mirror of
https://github.com/emmansun/gmsm.git
synced 2025-04-24 03:06:18 +08:00
316 lines
6.6 KiB
Go
316 lines
6.6 KiB
Go
package bn256
|
|
|
|
import (
|
|
"crypto/subtle"
|
|
"math/big"
|
|
)
|
|
|
|
// curvePoint implements the elliptic curve y²=x³+5. Points are kept in Jacobian
|
|
// form and t=z² when valid. G₁ is the set of points of this curve on GF(p).
|
|
type curvePoint struct {
|
|
x, y, z, t gfP
|
|
}
|
|
|
|
var curveB = newGFp(5)
|
|
var threeCurveB = newGFp(3 * 5)
|
|
|
|
// curveGen is the generator of G₁.
|
|
var curveGen = &curvePoint{
|
|
x: *fromBigInt(bigFromHex("93DE051D62BF718FF5ED0704487D01D6E1E4086909DC3280E8C4E4817C66DDDD")),
|
|
y: *fromBigInt(bigFromHex("21FE8DDA4F21E607631065125C395BBC1C1C00CBFA6024350C464CD70A3EA616")),
|
|
z: *one,
|
|
t: *one,
|
|
}
|
|
|
|
func (c *curvePoint) String() string {
|
|
c.MakeAffine()
|
|
x, y := &gfP{}, &gfP{}
|
|
montDecode(x, &c.x)
|
|
montDecode(y, &c.y)
|
|
return "(" + x.String() + ", " + y.String() + ")"
|
|
}
|
|
|
|
func (c *curvePoint) Set(a *curvePoint) {
|
|
c.x.Set(&a.x)
|
|
c.y.Set(&a.y)
|
|
c.z.Set(&a.z)
|
|
c.t.Set(&a.t)
|
|
}
|
|
|
|
func (c *curvePoint) polynomial(x *gfP) *gfP {
|
|
x3 := &gfP{}
|
|
gfpSqr(x3, x, 1)
|
|
gfpMul(x3, x3, x)
|
|
gfpAdd(x3, x3, curveB)
|
|
return x3
|
|
}
|
|
|
|
// IsOnCurve returns true if c is on the curve.
|
|
func (c *curvePoint) IsOnCurve() bool {
|
|
c.MakeAffine()
|
|
if c.IsInfinity() { // TBC: This is not same as golang elliptic
|
|
return true
|
|
}
|
|
|
|
y2 := &gfP{}
|
|
gfpSqr(y2, &c.y, 1)
|
|
|
|
x3 := c.polynomial(&c.x)
|
|
|
|
return y2.Equal(x3) == 1
|
|
}
|
|
|
|
func NewCurvePoint() *curvePoint {
|
|
c := &curvePoint{}
|
|
c.SetInfinity()
|
|
return c
|
|
}
|
|
|
|
func NewCurveGenerator() *curvePoint {
|
|
c := &curvePoint{}
|
|
c.Set(curveGen)
|
|
return c
|
|
}
|
|
|
|
func (c *curvePoint) SetInfinity() {
|
|
c.x.Set(zero)
|
|
c.y.Set(one)
|
|
c.z.Set(zero)
|
|
c.t.Set(zero)
|
|
}
|
|
|
|
func (c *curvePoint) IsInfinity() bool {
|
|
return c.z.Equal(zero) == 1
|
|
}
|
|
|
|
func (c *curvePoint) Mul(a *curvePoint, scalar *big.Int) {
|
|
sum, t := &curvePoint{}, &curvePoint{}
|
|
sum.SetInfinity()
|
|
|
|
for i := scalar.BitLen(); i >= 0; i-- {
|
|
t.Double(sum)
|
|
if scalar.Bit(i) != 0 {
|
|
sum.Add(t, a)
|
|
} else {
|
|
sum.Set(t)
|
|
}
|
|
}
|
|
|
|
c.Set(sum)
|
|
}
|
|
|
|
// MakeAffine reverses the Jacobian transform.
|
|
// the Jacobian coordinates are (x1, y1, z1)
|
|
// where x = x1/z1² and y = y1/z1³.
