2 * Copyright (C) 2017 - This file is part of libecc project
7 * Jean-Pierre FLORI <jean-pierre.flori@ssi.gouv.fr>
30 * prj_pt_init()). Returns 0 on success, -1 on error.
36 MUST_HAVE(((in != NULL) && (in->magic == PRJ_PT_MAGIC)), ret, err); in prj_pt_check_initialized()
37 ret = ec_shortw_crv_check_initialized(in->crv); in prj_pt_check_initialized()
45 * infinity. The function returns 0 on success, -1 on error.
55 ret = fp_init(&(in->X), curve->a.ctx); EG(ret, err); in prj_pt_init()
56 ret = fp_init(&(in->Y), curve->a.ctx); EG(ret, err); in prj_pt_init()
57 ret = fp_init(&(in->Z), curve->a.ctx); EG(ret, err); in prj_pt_init()
58 in->crv = curve; in prj_pt_init()
59 in->magic = PRJ_PT_MAGIC; in prj_pt_init()
67 * coordinates. The function returns 0 on success, -1 on error.
76 ret = fp_copy(&(in->X), xcoord); EG(ret, err); in prj_pt_init_from_coords()
77 ret = fp_copy(&(in->Y), ycoord); EG(ret, err); in prj_pt_init_from_coords()
78 ret = fp_copy(&(in->Z), zcoord); in prj_pt_init_from_coords()
86 * -1 on error. This is an error if passed point has not already been
91 if((in != NULL) && (in->magic == PRJ_PT_MAGIC) && (in->crv != NULL)){ in prj_pt_uninit()
92 in->crv = NULL; in prj_pt_uninit()
93 in->magic = WORD(0); in prj_pt_uninit()
95 fp_uninit(&(in->X)); in prj_pt_uninit()
96 fp_uninit(&(in->Y)); in prj_pt_uninit()
97 fp_uninit(&(in->Z)); in prj_pt_uninit()
106 * point is not the point at infinity. The function returns 0 on success, -1 on
114 ret = fp_iszero(&(in->Z), iszero); in prj_pt_iszero()
122 * returns 0 on success, -1 on error.
130 ret = fp_zero(&(out->X)); EG(ret, err); in prj_pt_zero()
131 ret = fp_one(&(out->Y)); EG(ret, err); in prj_pt_zero()
132 ret = fp_zero(&(out->Z)); in prj_pt_zero()
141 * The function returns 0 on success, -1 on error. 'on_curve' is not
158 ret = ec_shortw_crv_check_initialized(in->crv); EG(ret, err); in prj_pt_is_on_curve()
161 ret = fp_init(&X, in->X.ctx); EG(ret, err); in prj_pt_is_on_curve()
162 ret = fp_init(&Y, in->X.ctx); EG(ret, err); in prj_pt_is_on_curve()
163 ret = fp_init(&Z, in->X.ctx); EG(ret, err); in prj_pt_is_on_curve()
166 ret = fp_sqr(&X, &(in->X)); EG(ret, err); in prj_pt_is_on_curve()
167 ret = fp_mul(&X, &X, &(in->X)); EG(ret, err); in prj_pt_is_on_curve()
168 ret = fp_mul(&Z, &(in->X), &(in->crv->a)); EG(ret, err); in prj_pt_is_on_curve()
169 ret = fp_mul(&Y, &(in->crv->b), &(in->Z)); EG(ret, err); in prj_pt_is_on_curve()
171 ret = fp_mul(&Z, &Z, &(in->Z)); EG(ret, err); in prj_pt_is_on_curve()
172 ret = fp_mul(&Z, &Z, &(in->Z)); EG(ret, err); in prj_pt_is_on_curve()
176 ret = fp_sqr(&Y, &(in->Y)); EG(ret, err); in prj_pt_is_on_curve()
177 ret = fp_mul(&Y, &Y, &(in->Z)); EG(ret, err); in prj_pt_is_on_curve()
194 * the function. The function returns 0 on success, -1 on error. in prj_pt_copy()
202 ret = prj_pt_init(out, in->crv); EG(ret, err); in prj_pt_copy()
204 ret = fp_copy(&(out->X), &(in->X)); EG(ret, err); in prj_pt_copy()
205 ret = fp_copy(&(out->Y), &(in->Y)); EG(ret, err); in prj_pt_copy()
206 ret = fp_copy(&(out->Z), &(in->Z)); in prj_pt_copy()
214 * is initialized by the function. The function returns 0 on success, -1 on
227 ret = aff_pt_init(out, in->crv); EG(ret, err); in prj_pt_to_aff()
229 ret = fp_inv(&(out->x), &(in->Z)); EG(ret, err); in prj_pt_to_aff()
230 ret = fp_mul(&(out->y), &(in->Y), &(out->x)); EG(ret, err); in prj_pt_to_aff()
231 ret = fp_mul(&(out->x), &(in->X), &(out->x)); in prj_pt_to_aff()
239 * point). The function returns 0 on success, -1 on error.
