Cleanup and membership testing for FM18.

src/epx/relic_ep3_curve.c

@@ -109,7 +109,7 @@
 #define FM18_P768_Y1		"87A1EEC340AB26B14EBE6F2056CE339553090C95A0653432428B62FE34BCCA238F0D067B8E8F2345BC2F46DE68493C75C2ED07C5F2D9B29A6BF9FA730D1C78582819735D7FED671B03C359DECC81765A8A8E1DD16C87801FC3FC40176FB55C5C"
 #define FM18_P768_Y2		"DFE9CABA0A20C5FB26091329C60716EC027B828A173120F1AC7BAA5336E97348B26071A022DC0352074F0EA581F63632B6BBBBE9F06CE2762F66087D50D7DB9C96B0192E30F4406104F5D53DCC922A40AEA7600FD79AFB7E2A83350A4D0AD74A"
 #define FM18_P768_R			"FFFFFFF27FA00045F4380E5F9EE3795E88D88C72E7B408B61E4CA1FB2558E7C336F40FAAEC98807AF3600C06C0300001"
-#define FM18_P768_H			"FFFFFFBC7E20087CAA5905F0B82ABB93AF7E81A53882226042648999C855F369B72CECF33CAFCEE57D8E28C84A08805B59DE451E30AC535A4DD982BCD28F9915B40B200C183FEEB08DC7E199BD1C0BC98FB2653657500B21B5876AA05AA4870EF344801BFE0329F91259BB407D680660A83C30FD7B152124C532AE9C1834BB5967AA84FD428CC94EDE0BBF89981839AC28D48E78F22A4695C2C0CC996FFAF415B9B684B1B2427CAA3EE14D0B8463A431ACC81B81F156C21F6B157D8BE3DCB1E0459DE473AC6EFAF4BD9EBBC861C799A4F9EF7D445FB243587315E11A04E4BF85CBE901BA1273F2C229293D5102400004"
+#define FM18_P768_H			"FFFFFFBC7E20087CAA5905F0B82ABB93AF7E81A53882226042648999C855F369B72CECF33CAFCEE57D8E28C84A08805B59DE451E30AC535A4DD982BCD28F9915B40B200C183FEEB08DC7E199BD1C0BC98FB2653657500B21B5876AA05AA4870EF344801BFE0329F91259BB407D680660A83C30FD7B152124C532AE9C1834BB5967AA84FD428CC94EDE0BBF89981839AB28D48E93F2EA45539030933B28949C5EA287BBE39E92B7641ABED52EC449C1F8561BF845845AF977FFF07688C87D2320CF7D4DDBA602142190F32D2FCD0DFB975E2FF266BD2130ABC252AC90AFF19B742F92924F46054CE84DB1865E82A00003"
 /** @} */
 #endif
 

