forked from xuos/xiuos
				
			
		
			
				
	
	
		
			970 lines
		
	
	
		
			22 KiB
		
	
	
	
		
			C
		
	
	
		
			Executable File
		
	
	
			
		
		
	
	
			970 lines
		
	
	
		
			22 KiB
		
	
	
	
		
			C
		
	
	
		
			Executable File
		
	
	
| /*
 | |
| * Copyright (c) 2020 AIIT Ubiquitous Team
 | |
| * XiUOS is licensed under Mulan PSL v2.
 | |
| * You can use this software according to the terms and conditions of the Mulan PSL v2.
 | |
| * You may obtain a copy of Mulan PSL v2 at:
 | |
| *        http://license.coscl.org.cn/MulanPSL2
 | |
| * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
 | |
| * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
 | |
| * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
 | |
| * See the Mulan PSL v2 for more details.
 | |
| */
 | |
| 
 | |
| /**
 | |
| * @file qn.c
 | |
| * @brief arithmetic in extention field, and arithmetic in group G2, frobenius and LastPower in BiLinearPairing
 | |
| * @version 1.0 
 | |
| * @author AIIT Ubiquitous Team
 | |
| * @date 2021-04-24
 | |
| */
 | |
| #include <qn.h>
 | |
| 
 | |
| big8w t; // sm9 ecc parameter
 | |
| big8w qnr; // (-1/2) mod curve.q
 | |
| big8w frobenius_constant_1[12];
 | |
| big8w frobenius_constant_2[12];
 | |
| /**
 | |
|  * @brief print the point in group G2
 | |
|  * 
 | |
|  * @param point a pointer of point in group G2
 | |
|  * 
 | |
|  * @return null
 | |
|  * 
 | |
|  */
 | |
| void G2pointPrint(G2point* point) 
 | |
| {
 | |
| 	Big8wPrint(&point->x.high);
 | |
| 	Big8wPrint(&point->x.low);
 | |
| 	Big8wPrint(&point->y.high);
 | |
| 	Big8wPrint(&point->y.low);
 | |
| }
 | |
| /**
 | |
|  * @brief print a number in Fq12
 | |
|  * 
 | |
|  * @param number a pointer of number in Fq12
 | |
|  * 
 | |
|  * @return null
 | |
|  * 
 | |
|  */
 | |
| void Q12Print(q12* number)
 | |
| {
 | |
| 	Big8wPrint(&number->high.high.high);
 | |
| 	Big8wPrint(&number->high.high.low);
 | |
| 	Big8wPrint(&number->high.low.high);
 | |
| 	Big8wPrint(&number->high.low.low);
 | |
| 
 | |
| 	Big8wPrint(&number->mid.high.high);
 | |
| 	Big8wPrint(&number->mid.high.low);
 | |
| 	Big8wPrint(&number->mid.low.high);
 | |
| 	Big8wPrint(&number->mid.low.low);
 | |
| 
 | |
| 	Big8wPrint(&number->low.high.high);
 | |
| 	Big8wPrint(&number->low.high.low);
 | |
| 	Big8wPrint(&number->low.low.high);
 | |
| 	Big8wPrint(&number->low.low.low);
 | |
| }
 | |
| /**
 | |
|  * @brief convert q12 to big_12big
 | |
|  * 
 | |
|  * @param num pointer of number in Fq12
 | |
|  * @param ret pointer of big_12big, store the result
 | |
|  * 
 | |
|  * @result ret
 | |
|  * 
 | |
|  */
 | |
| void Q12To12big(q12* num, big_12big* ret)
 | |
| {
 | |
| 	ret->word[0] = num->high.high.high;
 | |
| 	ret->word[1] = num->high.high.low;
 | |
| 	ret->word[2] = num->high.low.high;
 | |
| 	ret->word[3] = num->high.low.low;
 | |
| 
 | |
| 	ret->word[4] = num->mid.high.high;
 | |
| 	ret->word[5] = num->mid.high.low;
 | |
| 	ret->word[6] = num->mid.low.high;
 | |
| 	ret->word[7] = num->mid.low.low;
 | |
| 
 | |
| 	ret->word[8] = num->low.high.high;
 | |
| 	ret->word[9] = num->low.high.low;
 | |
| 	ret->word[10] = num->low.low.high;
 | |
| 	ret->word[11] = num->low.low.low;
 | |
| }
 | |
| /**
 | |
|  * @brief set a number in Fq12 to 0
 | |
|  * 
 | |
|  * @param num pointer of a number in Fq12
 | |
|  * 
 | |
|  * @resulr num
 | |
|  * 
 | |
|  */
 | |
| void Q2Zero(q2* num)
 | |
| {
 | |
| 	memset(num->high.word, 0x00, BIG8W_BYTESIZE);
 | |
| 	memset(num->low.word, 0x00, BIG8W_BYTESIZE);
 | |
| }
 | |
| /**
 | |
|  * @brief set a number in Fq4 to 0
 | |
|  * 
 | |
|  * @param num number in Fq4
 | |
|  * 
 | |