254 ret = fp_init(&tmp, (in->Z).ctx); EG(ret, err); in prj_pt_unique()
255 ret = fp_inv(&tmp, &(in->Z)); EG(ret, err1); in prj_pt_unique()
256 ret = fp_mul(&(out->Y), &(in->Y), &tmp); EG(ret, err1); in prj_pt_unique()
257 ret = fp_mul(&(out->X), &(in->X), &tmp); EG(ret, err1); in prj_pt_unique()
258 ret = fp_one(&(out->Z)); EG(ret, err1); in prj_pt_unique()
263 ret = prj_pt_init(out, in->crv); EG(ret, err); in prj_pt_unique()
264 ret = fp_inv(&(out->X), &(in->Z)); EG(ret, err); in prj_pt_unique()
265 ret = fp_mul(&(out->Y), &(in->Y), &(out->X)); EG(ret, err); in prj_pt_unique()
266 ret = fp_mul(&(out->X), &(in->X), &(out->X)); EG(ret, err); in prj_pt_unique()
267 ret = fp_one(&(out->Z)); EG(ret, err); in prj_pt_unique()
277 * initialized by the function. The function returns 0 on success, -1 on error.
289 ret = prj_pt_init(out, in->crv); EG(ret, err); in ec_shortw_aff_to_prj()
290 ret = fp_copy(&(out->X), &(in->x)); EG(ret, err); in ec_shortw_aff_to_prj()
291 ret = fp_copy(&(out->Y), &(in->y)); EG(ret, err); in ec_shortw_aff_to_prj()
292 ret = nn_one(&(out->Z).fp_val); /* Z = 1 */ in ec_shortw_aff_to_prj()
299 * Compare projective points 'in1' and 'in2'. On success, 'cmp' is set to
300 * the result of the comparison (0 if in1 == in2, !0 if in1 != in2). The
301 * function returns 0 on success, -1 on error.
303 int prj_pt_cmp(prj_pt_src_t in1, prj_pt_src_t in2, int *cmp) in prj_pt_cmp() argument
311 ret = prj_pt_check_initialized(in2); EG(ret, err); in prj_pt_cmp()
313 MUST_HAVE((in1->crv == in2->crv), ret, err); in prj_pt_cmp()
315 ret = fp_init(&X1, (in1->X).ctx); EG(ret, err); in prj_pt_cmp()
316 ret = fp_init(&X2, (in2->X).ctx); EG(ret, err); in prj_pt_cmp()
317 ret = fp_init(&Y1, (in1->Y).ctx); EG(ret, err); in prj_pt_cmp()
318 ret = fp_init(&Y2, (in2->Y).ctx); EG(ret, err); in prj_pt_cmp()
325 ret = fp_mul_monty(&X1, &(in1->X), &(in2->Z)); EG(ret, err); in prj_pt_cmp()
326 ret = fp_mul_monty(&X2, &(in2->X), &(in1->Z)); EG(ret, err); in prj_pt_cmp()
327 ret = fp_mul_monty(&Y1, &(in1->Y), &(in2->Z)); EG(ret, err); in prj_pt_cmp()
328 ret = fp_mul_monty(&Y2, &(in2->Y), &(in1->Z)); EG(ret, err); in prj_pt_cmp()
330 ret = fp_mul_monty(&X1, &(in1->X), &(in2->Z)); EG(ret, err); in prj_pt_cmp()
331 ret = fp_mul_monty(&X2, &(in2->X), &(in1->Z)); EG(ret, err); in prj_pt_cmp()
332 ret = fp_mul_monty(&Y1, &(in1->Y), &(in2->Z)); EG(ret, err); in prj_pt_cmp()
333 ret = fp_mul_monty(&Y2, &(in2->Y), &(in1->Z)); EG(ret, err); in prj_pt_cmp()
351 * NOTE: this internal function assumes that the upper layer has checked that in1 and in2
354 ATTRIBUTE_WARN_UNUSED_RET static inline int _prj_pt_eq_or_opp_X(prj_pt_src_t in1, prj_pt_src_t in2,… in _prj_pt_eq_or_opp_X() argument
365 ret = fp_init(&X1, (in1->X).ctx); EG(ret, err); in _prj_pt_eq_or_opp_X()
366 ret = fp_init(&X2, (in2->X).ctx); EG(ret, err); in _prj_pt_eq_or_opp_X()
367 ret = fp_mul_monty(&X1, &(in1->X), &(in2->Z)); EG(ret, err); in _prj_pt_eq_or_opp_X()
368 ret = fp_mul_monty(&X2, &(in2->X), &(in1->Z)); EG(ret, err); in _prj_pt_eq_or_opp_X()
379 * NOTE: this internal function assumes that the upper layer has checked that in1 and in2
382 ATTRIBUTE_WARN_UNUSED_RET static inline int _prj_pt_eq_or_opp_Y(prj_pt_src_t in1, prj_pt_src_t in2,… in _prj_pt_eq_or_opp_Y() argument
393 ret = fp_init(&Y1, (in1->Y).ctx); EG(ret, err); in _prj_pt_eq_or_opp_Y()
394 ret = fp_init(&Y2, (in2->Y).ctx); EG(ret, err); in _prj_pt_eq_or_opp_Y()
395 ret = fp_mul_monty(&Y1, &(in1->Y), &(in2->Z)); EG(ret, err); in _prj_pt_eq_or_opp_Y()
396 ret = fp_mul_monty(&Y2, &(in2->Y), &(in1->Z)); EG(ret, err); in _prj_pt_eq_or_opp_Y()
407 * The functions tests if given projective points 'in1' and 'in2' are equal or
410 * 0 on success, -1 on error.
