Refactor hashing to curves with a = 0.

relic-toolkit · Jul 11, 2023 · 67ef519 · 67ef519
1 parent 5d60890
commit 67ef519
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 45 deletions.
diff --git a/include/relic_core.h b/include/relic_core.h
@@ -274,7 +274,7 @@ typedef struct _ctx_t {
 	/** The distinguished non-square used by the mapping function */
 	fp_st ep_map_u;
 	/** Precomputed constants for hashing. */
-	fp_st ep_map_c[6];
+	fp_st ep_map_c[7];
 #ifdef EP_ENDOM
 #if EP_MUL == LWNAF || EP_FIX == COMBS || EP_FIX == LWNAF || EP_SIM == INTER || !defined(STRIP)
 	/** Parameters required by the GLV method. @{ */
@@ -379,8 +379,6 @@ typedef struct _ctx_t {
 	bn_st ep4_r;
 	/** The cofactor of the group order in the elliptic curve. */
 	bn_st ep4_h;
-	/** The constants needed for hashing. */
-	fp4_t ep4_map_c[2];
 	/** Optimization identifier for the a-coefficient. */
 	int ep4_opt_a;
 	/** Optimization identifier for the b-coefficient. */

diff --git a/src/ep/relic_ep_curve.c b/src/ep/relic_ep_curve.c
@@ -92,6 +92,7 @@ static void ep_curve_set_map(void) {
 	dig_t *c3 = ctx->ep_map_c[3];
 	dig_t *c4 = ctx->ep_map_c[4];
 	dig_t *c5 = ctx->ep_map_c[5];
+	dig_t *c6 = ctx->ep_map_c[6];
 
 	RLC_TRY {
 		bn_new(t);
@@ -200,6 +201,11 @@ static void ep_curve_set_map(void) {
 			fp_exp(c4, c4, t);
 			fp_inv(c4, c4);
 			fp_exp_dig(c5, c5, r);
+			/* Compute 1/sqrt(-1) as well. */
+			fp_set_dig(c6, 1);
+			fp_neg(c6, c6);
+			fp_srt(c6, c6);
+			fp_inv(c6, c6);
 		}
 
 		/* If a = 0, precompute and store a square root of -3. */

diff --git a/src/ep/relic_ep_map.c b/src/ep/relic_ep_map.c
@@ -245,7 +245,6 @@ void ep_map_swift(ep_t p, const uint8_t *msg, size_t len) {
 	bn_t k;
 
 	bn_null(k);
-	bn_null(n);
 	fp_null(c);
 	fp_null(t);
 	fp_null(u);
@@ -307,7 +306,7 @@ void ep_map_swift(ep_t p, const uint8_t *msg, size_t len) {
 			fp_mul(z1, z1, c);
 			fp_mul(z1, z1, ep_curve_get_a());
 			fp_dbl(z1, z1);
-			/* v = num2 = c^4*t0^8 - 2*c^2t0^4t1^4 + t1^8 - 16*a^3*c^2*/
+			/* v = num2 = c^4*t0^8 - 2*c^2t0^4*t1^4 + t1^8 - 16*a^3*c^2*/
 			fp_sub(v, y1, x1);
 			fp_add(v, v, y);
 			fp_sub(v, v, z1);
@@ -317,8 +316,8 @@ void ep_map_swift(ep_t p, const uint8_t *msg, size_t len) {
 			fp_sub(w, w, y1);
 			fp_sub(w, w, y1);
 			fp_sub(w, w, y1);
-			fp_mul(w, w, c);
 			fp_mul(w, w, u);
+			fp_mul(w, w, c);
 			fp_mul(w, w, ep_curve_get_a());
 			/* z1 = num1 = t1 * ac^2(c^4t0^8 + 2c^2t0^4*t1^4 - 3^t1^8 + 16a^3c^2)*/
 			fp_sub(z1, z1, y);
@@ -330,10 +329,11 @@ void ep_map_swift(ep_t p, const uint8_t *msg, size_t len) {
 			fp_mul(z1, z1, c);
 			fp_mul(z1, z1, c);
 			fp_mul(z1, z1, ep_curve_get_a());
-			/* v2 = num2/den = z1/w. */
+			/* v2 = num2/den = v/w. */
 			fp_mul(w, w, p->z);
 			fp_mul(z1, z1, p->z);
 			fp_mul(v, v, p->z);
+			fp_inv(v, v);
 