|  * @result num
 | |
|  * 
 | |
|  */
 | |
| void Q4Zero(q4* num)
 | |
| {
 | |
| 	Q2Zero(&num->high);
 | |
| 	Q2Zero(&num->low);
 | |
| }
 | |
| /**
 | |
|  * @brief set a number in Fq12 to 0
 | |
|  * 
 | |
|  * @param num pointer of a number in Fq12
 | |
|  * 
 | |
|  * @result num
 | |
|  * 
 | |
|  */
 | |
| void Q12Zero(q12* num)
 | |
| {
 | |
| 	Q4Zero(&num->high);
 | |
| 	Q4Zero(&num->mid);
 | |
| 	Q4Zero(&num->low);
 | |
| }
 | |
| /**
 | |
|  * @brief return num1 == num2
 | |
|  * 
 | |
|  * @param num1 pointer of the first number in Fq2
 | |
|  * @param num2 pointer of the second number in Fq2
 | |
|  * 
 | |
|  * @return true if num1 == num2; else false
 | |
|  * 
 | |
|  */
 | |
| bool Q2Equal(q2* num1, q2* num2)
 | |
| {
 | |
| 	return Big8wEqual(&num1->high, &num2->high) 
 | |
| 		&& Big8wEqual(&num1->low, &num2->low);
 | |
| }
 | |
| /**
 | |
|  * @brief return (num1 + num2)
 | |
|  * 
 | |
|  * @param num1 the first number in Fq2
 | |
|  * @param num2 the second number in Fq2
 | |
|  * 
 | |
|  * @return ret, a number in Fq2, ret = num1 + num2.
 | |
|  */
 | |
| q2 Q2Add(q2 num1, q2 num2)
 | |
| {
 | |
| 	q2 ret;
 | |
| 
 | |
| 	ret.high = Big8wAddMod(num1.high, num2.high, curve.q);
 | |
| 	ret.low = Big8wAddMod(num1.low, num2.low, curve.q);
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| /**
 | |
|  * @brief return (num1 - num2)
 | |
|  * 
 | |
|  * @param num1 the first number in Fq2
 | |
|  * @param num2 the second number in Fq2
 | |
|  * 
 | |
|  * @return ret, a number in Fq2, ret = num1 - num2.
 | |
|  */
 | |
| q2 Q2Minus(q2 num1, q2 num2)
 | |
| {
 | |
| 	q2 ret;
 | |
| 
 | |
| 	ret.high = Big8wMinusMod(num1.high, num2.high, curve.q);
 | |
| 	ret.low = Big8wMinusMod(num1.low, num2.low, curve.q);
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| /**
 | |
|  * @brief 
 | |
|  * 		set num1 = (a, b), num2 = (c, d), num1*num2 = (a*d + b*c, b*d - 2*a*c)......(high, low)
 | |
|  * 		Toom-Cook: (a*d + b*c) = (a + b)(c + d) - a*c - b*d
 | |
|  * 		Calls: Big8wMultMod, Big8wAddMod, Big8wMinusMod
 | |
|  * 		Called By: G2pointAdd, Q4Mult, Q2Reverse and more
 | |
|  * @param num1 the first number in Fq2
 | |
|  * @param num2 the second number in Fq2
 | |
|  * 
 | |
|  * @return ret, a number in Fq2, ret = num1 * num2
 | |
|  * 
 | |
|  */
 | |
| q2 Q2Mult(q2 num1, q2 num2) 
 | |
| { // num1 = (a1, a0), num2 = (b1, b0).....(high, low)
 | |
| 	q2 ret;
 | |
| 	big8w a0b0, a1b1;
 | |
| 	// Toom-Cook
 | |
| 	a0b0 = Big8wMultMod(num1.low, num2.low, curve.q);
 | |
| 	a1b1 = Big8wMultMod(num1.high, num2.high, curve.q);
 | |
| 
 | |
| 	ret.high = Big8wMultMod(
 | |
| 		Big8wAddMod(num1.high, num1.low, curve.q),
 | |
| 		Big8wAddMod(num2.high, num2.low, curve.q), 
 | |
| 		curve.q);
 | |
| 
 | |
| 	ret.high = Big8wMinusMod(
 | |
| 		ret.high,
 | |
| 		Big8wAddMod(a0b0, a1b1, curve.q),
 | |
| 		curve.q);
 | |
| 
 | |
| 	ret.low = Big8wMinusMod(
 | |
| 		a0b0,
 | |
| 		Big8wAddMod(a1b1, a1b1, curve.q),
 | |
| 		curve.q);
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| /**
 | |
|  * 
 | |
|  * @brief num1 = (a, b), num2 = (c, d), num1*num2*u = (b*d - 2*a*c, -2*(a*d +b*c)). compare Q2Mult
 | |
|  *              
 | |
|  * @param num1 the first number in Fq2
 | |
|  * @param num2 the second number in Fq2
 | |
|  * 
 | |
|  * @return ret, a number in Fq2; ret = a * b * u
 | |
|  * 
 | |
|  */
 | |
| q2 Q2MultFlag(q2 num1, q2 num2)
 | |
| {
 | |
| 	q2 ret = Q2Mult(num1, num2);
 | |
| 	big8w temp = ret.high;
 | |
| 
 | |
| 	ret.high = ret.low;
 | |
| 	ret.low = Big8wMinusMod(
 | |
| 		curve.q,
 | |
| 		Big8wAddMod(temp, temp, curve.q), curve.q);