412 int prj_pt_eq_or_opp(prj_pt_src_t in1, prj_pt_src_t in2, int *eq_or_opp) in prj_pt_eq_or_opp() argument
417 ret = prj_pt_check_initialized(in2); EG(ret, err); in prj_pt_eq_or_opp()
418 MUST_HAVE((in1->crv == in2->crv), ret, err); in prj_pt_eq_or_opp()
421 ret = _prj_pt_eq_or_opp_X(in1, in2, &cmp); EG(ret, err); in prj_pt_eq_or_opp()
422 ret = _prj_pt_eq_or_opp_Y(in1, in2, &_eq_or_opp); in prj_pt_eq_or_opp()
433 * Returns 0 on success, -1 on failure.
442 ret = prj_pt_init(out, in->crv); EG(ret, err); in prj_pt_neg()
447 ret = fp_neg(&(out->Y), &(out->Y)); in prj_pt_neg()
460 * The function returns 0 on success, -1 on error.
473 ctx = crv->a.ctx; in prj_pt_import_from_buf()
474 coord_len = (u16)BYTECEIL(ctx->p_bitlen); in prj_pt_import_from_buf()
477 ret = fp_init_from_buf(&(pt->X), ctx, pt_buf, coord_len); EG(ret, err); in prj_pt_import_from_buf()
478 ret = fp_init_from_buf(&(pt->Y), ctx, pt_buf + coord_len, coord_len); EG(ret, err); in prj_pt_import_from_buf()
479 ret = fp_init_from_buf(&(pt->Z), ctx, pt_buf + (2 * coord_len), coord_len); EG(ret, err); in prj_pt_import_from_buf()
482 pt->crv = crv; in prj_pt_import_from_buf()
485 pt->magic = PRJ_PT_MAGIC; in prj_pt_import_from_buf()
493 ret = -1; in prj_pt_import_from_buf()
509 * The function returns 0 on success, -1 on error.
522 ctx = crv->a.ctx; in prj_pt_import_from_aff_buf()
523 coord_len = (u16)BYTECEIL(ctx->p_bitlen); in prj_pt_import_from_aff_buf()
526 ret = fp_init_from_buf(&(pt->X), ctx, pt_buf, coord_len); EG(ret, err); in prj_pt_import_from_aff_buf()
527 ret = fp_init_from_buf(&(pt->Y), ctx, pt_buf + coord_len, coord_len); EG(ret, err); in prj_pt_import_from_aff_buf()
529 ret = fp_init(&(pt->Z), ctx); EG(ret, err); in prj_pt_import_from_aff_buf()
530 ret = fp_one(&(pt->Z)); EG(ret, err); in prj_pt_import_from_aff_buf()
533 pt->crv = crv; in prj_pt_import_from_aff_buf()
536 pt->magic = PRJ_PT_MAGIC; in prj_pt_import_from_aff_buf()
544 ret = -1; in prj_pt_import_from_aff_buf()
560 * The function returns 0 on success, -1 on error.
576 ctx = pt->crv->a.ctx; in prj_pt_export_to_buf()
577 coord_len = (u16)BYTECEIL(ctx->p_bitlen); in prj_pt_export_to_buf()
581 ret = fp_export_to_buf(pt_buf, coord_len, &(pt->X)); EG(ret, err); in prj_pt_export_to_buf()
582 ret = fp_export_to_buf(pt_buf + coord_len, coord_len, &(pt->Y)); EG(ret, err); in prj_pt_export_to_buf()
583 ret = fp_export_to_buf(pt_buf + (2 * coord_len), coord_len, &(pt->Z)); in prj_pt_export_to_buf()
598 * The function returns 0 on success, -1 on error.
633 * - in is initialized
634 * - in and out must not be aliased
636 * The function will initialize 'out'. The function returns 0 on success, -1
647 ret = prj_pt_init(out, in->crv); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
649 ret = fp_init(&XX, out->crv->a.ctx); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
650 ret = fp_init(&ZZ, out->crv->a.ctx); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
651 ret = fp_init(&w, out->crv->a.ctx); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
652 ret = fp_init(&s, out->crv->a.ctx); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
653 ret = fp_init(&ss, out->crv->a.ctx); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
654 ret = fp_init(&sss, out->crv->a.ctx); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
655 ret = fp_init(&R, out->crv->a.ctx); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
656 ret = fp_init(&RR, out->crv->a.ctx); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
657 ret = fp_init(&B, out->crv->a.ctx); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
658 ret = fp_init(&h, out->crv->a.ctx); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
