def precomp(GV):
    """Precompute the packed line coefficients for a fixed point GV.

    Follows the bit schedule returned by lbits(): one doubling entry per
    loop step, plus one addition entry whenever the (n3, n) bit pair is
    (1, 0) or (0, 1). On BN curves two further entries are appended for
    the Frobenius correction steps. The entries are consumed in the same
    order by another_pc().

    GV itself is not modified; all work is done on copies.
    """
    nb, n3, n = lbits()
    base = GV.copy()
    acc = base.copy()  # presumably advanced in place by dbl()/add() - confirm
    neg_base = -base
    table = []

    for i in range(nb - 2, 0, -1):
        c0, c1, c2 = dbl(acc)
        table.append(pack(c0, c1, c2))

        hi, lo = big.bit(n3, i), big.bit(n, i)
        if hi == 1 and lo == 0:
            c0, c1, c2 = add(acc, base)
            table.append(pack(c0, c1, c2))
        elif hi == 0 and lo == 1:
            c0, c1, c2 = add(acc, neg_base)
            table.append(pack(c0, c1, c2))

    if curve.PairingFriendly == BN:
        # Two extra lines through the Frobenius images of the base point.
        frob = base.copy()
        frob.frobenius()
        if curve.SignOfX == NEGATIVEX:
            acc = -acc
        c0, c1, c2 = add(acc, frob)
        table.append(pack(c0, c1, c2))

        frob.frobenius()
        frob = -frob
        c0, c1, c2 = add(acc, frob)
        table.append(pack(c0, c1, c2))

    return table
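def mul(P, a, Q, b):
    """Return the double multiplication a*P + b*Q as a new ECp point.

    Negative scalars are handled by negating the scalar and the matching
    point; the caller's P and Q objects are not modified (only the local
    names are rebound).

    The loop runs for at least curve.r.bit_length() iterations, as the
    original did, but is now extended when either scalar is longer than
    the group order. Previously the high bits of such a scalar were
    silently dropped, which returned the wrong point.

    NOTE(review): the add/skip decision branches on individual scalar
    bits, so this routine is not constant-time. That is presumably fine
    for public scalars (e.g. signature verification) - confirm it is not
    reached with secret values.
    """
    if a < 0:
        a = -a
        P = -P
    if b < 0:
        b = -b
        Q = -Q

    R = ECp()
    # Keep the fixed minimum length, but never truncate a longer scalar.
    k = max(a.bit_length(), b.bit_length(), curve.r.bit_length())

    W = P.copy()
    W.add(Q)  # W = P + Q, used when both bits are set

    for i in range(k - 1, -1, -1):
        R.dbl()
        if big.bit(a, i) == 1:
            if big.bit(b, i) == 1:
                R.add(W)
            else:
                R.add(P)
        elif big.bit(b, i) == 1:
            R.add(Q)
    return R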
def another_pc(r, T, QV):
    """Accumulate one pairing into r using a precomputed table T.

    T is read sequentially with the same bit schedule that precomp()
    uses to build it, so T must come from precomp() under the same curve
    parameters; a shorter table raises IndexError. Each loop step
    multiplies its line value into r[i]; on BN curves the two trailing
    entries are combined and multiplied into r[0].

    Returns None, and leaves r untouched when QV is the point at
    infinity. QV is copied before being made affine.
    """
    if QV.isinf():
        return

    nb, n3, n = lbits()
    q = QV.copy()
    q.affine()
    Qx, Qy = q.getxy()

    pos = 0  # read cursor into T
    for i in range(nb - 2, 0, -1):
        line = unpack(T[pos], Qx, Qy)
        pos += 1

        hi, lo = big.bit(n3, i), big.bit(n, i)
        # Both non-zero cases consume exactly one extra table entry.
        if (hi, lo) in ((1, 0), (0, 1)):
            extra = unpack(T[pos], Qx, Qy)
            pos += 1
            line.smul(extra)

        r[i] *= line

    if curve.PairingFriendly == BN:
        line = unpack(T[pos], Qx, Qy)
        pos += 1
        extra = unpack(T[pos], Qx, Qy)
        line.smul(extra)
        r[0] *= line
def another(r, P1, Q1):
    """Accumulate the line functions for the pair (P1, Q1) into r.

    For every loop index i the combined line value is multiplied into
    r[i]; on BN curves the Frobenius correction lines go into r[0].
    Nothing is squared here, so the squarings of a multi-pairing are
    presumably applied elsewhere - confirm against the caller.

    Returns None, and leaves r untouched when Q1 is the point at
    infinity. P1 and Q1 are copied before being made affine.
    """
    if Q1.isinf():
        return

    nb, n3, n = lbits()
    pt = P1.copy()
    q = Q1.copy()
    pt.affine()
    q.affine()
    acc = pt.copy()  # presumably advanced in place by g() - confirm
    Qx, Qy = q.getxy()

    for i in range(nb - 2, 0, -1):
        line = g(acc, acc, Qx, Qy)

        hi, lo = big.bit(n3, i), big.bit(n, i)
        if hi == 1 and lo == 0:
            extra = g(acc, pt, Qx, Qy)
            line.smul(extra)
        elif hi == 0 and lo == 1:
            extra = g(acc, -pt, Qx, Qy)
            line.smul(extra)

        r[i] *= line

    if curve.PairingFriendly == BN:
        frob = pt.copy()
        frob.frobenius()
        if curve.SignOfX == NEGATIVEX:
            acc = -acc
        line = g(acc, frob, Qx, Qy)
        frob.frobenius()
        frob = -frob
        extra = g(acc, frob, Qx, Qy)
        line.smul(extra)
        r[0] *= line
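def another(r, P1, Q1):
    """Accumulate the line functions for the pair (P1, Q1) into r.

    For every loop index i the combined line value is multiplied into
    r[i]; on BN curves the Frobenius correction lines go into r[0].

    A pairing with the point at infinity contributes nothing, so r is
    left untouched in that case. Without this guard the coordinates
    read from an infinite Q1 would be fed into the line evaluations.

    P1 and Q1 are copied before being made affine. Returns None.
    """
    if Q1.isinf():
        return

    nb, n3, n = lbits()
    P = P1.copy()
    Q = Q1.copy()
    P.affine()
    Q.affine()
    A = P.copy()  # presumably advanced in place by g() - confirm
    Qx, Qy = Q.getxy()

    for i in range(nb - 2, 0, -1):
        lv = g(A, A, Qx, Qy)
        if big.bit(n3, i) == 1 and big.bit(n, i) == 0:
            lv2 = g(A, P, Qx, Qy)
            lv.smul(lv2)
        if big.bit(n3, i) == 0 and big.bit(n, i) == 1:
            lv2 = g(A, -P, Qx, Qy)
            lv.smul(lv2)
        r[i] *= lv

    if curve.PairingFriendly == BN:
        KA = P.copy()
        KA.frobenius()
        if curve.SignOfX == NEGATIVEX:
            A = -A
        lv = g(A, KA, Qx, Qy)
        KA.frobenius()
        KA = -KA
        lv2 = g(A, KA, Qx, Qy)
        lv.smul(lv2)
        r[0] *= lv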
def double_miller(P, Q, U, V):
    """Run one shared Miller loop over the pairs (P, Q) and (U, V).

    Returns the Fp12 accumulator before any final exponentiation. The
    loop parameter n is 6x+2 or 6x-2 on BN curves (by sign of x) and x
    otherwise; n3 = 3n drives the add/subtract schedule.

    NOTE(review): P and U are normalised in place via norm(), and Q and
    V are read with getxy() as passed in. No argument is checked for the
    point at infinity - callers presumably guarantee that; confirm.
    """
    x = curve.x
    if curve.PairingFriendly == BN:
        n = 6 * x + (2 if curve.SignOfX == POSITIVEX else -2)
    else:
        n = x
    n3 = 3 * n

    P.norm()
    A = P.copy()  # presumably advanced in place by g() - confirm
    Qx, Qy = Q.getxy()

    U.norm()
    B = U.copy()
    Wx, Wy = V.getxy()

    nb = n3.bit_length()
    acc = Fp12.one()

    # Miller loop: both pairs share every squaring of the accumulator.
    for i in range(nb - 2, 0, -1):
        acc.sqr()
        acc *= g(A, A, Qx, Qy)
        acc *= g(B, B, Wx, Wy)

        hi, lo = big.bit(n3, i), big.bit(n, i)
        if hi == 1 and lo == 0:
            acc *= g(A, P, Qx, Qy)
            acc *= g(B, U, Wx, Wy)
        elif hi == 0 and lo == 1:
            acc *= g(A, -P, Qx, Qy)
            acc *= g(B, -U, Wx, Wy)

    # Adjustment for a negative curve parameter.
    if curve.SignOfX == NEGATIVEX:
        acc.conj()

    if curve.PairingFriendly == BN:
        KA = P.copy()
        KA.frobenius()
        if curve.SignOfX == NEGATIVEX:
            A = -A
            B = -B
        acc *= g(A, KA, Qx, Qy)
        KA.frobenius()
        KA = -KA
        acc *= g(A, KA, Qx, Qy)

        KB = U.copy()
        KB.frobenius()
        acc *= g(B, KB, Wx, Wy)
        KB.frobenius()
        KB = -KB
        acc *= g(B, KB, Wx, Wy)

    return acc
def __rmul__(self, other):
    """Return other * self as a new ECp2 point (scalar on the left).

    Signed-digit (NAF-style) double-and-add: comparing the bits of 3*b
    with those of b selects an addition, a subtraction, or nothing at
    each step. self is normalised in place via norm() first.

    NOTE(review): the iteration count and the add/subtract branches
    both depend on the scalar, so this is not constant-time. Confirm it
    is not used with secret scalars without blinding at the caller.
    """
    scalar = other
    scalar3 = 3 * scalar
    self.norm()
    neg_self = -self
    acc = ECp2()

    for i in range(scalar3.bit_length() - 1, 0, -1):
        acc.dbl()
        hi, lo = big.bit(scalar3, i), big.bit(scalar, i)
        if hi == 1 and lo == 0:
            acc.add(self)
        elif hi == 0 and lo == 1:
            acc.add(neg_self)
    return acc
def __rmul__(self, other):
    """Return other * self as a new ECp2 point (scalar on the left).

    Signed-digit (NAF-style) double-and-add driven by the bits of b and
    3*b. The loop length is taken from the scalar itself; the original
    carried a commented-out fixed bound of curve.r.bit_length()+2.

    NOTE(review): the iteration count and the add/subtract branches
    both depend on the scalar, so this is not constant-time. Confirm it
    is not used with secret scalars without blinding at the caller.
    """
    scalar = other
    scalar3 = 3 * scalar
    top = scalar3.bit_length()

    neg_self = -self
    acc = ECp2()
    for i in range(top - 1, 0, -1):
        acc.dbl()
        hi, lo = big.bit(scalar3, i), big.bit(scalar, i)
        if hi == 1 and lo == 0:
            acc.add(self)
        elif hi == 0 and lo == 1:
            acc.add(neg_self)
    return acc
def getxs(self):
    """Return (x, sign) where x is an integer and sign is the LSB of y.

    The point at infinity is reported as (0, 0). On Montgomery curves
    the sign is always 0. Note that self is normalised in place via
    norm() as a side effect.
    """
    if self.isinf():
        return (0, 0)

    self.norm()
    if curve.CurveType == MONTGOMERY:
        sign = 0
    else:
        sign = big.bit(self.y.int(), 0)
    return (self.x.int(), sign)
def pow(self, other):
    """Return self raised to the power other; unitary elements only.

    Signed-digit square-and-multiply using the bits of e and 3*e. The
    "subtract" step multiplies by the conjugate, which presumably stands
    in for the inverse and is why the input must be unitary - confirm.
    The base is conjugated back after each such step.

    NOTE(review): for other == 0 the loop does not run and a copy of
    self is returned rather than the identity; callers should not rely
    on pow(0).
    """
    exp = other
    exp3 = exp * 3
    top = exp3.bit_length()

    base = self.copy()
    acc = self.copy()
    for i in range(top - 2, 0, -1):
        acc.usqr()
        hi, lo = big.bit(exp3, i), big.bit(exp, i)
        if hi == 1 and lo == 0:
            acc *= base
        elif hi == 0 and lo == 1:
            # Multiply by the conjugate, then restore the base.
            base.conj()
            acc *= base
            base.conj()
    return acc
def miller(P1, Q1):
    """Run the Miller loop for the pair (P1, Q1) and return an Fp12 value.

    The result is the accumulator before any final exponentiation. The
    loop parameter n is 6x+2 or 6x-2 on BN curves (by sign of x) and x
    otherwise. P1 and Q1 are copied before being made affine.

    NOTE(review): neither argument is checked for the point at infinity
    here - confirm that callers guarantee it.
    """
    x = curve.x
    if curve.PairingFriendly == BN:
        n = 6 * x + (2 if curve.SignOfX == POSITIVEX else -2)
    else:
        n = x
    n3 = 3 * n

    pt = P1.copy()
    q = Q1.copy()
    pt.affine()
    q.affine()
    acc_pt = pt.copy()  # presumably advanced in place by g() - confirm
    Qx, Qy = q.getxy()

    nb = n3.bit_length()
    r = Fp12.one()

    # Miller loop
    for i in range(nb - 2, 0, -1):
        r.sqr()
        r *= g(acc_pt, acc_pt, Qx, Qy)
        hi, lo = big.bit(n3, i), big.bit(n, i)
        if hi == 1 and lo == 0:
            r *= g(acc_pt, pt, Qx, Qy)
        elif hi == 0 and lo == 1:
            r *= g(acc_pt, -pt, Qx, Qy)

    # Adjustment for a negative curve parameter.
    if curve.SignOfX == NEGATIVEX:
        r.conj()

    if curve.PairingFriendly == BN:
        frob = pt.copy()
        frob.frobenius()
        if curve.SignOfX == NEGATIVEX:
            acc_pt = -acc_pt
        r *= g(acc_pt, frob, Qx, Qy)
        frob.frobenius()
        frob = -frob
        r *= g(acc_pt, frob, Qx, Qy)

    return r
def getxs(self):
    """Return (x, sign) where x is an integer and sign is the LSB of y.

    The point at infinity is reported as (0, 0). On Montgomery curves
    the sign is always 0. The conversion to affine form is done on a
    copy, so self is left unchanged.
    """
    affine_pt = self.copy()
    if affine_pt.isinf():
        return (0, 0)

    affine_pt.affine()
    if curve.CurveType == MONTGOMERY:
        sign = 0
    else:
        sign = big.bit(affine_pt.y.int(), 0)
    return (affine_pt.x.int(), sign)
def ate(P1, Q1):
    """Run the ate Miller loop for (P1, Q1) and return an Fp12 value.

    Returns Fp12.one() straight away when Q1 is the point at infinity.
    The result is the accumulator before any final exponentiation. P1
    and Q1 are copied before being made affine.

    Within each step the doubling line and any addition line are first
    combined with smul() and then multiplied into the accumulator once.
    """
    if Q1.isinf():
        return Fp12.one()

    nb, n3, n = lbits()
    pt = P1.copy()
    q = Q1.copy()
    pt.affine()
    q.affine()
    acc_pt = pt.copy()  # presumably advanced in place by g() - confirm
    Qx, Qy = q.getxy()
    r = Fp12.one()

    # Miller loop
    for i in range(nb - 2, 0, -1):
        r.sqr()
        line = g(acc_pt, acc_pt, Qx, Qy)
        hi, lo = big.bit(n3, i), big.bit(n, i)
        if hi == 1 and lo == 0:
            extra = g(acc_pt, pt, Qx, Qy)
            line.smul(extra)
        elif hi == 0 and lo == 1:
            extra = g(acc_pt, -pt, Qx, Qy)
            line.smul(extra)
        r *= line

    # Adjustment for a negative curve parameter.
    if curve.SignOfX == NEGATIVEX:
        r.conj()

    if curve.PairingFriendly == BN:
        frob = pt.copy()
        frob.frobenius()
        if curve.SignOfX == NEGATIVEX:
            acc_pt = -acc_pt
        line = g(acc_pt, frob, Qx, Qy)
        frob.frobenius()
        frob = -frob
        extra = g(acc_pt, frob, Qx, Qy)
        line.smul(extra)
        r *= line

    return r
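def __rmul__(self, other):
    """Return other * self as a new ECp point in affine form.

    Montgomery curves use a ladder built on differential addition
    (dadd) with the affine copy D of self as the fixed difference. All
    other curve types use a signed-digit (NAF-style) double-and-add
    driven by the bits of b and 3*b.

    A zero scalar on a Montgomery curve now returns the point at
    infinity. Previously the ladder loop did not run and a copy of self
    came back. The unused initial `D = ECp()` has been dropped.

    NOTE(review): in both branches the iteration count depends on the
    scalar's bit length, and the NAF branch also branches on scalar
    bits, so neither is constant-time. Confirm how secret scalars reach
    this method.
    """
    R = ECp()
    if curve.CurveType == MONTGOMERY:
        e = other
        if e == 0:
            # 0 * P is the neutral element; the ladder below starts at 1 * P.
            return R
        R0 = self.copy()
        R1 = self.copy()
        R1.dbl()
        D = self.copy()
        D.affine()
        nb = e.bit_length()
        for i in range(nb - 2, -1, -1):
            b = big.bit(e, i)
            R = R1.copy()
            R.dadd(R0, D)
            # Swap so the same dbl/assign sequence serves both bit values.
            if b == 1:
                R0, R1 = R1, R0
            R1 = R.copy()
            R0.dbl()
            if b == 1:
                R0, R1 = R1, R0
        R = R0.copy()
    else:
        b = other
        b3 = 3 * b
        k = b3.bit_length()
        mself = -self
        for i in range(k - 1, 0, -1):
            R.dbl()
            if big.bit(b3, i) == 1 and big.bit(b, i) == 0:
                R.add(self)
            if big.bit(b3, i) == 0 and big.bit(b, i) == 1:
                R.add(mself)
    R.affine()
    return R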
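def __rmul__(self, other):
    """Return other * self as a new ECp point in affine form.

    On Montgomery curves a ladder is used, with differential addition
    (dadd) against the affine copy D of self. On other curve types a
    signed-digit (NAF-style) double-and-add compares the bits of b and
    3*b to choose between adding, subtracting, or doing nothing.

    Multiplying by zero on a Montgomery curve now yields the point at
    infinity. The original skipped the ladder loop and returned a copy
    of self. The dead `D = ECp()` assignment is removed.

    NOTE(review): the loop lengths derive from the scalar's bit length
    (fixed-length alternatives were left commented out in the original)
    and the NAF branch tests scalar bits, so this is not constant-time.
    Confirm how secret scalars reach this method.
    """
    R = ECp()
    if curve.CurveType == MONTGOMERY:
        e = other
        if e == 0:
            # The ladder is seeded with 1 * P, so zero needs its own exit.
            return R
        R0 = self.copy()
        R1 = self.copy()
        R1.dbl()
        D = self.copy()
        D.affine()
        nb = e.bit_length()
        for i in range(nb - 2, -1, -1):
            b = big.bit(e, i)
            R = R1.copy()
            R.dadd(R0, D)
            if b == 1:
                R0, R1 = R1, R0
            R1 = R.copy()
            R0.dbl()
            if b == 1:
                R0, R1 = R1, R0
        R = R0.copy()
    else:
        b = other
        b3 = 3 * b
        k = b3.bit_length()
        mself = -self
        for i in range(k - 1, 0, -1):
            R.dbl()
            bit3 = big.bit(b3, i)
            bit1 = big.bit(b, i)
            if bit3 == 1 and bit1 == 0:
                R.add(self)
            elif bit3 == 0 and bit1 == 1:
                R.add(mself)
    R.affine()
    return R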
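def ate(P1, Q1):
    """Run the ate Miller loop for (P1, Q1) and return an Fp12 value.

    The result is the accumulator before any final exponentiation. P1
    and Q1 are copied before being made affine.

    When Q1 is the point at infinity the pairing is trivial, so
    Fp12.one() is returned at once. Without this guard the coordinates
    read from an infinite Q1 would be fed into every line evaluation.
    """
    if Q1.isinf():
        return Fp12.one()

    nb, n3, n = lbits()
    P = P1.copy()
    Q = Q1.copy()
    P.affine()
    Q.affine()
    A = P.copy()  # presumably advanced in place by g() - confirm
    Qx, Qy = Q.getxy()
    r = Fp12.one()

    # Miller loop
    for i in range(nb - 2, 0, -1):
        r.sqr()
        lv = g(A, A, Qx, Qy)
        if big.bit(n3, i) == 1 and big.bit(n, i) == 0:
            lv2 = g(A, P, Qx, Qy)
            lv.smul(lv2)
        if big.bit(n3, i) == 0 and big.bit(n, i) == 1:
            lv2 = g(A, -P, Qx, Qy)
            lv.smul(lv2)
        r *= lv

    # Adjustment for a negative curve parameter.
    if curve.SignOfX == NEGATIVEX:
        r.conj()

    if curve.PairingFriendly == BN:
        KA = P.copy()
        KA.frobenius()
        if curve.SignOfX == NEGATIVEX:
            A = -A
        lv = g(A, KA, Qx, Qy)
        KA.frobenius()
        KA = -KA
        lv2 = g(A, KA, Qx, Qy)
        lv.smul(lv2)
        r *= lv

    return r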
def set(self, x, s=0):
    """Set this point from x and the least significant bit s of y.

    Returns False, leaving the point unchanged, when RHS(x) fails the
    qr() test; otherwise stores x, sets z to 1 and returns True. On
    non-Montgomery curves y is the square root of RHS(x), negated when
    its low bit differs from s.

    NOTE(review): the only validation visible here is the qr() test on
    RHS(x). No subgroup or cofactor check is made, so callers decoding
    untrusted points presumably need their own check - confirm.
    """
    mx = Fp(x)
    rhs = RHS(mx)
    if rhs.qr() != 1:
        return False

    self.x = mx
    self.z = Fp(1)
    if curve.CurveType != MONTGOMERY:
        root = rhs.sqrt()
        # Pick whichever of the two roots has the requested low bit.
        if big.bit(root.int(), 0) != s:
            root = -root
        self.y = root
    return True
def set(self, x, s=0):
    """Set this point from x and the least significant bit s of y.

    Returns False, leaving the point unchanged, when the jacobi() value
    of RHS(x) is not 1; otherwise stores x, sets z to 1 and returns
    True. On non-Montgomery curves y is the square root of RHS(x),
    negated when its low bit differs from s.

    NOTE(review): the only validation visible here is the jacobi() test
    on RHS(x). No subgroup or cofactor check is made, so callers
    decoding untrusted points presumably need their own check - confirm.
    """
    mx = Fp(x)
    rhs = RHS(mx)
    if rhs.jacobi() != 1:
        return False

    self.x = mx
    self.z = Fp(1)
    if curve.CurveType != MONTGOMERY:
        root = rhs.sqrt()
        # Pick whichever of the two roots has the requested low bit.
        if big.bit(root.int(), 0) != s:
            root = -root
        self.y = root
    return True
def double_ate(P1, Q1, U1, V1):
    """Run one shared Miller loop for the pairs (P1, Q1) and (U1, V1).

    Returns the Fp12 accumulator before any final exponentiation. When
    Q1 or V1 is the point at infinity, that pair is dropped and the
    other pair is passed to ate(). All four inputs are copied before
    being made affine.

    In each step the two pairs' line values are combined with smul()
    before being multiplied into the accumulator.
    """
    if Q1.isinf():
        return ate(U1, V1)
    if V1.isinf():
        return ate(P1, Q1)

    nb, n3, n = lbits()
    p = P1.copy()
    q = Q1.copy()
    u = U1.copy()
    v = V1.copy()
    p.affine()
    q.affine()
    u.affine()
    v.affine()

    A = p.copy()  # presumably advanced in place by g() - confirm
    Qx, Qy = q.getxy()
    B = u.copy()
    Wx, Wy = v.getxy()
    r = Fp12.one()

    # Miller loop
    for i in range(nb - 2, 0, -1):
        r.sqr()
        line = g(A, A, Qx, Qy)
        other_line = g(B, B, Wx, Wy)
        line.smul(other_line)
        r *= line

        hi, lo = big.bit(n3, i), big.bit(n, i)
        if hi == 1 and lo == 0:
            line = g(A, p, Qx, Qy)
            other_line = g(B, u, Wx, Wy)
            line.smul(other_line)
            r *= line
        elif hi == 0 and lo == 1:
            line = g(A, -p, Qx, Qy)
            other_line = g(B, -u, Wx, Wy)
            line.smul(other_line)
            r *= line

    # Adjustment for a negative curve parameter.
    if curve.SignOfX == NEGATIVEX:
        r.conj()

    if curve.PairingFriendly == BN:
        KA = p.copy()
        KA.frobenius()
        if curve.SignOfX == NEGATIVEX:
            A = -A
            B = -B
        line = g(A, KA, Qx, Qy)
        KA.frobenius()
        KA = -KA
        other_line = g(A, KA, Qx, Qy)
        line.smul(other_line)
        r *= line

        KB = u.copy()
        KB.frobenius()
        line = g(B, KB, Wx, Wy)
        KB.frobenius()
        KB = -KB
        other_line = g(B, KB, Wx, Wy)
        line.smul(other_line)
        r *= line

    return r
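def double_ate(P1, Q1, U1, V1):
    """Run one shared Miller loop for the pairs (P1, Q1) and (U1, V1).

    Returns the Fp12 accumulator before any final exponentiation. All
    four inputs are copied before being made affine.

    A pair whose second point is the point at infinity contributes
    nothing, so it is dropped and the remaining pair is passed to
    ate(). Without these guards the coordinates read from an infinite
    Q1 or V1 would be fed into the shared line evaluations.
    """
    if Q1.isinf():
        return ate(U1, V1)
    if V1.isinf():
        return ate(P1, Q1)

    nb, n3, n = lbits()
    P = P1.copy()
    Q = Q1.copy()
    U = U1.copy()
    V = V1.copy()
    P.affine()
    Q.affine()
    U.affine()
    V.affine()
    A = P.copy()  # presumably advanced in place by g() - confirm
    Qx, Qy = Q.getxy()
    B = U.copy()
    Wx, Wy = V.getxy()
    r = Fp12.one()

    # Miller loop
    for i in range(nb - 2, 0, -1):
        r.sqr()
        lv = g(A, A, Qx, Qy)
        lv2 = g(B, B, Wx, Wy)
        lv.smul(lv2)
        r *= lv
        if big.bit(n3, i) == 1 and big.bit(n, i) == 0:
            lv = g(A, P, Qx, Qy)
            lv2 = g(B, U, Wx, Wy)
            lv.smul(lv2)
            r *= lv
        if big.bit(n3, i) == 0 and big.bit(n, i) == 1:
            lv = g(A, -P, Qx, Qy)
            lv2 = g(B, -U, Wx, Wy)
            lv.smul(lv2)
            r *= lv

    # Adjustment for a negative curve parameter.
    if curve.SignOfX == NEGATIVEX:
        r.conj()

    if curve.PairingFriendly == BN:
        KA = P.copy()
        KA.frobenius()
        if curve.SignOfX == NEGATIVEX:
            A = -A
            B = -B
        lv = g(A, KA, Qx, Qy)
        KA.frobenius()
        KA = -KA
        lv2 = g(A, KA, Qx, Qy)
        lv.smul(lv2)
        r *= lv

        KB = U.copy()
        KB.frobenius()
        lv = g(B, KB, Wx, Wy)
        KB.frobenius()
        KB = -KB
        lv2 = g(B, KB, Wx, Wy)
        lv.smul(lv2)
        r *= lv

    return r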