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| /**
 | |
|  * 
 | |
|  * @brief num = (a, b), num^(-1) = ((-a)/(b*b +2*a*a), b/(b*b, 2*a*a))
 | |
|  * 
 | |
|  * @param num number in Fq2
 | |
|  * 
 | |
|  * @return ret, number in Fq2, ret = num^(-1).
 | |
|  * 
 | |
|  */
 | |
| q2 Q2Reverse(q2 num)
 | |
| {
 | |
| 	big8w temp;
 | |
| 	q2 ret;
 | |
| 
 | |
| 	temp = Big8wMultMod(num.high, num.high, curve.q); // a*a
 | |
| 	temp = Big8wAddMod(temp, temp, curve.q); // 2*a*a
 | |
| 	temp = Big8wAddMod(temp, 
 | |
| 		Big8wMultMod(num.low, num.low, curve.q), curve.q); // (b*b +2*a*a)
 | |
| 	temp = Big8wReverse(temp, curve.q); // (1/(b*b + 2*a*a))
 | |
| 
 | |
| 	ret.high = Big8wMinusMod(curve.q, num.high, curve.q); // (-a)
 | |
| 	ret.high = Big8wMultMod(ret.high, temp, curve.q); 
 | |
| 	ret.low = Big8wMultMod(num.low, temp, curve.q);
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| /**
 | |
|  * @brief return (-num);(-num.high, -num.low) mod curve.q = (curve.q - num.high, curve.q - num.low)
 | |
|  * 
 | |
|  * @param num number in Fq2
 | |
|  * 
 | |
|  * @return ret, a number in Fq2
 | |
|  * 
 | |
|  */
 | |
| q2 Q2Negate(q2 num)
 | |
| {
 | |
| 	num.high = Big8wMinusMod(curve.q, num.high, curve.q);
 | |
| 	num.low = Big8wMinusMod(curve.q, num.low, curve.q);
 | |
| 
 | |
| 	return num;
 | |
| }
 | |
| /**
 | |
|  * @brief 
 | |
|  * 
 | |
|  * @param num number in Fq2
 | |
|  * 
 | |
|  * @return num
 | |
|  * 
 | |
|  */
 | |
| q2 Q2Txx(q2 num)
 | |
| {
 | |
| 	big8w temp;
 | |
| 
 | |
| 	temp = num.high;
 | |
| 	num.high = num.low;
 | |
| 	num.low = Big8wMinusMod(curve.q, temp, curve.q);
 | |
| 	num.low = Big8wAddMod(num.low, num.low, curve.q);
 | |
| 
 | |
| 	return num;
 | |
| }
 | |
| /**
 | |
|  * @brief add of two points in group G2
 | |
|  * 
 | |
|  * @param point1 the first point in group G2
 | |
|  * @param point2 the second point in group G2
 | |
|  * 
 | |
|  * @return ret, a point in group G2
 | |
|  * 
 | |
|  */
 | |
| G2point G2PointAdd(G2point point1, G2point point2)
 | |
| {
 | |
| 	q2 temp, lambda;
 | |
| 	G2point ret;
 | |
| 
 | |
| 	memset(&temp, 0x00, BIG8W_BYTESIZE * 2);
 | |
| 
 | |
| 	// temp = zero
 | |
| 	// infinite point judge
 | |
| 	if (Q2Equal(&point1.x, &temp) && Q2Equal(&point1.y, &temp))
 | |
| 		return point2;
 | |
| 	else if (Q2Equal(&point2.x, &temp) && Q2Equal(&point2.y, &temp))
 | |
| 		return point1;
 | |
| 
 | |
| 	if (Big8wEqual(&point1.x.high, &point2.x.high)
 | |
| 		&& Big8wEqual(&point1.x.low, &point2.x.low)) { // x1 = x2
 | |
| 
 | |
| 		if (!Big8wEqual(&point1.y.high, &point2.y.high)
 | |
| 			|| !Big8wEqual(&point1.y.low, &point2.y.low)) // y1 != y2 (y1 = -y2)
 | |
| 		{
 | |
| 			memset(&ret, 0x00, BIG8W_BYTESIZE * 4);
 | |
| 			return ret; // ret = O
 | |
| 		}
 | |
| 
 | |
| 		temp = Q2Mult(point1.x, point1.x);
 | |
| 
 | |
| 		lambda = Q2Add(temp, temp);
 | |
| 		lambda = Q2Add(lambda, temp);
 | |
| 		lambda = Q2Mult(lambda, Q2Reverse(Q2Add(point1.y, point1.y)));
 | |
| 	}
 | |
| 
 | |
| 	else {
 | |
| 		lambda = Q2Mult(
 | |
| 			Q2Minus(point1.y, point2.y),
 | |
| 			Q2Reverse(Q2Minus(point1.x, point2.x)));
 | |
| 	}
 | |
| 
 | |
| 	ret.x = Q2Mult(lambda, lambda);
 | |
| 	ret.x = Q2Minus(ret.x, point1.x);
 | |
| 	ret.x = Q2Minus(ret.x, point2.x);
 | |
| 
 | |
| 	ret.y = Q2Minus(point1.x, ret.x);
 | |
| 	ret.y = Q2Mult(lambda, ret.y);
 | |
| 	ret.y = Q2Minus(ret.y, point1.y);
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| /**
 | |
|  * @brief mult point in group G2. (num * point)
 | |
|  * 
 | |
|  * @param num big number, num > 0
 | |
|  * @param point point in group G2
