|
|
|
|
@ -18,9 +18,11 @@ struct MapToT { |
|
|
|
|
typedef mcl::Fp2T<Fp> Fp2; |
|
|
|
|
typedef mcl::EcT<Fp> G1; |
|
|
|
|
typedef mcl::EcT<Fp2> G2; |
|
|
|
|
Fp c1; // sqrt(-3)
|
|
|
|
|
Fp c2; // (-1 + sqrt(-3)) / 2
|
|
|
|
|
mpz_class cofactor; |
|
|
|
|
typedef util::HaveFrobenius<G2> G2withF; |
|
|
|
|
Fp c1_; // sqrt(-3)
|
|
|
|
|
Fp c2_; // (-1 + sqrt(-3)) / 2
|
|
|
|
|
mpz_class cofactor_; |
|
|
|
|
mpz_class z_; |
|
|
|
|
int legendre(const Fp& x) const |
|
|
|
|
{ |
|
|
|
|
return gmp::legendre(x.getMpz(), Fp::getOp().mp); |
|
|
|
|
@ -40,6 +42,14 @@ struct MapToT { |
|
|
|
|
x.a *= y; |
|
|
|
|
x.b *= y; |
|
|
|
|
} |
|
|
|
|
/*
|
|
|
|
|
P.-A. Fouque and M. Tibouchi, |
|
|
|
|
"Indifferentiable hashing to Barreto Naehrig curves," |
|
|
|
|
in Proc. Int. Conf. Cryptol. Inform. Security Latin Amer., 2012, vol. 7533, pp.1-17. |
|
|
|
|
|
|
|
|
|
w = sqrt(-3) t / (1 + b + t^2) |
|
|
|
|
Remark: throw exception if t = 0, c1, -c1 and b = 2 |
|
|
|
|
*/ |
|
|
|
|
template<class G, class F> |
|
|
|
|
void calc(G& P, const F& t) const |
|
|
|
|
{ |
|
|
|
|
@ -51,11 +61,11 @@ struct MapToT { |
|
|
|
|
*w.getFp0() += Fp::one(); |
|
|
|
|
if (w.isZero()) goto ERR_POINT; |
|
|
|
|
F::inv(w, w); |
|
|
|
|
mulFp(w, c1); |
|
|
|
|
mulFp(w, c1_); |
|
|
|
|
w *= t; |
|
|
|
|
for (int i = 0; i < 3; i++) { |
|
|
|
|
switch (i) { |
|
|
|
|
case 0: F::mul(x, t, w); F::neg(x, x); *x.getFp0() += c2; break; |
|
|
|
|
case 0: F::mul(x, t, w); F::neg(x, x); *x.getFp0() += c2_; break; |
|
|
|
|
case 1: F::neg(x, x); *x.getFp0() -= Fp::one(); break; |
|
|
|
|
case 2: F::sqr(x, w); F::inv(x, x); *x.getFp0() += Fp::one(); break; |
|
|
|
|
} |
|
|
|
|
@ -70,21 +80,48 @@ struct MapToT { |
|
|
|
|
throw cybozu::Exception("MapToT:calc:bad") << t; |
|
|
|
|
} |
|
|
|
|
/*
|
|
|
|
|
cofactor is for G2 |
|
|
|
|
Faster Hashing to G2 |
|
|
|
|
Laura Fuentes-Castaneda, Edward Knapp, Francisco Rodriguez-Henriquez |
|
|
|
|
section 6.1 |
|
|
|
|
for BN |
|
|
|
|
Q = zP + Frob(3zP) + Frob^2(zP) + Frob^3(P) |
|
|
|
|
= -(18x^3 + 12x^2 + 3x + 1)cofactor_ P |
|
|
|
|
*/ |
|
|
|
|
void init(const mpz_class& cofactor) |
|
|
|
|
void mulByCofactor(G2& Q, const G2& P) const |
|
|
|
|
{ |
|
|
|
|
if (!Fp::squareRoot(c1, -3)) throw cybozu::Exception("MapToT:init:c1"); |
|
|
|
|
c2 = (c1 - 1) / 2; |