661 ret = fp_sqr_monty(&XX, &(in->X)); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
664 ret = fp_sqr_monty(&ZZ, &(in->Z)); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
667 ret = fp_mul_monty(&w, &(in->crv->a_monty), &ZZ); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
673 ret = fp_mul_monty(&s, &(in->Y), &(in->Z)); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
683 ret = fp_mul_monty(&R, &(in->Y), &s); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
688 /* B = (X1+R)²-XX-RR */ in __prj_pt_dbl_monty_no_cf()
689 ret = fp_add_monty(&R, &R, &(in->X)); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
694 /* h = w²-2*B */ in __prj_pt_dbl_monty_no_cf()
700 ret = fp_mul_monty(&(out->X), &h, &s); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
702 /* Y3 = w*(B-h)-2*RR */ in __prj_pt_dbl_monty_no_cf()
704 ret = fp_mul_monty(&(out->Y), &w, &B); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
705 ret = fp_sub_monty(&(out->Y), &(out->Y), &RR); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
706 ret = fp_sub_monty(&(out->Y), &(out->Y), &RR); EG(ret, err); in __prj_pt_dbl_monty_no_cf()
709 ret = fp_copy(&(out->Z), &sss); in __prj_pt_dbl_monty_no_cf()
730 * - in1 and in2 are initialized
731 * - in1 and in2 are on the same curve
732 * - in1/in2 and out must not be aliased
733 * - in1 and in2 must not be equal, opposite or have identical value
735 * The function will initialize 'out'. The function returns 0 on success, -1
740 prj_pt_src_t in2) in ___prj_pt_add_monty_no_cf() argument
747 ret = prj_pt_init(out, in1->crv); EG(ret, err); in ___prj_pt_add_monty_no_cf()
749 ret = fp_init(&Y1Z2, out->crv->a.ctx); EG(ret, err); in ___prj_pt_add_monty_no_cf()
750 ret = fp_init(&X1Z2, out->crv->a.ctx); EG(ret, err); in ___prj_pt_add_monty_no_cf()
751 ret = fp_init(&Z1Z2, out->crv->a.ctx); EG(ret, err); in ___prj_pt_add_monty_no_cf()
752 ret = fp_init(&u, out->crv->a.ctx); EG(ret, err); in ___prj_pt_add_monty_no_cf()
753 ret = fp_init(&uu, out->crv->a.ctx); EG(ret, err); in ___prj_pt_add_monty_no_cf()
754 ret = fp_init(&v, out->crv->a.ctx); EG(ret, err); in ___prj_pt_add_monty_no_cf()
755 ret = fp_init(&vv, out->crv->a.ctx); EG(ret, err); in ___prj_pt_add_monty_no_cf()
756 ret = fp_init(&vvv, out->crv->a.ctx); EG(ret, err); in ___prj_pt_add_monty_no_cf()
757 ret = fp_init(&R, out->crv->a.ctx); EG(ret, err); in ___prj_pt_add_monty_no_cf()
758 ret = fp_init(&A, out->crv->a.ctx); EG(ret, err); in ___prj_pt_add_monty_no_cf()
761 ret = fp_mul_monty(&Y1Z2, &(in1->Y), &(in2->Z)); EG(ret, err); in ___prj_pt_add_monty_no_cf()
764 ret = fp_mul_monty(&X1Z2, &(in1->X), &(in2->Z)); EG(ret, err); in ___prj_pt_add_monty_no_cf()
767 ret = fp_mul_monty(&Z1Z2, &(in1->Z), &(in2->Z)); EG(ret, err); in ___prj_pt_add_monty_no_cf()
769 /* u = Y2*Z1-Y1Z2 */ in ___prj_pt_add_monty_no_cf()
770 ret = fp_mul_monty(&u, &(in2->Y), &(in1->Z)); EG(ret, err); in ___prj_pt_add_monty_no_cf()
776 /* v = X2*Z1-X1Z2 */ in ___prj_pt_add_monty_no_cf()
777 ret = fp_mul_monty(&v, &(in2->X), &(in1->Z)); EG(ret, err); in ___prj_pt_add_monty_no_cf()
789 /* A = uu*Z1Z2-vvv-2*R */ in ___prj_pt_add_monty_no_cf()
796 ret = fp_mul_monty(&(out->X), &v, &A); EG(ret, err); in ___prj_pt_add_monty_no_cf()
798 /* Y3 = u*(R-A)-vvv*Y1Z2 */ in ___prj_pt_add_monty_no_cf()
800 ret = fp_mul_monty(&(out->Y), &u, &R); EG(ret, err); in ___prj_pt_add_monty_no_cf()
802 ret = fp_sub_monty(&(out->Y), &(out->Y), &R); EG(ret, err); in ___prj_pt_add_monty_no_cf()
805 ret = fp_mul_monty(&(out->Z), &vvv, &Z1Z2); in ___prj_pt_add_monty_no_cf()
824 * where the inputs are zero or opposite. Returns 0 on success, -1 on error.
