def mult_sliding_window(m: int,
Q: JacPoint,
ec: CurveGroup,
w: int = 4) -> JacPoint:
"""Scalar multiplication using "sliding window".
It has the benefit that the pre-computation stage
is roughly half as complex as the normal windowed method.
It is not constant time.
For 256-bit scalars choose w=4 or w=5.
The input point is assumed to be on curve and
the m coefficient is assumed to have been reduced mod n
if appropriate (e.g. cyclic groups of order n).
"""
if m < 0:
raise BTClibValueError(f"negative m: {hex(m)}")
# a number cannot be written in basis 1 (ie w=0)
if w <= 0:
raise BTClibValueError(f"non positive w: {w}")
k = w - 1
p = pow(2, k)
# at each step one of the points in T will be added
P = Q
for _ in range(k):
P = ec.double_jac(P)
T = [P]
for i in range(1, p):
T.append(ec.add_jac(T[i - 1], Q))
digits = convert_number_to_base(m, 2)
R = INFJ
i = 0
while i < len(digits):
if digits[i] == 0:
R = ec.double_jac(R)
i += 1
else:
j = len(digits) - i if (len(digits) - i) < w else w
t = digits[i]
for a in range(1, j):
t = 2 * t + digits[i + a]
if j < w:
for b in range(i, (i + j)):
R = ec.double_jac(R)
if digits[b] == 1:
R = ec.add_jac(R, Q)
return R
for _ in range(w):
R = ec.double_jac(R)
R = ec.add_jac(R, T[t - p])
i += j
return R
def mult_w_NAF(m: int, Q: JacPoint, ec: CurveGroup, w: int = 4) -> JacPoint:
"""Scalar multiplication in Jacobian coordinates using wNAF.
This implementation uses the same method called "w-ary non-adjacent form" (wNAF)
we make use of the fact that point subtraction is as easy as point addition to perform fewer operations compared to sliding-window
In fact, on Weierstrass curves, known P, -P can be computed on the fly.
The input point is assumed to be on curve and
the m coefficient is assumed to have been reduced mod n
if appropriate (e.g. cyclic groups of order n).
'right-to-left' method.
FIXME:
- Make it constant time (if necessary)
- Try to avoid exception in negation for w=1
"""
if m < 0:
raise BTClibValueError(f"negative m: {hex(m)}")
# a number cannot be written in basis 1 (ie w=0)
if w <= 0:
raise BTClibValueError(f"non positive w: {w}")
M = wNAF_of_m(m, w)
p = len(M)
b = pow(2, w)
Q2 = ec.double_jac(Q)
T = [Q]
for i in range(1, (b // 4)):
T.append(ec.add_jac(T[i - 1], Q2))
for i in range((b // 4), (b // 2)):
T.append(ec.negate_jac(T[i - (b // 4)]))
R = INFJ
for j in range(p - 1, -1, -1):
R = ec.double_jac(R)
if M[j] != 0:
if M[j] > 0:
# It adds the element jQ
R = ec.add_jac(R, T[(M[j] - 1) // 2])
else:
# In this case it adds the opposite, ie -jQ
if w != 1:
R = ec.add_jac(R, T[(b // 4) - ((M[j] + 1) // 2)])
else:
# Case w=1 must be studied on its own for now
R = R = ec.add_jac(R, T[1])
return R