src/epx/relic_ep3_mul_cof.c

@@ -134,6 +134,7 @@ static void ep3_mul_cof_k18(ep3_t r, const ep3_t p) {
 		ep3_dbl(t4, t4);
 		/* r = [5u+18, u^3+3u^2+1, -3u^2-8u, -3u+1, -u^2-2, u^2+5u]. */
 		ep3_add(r, t4, t3);
+		ep3_norm(r, r);
 	} RLC_CATCH_ANY {
 		RLC_THROW(ERR_CAUGHT);
 	} RLC_FINALLY {
@@ -202,6 +203,86 @@ static void ep3_mul_cof_sg18(ep3_t r, const ep3_t p) {
 		ep3_dbl(t4, t0);
 		ep3_frb(t4, t4, 3);
 		ep3_sub(r, t3, t4);
+		ep3_norm(r, r);
+	} RLC_CATCH_ANY {
+		RLC_THROW(ERR_CAUGHT);
+	} RLC_FINALLY {
+		ep3_free(t0);
+		ep3_free(t1);
+		ep3_free(t2);
+		ep3_free(t3);
+		ep3_free(t4);
+		bn_free(x);
+	}
+}
+
+/**
+ * Multiplies a point by the cofactor in a Fotiadis-Mardindale curve.
+ *
+ * @param[out] r			- the result.
+ * @param[in] p				- the point to multiply.
+ */
+static void ep3_mul_cof_fm18(ep3_t r, const ep3_t p) {
+	ep3_t t0, t1, t2, t3, t4;
+	bn_t x;
+
+	ep3_null(t0);
+	ep3_null(t1);
+	ep3_null(t2);
+	ep3_null(t3);
+	ep3_null(t4);
+	bn_null(x);
+
+	RLC_TRY {
+		ep3_new(t0);
+		ep3_new(t1);
+		ep3_new(t2);
+		ep3_new(t3);
+		ep3_new(t4);
+		bn_new(x);
+
+		/* Vector computed by Guillevic's MAGMA script:
+		[2*x*(x+2)/3, x^3-(x+2)/3, -2*x^2*(x+2)/3, -x*(x^3+(x+2)/3), 2*(x+2)/3, x^2*(x^3+(x+2)/3)-1] */
+		fp_prime_get_par(x);
+
+		/* t0 = [(x+2)/3]P, t1 = [x]P. */
+		bn_add_dig(x, x, 2);
+		bn_div_dig(x, x, 3);
+		ep3_mul_basic(t0, p, x);
+		ep3_dbl(t1, t0);
+		ep3_add(t1, t1, t0);
+		ep3_dbl(t2, p);
+		ep3_sub(t1, t1, t2);
+
+		/* Compute t2 = [x*(x+2)/3]P, t1 = [3*x*(x+2)/3-2x]P = [x^2]P. */
+		fp_prime_get_par(x);
+		ep3_frb(t3, t0, 4);
+		ep3_mul_basic(t2, t0, x);
+		ep3_add(t3, t3, t2);
+		ep3_dbl(t4, t2);
+		ep3_add(t4, t4, t2);
+		ep3_dbl(t1, t1);
+		ep3_sub(t1, t4, t1);
+		ep3_norm(t1, t1);
+		/* Compute t2 = [x^2*(x+2)/3]P, */
+		ep3_mul_basic(t2, t2, x);
+		ep3_frb(t4, t2, 2);
+		ep3_sub(t3, t3, t4);
+		ep3_dbl(t3, t3);
+		ep3_mul_basic(t2, t1, x);
+		ep3_sub(t4, t2, t0);
+		ep3_frb(t4, t4, 1);
+		ep3_add(t3, t3, t4);
+		ep3_add(t4, t2, t0);
+		ep3_norm(t4, t4);
+		ep3_mul_basic(t2, t4, x);
+		ep3_frb(t4, t2, 3);
+		ep3_sub(t3, t3, t4);
+		ep3_mul_basic(t2, t2, x);
+		ep3_sub(t2, t2, p);
+		ep3_frb(t2, t2, 5);
+		ep3_add(t3, t3, t2);
+		ep3_norm(r, t3);
 	} RLC_CATCH_ANY {
 		RLC_THROW(ERR_CAUGHT);
 	} RLC_FINALLY {
@@ -231,6 +312,9 @@ void ep3_mul_cof(ep3_t r, const ep3_t p) {
 			case EP_SG18:
 				ep3_mul_cof_sg18(r, p);
 				break;
+			case EP_FM18:
+				ep3_mul_cof_fm18(r, p);
+				break;
 			default:
 				/* Now, multiply by cofactor to get the correct group. */
 				ep3_curve_get_cof(k);

src/pc/relic_pc_util.c

@@ -56,7 +56,7 @@ void gt_rand(gt_t a) {
 	pp_exp_k24(a, a);
 #elif FP_PRIME == 330 || FP_PRIME == 765 || FP_PRIME == 766
 	pp_exp_k16(a, a);
-#elif FP_PRIME == 508 || FP_PRIME == 638 && !defined(FP_QNRES)
+#elif FP_PRIME == 508 || FP_PRIME == 768 || FP_PRIME == 638 && !defined(FP_QNRES)
 	pp_exp_k18(a, a);
 #else
 	pp_exp_k12(a, a);
@@ -292,6 +292,7 @@ int g2_is_valid(const g2_t a) {
 		g2_new(v);
 		g2_new(w);
 