826 …RN_UNUSED_RET static int __prj_pt_add_monty_no_cf(prj_pt_t out, prj_pt_src_t in1, prj_pt_src_t in2) in __prj_pt_add_monty_no_cf() argument
831 ret = prj_pt_check_initialized(in2); EG(ret, err); in __prj_pt_add_monty_no_cf()
832 MUST_HAVE((in1->crv == in2->crv), ret, err); in __prj_pt_add_monty_no_cf()
836 /* in1 at infinity, output in2 in all cases */ in __prj_pt_add_monty_no_cf()
837 ret = prj_pt_init(out, in2->crv); EG(ret, err); in __prj_pt_add_monty_no_cf()
838 ret = prj_pt_copy(out, in2); EG(ret, err); in __prj_pt_add_monty_no_cf()
840 /* in1 not at infinity, output in2 */ in __prj_pt_add_monty_no_cf()
841 ret = prj_pt_iszero(in2, &iszero); EG(ret, err); in __prj_pt_add_monty_no_cf()
843 /* in2 at infinity, output in1 */ in __prj_pt_add_monty_no_cf()
844 ret = prj_pt_init(out, in1->crv); EG(ret, err); in __prj_pt_add_monty_no_cf()
847 /* neither in1, nor in2 at infinity */ in __prj_pt_add_monty_no_cf()
850 * The following test which guarantees in1 and in2 are not in __prj_pt_add_monty_no_cf()
856 ret = prj_pt_eq_or_opp(in1, in2, &eq_or_opp); EG(ret, err); in __prj_pt_add_monty_no_cf()
858 /* in1 and in2 are either equal or opposite */ in __prj_pt_add_monty_no_cf()
859 ret = prj_pt_cmp(in1, in2, &cmp); EG(ret, err); in __prj_pt_add_monty_no_cf()
861 /* in1 == in2 => doubling w/o cf */ in __prj_pt_add_monty_no_cf()
864 /* in1 == -in2 => output zero (point at infinity) */ in __prj_pt_add_monty_no_cf()
865 ret = prj_pt_init(out, in1->crv); EG(ret, err); in __prj_pt_add_monty_no_cf()
870 * in1 and in2 are neither 0, nor equal or in __prj_pt_add_monty_no_cf()
874 ret = ___prj_pt_add_monty_no_cf(out, in1, in2); EG(ret, err); in __prj_pt_add_monty_no_cf()
890 * http://www.hyperelliptic.org/EFD/g1p/auto-shortw-projective.html#doubling-dbl-2007-bl
898 ret = prj_pt_init(out, in->crv); EG(ret, err); in __prj_pt_dbl_monty_cf()
900 ret = fp_init(&t0, out->crv->a.ctx); EG(ret, err); in __prj_pt_dbl_monty_cf()
901 ret = fp_init(&t1, out->crv->a.ctx); EG(ret, err); in __prj_pt_dbl_monty_cf()
902 ret = fp_init(&t2, out->crv->a.ctx); EG(ret, err); in __prj_pt_dbl_monty_cf()
903 ret = fp_init(&t3, out->crv->a.ctx); EG(ret, err); in __prj_pt_dbl_monty_cf()
905 ret = fp_mul_monty(&t0, &in->X, &in->X); EG(ret, err); in __prj_pt_dbl_monty_cf()
906 ret = fp_mul_monty(&t1, &in->Y, &in->Y); EG(ret, err); in __prj_pt_dbl_monty_cf()
907 ret = fp_mul_monty(&t2, &in->Z, &in->Z); EG(ret, err); in __prj_pt_dbl_monty_cf()
908 ret = fp_mul_monty(&t3, &in->X, &in->Y); EG(ret, err); in __prj_pt_dbl_monty_cf()
911 ret = fp_mul_monty(&out->Z, &in->X, &in->Z); EG(ret, err); in __prj_pt_dbl_monty_cf()
912 ret = fp_add_monty(&out->Z, &out->Z, &out->Z); EG(ret, err); in __prj_pt_dbl_monty_cf()
913 ret = fp_mul_monty(&out->X, &in->crv->a_monty, &out->Z); EG(ret, err); in __prj_pt_dbl_monty_cf()
914 ret = fp_mul_monty(&out->Y, &in->crv->b3_monty, &t2); EG(ret, err); in __prj_pt_dbl_monty_cf()
915 ret = fp_add_monty(&out->Y, &out->X, &out->Y); EG(ret, err); in __prj_pt_dbl_monty_cf()
917 ret = fp_sub_monty(&out->X, &t1, &out->Y); EG(ret, err); in __prj_pt_dbl_monty_cf()
918 ret = fp_add_monty(&out->Y, &t1, &out->Y); EG(ret, err); in __prj_pt_dbl_monty_cf()
919 ret = fp_mul_monty(&out->Y, &out->X, &out->Y); EG(ret, err); in __prj_pt_dbl_monty_cf()
920 ret = fp_mul_monty(&out->X, &t3, &out->X); EG(ret, err); in __prj_pt_dbl_monty_cf()
921 ret = fp_mul_monty(&out->Z, &in->crv->b3_monty, &out->Z); EG(ret, err); in __prj_pt_dbl_monty_cf()
923 ret = fp_mul_monty(&t2, &in->crv->a_monty, &t2); EG(ret, err); in __prj_pt_dbl_monty_cf()
925 ret = fp_mul_monty(&t3, &in->crv->a_monty, &t3); EG(ret, err); in __prj_pt_dbl_monty_cf()
926 ret = fp_add_monty(&t3, &t3, &out->Z); EG(ret, err); in __prj_pt_dbl_monty_cf()
927 ret = fp_add_monty(&out->Z, &t0, &t0); EG(ret, err); in __prj_pt_dbl_monty_cf()
929 ret = fp_add_monty(&t0, &out->Z, &t0); EG(ret, err); in __prj_pt_dbl_monty_cf()
932 ret = fp_add_monty(&out->Y, &out->Y, &t0); EG(ret, err); in __prj_pt_dbl_monty_cf()
933 ret = fp_mul_monty(&t2, &in->Y, &in->Z); EG(ret, err); in __prj_pt_dbl_monty_cf()
937 ret = fp_sub_monty(&out->X, &out->X, &t0); EG(ret, err); in __prj_pt_dbl_monty_cf()