 | |
|  * 
 | |
|  * @return ret, a point in group G2
 | |
|  * 
 | |
|  */
 | |
| G2point G2PointMult(big8w num, G2point point)
 | |
| {
 | |
| 	bool flag = 0;
 | |
| 	int i = BIGNUMBER_SIZE_8WORD - 1;
 | |
| 	int index = Big8wHighestbit(&num);
 | |
| 	uint32_t elem;
 | |
| 	G2point ret = point, temp = point;
 | |
| 
 | |
| 	while (num.word[i] == 0)
 | |
| 		i--;
 | |
| 	elem = num.word[i];
 | |
| 
 | |
| 	index--;
 | |
| 	while (index >= 0) {
 | |
| 		flag = (elem >> (index--)) & 1;
 | |
| 		ret = G2PointAdd(temp, temp); 
 | |
| 		if (flag) 
 | |
| 			ret = G2PointAdd(ret, point);
 | |
| 		temp = ret;
 | |
| 	}
 | |
| 
 | |
| 	i--; 
 | |
| 	for (; i >= 0; i--) {
 | |
| 		elem = num.word[i];
 | |
| 		index = 31;
 | |
| 
 | |
| 		while (index >= 0) {
 | |
| 			flag = (elem >> (index--)) & 1;
 | |
| 			ret = G2PointAdd(temp, temp);
 | |
| 			if (flag)
 | |
| 				ret = G2PointAdd(ret, point);
 | |
| 			temp = ret;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| /**
 | |
|  * @brief return (num1 + num2)
 | |
|  * 
 | |
|  * @param num1 the first number in Fq4
 | |
|  * @param num2 the second number in Fq4
 | |
|  * 
 | |
|  * @return ret, a number in Fq4, ret = (num1 + num2)
 | |
|  * 
 | |
|  */
 | |
| q4 Q4Add(q4 num1, q4 num2)
 | |
| {
 | |
| 	q4 ret;
 | |
| 
 | |
| 	ret.high = Q2Add(num1.high, num2.high);
 | |
| 	ret.low = Q2Add(num1.low, num2.low);
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| /**
 | |
|  * @brief return (num1 - num2)
 | |
|  * 
 | |
|  * @param num1 the first number in Fq4
 | |
|  * @param num2 the second number in Fq4
 | |
|  * 
 | |
|  * @return ret, a number in Fq4, ret = (num1 - num2)
 | |
|  * 
 | |
|  */
 | |
| q4 Q4Minus(q4 num1, q4 num2)
 | |
| {
 | |
| 	q4 ret;
 | |
| 
 | |
| 	ret.high = Q2Minus(num1.high, num2.high);
 | |
| 	ret.low = Q2Minus(num1.low, num2.low);
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| /**
 | |
|  * @brief num1 * num2; num1, num2 are numbers in Fq4, the way to compute is similar to Q2Mult
 | |
|  * 			q4 num = (num1, num2), similar to Q2Mult, except num1 = (a1, a0), a0, a1 is big8w
 | |
|  * 
 | |
|  * @param num1 the first number in Fq4
 | |
|  * @param num2 the second number in Fq4
 | |
|  * 
 | |
|  * @return ret, a number in Fq4
 | |
|  */
 | |
| q4 Q4Mult(q4 num1, q4 num2)
 | |
| {// num1 = (a1, a0), num2 = (b1, b0). left high value
 | |
| 	q4 ret;
 | |
| 	q2 a0b0, a1b1;
 | |
| 
 | |
| 	// Toom-Cook
 | |
| 	a1b1 = Q2Mult(num1.high, num2.high);
 | |
| 	a0b0 = Q2Mult(num1.low, num2.low);
 | |
| 
 | |
| 	ret.high = Q2Mult(
 | |
| 		Q2Add(num1.high, num1.low),
 | |
| 		Q2Add(num2.high, num2.low));
 | |
| 
 | |
| 	ret.high = Q2Minus(
 | |
| 		ret.high,
 | |
| 		Q2Add(a0b0, a1b1));
 | |
| 
 | |
| 	ret.low.high = Big8wAddMod(a0b0.high, a1b1.low, curve.q);
 | |
| 	ret.low.low = Big8wMinusMod(
 | |
| 		a0b0.low,
 | |
| 		Big8wAddMod(a1b1.high, a1b1.high, curve.q),
 | |
| 		curve.q);
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| /**
 | |
|  * @brief return num1 * num2 * u; num1, num2 are numbers in Fq4
 | |
|  * 
 | |
|  * @param num1 the first number in Fq4
 | |
|  * @param num2 the second number in Fq4
 | |
|  * 
 | |
|  * @return ret, a number in Fq4
 | |
|  * 
 | |
|  */
 | |
| q4 Q4MultFlag(q4 num1, q4 num2)
 | |
| {
 | |
| 	q4 ret;
 | |
| 
 | |
| 	ret.high = Q2Add(
 | |
| 		Q2Mult(num1.low, num2.low),
 | |
| 		Q2MultFlag(num1.high, num2.high));
 | |
| 	ret.low = Q2Add(
 | |
| 		Q2MultFlag(num1.high, num2.low),
 | |
| 		Q2MultFlag(num1.low, num2.high));
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| /**
 | |
|  * @brief 
 | |
|  * 
 | |
|  * @param num number in Fq4
