

Merge pull request #280 from relic-toolkit/fm18
Add initial support for FM18 curves.
dfaranha authored Nov 23, 2023
2 parents c5ac648 + 18d1396 commit 1b36887
Showing 29 changed files with 346 additions and 148 deletions.
2 changes: 1 addition & 1 deletion include/relic_core.h
Expand Up @@ -232,7 +232,7 @@ typedef struct _ctx_t {
/** Value of constant one in Montgomery form. */
bn_st one;
#endif /* FP_RDC == MONTY */
#if FP_INV == JUMPDS || !defined(STRIP)
#if FP_INV == JMPDS || !defined(STRIP)
/** Value of constant for divstep-based inversion. */
bn_st inv;
#endif /* FP_INV */
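Review bot: The old spelling `JUMPDS` was an undefined identifier, and the preprocessor silently evaluates an undefined name to 0 inside `#if FP_INV == JUMPDS || !defined(STRIP)`, so the `inv` field was presumably kept only through the `!defined(STRIP)` arm and disappeared from the context in STRIP builds without any diagnostic. The corrected `JMPDS` fixes that, but the same class of typo can return just as quietly; building with `-Wundef`, or adding a `#if !defined(JMPDS)` / `#error` guard where the method constants are defined, would turn the next one into a compile error. The enclosing `_ctx_t` struct starts and ends outside the hunk.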
8 changes: 5 additions & 3 deletions include/relic_ep.h
Expand Up @@ -65,14 +65,14 @@ enum {
EP_B12,
/* New family from Fotiadis-Martindale family with embedding degree 16. */
EP_N16,
/* Fotiadis-Martindale famile with embedding degree 16. */
/* Fotiadis-Martindale family with embedding degree 16. */
EP_FM16,
/* Kachisa-Schaefer-Scott family with embedding degree 16. */
EP_K16,
/* Fotiadis-Martindale family with embedding degree 18. */
EP_FM18,
/* Kachisa-Schaefer-Scott family with embedding degree 18. */
EP_K18,
/* Fotiadis-Martindale family with embedding degree 18. */
EP_FM18,
/* Scott-Guillevic family with embedding degree 18. */
EP_SG18,
/* Barreto-Lynn-Scott family with embedding degree 24. */
Expand Down Expand Up @@ -179,6 +179,8 @@ enum {
N16_P765,
/* Fotiadis-Moartindale with embedding degree 16. */
FM16_P765,
/* Fotiadis-Moartindale with embedding degree 18. */
FM18_P768,
/** Kachisa-Schaefer-Scott with embedding degree 16. */
K16_P766,
/** 1536-bit supersingular curve. */
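Review bot: The new comment on `FM18_P768` copies the `Moartindale` misspelling from the `FM16_P765` line above it and uses a plain `/*` where the neighbouring `K16_P766` entry uses Doxygen `/**`, so the new constant will be missing from generated documentation. Suggest `/** Fotiadis-Martindale with embedding degree 18. */`, and fixing the FM16 line to match while here. Both enums in this file start and end outside the visible hunks.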
10 changes: 0 additions & 10 deletions include/relic_epx.h
Expand Up @@ -459,16 +459,6 @@ typedef iso2_st *iso2_t;
#define ep2_dbl(R, P) ep2_dbl_projc(R, P);
#endif

/**
* Multiplies a point in an elliptic curve over a quadratic extension field by
* an unrestricted integer scalar. Computes R = [k]P.
*
* @param[out] R - the result.
* @param[in] P - the point to multiply.
* @param[in] K - the integer.
*/
#define ep2_mul_big(R, P, K) ep2_mul_basic(R, P, K)

/**
* Multiplies a point in an elliptic curve over a quadratic extension field.
* Computes R = [k]P.
2 changes: 2 additions & 0 deletions include/relic_fp.h
Expand Up @@ -160,6 +160,8 @@ enum {
N16_765,
/** 765-bit prime for FM curve with embeddind degree 16. */
FM16_765,
/** 768-bit prime for FM curve with embedding degree 18. */
FM18_768,
/** 766-bit prime for KSS curve with embedding degree 16. */
K16_766,
/** 1024-bit prime for CTIDH. */
2 changes: 2 additions & 0 deletions preset/x64-pbc-fm18-768.sh
@@ -0,0 +1,2 @@
#!/bin/sh
cmake -DWSIZE=64 -DRAND=UDEV -DSHLIB=OFF -DSTBIN=ON -DTIMER=CYCLE -DCHECK=off -DVERBS=off -DARITH=x64-asm-12l -DBN_PRECI=3072 -DFP_PRIME=768 -DFP_METHD="INTEG;INTEG;INTEG;MONTY;JMPDS;JMPDS;SLIDE" -DCFLAGS="-O3 -funroll-loops -fomit-frame-pointer -march=native -mtune=native" -DFP_PMERS=off -DFP_QNRES=off -DFPX_METHD="INTEG;INTEG;LAZYR" -DEP_PLAIN=off -DEP_SUPER=off -DPP_METHD="LAZYR;OATEP" -DWITH="ALL" $1
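Review bot: The cmake line forwards only `$1`, unquoted, so a caller cannot pass a source directory containing spaces or more than one extra argument without the rest being dropped or word-split; `"$@"` would forward everything intact. If the other preset scripts deliberately use `$1`, keeping it for consistency is reasonable, but then a short comment stating that the single argument is the source directory would help the next reader.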
9 changes: 9 additions & 0 deletions src/ep/relic_ep_mul.c
Expand Up @@ -461,6 +461,15 @@ void ep_mul_basic(ep_t r, const ep_t p, const bn_t k) {
return;
}

if (bn_bits(k) <= RLC_DIG) {
ep_mul_dig(r, p, k->dp[0]);
if (bn_sign(k) == RLC_NEG) {
ep_neg(r, r);
}
RLC_FREE(naf);
return;
}

RLC_TRY {
ep_new(t);
if (naf == NULL) {
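Review bot: The new single-digit shortcut in `ep_mul_basic` carries no comment explaining why it sits before `RLC_TRY`, why `naf` is released here, or why the sign is re-applied afterwards; the identical block added to `ep2_mul_basic` in src/epx/relic_ep2_mul.c has the same gap. Suggest `/* A scalar that fits in one digit goes through ep_mul_dig on its magnitude; the sign is applied afterwards. Nothing below is needed, so release naf here. */` above the `if`. The shortcut reads `k->dp[0]` directly, so it relies on the early return just above the hunk having already handled the zero scalar and the point at infinity — presumably it does, but that is not visible here. The function starts before the hunk and continues after it.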
69 changes: 30 additions & 39 deletions src/ep/relic_ep_mul_cof.c
Expand Up @@ -38,19 +38,22 @@
/*============================================================================*/

void ep_mul_cof(ep_t r, const ep_t p) {
ep_t v;
bn_t k;
bn_t l;
ep_t u, v;
bn_t k, l;

bn_null(k);
bn_null(l);
ep_null(u);
ep_null(v);

RLC_TRY {
bn_new(k);
bn_new(l);
ep_new(u);
ep_new(v);

fp_prime_get_par(k);

switch (ep_curve_is_pairf()) {
#if defined(EP_ENDOM) && !defined(STRIP)
case EP_BN:
Expand All @@ -61,53 +64,37 @@ void ep_mul_cof(ep_t r, const ep_t p) {
case EP_B48:
/* Multiply by (1-x) to get the correct group, as proven in
* Piellard. https://eprint.iacr.org/2022/352.pdf */
fp_prime_get_par(k);
bn_neg(k, k);
bn_add_dig(k, k, 1);
if (bn_bits(k) < RLC_DIG) {
ep_mul_dig(r, p, k->dp[0]);
} else {
ep_mul_basic(r, p, k);
}
ep_mul_basic(r, p, k);
break;
case EP_N16:
/* if (u % 2) == 0, compute = (u * (u**3+1)/2)*P
* else Compute (u * (u**3+1))*P */
fp_prime_get_par(k);
bn_sqr(l, k);
bn_mul(l, l, k);
bn_add_dig(l, l, 1);
bn_mul(k, l, k);
if (bn_is_even(k)) {
bn_hlv(k, k);
}
if (bn_bits(k) < RLC_DIG) {
ep_mul_dig(r, p, k->dp[0]);
} else {
ep_mul_basic(r, p, k);
}
ep_mul_basic(r, p, k);
break;
case EP_FM16:
/* Compute (u/2)*P + [u^3]*phi([u/2]P) */
fp_prime_get_par(k);
bn_sqr(l, k);
bn_mul(l, l, k);
if (bn_is_even(k)) {
bn_hlv(k, k);
}
if (bn_bits(k) < RLC_DIG) {
ep_mul_dig(r, p, k->dp[0]);
} else {
ep_mul_basic(r, p, k);
}
ep_mul_basic(r, p, k);
ep_psi(v, r);
ep_mul_basic(v, v, l);
ep_add(r, r, v);
ep_norm(r, r);
break;
case EP_K16:
/* Compute 1250*(P + [(u+1)/2]phi(P)) */
fp_prime_get_par(k);
bn_add_dig(k, k, 1);
bn_hlv(k, k);
ep_dbl(r, p);
Expand All @@ -119,32 +106,39 @@ void ep_mul_cof(ep_t r, const ep_t p) {
ep_norm(r, r);
ep_psi(v, r);
ep_neg(v, v);
if (bn_bits(k) < RLC_DIG) {
ep_mul_dig(v, v, k->dp[0]);
} else {
ep_mul_basic(v, v, k);
}
ep_mul_basic(v, v, k);
ep_add(r, r, v);
ep_norm(r, r);
break;
case EP_K18:
/* Compute 343*(P + [u+3]psi(P)). */
fp_prime_get_par(k);
bn_add_dig(k, k, 3);
ep_psi(v, p);
if (bn_bits(k) < RLC_DIG) {
ep_mul_dig(v, v, k->dp[0]);
} else {
ep_mul_basic(v, v, k);
}
ep_mul_basic(v, v, k);
ep_add(v, v, p);
ep_norm(r, v);
ep_mul_dig(r, r, 49);
ep_mul_dig(r, r, 7);
break;
case EP_FM18:
/* Compute S = [(u-1)/3]P, P - 2\phi(S) + [(u^2+u+1)*3 - 1]*S */
bn_sqr(l, k);
bn_add(l, l, k);
bn_add_dig(l, l, 1);
bn_mul_dig(l, l, 3);
bn_sub_dig(l, l, 1);
bn_sub_dig(k, k, 1);
bn_div_dig(k, k, 3);
ep_mul_basic(v, p, k);
ep_psi(u, v);
ep_dbl(u, u);
ep_sub(r, p, u);
ep_mul_basic(v, v, l);
ep_add(r, r, v);
ep_norm(r, r);
break;
case EP_SG18:
/* Compute [3u^2-1]P. */
fp_prime_get_par(k);
ep_mul_basic(v, p, k);
bn_mul_dig(k, k, 3);
ep_mul_basic(v, v, k);
Expand All @@ -155,17 +149,14 @@ void ep_mul_cof(ep_t r, const ep_t p) {
default:
/* multiply by cofactor to get the correct group. */
ep_curve_get_cof(k);
if (bn_bits(k) < RLC_DIG) {
ep_mul_dig(r, p, k->dp[0]);
} else {
ep_mul_basic(r, p, k);
}
ep_mul_basic(r, p, k);
}
} RLC_CATCH_ANY {
RLC_THROW(ERR_CAUGHT);
} RLC_FINALLY {
bn_free(k);
bn_free(l);
ep_free(u);
ep_free(v);
}
}
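Review bot: In the new `EP_FM18` case, `bn_div_dig(k, k, 3)` truncates silently, so the comment's `(u-1)/3` is only exact when the curve parameter satisfies u ≡ 1 (mod 3); nothing in the hunk documents or checks that, and a future parameter violating it would likely produce a point outside the target subgroup with no error. A comment such as `/* (u-1)/3 is exact for FM18 parameters (u = 1 mod 3). */` above the division, or a check that the remainder is zero before dividing, would make the assumption explicit. Since `fp_prime_get_par(k)` is now hoisted above the switch, a one-line `/* k = u, the curve parameter shared by every pairing-friendly case below. */` next to that call would also save readers of the later cases a trip back up.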
50 changes: 43 additions & 7 deletions src/ep/relic_ep_param.c
Expand Up @@ -699,6 +699,22 @@
/** @} */
#endif

#if defined(EP_ENDOM) && FP_PRIME == 768
/**
* Parameters for a 768-bit pairing-friendly prime curve.
*/
/** @{ */
#define FM18_P768_A "0"
#define FM18_P768_B "5"
#define FM18_P768_X "BC33688D1AC52E3CE122F5131A98EBE2271E327233E96D1F7B01C350B235C3923E79FCBB364C74541D1D0FAF3C9F5CA09B0CFB70175115C00E5BFF1C17ADD53970DF5513E1543A408B4D66239C4E8F5D3DA311BF7BDF98A0B8181C6E0FE13164"
#define FM18_P768_Y "6D10E9367FC30A56E1006948D6114574CFBB0AA19E3D830A30B48C08AA81BEAB976F2EA269348BE808B06D95DBA2F55924512BC165FD02585D62195DE45892563C998FF27CBFFCD0B8F3AA250C247C2EA2477F1EE5F1E37962C704165E1DE03F"
#define FM18_P768_R "FFFFFFF27FA00045F4380E5F9EE3795E88D88C72E7B408B61E4CA1FB2558E7C336F40FAAEC98807AF3600C06C0300001"
#define FM18_P768_H "FFFFFFF27FA00045F4380E5F9EE3795E88D88C72E7B408B51E4CA201E588E7B75B7161FCA67631F38EFABA0D80600001"
/** @} */
#endif



#if defined(EP_SUPER) && FP_PRIME == 1536
/**
* Parameters for a 1536-bit supersingular elliptic curve.
Expand Down Expand Up @@ -1167,6 +1183,13 @@ void ep_param_set(int param) {
pairf = EP_K16;
break;
#endif
#if defined(EP_ENDOM) && FP_PRIME == 768
case FM18_P768:
ASSIGN(FM18_P768, FM18_768);
endom = 1;
pairf = EP_FM18;
break;
#endif
#if defined(EP_SUPER) && FP_PRIME == 1536
case SS_P1536:
ASSIGN(SS_P1536, SS_1536);
Expand Down Expand Up @@ -1222,47 +1245,53 @@ void ep_param_set(int param) {
}
break;
case EP_B12:
/* lambda = z^2 - 1 */
/* lambda = u^2 - 1 */
bn_sqr(lamb, lamb);
bn_sub_dig(lamb, lamb, 1);
break;
case EP_N16:
case EP_FM16:
/* lambda = -z^4. */
/* lambda = -u^4. */
bn_sqr(lamb, lamb);
bn_sqr(lamb, lamb);
bn_neg(lamb, lamb);
break;
case EP_K16:
/* lambda = -(z^4 + 24)/7 */
/* lambda = -(u^4 + 24)/7 */
bn_sqr(t, lamb);
bn_sqr(lamb, t);
bn_add_dig(lamb, lamb, 24);
bn_div_dig(lamb, lamb, 7);
bn_neg(lamb, lamb);
break;
case EP_K18:
/* lambda = z^3 + 18 */
/* lambda = u^3 + 18 */
bn_sqr(t, lamb);
bn_mul(lamb, t, lamb);
bn_add_dig(lamb, lamb, 18);
break;
case EP_FM18:
/* lambda = u^3 - 1 */
bn_sqr(t, lamb);
bn_mul(lamb, lamb, t);
bn_sub_dig(lamb, lamb, 1);
break;
case EP_SG18:
/* lambda = -9z^3 - 2 */
/* lambda = -9u^3 - 2 */
bn_sqr(t, lamb);
bn_mul(lamb, t, lamb);
bn_mul_dig(lamb, lamb, 9);
bn_add_dig(lamb, lamb, 2);
bn_neg(lamb, lamb);
break;
case EP_B24:
/* lambda = z^4 - 1. */
/* lambda = u^4 - 1. */
bn_sqr(lamb, lamb);
bn_sqr(lamb, lamb);
bn_sub_dig(lamb, lamb, 1);
break;
case EP_B48:
/* lambda = z^8 - 1. */
/* lambda = u^8 - 1. */
bn_sqr(lamb, lamb);
bn_sqr(lamb, lamb);
bn_sqr(lamb, lamb);
Expand Down Expand Up @@ -1441,6 +1470,8 @@ int ep_param_set_any_endom(void) {
//ep_param_set(FM16_P765);
#elif FP_PRIME == 766
ep_param_set(K16_P766);
#elif FP_PRIME == 768
ep_param_set(FM18_P768);
#else
r = RLC_ERR;
#endif
Expand Down Expand Up @@ -1563,6 +1594,10 @@ int ep_param_set_any_pairf(void) {
ep_param_set(K16_P766);
type = RLC_EP_MTYPE;
extension = 4;
#elif FP_PRIME == 768
ep_param_set(FM18_P768);
type = RLC_EP_MTYPE;
extension = 3;
#elif FP_PRIME == 1536
ep_param_set(SS_P1536);
extension = 1;
Expand Down Expand Up @@ -1812,6 +1847,7 @@ int ep_param_embed(void) {
case EP_K16:
return 16;
case EP_K18:
case EP_FM18:
case EP_SG18:
return 18;
case EP_B24:
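Review bot: The header comment of the new parameter block, `Parameters for a 768-bit pairing-friendly prime curve.`, does not name the family, while every other comment this commit adds identifies it; suggest `/** Parameters for a 768-bit Fotiadis-Martindale pairing-friendly curve with embedding degree 18 (FM18). */`. The three blank lines left after the block's `#endif`, before the 1536-bit `EP_SUPER` block, are a style nit — one is enough. The `ep_param_set` switch on `pairf` and the two `ep_param_set_any_*` functions start and end outside the visible hunks.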
14 changes: 7 additions & 7 deletions src/epx/relic_ep2_dbl.c
Expand Up @@ -127,14 +127,14 @@ static void ep2_dbl_projc_imp(ep2_t r, const ep2_t p) {
fp2_null(t5);

RLC_TRY {
if (ep_curve_opt_a() == RLC_ZERO) {
fp2_new(t0);
fp2_new(t1);
fp2_new(t2);
fp2_new(t3);
fp2_new(t4);
fp2_new(t5);
fp2_new(t0);
fp2_new(t1);
fp2_new(t2);
fp2_new(t3);
fp2_new(t4);
fp2_new(t5);

if (ep_curve_opt_a() == RLC_ZERO) {
fp2_sqr(t0, p->x);
fp2_add(t2, t0, t0);
fp2_add(t0, t2, t0);
9 changes: 9 additions & 0 deletions src/epx/relic_ep2_mul.c
Expand Up @@ -181,6 +181,15 @@ void ep2_mul_basic(ep2_t r, const ep2_t p, const bn_t k) {
return;
}

if (bn_bits(k) <= RLC_DIG) {
ep2_mul_dig(r, p, k->dp[0]);
if (bn_sign(k) == RLC_NEG) {
ep2_neg(r, r);
}
RLC_FREE(naf);
return;
}

RLC_TRY {
ep2_new(t);
if (naf == NULL) {