938 ret = fp_mul_monty(&out->Z, &t2, &t1); EG(ret, err); in __prj_pt_dbl_monty_cf()
939 ret = fp_add_monty(&out->Z, &out->Z, &out->Z); EG(ret, err); in __prj_pt_dbl_monty_cf()
941 ret = fp_add_monty(&out->Z, &out->Z, &out->Z); in __prj_pt_dbl_monty_cf()
955 * http://www.hyperelliptic.org/EFD/g1p/auto-shortw-projective.html#addition-add-1998-cmo-2
962 * - in1 and in2 are initialized
963 * - in1 and in2 are on the same curve
964 * - in1/in2 and out must not be aliased
965 * - in1 and in2 must not be an "exceptional" pair, i.e. (in1-in2) is not a point
968 * The function will initialize 'out'. The function returns 0 on success, -1
973 prj_pt_src_t in2) in __prj_pt_add_monty_cf() argument
981 ret = prj_pt_init(out, in1->crv); EG(ret, err); in __prj_pt_add_monty_cf()
983 ret = fp_init(&t0, out->crv->a.ctx); EG(ret, err); in __prj_pt_add_monty_cf()
984 ret = fp_init(&t1, out->crv->a.ctx); EG(ret, err); in __prj_pt_add_monty_cf()
985 ret = fp_init(&t2, out->crv->a.ctx); EG(ret, err); in __prj_pt_add_monty_cf()
986 ret = fp_init(&t3, out->crv->a.ctx); EG(ret, err); in __prj_pt_add_monty_cf()
987 ret = fp_init(&t4, out->crv->a.ctx); EG(ret, err); in __prj_pt_add_monty_cf()
988 ret = fp_init(&t5, out->crv->a.ctx); EG(ret, err); in __prj_pt_add_monty_cf()
990 ret = fp_mul_monty(&t0, &in1->X, &in2->X); EG(ret, err); in __prj_pt_add_monty_cf()
991 ret = fp_mul_monty(&t1, &in1->Y, &in2->Y); EG(ret, err); in __prj_pt_add_monty_cf()
992 ret = fp_mul_monty(&t2, &in1->Z, &in2->Z); EG(ret, err); in __prj_pt_add_monty_cf()
993 ret = fp_add_monty(&t3, &in1->X, &in1->Y); EG(ret, err); in __prj_pt_add_monty_cf()
994 ret = fp_add_monty(&t4, &in2->X, &in2->Y); EG(ret, err); in __prj_pt_add_monty_cf()
999 ret = fp_add_monty(&t4, &in1->X, &in1->Z); EG(ret, err); in __prj_pt_add_monty_cf()
1000 ret = fp_add_monty(&t5, &in2->X, &in2->Z); EG(ret, err); in __prj_pt_add_monty_cf()
1005 ret = fp_add_monty(&t5, &in1->Y, &in1->Z); EG(ret, err); in __prj_pt_add_monty_cf()
1006 ret = fp_add_monty(&out->X, &in2->Y, &in2->Z); EG(ret, err); in __prj_pt_add_monty_cf()
1008 ret = fp_mul_monty(&t5, &t5, &out->X); EG(ret, err); in __prj_pt_add_monty_cf()
1009 ret = fp_add_monty(&out->X, &t1, &t2); EG(ret, err); in __prj_pt_add_monty_cf()
1010 ret = fp_sub_monty(&t5, &t5, &out->X); EG(ret, err); in __prj_pt_add_monty_cf()
1011 ret = fp_mul_monty(&out->Z, &in1->crv->a_monty, &t4); EG(ret, err); in __prj_pt_add_monty_cf()
1012 ret = fp_mul_monty(&out->X, &in1->crv->b3_monty, &t2); EG(ret, err); in __prj_pt_add_monty_cf()
1014 ret = fp_add_monty(&out->Z, &out->X, &out->Z); EG(ret, err); in __prj_pt_add_monty_cf()
1015 ret = fp_sub_monty(&out->X, &t1, &out->Z); EG(ret, err); in __prj_pt_add_monty_cf()
1016 ret = fp_add_monty(&out->Z, &t1, &out->Z); EG(ret, err); in __prj_pt_add_monty_cf()
1017 ret = fp_mul_monty(&out->Y, &out->X, &out->Z); EG(ret, err); in __prj_pt_add_monty_cf()
1021 ret = fp_mul_monty(&t2, &in1->crv->a_monty, &t2); EG(ret, err); in __prj_pt_add_monty_cf()
1022 ret = fp_mul_monty(&t4, &in1->crv->b3_monty, &t4); EG(ret, err); in __prj_pt_add_monty_cf()
1026 ret = fp_mul_monty(&t2, &in1->crv->a_monty, &t2); EG(ret, err); in __prj_pt_add_monty_cf()
1029 ret = fp_add_monty(&out->Y, &out->Y, &t0); EG(ret, err); in __prj_pt_add_monty_cf()
1032 ret = fp_mul_monty(&out->X, &t3, &out->X); EG(ret, err); in __prj_pt_add_monty_cf()
1033 ret = fp_sub_monty(&out->X, &out->X, &t0); EG(ret, err); in __prj_pt_add_monty_cf()
1035 ret = fp_mul_monty(&out->Z, &t5, &out->Z); EG(ret, err); in __prj_pt_add_monty_cf()
1036 ret = fp_add_monty(&out->Z, &out->Z, &t0); in __prj_pt_add_monty_cf()
1039 * checking if Y = Z = 0 as output (see the Bosma-Lenstra in __prj_pt_add_monty_cf()
1056 * side-channel attacks. in __prj_pt_add_monty_cf()
1058 ret = fp_iszero(&(out->Z), &cmp1); EG(ret, err); in __prj_pt_add_monty_cf()
1059 ret = fp_iszero(&(out->Y), &cmp2); EG(ret, err); in __prj_pt_add_monty_cf()
1077 * - not supporting aliasing,
1078 * - requiring caller to check in parameter is initialized
1091 ret = prj_pt_init(out, in->crv); EG(ret, err); in _prj_pt_dbl_monty()
1130 * The function returns 0 on success, -1 on error.