 | |
|  * 
 | |
|  * @return ret, a number in Fq4
 | |
|  * 
 | |
|  */
 | |
| q4 Q4Txx(q4 num)
 | |
| {
 | |
| 	q2 temp;
 | |
| 
 | |
| 	temp = num.high;
 | |
| 	num.high = num.low;
 | |
| 	num.low = Q2Txx(temp);
 | |
| 	
 | |
| 	return num;
 | |
| }
 | |
| /**
 | |
|  * @brief return (-num), similar to Q2Negate
 | |
|  * 
 | |
|  * @param num a number in Fq4
 | |
|  * 
 | |
|  * @return num, a number in Fq4
 | |
|  * 
 | |
|  */
 | |
| q4 Q4Negate(q4 num)
 | |
| {
 | |
| 	num.high = Q2Negate(num.high);
 | |
| 	num.low = Q2Negate(num.low);
 | |
| 
 | |
| 	return num;
 | |
| }
 | |
| /**
 | |
|  * @brief return num^(-1)
 | |
|  * 
 | |
|  * @param num number in Fq4
 | |
|  * 
 | |
|  * @return num, number in Fq4
 | |
|  * 
 | |
|  */
 | |
| q4 Q4Reverse(q4 num)
 | |
| {
 | |
| 	q2 t1, t2;
 | |
| 	
 | |
| 	t1 = Q2Mult(num.low, num.low);
 | |
| 	t2 = Q2Mult(num.high, num.high);
 | |
| 	t2 = Q2Txx(t2);
 | |
| 	t1 = Q2Minus(t1, t2);
 | |
| 	t1 = Q2Reverse(t1);
 | |
| 	num.low = Q2Mult(num.low, t1);
 | |
| 	t1 = Q2Negate(t1);
 | |
| 	num.high = Q2Mult(num.high, t1);
 | |
| 
 | |
| 	return num;
 | |
| }
 | |
| /**
 | |
|  * @brief return (num1 * num2);
 | |
|  * 
 | |
|  * @param num1 the first number in Fq12
 | |
|  * @param num2 the second number in Fq12
 | |
|  * 
 | |
|  * @return a number in Fq12
 | |
|  * 
 | |
|  */
 | |
| q12 Q12MultMod(q12 num1, q12 num2)
 | |
| {
 | |
| 	q12 ret;
 | |
| 
 | |
| 	ret.high = Q4Add(
 | |
| 		Q4Mult(num1.high, num2.low),
 | |
| 		Q4Mult(num1.mid, num2.mid));
 | |
| 
 | |
| 	ret.high = Q4Add(
 | |
| 		ret.high, 
 | |
| 		Q4Mult(num1.low, num2.high));
 | |
| 
 | |
| 	ret.mid = Q4Add(
 | |
| 		Q4Mult(num1.low, num2.mid),
 | |
| 		Q4Mult(num1.mid, num2.low));
 | |
| 
 | |
| 	ret.mid = Q4Add(
 | |
| 		ret.mid, 
 | |
| 		Q4MultFlag(num1.high, num2.high));
 | |
| 
 | |
| 	ret.low = Q4Add(
 | |
| 		Q4MultFlag(num1.high, num2.mid),
 | |
| 		Q4MultFlag(num1.mid, num2.high));
 | |
| 
 | |
| 	ret.low = Q4Add(
 | |
| 		ret.low, 
 | |
| 		Q4Mult(num1.low, num2.low));
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| /**
 | |
|  * @brief return (num1 - num2)
 | |
|  * 
 | |
|  * @param num1 the first number in Fq12
 | |
|  * @param num2 the second number in Fq12
 | |
|  * 
 | |
|  * @return ret, a number in Fq12.
 | |
|  * 
 | |
|  */
 | |
| q12 Q12MinusMod(q12 num1, q12 num2)
 | |
| {
 | |
| 	q12 ret;
 | |
| 
 | |
| 	ret.high = Q4Minus(num1.high, num2.high);
 | |
| 	ret.mid = Q4Minus(num1.mid, num2.mid);
 | |
| 	ret.low = Q4Minus(num1.low, num2.low);
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| /**
 | |
|  * @brief return (num1 + num2)
 | |
|  * 
 | |
|  * @param num1 the first number in Fq12
 | |
|  * @param num2 the second number in Fq12
 | |
|  * 
 | |
|  * @return ret, a number in Fq12
 | |
|  * 
 | |
|  */
 | |
| q12 Q12AddMod(q12 num1, q12 num2)
 | |
| {
 | |
| 	q12 ret;
 | |
| 
 | |
| 	ret.high = Q4Add(num1.high, num2.high);
 | |
| 	ret.mid = Q4Add(num1.mid, num2.mid);
 | |
| 	ret.low = Q4Add(num1.low, num2.low);
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| /**
 | |
|  * @brief return num^(-1)
 | |
|  * 
 | |
|  * @param num number in Fq12
 | |
|  * 
 | |
|  * @return ret, number in Fq12
 | |
|  * 
 | |
|  */
 | |
| q12 Q12Reverse(q12 num)
 | |
| {
 | |
| 	q12 ret;
 | |
| 	q4 temp1, temp2;
 | |
| 
 | |
| 	ret.low = Q4Mult(num.low, num.low);
 | |
| 	ret.mid = Q4Mult(num.mid, num.high);
 | |
| 	ret.mid = Q4Txx(ret.mid);
 | |
| 	ret.low = Q4Minus(ret.low, ret.mid);
 | |
| 
 | |
| 	ret.high = Q4Mult(num.high, num.high);
 | |
| 	ret.high = Q4Txx(ret.high);
 | |
| 	ret.mid = Q4Mult(num.low, num.mid);
