def R1toR2(P):
    """Convert a point from representation R1 to representation R2.

    P is the 5-tuple (X, Y, Z, Ta, Tb). The result is the 4-tuple
    (X + Y, Y - X, 2*Z, 2*d*Ta*Tb), computed with GFp2 arithmetic.
    GFp2 and the curve constant d are module-level names defined elsewhere.
    """
    x, y, z, ta, tb = P
    xy_sum = GFp2.add(x, y)
    yx_diff = GFp2.sub(y, x)
    z_doubled = GFp2.add(z, z)
    two_d = GFp2.mul(GFp2.two, d)
    t_product = GFp2.mul(ta, tb)
    return (xy_sum, yx_diff, z_doubled, GFp2.mul(two_d, t_product))
def tau(P):
    """Apply the map tau to a projective point (X1, Y1, Z1).

    With A = X1^2 + Y1^2 and S = X1^2 - Y1^2 the result is
        X2 = ctau * X1 * Y1 * S
        Y2 = -(2*Z1^2 + S) * A
        Z2 = A * S
    The formula is straight-line: it has no branch on coordinate values.
    ctau is a module-level constant defined elsewhere.
    """
    x, y, z = P
    x_sq = GFp2.sqr(x)
    y_sq = GFp2.sqr(y)
    sq_sum = GFp2.add(x_sq, y_sq)
    sq_diff = GFp2.sub(x_sq, y_sq)

    scaled_xy = GFp2.mul(GFp2.mul(ctau, x), y)
    x_out = GFp2.mul(scaled_xy, sq_diff)

    two_z_sq = GFp2.mul(GFp2.two, GFp2.sqr(z))
    y_out = GFp2.neg(GFp2.mul(GFp2.add(two_z_sq, sq_diff), sq_sum))

    z_out = GFp2.mul(sq_sum, sq_diff)
    return (x_out, y_out, z_out)
def chi(P):
    """Apply the map chi to a projective point (X1, Y1, Z1).

    Every input coordinate is conjugated first. With a = conj(X1),
    b = conj(Y1), c = conj(Z1)^2 and s = a^2 the result is
        g  = b * (s + cpsi2*c)
        h  = -(s + cpsi4*c)
        X2 = cpsi1 * a * c * h
        Y2 = g * (s + cpsi3*c)
        Z2 = g * h
    cpsi1..cpsi4 are module-level constants defined elsewhere.
    """
    x, y, z = P
    x_conj = GFp2.conj(x)
    y_conj = GFp2.conj(y)
    z_conj_sq = GFp2.sqr(GFp2.conj(z))
    x_conj_sq = GFp2.sqr(x_conj)
    # NOTE(review): conj(Y1)^2 is computed but never used below. It is kept so
    # the call sequence stays unchanged. Check the formula against the
    # specification before removing it.
    _y_conj_sq_unused = GFp2.sqr(y_conj)

    g = GFp2.mul(y_conj, GFp2.add(x_conj_sq, GFp2.mul(cpsi2, z_conj_sq)))
    h = GFp2.neg(GFp2.add(x_conj_sq, GFp2.mul(cpsi4, z_conj_sq)))

    x_out = GFp2.mul(GFp2.mul(GFp2.mul(cpsi1, x_conj), z_conj_sq), h)
    y_out = GFp2.mul(g, GFp2.add(x_conj_sq, GFp2.mul(cpsi3, z_conj_sq)))
    z_out = GFp2.mul(g, h)
    return (x_out, y_out, z_out)
def DBL(P):
    """Double a point, returning it as the 5-tuple (X3, Y3, Z3, Ta3, Tb3).

    Only the first three entries of P (X1, Y1, Z1) are read, so P may carry
    extra coordinates. With E = (X1+Y1)^2 - (X1^2+Y1^2), D = X1^2 + Y1^2,
    F = Y1^2 - X1^2 and G = 2*Z1^2 - F the result is
        X3 = E*G, Y3 = D*F, Z3 = F*G, Ta3 = E, Tb3 = D.

    The formula is straight-line, with no branch on coordinate values.
    Whether it runs in constant time depends on the GFp2 implementation,
    which is not shown here.
    """
    x, y, z = P[:3]
    x_sq = GFp2.sqr(x)
    y_sq = GFp2.sqr(y)
    two_z_sq = GFp2.mul(GFp2.two, GFp2.sqr(z))
    sq_sum = GFp2.add(x_sq, y_sq)
    # (x + y)^2 - (x^2 + y^2)
    cross = GFp2.sub(GFp2.sqr(GFp2.add(x, y)), sq_sum)
    sq_diff = GFp2.sub(y_sq, x_sq)
    g = GFp2.sub(two_z_sq, sq_diff)
    return (
        GFp2.mul(cross, g),
        GFp2.mul(sq_sum, sq_diff),
        GFp2.mul(sq_diff, g),
        cross,
        sq_sum,
    )
def DBL(P):
    """Double a point given by (X1, Y1, Z1, ...) and return (X3, Y3, Z3, Ta3, Tb3).

    Entries of P beyond the third are ignored. The output follows
        E = (X1+Y1)^2 - X1^2 - Y1^2
        D = X1^2 + Y1^2
        F = Y1^2 - X1^2
        G = 2*Z1^2 - F
        X3 = E*G, Y3 = D*F, Z3 = F*G, Ta3 = E, Tb3 = D
    There is no data-dependent branch in this routine. Timing still depends
    on the GFp2 implementation, which is defined elsewhere.
    """
    x1, y1, z1 = P[:3]
    xx = GFp2.sqr(x1)
    yy = GFp2.sqr(y1)
    zz2 = GFp2.mul(GFp2.two, GFp2.sqr(z1))
    tb3 = GFp2.add(xx, yy)
    ta3 = GFp2.sub(GFp2.sqr(GFp2.add(x1, y1)), tb3)
    yy_minus_xx = GFp2.sub(yy, xx)
    g = GFp2.sub(zz2, yy_minus_xx)

    x3 = GFp2.mul(ta3, g)
    y3 = GFp2.mul(tb3, yy_minus_xx)
    z3 = GFp2.mul(yy_minus_xx, g)
    return (x3, y3, z3, ta3, tb3)
def PointOnCurve(P):
    """Return True when the affine point P = (X, Y) satisfies the curve equation.

    The equation tested is  Y^2 - X^2 == 1 + d * X^2 * Y^2  over GFp2.

    This is a curve-membership test only; it says nothing about which
    subgroup the point lies in. The final comparison is plain ``==`` on
    whatever GFp2 returns, so it presumably relies on GFp2 producing fully
    reduced values. Confirm that against the GFp2 implementation.
    """
    x, y = P
    x_sq = GFp2.sqr(x)
    y_sq = GFp2.sqr(y)
    left = GFp2.sub(y_sq, x_sq)
    d_x_sq = GFp2.mul(d, x_sq)
    right = GFp2.add(GFp2.one, GFp2.mul(d_x_sq, y_sq))
    return left == right
def R2toR4(P):
    """Convert a point from representation R2 to representation R4.

    P is the 4-tuple (N, D, E, F) and the result is (N - D, D + N, E).
    The fourth entry is unpacked, which enforces the tuple length, but it is
    not used. For an R2 tuple built as (X+Y, Y-X, 2Z, ...) this yields
    (2X, 2Y, 2Z).
    """
    n, dd, e, _unused_f = P
    first = GFp2.sub(n, dd)
    second = GFp2.add(dd, n)
    return (first, second, e)
def ADD_core(P, Q):
    """Core point-addition formula; returns (X3, Y3, Z3, Ta3, Tb3).

    P is unpacked as (N1, D1, E1, F1) and Q as (N2, D2, Z2, T2).
    NOTE(review): the tuple shapes suggest P is in R3 form and Q in R2 form,
    as produced by R1toR3 and R1toR2. Confirm against the callers.

    With A = D1*D2, B = N1*N2, C = T2*F1 and D = Z2*E1:
        E = B - A, F = D - C, G = D + C, H = B + A
        X3 = E*F, Y3 = G*H, Z3 = F*G, Ta3 = E, Tb3 = H

    The routine has no branch on coordinate values. Its timing depends on
    the GFp2 implementation, which is not shown here.
    """
    p_n, p_d, p_e, p_f = P
    q_n, q_d, q_z, q_t = Q

    d_prod = GFp2.mul(p_d, q_d)
    n_prod = GFp2.mul(p_n, q_n)
    t_prod = GFp2.mul(q_t, p_f)
    z_prod = GFp2.mul(q_z, p_e)

    e = GFp2.sub(n_prod, d_prod)
    f = GFp2.sub(z_prod, t_prod)
    g = GFp2.add(z_prod, t_prod)
    h = GFp2.add(n_prod, d_prod)

    return (GFp2.mul(e, f), GFp2.mul(g, h), GFp2.mul(f, g), e, h)
def R1toR3(P):
    """Convert a point from representation R1 to representation R3.

    P is the 5-tuple (X, Y, Z, Ta, Tb). The result is the 4-tuple
    (X + Y, Y - X, Z, Ta*Tb); Z is passed through unchanged.
    """
    x, y, z, ta, tb = P
    xy_sum = GFp2.add(x, y)
    yx_diff = GFp2.sub(y, x)
    t_product = GFp2.mul(ta, tb)
    return (xy_sum, yx_diff, z, t_product)
def tau_dual(P):
    """Apply the map tau_dual to (X1, Y1, Z1); returns (X2, Y2, Z2, Ta2, Tb2).

    With C = X1^2 + Y1^2:
        Ta2 = Y1^2 - X1^2
        D   = 2*Z1^2 - Ta2
        Tb2 = ctaudual * X1 * Y1
        X2  = Tb2 * C, Y2 = Ta2 * D, Z2 = C * D
    ctaudual is a module-level constant defined elsewhere.
    """
    x, y, z = P
    x_sq = GFp2.sqr(x)
    y_sq = GFp2.sqr(y)
    sq_sum = GFp2.add(x_sq, y_sq)
    ta_out = GFp2.sub(y_sq, x_sq)
    two_z_sq = GFp2.mul(GFp2.two, GFp2.sqr(z))
    dd = GFp2.sub(two_z_sq, ta_out)
    tb_out = GFp2.mul(GFp2.mul(ctaudual, x), y)
    return (
        GFp2.mul(tb_out, sq_sum),
        GFp2.mul(ta_out, dd),
        GFp2.mul(sq_sum, dd),
        ta_out,
        tb_out,
    )
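def decode(B):
    """Decode a 32-byte point encoding into affine coordinates ``(x, y)``.

    Layout, as read by the code: bytes 0-15 hold y0 and bytes 16-31 hold y1,
    both little-endian. The top bit of byte 15 is reserved and must be zero.
    The top bit of byte 31 carries the sign of x.

    Checks performed, in order: exact length, reserved bit, both halves of y
    strictly below ``p1271`` (rejecting non-canonical encodings), and curve
    membership of the recovered point. Curve membership is the only group
    check made here. No subgroup or cofactor check is done, so a caller that
    needs one must perform it separately.

    The caller's buffer is never modified: the sign bit is cleared on a
    private copy. Control flow depends on the decoded value, so this routine
    is not constant-time with respect to its input.

    Args:
        B: the 32-byte encoding (bytes, bytearray or a sequence of ints
            in the range 0..255).

    Returns:
        The pair (x, y), each coordinate a GFp2 element (a pair of GFp values).

    Raises:
        Exception: if the encoding is malformed or the point is not on the curve.
    """
    if len(B) != 32:
        raise Exception("Malformed point: length {} != 32".format(len(B)))
    if B[15] & 0x80 != 0x00:
        raise Exception("Malformed point: reserved bit is not zero")

    # Work on a private copy. Clearing the sign bit in place would corrupt the
    # caller's buffer, and would fail outright on immutable bytes input.
    B = bytearray(B)
    s = B[31] >> 7
    B[31] &= 0x7F

    y0 = GFp.fromLittleEndian(B[:16])
    y1 = GFp.fromLittleEndian(B[16:])
    if y0 >= p1271 or y1 >= p1271:
        # Non-canonical coordinate. The earlier message wrongly blamed the
        # reserved bit, which has already been checked above.
        raise Exception("Malformed point: coordinate is not less than p")

    y = (y0, y1)
    y2 = GFp2.sqr(y)

    # From the curve equation used by PointOnCurve, x^2 = (y^2 - 1) / (d*y^2 + 1).
    (u0, u1) = GFp2.sub(y2, GFp2.one)
    (v0, v1) = GFp2.add(GFp2.mul(d, y2), GFp2.one)

    # The rest recovers a square root of u/v using only GFp operations.
    t0 = GFp.add(GFp.mul(u0, v0), GFp.mul(u1, v1))
    t1 = GFp.sub(GFp.mul(u1, v0), GFp.mul(u0, v1))
    t2 = GFp.add(GFp.sqr(v0), GFp.sqr(v1))
    t3 = GFp.add(GFp.sqr(t0), GFp.sqr(t1))
    t3 = GFp.mul(GFp.invsqrt(t3), t3)

    # NOTE(review): this line uses the literal 2 while the next uses GFp.two;
    # presumably equivalent, left as written.
    t = GFp.mul(2, GFp.add(t0, t3))
    if t == 0:
        t = GFp.mul(GFp.two, GFp.sub(t0, t3))

    a = GFp.invsqrt(GFp.mul(t, GFp.mul(t2, GFp.sqr(t2))))
    b = GFp.mul(GFp.mul(a, t2), t)
    x0 = GFp.mul(b, GFp.half)
    x1 = GFp.mul(GFp.mul(a, t2), t1)

    if t != GFp.mul(t2, GFp.sqr(b)):
        x0, x1 = x1, x0

    x = (x0, x1)
    # Select the root whose sign matches the encoded sign bit.
    if sign(x) != s:
        x = GFp2.neg(x)

    # Try the conjugate once before rejecting; anything still off the curve
    # after that is refused.
    if not PointOnCurve((x, y)):
        x = GFp2.conj(x)
    if not PointOnCurve((x, y)):
        raise Exception("Point not on curve")

    return (x, y)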
def upsilon(P):
    """Apply the map upsilon to a projective point (X1, Y1, Z1).

    Writing yz = Y1*Z1, y2 = Y1^2, z2 = Z1^2, y4 = y2^2, z4 = z2^2 and
    y2z2 = yz^2, the intermediate values are
        K  = cphi8*y2z2 + y4 + cphi9*z4
        I  = cphi1*yz,        J = y2 + cphi2*z2
        L  = y2 + cphi4*z2,   M = cphi3*yz
        N  = (L + M) * (L - M)
    and the outputs, each conjugated at the end, are
        X2 = conj(cphi0*X1*Y1 * K * (I + J)*(I - J))
        Y2 = conj(cphi5*z2 * N * (y4 + cphi6*y2z2 + cphi7*z4))
        Z2 = conj(yz * K * N)
    cphi0..cphi9 are module-level constants defined elsewhere.
    """
    x, y, z = P

    xy_scaled = GFp2.mul(GFp2.mul(cphi0, x), y)
    yz = GFp2.mul(y, z)
    y2 = GFp2.sqr(y)
    z2 = GFp2.sqr(z)
    z4 = GFp2.sqr(z2)
    y2z2 = GFp2.sqr(yz)
    y4 = GFp2.sqr(y2)

    i_term = GFp2.mul(cphi1, yz)
    j_term = GFp2.add(y2, GFp2.mul(cphi2, z2))
    k_poly = GFp2.add(GFp2.add(GFp2.mul(cphi8, y2z2), y4), GFp2.mul(cphi9, z4))

    x_factor = GFp2.mul(GFp2.add(i_term, j_term), GFp2.sub(i_term, j_term))
    x_out = GFp2.conj(GFp2.mul(GFp2.mul(xy_scaled, k_poly), x_factor))

    l_term = GFp2.add(y2, GFp2.mul(cphi4, z2))
    m_term = GFp2.mul(cphi3, yz)
    n_prod = GFp2.mul(GFp2.add(l_term, m_term), GFp2.sub(l_term, m_term))

    y_poly = GFp2.add(GFp2.add(y4, GFp2.mul(cphi6, y2z2)), GFp2.mul(cphi7, z4))
    y_out = GFp2.conj(GFp2.mul(GFp2.mul(GFp2.mul(cphi5, z2), n_prod), y_poly))

    z_out = GFp2.conj(GFp2.mul(GFp2.mul(yz, k_poly), n_prod))
    return (x_out, y_out, z_out)
def R1toR2(P):
    """Map an R1 point (X, Y, Z, Ta, Tb) to its R2 form.

    Returns (X + Y, Y - X, 2*Z, 2*d*Ta*Tb). The doubling of Z is done as an
    addition, Z + Z. d is the curve constant defined at module level.
    """
    x1, y1, z1, ta1, tb1 = P
    n = GFp2.add(x1, y1)
    dd = GFp2.sub(y1, x1)
    e = GFp2.add(z1, z1)
    f = GFp2.mul(GFp2.mul(GFp2.two, d), GFp2.mul(ta1, tb1))
    return (n, dd, e, f)
def R1toR3(P):
    """Map an R1 point (X, Y, Z, Ta, Tb) to its R3 form.

    Returns (X + Y, Y - X, Z, Ta*Tb). The two T halves are multiplied
    together and Z is copied through unchanged.
    """
    x1, y1, z1, ta1, tb1 = P
    n = GFp2.add(x1, y1)
    dd = GFp2.sub(y1, x1)
    t = GFp2.mul(ta1, tb1)
    return (n, dd, z1, t)
def R2toR4(P):
    """Map an R2 point (N, D, E, F) to its R4 form (N - D, D + N, E).

    F is unpacked only so that a tuple of the wrong length is rejected.
    It does not appear in the result.
    """
    n_in, d_in, e_in, _f_in = P
    diff = GFp2.sub(n_in, d_in)
    total = GFp2.add(d_in, n_in)
    return (diff, total, e_in)