|
|
func (c *curvePoint) AffineFromJacobian() {
|
|
if c.z.Equal(one) == 1 {
|
|
return
|
|
} else if c.z.Equal(zero) == 1 {
|
|
c.x.Set(zero)
|
|
c.y.Set(one)
|
|
c.t.Set(zero)
|
|
return
|
|
}
|
|
|
|
zInv := &gfP{}
|
|
zInv.Invert(&c.z)
|
|
|
|
t, zInv2 := &gfP{}, &gfP{}
|
|
gfpMul(t, &c.y, zInv) // t = y/z
|
|
gfpSqr(zInv2, zInv, 1)
|
|
|
|
gfpMul(&c.x, &c.x, zInv2) // x = x / z^2
|
|
gfpMul(&c.y, t, zInv2) // y = y / z^3
|
|
|
|
c.z.Set(one)
|
|
c.t.Set(one)
|
|
}
|
|
|
|
func (c *curvePoint) Neg(a *curvePoint) {
|
|
c.x.Set(&a.x)
|
|
gfpNeg(&c.y, &a.y)
|
|
c.z.Set(&a.z)
|
|
c.t.Set(zero)
|
|
}
|
|
|
|
// A curvePointTable holds the first 15 multiples of a point at offset -1, so [1]P
|
|
// is at table[0], [15]P is at table[14], and [0]P is implicitly the identity
|
|
// point.
|
|
type curvePointTable [15]*curvePoint
|
|
|
|
// Select selects the n-th multiple of the table base point into p. It works in
|
|
// constant time by iterating over every entry of the table. n must be in [0, 15].
|
|
func (table *curvePointTable) Select(p *curvePoint, n uint8) {
|
|
if n >= 16 {
|
|
panic("sm9: internal error: curvePointTable called with out-of-bounds value")
|
|
}
|
|
p.SetInfinity()
|
|
for i, f := range table {
|
|
cond := subtle.ConstantTimeByteEq(uint8(i+1), n)
|
|
curvePointMovCond(p, f, p, cond)
|
|
}
|
|
}
|
|
|
|
// Equal compare e and other
|
|
func (e *curvePoint) Equal(other *curvePoint) bool {
|
|
return e.x.Equal(&other.x) == 1 &&
|
|
e.y.Equal(&other.y) == 1 &&
|
|
e.z.Equal(&other.z) == 1 &&
|
|
e.t.Equal(&other.t) == 1
|
|
}
|
|
|
|
// Below methods are POC yet, the line add/double functions are still based on
|
|
// Jacobian coordination.
|
|
func (c *curvePoint) Add(p1, p2 *curvePoint) {
|
|
curvePointAddComplete(c, p1, p2)
|
|
}
|
|
|
|
func (c *curvePoint) AddComplete(p1, p2 *curvePoint) {
|
|
curvePointAddComplete(c, p1, p2)
|
|
}
|
|
|
|
func (c *curvePoint) Double(p *curvePoint) {
|
|
curvePointDoubleComplete(c, p)
|
|
}
|
|
|
|
func (c *curvePoint) DoubleComplete(p *curvePoint) {
|
|
curvePointDoubleComplete(c, p)
|
|
}
|
|
|
|
// MakeAffine reverses the Projective transform.
|
|
// A = 1/Z1
|
|
// X3 = A*X1
|
|
// Y3 = A*Y1
|
|
// Z3 = 1
|
|
func (c *curvePoint) MakeAffine() {
|
|
// TODO: do we need to change it to constant-time implementation?
|
|
if c.z.Equal(one) == 1 {
|
|
return
|
|
} else if c.z.Equal(zero) == 1 {
|
|
c.x.Set(zero)
|
|
c.y.Set(one)
|
|
c.t.Set(zero)
|
|
return
|
|
}
|
|
zInv := &gfP{}
|
|
zInv.Invert(&c.z)
|
|
gfpMul(&c.x, &c.x, zInv)
|
|
gfpMul(&c.y, &c.y, zInv)
|
|
c.z.Set(one)
|
|
c.t.Set(one)
|
|
}
|
|
|
|
func (c *curvePoint) AffineFromProjective() {
|
|
c.MakeAffine()