 | |
| 	ret.mid = Q4Minus(ret.high, ret.mid);
 | |
| 
 | |
| 	ret.high = Q4Mult(num.mid, num.mid);
 | |
| 	temp1 = Q4Mult(num.low, num.high);
 | |
| 	ret.high = Q4Minus(ret.high, temp1);
 | |
| 
 | |
| 	temp1 = Q4Mult(num.mid, ret.high);
 | |
| 	temp1 = Q4Txx(temp1);
 | |
| 
 | |
| 	temp2 = Q4Mult(num.low, ret.low);
 | |
| 	temp1 = Q4Add(temp1, temp2);
 | |
| 
 | |
| 	temp2 = Q4Mult(num.high, ret.mid);
 | |
| 	temp2 = Q4Txx(temp2);
 | |
| 	temp1 = Q4Add(temp1, temp2);
 | |
| 
 | |
| 	temp1 = Q4Reverse(temp1);
 | |
| 
 | |
| 	ret.low = Q4Mult(ret.low, temp1);
 | |
| 	ret.mid = Q4Mult(ret.mid, temp1);
 | |
| 	ret.high = Q4Mult(ret.high, temp1);
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| /**
 | |
|  * @brief compute g^r. scan every bit of r
 | |
|  * 
 | |
|  * @param g a number in Fq12
 | |
|  * @param r power, a big number, r >= 0
 | |
|  * 
 | |
|  * @return ret, a number in Fq12
 | |
|  * 
 | |
|  */
 | |
| q12 Q12PowerMod(q12 g, big8w r)
 | |
| {
 | |
| 	bool flag;
 | |
| 	int bitindex = Big8wHighestbit(&r);
 | |
| 	int i = BIGNUMBER_SIZE_8WORD - 1;
 | |
| 	uint32_t elem;
 | |
| 	q12 ret = g, temp = g;
 | |
| 	q12 one;
 | |
| 
 | |
| 	memset(&one, 0x00, BIG8W_BYTESIZE * 12);
 | |
| 	one.low.low.low.word[0] = 1;
 | |
| 
 | |
| 	while (i && r.word[i] == 0)
 | |
| 		i--;
 | |
| 	if (i < 0)
 | |
| 		return one;
 | |
| 	elem = r.word[i];
 | |
| 
 | |
| 	bitindex--;
 | |
| 	while (bitindex >= 0) {
 | |
| 		flag = (elem >> (bitindex--)) & 1;
 | |
| 		ret = Q12MultMod(temp, temp); 
 | |
| 		if (flag)
 | |
| 			ret = Q12MultMod(ret, g);
 | |
| 		temp = ret;
 | |
| 	}
 | |
| 
 | |
| 	i--; 
 | |
| 	for (; i >= 0; i--) {
 | |
| 		elem = r.word[i];
 | |
| 		bitindex = 31;
 | |
| 		while (bitindex >= 0) {
 | |
| 			flag = (elem >> (bitindex--)) & 1;
 | |
| 			ret = Q12MultMod(temp, temp); 
 | |
| 			if (flag)
 | |
| 				ret = Q12MultMod(ret, g); 
 | |
| 			temp = ret;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return ret;
 | |
| }
 | |
| /**
 | |
|  * @brief compute f^(curve.q^(flag)); f = (f11, f10, ... f0), f^(curve.q^(flag)) = (f11*c11, f10*c10, ... f0*c0)
 | |
|  * 
 | |
|  * @param f pointer of a number in Fq12
 | |
|  * @param flag 1, 2, 6;
 | |
|  * 
 | |
|  * @return null
 | |
|  */
 | |
| void Q12Frobenius(q12* f, uint8_t flag)
 | |
| {
 | |
| 	if (flag == 1) {
 | |
| 		f->high.high.high = Big8wMultMod(f->high.high.high, frobenius_constant_1[11], curve.q);
 | |
| 		f->high.high.low = Big8wMultMod(f->high.high.low, frobenius_constant_1[10], curve.q);
 | |
| 		f->high.low.high = Big8wMultMod(f->high.low.high, frobenius_constant_1[9], curve.q);
 | |
| 		f->high.low.low = Big8wMultMod(f->high.low.low, frobenius_constant_1[8], curve.q);
 | |
| 
 | |
| 		f->mid.high.high = Big8wMultMod(f->mid.high.high, frobenius_constant_1[7], curve.q);
 | |
| 		f->mid.high.low = Big8wMultMod(f->mid.high.low, frobenius_constant_1[6], curve.q);
 | |
| 		f->mid.low.high = Big8wMultMod(f->mid.low.high, frobenius_constant_1[5], curve.q);
 | |
| 		f->mid.low.low = Big8wMultMod(f->mid.low.low, frobenius_constant_1[4], curve.q);
 | |
| 
 | |
| 		f->low.high.high = Big8wMultMod(f->low.high.high, frobenius_constant_1[3], curve.q);
 | |
| 		f->low.high.low = Big8wMultMod(f->low.high.low, frobenius_constant_1[2], curve.q);
 | |
| 		f->low.low.high = Big8wMultMod(f->low.low.high, frobenius_constant_1[1], curve.q);
 | |
| 		f->low.low.low = Big8wMultMod(f->low.low.low, frobenius_constant_1[0], curve.q);
 | |
| 	}
 | |
| 
 | |
| 	else if (flag == 2) {
 | |
| 
 | |
| 		f->high.high.high = Big8wMultMod(f->high.high.high, frobenius_constant_2[11], curve.q);
 | |