|
|
|
|
this->cofactor = cofactor; |
|
|
|
|
#if 0 |
|
|
|
|
G2::mulGeneric(Q, P, cofactor_); |
|
|
|
|
#else |
|
|
|
|
#if 0 |
|
|
|
|
mpz_class t = -(1 + z_ * (3 + z_ * (12 + z_ * 18))); |
|
|
|
|
G2::mulGeneric(Q, P, t * cofactor_); |
|
|
|
|
#else |
|
|
|
|
G2 T0, T1, T2; |
|
|
|
|
/*
|
|
|
|
|
G2::mul (GLV method) can't be used because P is not on G2 |
|
|
|
|
*/ |
|
|
|
|
G2::mulGeneric(T0, P, z_); |
|
|
|
|
G2::dbl(T1, T0); |
|
|
|
|
T1 += T0; // 3zP
|
|
|
|
|
G2withF::Frobenius(T1, T1); |
|
|
|
|
G2withF::Frobenius2(T2, T0); |
|
|
|
|
T0 += T1; |
|
|
|
|
T0 += T2; |
|
|
|
|
G2withF::Frobenius3(T2, P); |
|
|
|
|
G2::add(Q, T0, T2); |
|
|
|
|
#endif |
|
|
|
|
#endif |
|
|
|
|
} |
|
|
|
|
/*
|
|
|
|
|
P.-A. Fouque and M. Tibouchi, |
|
|
|
|
"Indifferentiable hashing to Barreto Naehrig curves," in Proc. Int. Conf. Cryptol. Inform. Security Latin Amer., 2012, vol. 7533, pp.1-17. |
|
|
|
|
|
|
|
|
|
w = sqrt(-3) t / (1 + b + t^2) |
|
|
|
|
Remark: throw exception if t = 0, c1, -c1 and b = 2 |
|
|
|
|
cofactor_ is for G2 |
|
|
|
|
*/ |
|
|
|
|
void init(const mpz_class& cofactor, const mpz_class &z) |
|
|
|
|
{ |
|
|
|
|
if (!Fp::squareRoot(c1_, -3)) throw cybozu::Exception("MapToT:init:c1_"); |
|
|
|
|
c2_ = (c1_ - 1) / 2; |
|
|
|
|
cofactor_ = cofactor; |
|
|
|
|
z_ = z; |
|
|
|
|
} |
|
|
|
|
void calcG1(G1& P, const Fp& t) const |
|
|
|
|
{ |
|
|
|
|
calc<G1, Fp>(P, t); |
|
|
|
|
@ -96,11 +133,8 @@ struct MapToT { |
|
|
|
|
void calcG2(G2& P, const Fp2& t) const |
|
|
|
|
{ |
|
|
|
|
calc<G2, Fp2>(P, t); |
|
|
|
|
assert(cofactor != 0); |
|
|
|
|
/*
|
|
|
|
|
G2::mul (GLV method) can't be used because P is not on G2 |
|
|
|
|
*/ |
|
|
|
|
G2::mulGeneric(P, P, cofactor); |
|
|
|
|
assert(cofactor_ != 0); |
|
|
|
|
mulByCofactor(P, P); |
|
|
|
|
assert(!P.isZero()); |
|
|
|
|
} |
|
|
|
|
}; |
|
|
|
|
@ -435,7 +469,7 @@ struct ParamT : public util::CommonParamT<Fp> { |
|
|
|
|
void init(const CurveParam& cp = CurveFp254BNb, fp::Mode mode = fp::FP_AUTO) |
|
|
|
|
{ |
|
|
|
|
Common::initCommonParam(cp, mode, false); |
|
|
|
|
mapTo.init(2 * this->p - this->r); |
|
|
|
|
mapTo.init(2 * this->p - this->r, this->z); |
|
|
|
|
glv1.init(this->r, this->z); |
|
|
|
|
glv2.init(this->r, this->z); |
|
|
|
|
} |
|
|
|
|
|
MITSUNARI Shigeo
7 years ago