1151 * - not supporting aliasing,
1152 * - requiring caller to check in1 and in2 parameter
1159 prj_pt_src_t in2) in _prj_pt_add_monty() argument
1162 return __prj_pt_add_monty_cf(out, in1, in2); in _prj_pt_add_monty()
1164 return __prj_pt_add_monty_no_cf(out, in1, in2); in _prj_pt_add_monty()
1172 * - in1 and in2 are initialized
1173 * - in1 and in2 are on the same curve
1175 * The function will initialize 'out'. The function returns 0 on success, -1
1180 prj_pt_src_t in2) in _prj_pt_add_monty_aliased() argument
1186 ret = _prj_pt_add_monty(&out_cpy, in1, in2); EG(ret, err); in _prj_pt_add_monty_aliased()
1197 * init checks of 'in1' and 'in2' parameters, along with the check they
1200 * 'in1' or 'in2' parameter.
1202 * The function returns 0 on success, -1 on error.
1204 int prj_pt_add(prj_pt_t out, prj_pt_src_t in1, prj_pt_src_t in2) in prj_pt_add() argument
1209 ret = prj_pt_check_initialized(in2); EG(ret, err); in prj_pt_add()
1210 MUST_HAVE((in1->crv == in2->crv), ret, err); in prj_pt_add()
1212 if ((out == in1) || (out == in2)) { in prj_pt_add()
1213 ret = _prj_pt_add_monty_aliased(out, in1, in2); in prj_pt_add()
1215 ret = _prj_pt_add_monty(out, in1, in2); in prj_pt_add()
1228 * Double-and-Add-Always and Montgomery Ladder masked using Itoh et al. anti-ADPA
1229 * (Address-bit DPA) countermeasure.
1230 * See "A Practical Countermeasure against Address-Bit Differential Power Analysis"
1233 * NOTE: these masked variants of the Double-and-Add-Always and Montgomery Ladder algorithms
1244 * - The scalar m is < q (the order), in this case we compute:
1245 * -
1248 * -
1249 * - The scalar m is >= q and < q**2, in this case we compute:
1250 * -
1253 * -
1254 * - The scalar m is >= (q**2), in this case m == m'
1258 * anyways). In the two first cases, Double-and-Add-Always and Montgomery Ladder are
1271 /* NOTE: to limit stack usage, we reuse out->Z as a temporary in _blind_projective_point()
1276 ret = prj_pt_init(out, in->crv); EG(ret, err); in _blind_projective_point()
1279 ret = fp_get_random(&(out->Z), in->X.ctx); EG(ret, err); in _blind_projective_point()
1285 ret = fp_mul_monty(&(out->X), &(in->X), &(out->Z)); EG(ret, err); in _blind_projective_point()
1286 ret = fp_mul_monty(&(out->Y), &(in->Y), &(out->Z)); EG(ret, err); in _blind_projective_point()
1287 ret = fp_mul_monty(&(out->Z), &(in->Z), &(out->Z)); in _blind_projective_point()
1296 * et al. countermeasure against A-DPA as it is quite consuming.