| 		f->high.high.low = Big8wMultMod(f->high.high.low, frobenius_constant_2[10], curve.q);
 | |
| 		f->high.low.high = Big8wMultMod(f->high.low.high, frobenius_constant_2[9], curve.q);
 | |
| 		f->high.low.low = Big8wMultMod(f->high.low.low, frobenius_constant_2[8], curve.q);
 | |
| 
 | |
| 		f->mid.high.high = Big8wMultMod(f->mid.high.high, frobenius_constant_2[7], curve.q);
 | |
| 		f->mid.high.low = Big8wMultMod(f->mid.high.low, frobenius_constant_2[6], curve.q);
 | |
| 		f->mid.low.high = Big8wMultMod(f->mid.low.high, frobenius_constant_2[5], curve.q);
 | |
| 		f->mid.low.low = Big8wMultMod(f->mid.low.low, frobenius_constant_2[4], curve.q);
 | |
| 
 | |
| 		f->low.high.high = Big8wMultMod(f->low.high.high, frobenius_constant_2[3], curve.q);
 | |
| 		f->low.high.low = Big8wMultMod(f->low.high.low, frobenius_constant_2[2], curve.q);
 | |
| 		f->low.low.high = Big8wMultMod(f->low.low.high, frobenius_constant_2[1], curve.q);
 | |
| 		f->low.low.low = Big8wMultMod(f->low.low.low, frobenius_constant_2[0], curve.q);
 | |
| 
 | |
| 	}
 | |
| 
 | |
| 	else if (flag == 6) {
 | |
| 		f->high.high.high = Big8wMinusMod(curve.q, f->high.high.high, curve.q);
 | |
| 		f->high.high.low = Big8wMinusMod(curve.q, f->high.high.low, curve.q);
 | |
| 
 | |
| 		f->mid.low.high = Big8wMinusMod(curve.q, f->mid.low.high, curve.q);
 | |
| 		f->mid.low.low = Big8wMinusMod(curve.q, f->mid.low.low, curve.q);
 | |
| 
 | |
| 		f->low.high.high = Big8wMinusMod(curve.q, f->low.high.high, curve.q);
 | |
| 		f->low.high.low = Big8wMinusMod(curve.q, f->low.high.low, curve.q);
 | |
| 	}
 | |
| }
 | |
| /**
 | |
|  * 
 | |
|  * @brief compute Frobenius(Q)
 | |
|  *		  Q = Q(x, y), point in group G2;first convert x, y to q12 number:(x*beta^(-1/2), y*beta(-1/3))
 | |
|  *        then run Q12Frobenius, last convert back to G2point(ret.x*(beta^(1/2)), ret.y*(beta^(1/3)))
 | |
|  * 
 | |
|  * @param Q point in group G2
 | |
|  * @param Q1 pointer of a point in group G2, store the result
 | |
|  * @param flag power of frobenius
 | |
|  * 
 | |
|  * @result Q1
 | |
|  * 
 | |
|  */
 | |
| void G2pointFrobenius(G2point Q, G2point* Q1, uint8_t flag)
 | |
| {
 | |
| 	q12 temp, ret;
 | |
| 	
 | |
| 	Q12Zero(&temp);
 | |
| 	Q12Zero(&ret);
 | |
| 
 | |
| 	ret.low.low = Q.x;
 | |
| 	temp.mid.high.high = qnr;
 | |
| 	ret = Q12MultMod(ret, temp);
 | |
| 	Q12Frobenius(&ret, flag);
 | |
| 	memset(temp.mid.high.high.word, 0x00, BIG8W_BYTESIZE);
 | |
| 	temp.high.low.low.word[0] = 1;
 | |
| 	ret = Q12MultMod(ret, temp);
 | |
| 	Q1->x = ret.low.low;
 | |
| 
 | |
| 	Q12Zero(&ret);
 | |
| 	Q12Zero(&temp);
 | |
| 
 | |
| 	ret.low.low = Q.y;
 | |
| 	temp.low.high.high = qnr;
 | |
| 	ret = Q12MultMod(ret, temp);
 | |
| 	Q12Frobenius(&ret, flag);
 | |
| 	memset(temp.low.high.high.word, 0x00, BIG8W_BYTESIZE);
 | |
| 	temp.low.high.low.word[0] = 1;
 | |
| 	ret = Q12MultMod(ret, temp);
 | |
| 	Q1->y = ret.low.low;
 | |
| }
 | |
| /**
 | |
|  * @brief line function defined in SM9 and a Q12MultMod
 | |
|  * 
 | |
|  * @param P a point in group G1
 | |
|  * @param T a pointer of a point in group G2
 | |
|  * @param Q a point in group G2
 | |
|  * @param doubleflag if (*T) == Q
 | |
|  * @param f a pointer of a number in Fq12, (*f) = (*f) * g(T, Q, P), g(T, Q, P) is the line function defined in SM9
 | |
|  * 
 | |
|  * @return null
 | |
|  * 
 | |
|  */
 | |
| void Line(G1point P, G2point* T, G2point Q, bool doubleflag, q12* f)
 | |
| {
 | |
| 	q2 lambda, temp;
 | |
| 	q12 ret;
 | |
| 
 | |
| 	Q12Zero(&ret);
 | |
| 	Q2Zero(&temp);
 | |
| 
 | |
| 	if (doubleflag) {
 | |
| 
 | |
| 		if (Q2Equal(&Q.x, &temp) && Q2Equal(&Q.y, &temp)) // Q = T = O
