLC_FP_BITS + 1), &_l[i], _b[i], len, RLC_WIDTH); l = RLC_MAX(l, _l[i]); - /* Apply Frobenius before flipping sign to build table. */ - if (i > 0) { - gt_psi(t[i * RLC_GT_TABLE], t[(i - 1) * RLC_GT_TABLE]); - } } - for (size_t i = 0; i < f; i++) { - gt_inv(q, t[i * RLC_GT_TABLE]); - gt_copy_sec(q, t[i * RLC_GT_TABLE], s[i] == RLC_POS); - if (RLC_WIDTH > 2) { - gt_sqr(t[i * RLC_GT_TABLE], q); - gt_mul(t[i * RLC_GT_TABLE + 1], t[i * RLC_GT_TABLE], q); - for (size_t j = 2; j < RLC_GT_TABLE; j++) { - gt_mul(t[i * RLC_GT_TABLE + j], t[i * RLC_GT_TABLE + j - 1], - t[i * (RLC_GT_TABLE)]); + gt_copy(t[0], a); + gt_inv(q, t[0]); + gt_copy_sec(q, t[0], s[0] == RLC_POS); + if (RLC_WIDTH > 2) { + gt_sqr(t[0], q); + gt_mul(t[1], t[0], q); + for (size_t j = 2; j < RLC_GT_TABLE; j++) { + gt_mul(t[j], t[j - 1], t[0]); + } + } + gt_copy(t[0], q); + for (size_t i = 1; i < f; i++) { + for (size_t j = 0; j < RLC_GT_TABLE; j++) { + gt_frb(t[i * RLC_GT_TABLE + j], + t[(i - 1) * RLC_GT_TABLE + j], 1); + if (s[i] != s[i - 1]) { + gt_inv(t[i * RLC_GT_TABLE + j], t[i * RLC_GT_TABLE + j]); } } - gt_copy(t[i * RLC_GT_TABLE], q); } gt_set_unity(c); for (int j = l - 1; j >= 0; j--) { - gt_sqr(c, c); + for (size_t i = 0; i < RLC_WIDTH - 1; i++) { + gt_sqr(c, c); + } for (size_t i = 0; i < f; i++) { - n0 = naf[i * (RLC_FP_BITS + 1) + j]; - if (n0 > 0) { - gt_mul(c, c, t[i * RLC_GT_TABLE + n0 / 2]); - } - if (n0 < 0) { - gt_inv(q, t[i * RLC_GT_TABLE - n0 / 2]); - gt_mul(c, c, q); + n0 = reg[i * (RLC_FP_BITS + 1) + j]; + c0 = (n0 >> 7); + n0 = ((n0 ^ c0) - c0) >> 1; + + for (size_t m = 0; m < RLC_GT_TABLE; m++) { + gt_copy_sec(w, t[i * RLC_GT_TABLE + m], m == n0); } + + gt_inv(q, w); + gt_copy_sec(q, w, c0 == 0); + gt_mul(c, c, q); + } } + + for (size_t i = 0; i < f; i++) { + /* Tables are built with points already negated, so no need here. */ + gt_inv(q, t[i * RLC_GT_TABLE]); + gt_mul(q, c, q); + gt_copy_sec(c, q, e[i]); + } } RLC_CATCH_ANY { RLC_THROW(ERR_CAUGHT); @@ -372,13 +372,15 @@ void gt_exp_gls_imp(gt_t c, const gt_t a, const bn_t b, size_t f) { bn_free(n); bn_free(u); gt_free(q); + gt_free(w); for (size_t i = 0; i < f; i++) { bn_free(_b[i]); for (size_t j = 0; j < RLC_GT_TABLE; j++) { gt_free(t[i * RLC_GT_TABLE + j]); } } - RLC_FREE(naf); + RLC_FREE(reg); + RLC_FREE(e); RLC_FREE(s); RLC_FREE(t); RLC_FREE(_b); @@ -522,7 +524,7 @@ void gt_exp_sec(gt_t c, const gt_t a, const bn_t b) { } #if FP_PRIME <= 1536 - gt_exp_imp(c, a, b, ep_curve_frdim()); + gt_exp_reg_gls(c, a, b, ep_curve_frdim()); #else RLC_CAT(RLC_GT_LOWER, exp_monty)(c, a, b); #endif