+		fp_prime_get_par(n);
 		switch (ep_curve_is_pairf()) {
 #if defined(EP_ENDOM) && !defined(STRIP)
 			/* Formulas from "Co-factor clearing and subgroup membership
@@ -319,7 +320,6 @@ int g2_is_valid(const g2_t a) {
 			 * https://eprint.iacr.org/2022/348.pdf */
 			case EP_BN:
 				/*Check that [z+1]P+[z]\psi(P)+[z]\psi^2(P)=[2z]\psi^3(P)*/
-				fp_prime_get_par(n);
 				g2_mul_any(u, a, n);
 				g2_frb(v, u, 1);
 				g2_add(u, u, a);
@@ -333,7 +333,6 @@ int g2_is_valid(const g2_t a) {
 			/* If u is even, check that [u*p^3]P = P
 			 * else check [p^5]P = [u]P. */
 			case EP_N16:
-				fp_prime_get_par(n);
 				g2_mul_any(u, a, n);
 				if (bn_is_even(n)) {
 					g2_frb(v, u, 3);
@@ -348,7 +347,6 @@ int g2_is_valid(const g2_t a) {
 			 * https://eprint.iacr.org/2022/348.pdf
 			 * Paper has u = 45 mod 70, we ran their code for u = 25 mod 70. */
 			case EP_K16:
-				fp_prime_get_par(n);
 				bn_mod_dig(&rem, n, 70);
 				if (rem == 45) {
 					bn_neg(n, n);
@@ -400,14 +398,12 @@ int g2_is_valid(const g2_t a) {
 				break;
 			case EP_FM16:
 				/* Check that u*Q == psi(Q). */
-				fp_prime_get_par(n);
 				g2_mul_any(u, a, n);
 				g2_frb(v, a, 1);
 				r = g2_on_curve(a) && (g2_cmp(u, v) == RLC_EQ);
 				break;
 			case EP_K18:
 				/* Check that P + u*psi2P + 2*psi3P == \mathcal{O}. */
-				fp_prime_get_par(n);
 				g2_frb(u, a, 2);
 				g2_frb(v, u, 1);
 				g2_dbl(v, v);
@@ -416,9 +412,15 @@ int g2_is_valid(const g2_t a) {
 				g2_neg(u, v);
 				r = g2_on_curve(a) && (g2_cmp(u, a) == RLC_EQ);
 				break;
+			case EP_FM18:
+				/* Check that Q == -u*\psi^2(Q). */
+				bn_neg(n, n);
+				g2_mul_any(u, a, n);
+				g2_frb(u, u, 2);
+				r = g2_on_curve(a) && (g2_cmp(u, a) == RLC_EQ);
+				break;
 			case EP_SG18:
 				/* Check that 3u*P + 2\psi^2(P) == \psi^5P] and [3]P \eq O. */
-				fp_prime_get_par(n);
 				bn_mul_dig(n, n, 3);
 				g2_mul_any(u, a, n);
 				r = g2_is_infty(a) == 0;
@@ -611,6 +613,14 @@ int gt_is_valid(const gt_t a) {
 				r = (gt_cmp(u, a) == RLC_EQ);
 				r &= fp18_test_cyc((void *)a);
 				break;
+			case EP_FM18:
+				/* Check that Q == -u*\psi^2(Q). */
+				bn_neg(n, n);
+				gt_exp(u, a, n);
+				gt_frb(u, u, 2);
+				r = (gt_cmp(u, a) == RLC_EQ);
+				r &= fp18_test_cyc((void *)a);
+				break;
 			case EP_SG18:
 				/* Check that 3u*P + 2\psi^2(P) == \psi^5P] and [3]P \eq O. */
 				fp_prime_get_par(n);