|
|
}
|
|
|
|
func curvePointDouble(c, a *curvePoint) {
|
|
// See http://hyperelliptic.org/EFD/g1p/auto-code/shortw/jacobian-0/doubling/dbl-2009-l.op3
|
|
A, B, C := &gfP{}, &gfP{}, &gfP{}
|
|
gfpSqr(A, &a.x, 1)
|
|
gfpSqr(B, &a.y, 1)
|
|
gfpSqr(C, B, 1)
|
|
|
|
t := &gfP{}
|
|
gfpAdd(B, &a.x, B)
|
|
gfpSqr(t, B, 1)
|
|
gfpSub(B, t, A)
|
|
gfpSub(t, B, C)
|
|
|
|
d, e := &gfP{}, &gfP{}
|
|
gfpDouble(d, t)
|
|
gfpDouble(B, A)
|
|
gfpAdd(e, B, A)
|
|
gfpSqr(A, e, 1)
|
|
|
|
gfpDouble(B, d)
|
|
gfpSub(&c.x, A, B)
|
|
|
|
gfpMul(&c.z, &a.y, &a.z)
|
|
gfpDouble(&c.z, &c.z)
|
|
|
|
gfpDouble(B, C)
|
|
gfpDouble(t, B)
|
|
gfpDouble(B, t)
|
|
gfpSub(&c.y, d, &c.x)
|
|
gfpMul(t, e, &c.y)
|
|
gfpSub(&c.y, t, B)
|
|
}
|
|
|
|
func curvePointAdd(c, a, b *curvePoint) int {
|
|
// See http://hyperelliptic.org/EFD/g1p/auto-code/shortw/jacobian-0/addition/add-2007-bl.op3
|
|
var pointEq int
|
|
// Normalize the points by replacing a = [x1:y1:z1] and b = [x2:y2:z2]
|
|
// by [u1:s1:z1·z2] and [u2:s2:z1·z2]
|
|
// where u1 = x1·z2², s1 = y1·z2³ and u1 = x2·z1², s2 = y2·z1³
|
|
z12, z22 := &gfP{}, &gfP{}
|
|
gfpSqr(z12, &a.z, 1)
|
|
gfpSqr(z22, &b.z, 1)
|
|
|
|
u1, u2 := &gfP{}, &gfP{}
|
|
gfpMul(u1, &a.x, z22)
|
|
gfpMul(u2, &b.x, z12)
|
|
|
|
t, s1 := &gfP{}, &gfP{}
|
|
gfpMul(t, &b.z, z22)
|
|
gfpMul(s1, &a.y, t)
|
|
|
|
s2 := &gfP{}
|
|
gfpMul(t, &a.z, z12)
|
|
gfpMul(s2, &b.y, t)
|
|
|
|
// Compute x = (2h)²(s²-u1-u2)
|
|
// where s = (s2-s1)/(u2-u1) is the slope of the line through
|
|
// (u1,s1) and (u2,s2). The extra factor 2h = 2(u2-u1) comes from the value of z below.
|
|
// This is also:
|
|
// 4(s2-s1)² - 4h²(u1+u2) = 4(s2-s1)² - 4h³ - 4h²(2u1)
|
|
// = r² - j - 2v
|
|
// with the notations below.
|
|
h := &gfP{}
|
|
gfpSub(h, u2, u1)
|
|
|
|
gfpDouble(t, h)
|
|
// i = 4h²
|
|
i := &gfP{}
|
|
gfpSqr(i, t, 1)
|
|
// j = 4h³
|
|
j := &gfP{}
|
|
gfpMul(j, h, i)
|
|
|
|
gfpSub(t, s2, s1)
|
|
|
|
pointEq = h.Equal(zero) & t.Equal(zero)
|
|
|
|
r := &gfP{}
|
|
gfpDouble(r, t)
|
|
|
|
v := &gfP{}
|
|
gfpMul(v, u1, i)
|
|
|
|
// t4 = 4(s2-s1)²
|
|
t4, t6 := &gfP{}, &gfP{}
|
|
gfpSqr(t4, r, 1)
|
|
gfpDouble(t, v)
|
|
gfpSub(t6, t4, j)
|
|
|
|
gfpSub(&c.x, t6, t)
|
|
|
|
// Set y = -(2h)³(s1 + s*(x/4h²-u1))
|
|
// This is also
|
|
// y = - 2·s1·j - (s2-s1)(2x - 2i·u1) = r(v-x) - 2·s1·j
|
|
gfpSub(t, v, &c.x) // t7
|
|
gfpMul(t4, s1, j) // t8
|
|
gfpDouble(t6, t4) // t9
|
|
gfpMul(t4, r, t) // t10
|
|
gfpSub(&c.y, t4, t6)
|
|
|
|
// Set z = 2(u2-u1)·z1·z2 = 2h·z1·z2
|
|
gfpAdd(t, &a.z, &b.z) // t11
|
|
gfpSqr(t4, t, 1) // t12
|
|
gfpSub(t, t4, z12) // t13
|
|
gfpSub(t4, t, z22) // t14
|
|
gfpMul(&c.z, t4, h)
|
|
|
|
return pointEq
|
|
}
|