1336 curve_order = &(in->crv->order); in _prj_pt_mul_ltr_monty_dbl_add_always()
1368 mlen--; in _prj_pt_mul_ltr_monty_dbl_add_always()
1381 ret = prj_pt_init(&T[0], in->crv); EG(ret, err); in _prj_pt_mul_ltr_monty_dbl_add_always()
1382 ret = prj_pt_init(&T[1], in->crv); EG(ret, err); in _prj_pt_mul_ltr_monty_dbl_add_always()
1391 /* T[r[n-1]] = T[2] */ in _prj_pt_mul_ltr_monty_dbl_add_always()
1397 --mlen; in _prj_pt_mul_ltr_monty_dbl_add_always()
1415 /* Add: T[1-r[i+1]] = ECADD(T[r[i+1]],T[2]) */ in _prj_pt_mul_ltr_monty_dbl_add_always()
1416 ret_ops |= prj_pt_add(&T[1-rbit], &T[rbit], &T[2]); in _prj_pt_mul_ltr_monty_dbl_add_always()
1483 curve_order = &(in->crv->order); in _prj_pt_mul_ltr_monty_dbl_add_always()
1519 mlen--; in _prj_pt_mul_ltr_monty_dbl_add_always()
1526 ret = prj_pt_init(&dbl, in->crv); EG(ret, err2); in _prj_pt_mul_ltr_monty_dbl_add_always()
1530 --mlen; in _prj_pt_mul_ltr_monty_dbl_add_always()
1546 ret = nn_cnd_swap(!mbit, &(out->X.fp_val), &(dbl.X.fp_val)); EG(ret, err2); in _prj_pt_mul_ltr_monty_dbl_add_always()
1547 ret = nn_cnd_swap(!mbit, &(out->Y.fp_val), &(dbl.Y.fp_val)); EG(ret, err2); in _prj_pt_mul_ltr_monty_dbl_add_always()
1548 ret = nn_cnd_swap(!mbit, &(out->Z.fp_val), &(dbl.Z.fp_val)); EG(ret, err2); in _prj_pt_mul_ltr_monty_dbl_add_always()
1588 curve_order = &(in->crv->order); in _prj_pt_mul_ltr_monty_ladder()
1623 mlen--; in _prj_pt_mul_ltr_monty_ladder()
1636 ret = prj_pt_init(&T[0], in->crv); EG(ret, err); in _prj_pt_mul_ltr_monty_ladder()
1637 ret = prj_pt_init(&T[1], in->crv); EG(ret, err); in _prj_pt_mul_ltr_monty_ladder()
1638 ret = prj_pt_init(&T[2], in->crv); EG(ret, err); in _prj_pt_mul_ltr_monty_ladder()
1640 /* Initialize T[r[n-1]] to input point */ in _prj_pt_mul_ltr_monty_ladder()
1647 /* Initialize T[1-r[n-1]] with ECDBL(T[r[n-1]])) */ in _prj_pt_mul_ltr_monty_ladder()
1654 ret_ops |= prj_pt_add(&T[1-rbit], &T[rbit], &T[rbit]); in _prj_pt_mul_ltr_monty_ladder()
1656 ret_ops |= prj_pt_dbl(&T[1-rbit], &T[rbit]); in _prj_pt_mul_ltr_monty_ladder()
1662 --mlen; in _prj_pt_mul_ltr_monty_ladder()
1683 /* T[0] = T[2-(d[i] ^ r[i])] */ in _prj_pt_mul_ltr_monty_ladder()
1688 ret = nn_copy(&(T[0].X.fp_val), &(T[2-(mbit ^ rbit_next)].X.fp_val)); EG(ret, err); in _prj_pt_mul_ltr_monty_ladder()
1689 ret = nn_copy(&(T[0].Y.fp_val), &(T[2-(mbit ^ rbit_next)].Y.fp_val)); EG(ret, err); in _prj_pt_mul_ltr_monty_ladder()
1690 ret = nn_copy(&(T[0].Z.fp_val), &(T[2-(mbit ^ rbit_next)].Z.fp_val)); EG(ret, err); in _prj_pt_mul_ltr_monty_ladder()
1744 ret = prj_pt_init(&out_cpy, in->crv); EG(ret, err); in _prj_pt_mul_ltr_monty_aliased()
1799 q = &(in->crv->order); in prj_pt_mul_blind()
1860 explen = (bitcnt_t)(explen - 1); in __prj_pt_unprotected_mult()
1864 explen = (bitcnt_t)(explen - 1); in __prj_pt_unprotected_mult()
1906 * The function returns 0 on success, -1 on error. The value check is set to 1 if the projective
1946 …* Point at infinity (0, 1) -> (0, 1, 0) is treated as an exception, which is trivially not con…
1950 * The function returns 0 on success, -1 on error.
1964 ret = curve_edwards_shortw_check(in_edwards->crv, shortw_crv, alpha_edwards); EG(ret, err); in aff_pt_edwards_to_prj_pt_shortw()
1969 ret = fp_init(&one, in_edwards->x.ctx); EG(ret, err); in aff_pt_edwards_to_prj_pt_shortw()
1976 ret = fp_iszero(&(in_edwards->x), &iszero); EG(ret, err); in aff_pt_edwards_to_prj_pt_shortw()
1977 ret = fp_cmp(&(in_edwards->y), &one, &cmp); EG(ret, err); in aff_pt_edwards_to_prj_pt_shortw()
1998 …* Point at infinity with Z=0 (in projective coordinates) -> (0, 1) is treated as an exception,…
2002 * The function returns 0 on success, -1 on error.
2015 ret = curve_edwards_shortw_check(edwards_crv, in_shortw->crv, alpha_edwards); EG(ret, err); in prj_pt_shortw_to_aff_pt_edwards()
2018 ret = aff_pt_init(&in_shortw_aff, in_shortw->crv); EG(ret, err); in prj_pt_shortw_to_aff_pt_edwards()
2029 ret = fp_init(&zero, in_shortw->X.ctx); EG(ret, err1); in prj_pt_shortw_to_aff_pt_edwards()
2030 ret = fp_init(&one, in_shortw->X.ctx); EG(ret, err1); in prj_pt_shortw_to_aff_pt_edwards()
2058 * The function returns 0 on success, -1 on error.
2070 ret = curve_montgomery_shortw_check(in_montgomery->crv, shortw_crv); EG(ret, err); in aff_pt_montgomery_to_prj_pt_shortw()
2089 * The function returns 0 on success, -1 on error.
2099 ret = curve_montgomery_shortw_check(montgomery_crv, in_shortw->crv); EG(ret, err); in prj_pt_shortw_to_aff_pt_montgomery()
2102 ret = aff_pt_init(&in_shortw_aff, in_shortw->crv); EG(ret, err); in prj_pt_shortw_to_aff_pt_montgomery()