 | |
| 			return;
 | |
| 
 | |
| 		lambda = Q2Mult(Q.x, Q.x);
 | |
| 		lambda = Q2Add(lambda, Q2Add(lambda, lambda));
 | |
| 		lambda = Q2Mult(
 | |
| 			lambda,
 | |
| 			Q2Reverse(Q2Add(Q.y, Q.y)));
 | |
| 	}
 | |
| 	else {
 | |
| 		if (Q2Equal(&T->x, &Q.x)){
 | |
| 			// T = -Q => T = T + Q = O
 | |
| 			Q2Zero(&T->x), Q2Zero(&T->y);
 | |
| 			// g(T, Q, P) = xP - xQ
 | |
| 			temp.high = qnr;
 | |
| 			temp = Q2Mult(temp, Q.x);
 | |
| 			temp = Q2Negate(temp);
 | |
| 			ret.mid.high = temp;
 | |
| 			ret.low.low.low = P.x;
 | |
| 
 | |
| 			*f = Q12MultMod(*f, ret);
 | |
| 		}
 | |
| 		else if (Q2Equal(&T->x, &temp) && Q2Equal(&T->y, &temp)){ // T = O
 | |
| 			// g(U, V, O) = 1 => f * g(U, V, O) = f; *T = T + Q = Q
 | |
| 			*T = Q;
 | |
| 			return;
 | |
| 		}
 | |
| 		else if (Q2Equal(&Q.x, &temp) && Q2Equal(&Q.y, &temp)){ // Q = O
 | |
| 			// g(U, V, O) = 1 => f * g(U, V, O) = f; *T = T + Q = T
 | |
| 			return;
 | |
| 		}
 | |
| 		
 | |
| 		lambda = Q2Mult(
 | |
| 			Q2Minus(T->y, Q.y),
 | |
| 			Q2Reverse(Q2Minus(T->x, Q.x)));
 | |
| 	}
 | |
| 
 | |
| 	temp.high = qnr;
 | |
| 
 | |
| 	ret.high.high = lambda;
 | |
| 	ret.high.high.high = Big8wMultMod(ret.high.high.high, P.x, curve.q);
 | |
| 	ret.high.high.low = Big8wMultMod(ret.high.high.low, P.x, curve.q);
 | |
| 	ret.high.high = Q2Mult(ret.high.high, temp);
 | |
| 
 | |
| 	ret.low.high = Q2Minus(
 | |
| 		T->y,
 | |
| 		Q2Mult(lambda, T->x));
 | |
| 	ret.low.high = Q2Mult(temp, ret.low.high);
 | |
| 
 | |
| 	ret.low.low.low = Big8wMinusMod(curve.q, P.y, curve.q);
 | |
| 
 | |
| 	*T = G2PointAdd(Q, *T);
 | |
| 	*f = Q12MultMod(ret, *f);
 | |
| }
 | |
| /**
 | |
|  * @brief compute (f^(curve.q^(12) - 1)), called by BiLinearParing function(in topfunc.h).
 | |
|  * 
 | |
|  * @param f a pointer of a number in Fq12
 | |
|  * 
 | |
|  * @return null, result stored in *f.
 | |
|  * 
 | |
|  */
 | |
| // t = 0x60000000 0058F98A
 | |
| void LastPower(q12* f)
 | |
| {
 | |
| 	q12 m, g, s, temp;
 | |
| 
 | |
| 	m = Q12Reverse(*f);
 | |
| 	Q12Frobenius(f, 6);
 | |
| 	// f = f^(q^6 - 1)
 | |
| 	*f = Q12MultMod(*f, m);
 | |
| 	m = *f;
 | |
| 	Q12Frobenius(f, 2);
 | |
| 	*f = Q12MultMod(*f, m);  // f = f^(q^6 - 1)(q^2+1)
 | |
| 	s = *f;  
 | |
| 
 | |
| 	// hard part
 | |
| 	s = *f;
 | |
| 	m = s, temp = m;
 | |
| 	Q12Frobenius(&temp, 1);
 | |
| 	s = temp;
 | |
| 	Q12Frobenius(&temp, 1);
 | |
| 	s = Q12MultMod(s, temp);
 | |
| 	Q12Frobenius(&temp, 1);
 | |
| 	s = Q12MultMod(s, temp);
 | |
| 
 | |
| 	temp = Q12PowerMod(m, t);
 | |
| 	temp = Q12PowerMod(temp, t);
 | |
| 
 | |
| 	g = Q12MultMod(temp, temp);
 | |
| 	temp = Q12MultMod(g, g);
 | |
| 	temp = Q12MultMod(temp, g);
 | |
| 	Q12Frobenius(&temp, 2);
 | |
| 
 | |
| 	s = Q12MultMod(s, temp);
 | |
| 
 | |
| 	temp = m;
 | |
| 	Q12Frobenius(&temp, 6);
 | |
| 	temp = Q12MultMod(temp, temp);
 | |
| 	s = Q12MultMod(s, temp);
 | |
| 	g = temp;
 | |
| 
 | |
| 	temp = Q12MultMod(g, g);
 | |
| 	g = Q12MultMod(temp, g);
 | |
| 	g = Q12PowerMod(g, t);
 | |
| 	
 | |
| 	temp = Q12MultMod(g, g);
 | |
| 	s = Q12MultMod(s, Q12MultMod(temp, g));
 | |
| 	Q12Frobenius(&temp, 1);
 | |
| 	s = Q12MultMod(s, temp);
 | |
| 
 | |
| 	g = Q12PowerMod(g, t);
 | |
| 	temp = Q12MultMod(g, g);
 | |
| 	m = Q12MultMod(g, temp);
 | |
| 	s = Q12MultMod(s, m);
 | |
| 	s = Q12MultMod(s, temp); 
 | |
| 	g = m;
 | |
| 	Q12Frobenius(&m, 1);
 | |
| 	s = Q12MultMod(s, m);
 | |
| 
 | |
| 	g = Q12MultMod(g, g);
 | |
| 	g = Q12PowerMod(g, t);
 | |
| 
 | |
| 	s = Q12MultMod(s, g);
 | |
| 	Q12Frobenius(&g, 1);
 | |
| 	s = Q12MultMod(s, g);
 | |
| 
 | |
| 	*f = s;;
 | |
| } |