 			bn_read_raw(k, fp_prime_get(), RLC_FP_DIGS);
 			if ((k->dp[0] & 0xF) == 5) {
@@ -343,55 +343,80 @@ void ep_map_swift(ep_t p, const uint8_t *msg, size_t len) {
 			} else if ((k->dp[0] & 0xF) == 13) {
 				/* n = (p + 3)/16 */
 				bn_add_dig(k, k, 3);
+			} else {
+				RLC_THROW(ERR_NO_VALID);
 			}
 			bn_rsh(k, k, 4);
-			/* Compute x1 = f = t^3 + a*t = t(t^2 + a). */
+			/* Compute x1 = f = (1/v2)^3 + a*(1/v2) = (1/v2)((1/v2)^2 + a). */
 			fp_sqr(x1, v);
 			fp_add(x1, x1, ep_curve_get_a());
 			fp_mul(x1, x1, v);
-			/* Compute y = theta, w = theta^4. */
+			/* Compute y = theta, zp = theta^4. */
 			fp_exp(y, x1, k);
-			fp_sqr(w, y);
-			fp_sqr(w, w);
+			fp_sqr(p->z, y);
+			fp_sqr(p->z, p->z);
+			/* Perform the base change from (t0,t1) to (u0, u1). */
+			fp_sqr(u, u);
+			fp_mul(u, u, c);
+			fp_sqr(t, t);
+			fp_mul(t, t, c);
 			/* Compute c = i^r * f. */
 			fp_mul(c, ctx->ep_map_c[5], x1);
-			/* TODO: sorting + endomorphisms */
 			fp_copy(p->x, v);
 			fp_sqr(p->y, y);
-			fp_set_dig(p->z, 1);
 			p->coord = BASIC;
+			/* We use zp as temporary, but there is no problem with \psi. */
+			int index = 0;
+			fp_copy(y1, u);
+			/* Make the following constant-time. */
+			for (int m = 0; m < 4; m++) {
+				fp_mul(y1, y1, ctx->ep_map_c[5]);
+				index += (fp_bits(y1) < fp_bits(u));
+			}
+			for (int m = 0; m < index; m++) {
+				ep_psi(p, p);
+			}
 			fp_neg(y1, x1);
 			/* Compute 1/d * 1/theta. */
 			fp_inv(y, y);
 			fp_mul(y, y, ctx->ep_map_c[4]);
-			dig_t c0 = fp_cmp(w, x1);
-			dig_t c1 = fp_cmp(w, y1);
-			dig_t c2 = fp_cmp(w, c);
+			dig_t c0 = fp_cmp(p->z, x1) == RLC_EQ;
+			dig_t c1 = fp_cmp(p->z, y1) == RLC_EQ;
+			dig_t c2 = fp_cmp(p->z, c) == RLC_EQ;
 			fp_neg(c, c);
-			dig_t c3 = fp_cmp(w, c);
-			c2 = (c0 != RLC_EQ) && (c1 != RLC_EQ) && (c2 == RLC_EQ);
-			c3 = (c0 != RLC_EQ) && (c1 != RLC_EQ) && (c2 != RLC_EQ) && (c3 == RLC_EQ);
+			dig_t c3 = fp_cmp(p->z, c) == RLC_EQ;
+			c2 = !c0 && !c1 && c2;
+			c3 = !c0 && !c1 && !c2 && c3;
+			fp_copy(p->z, ctx->ep_map_c[6]);
+			fp_mul(p->z, p->z, p->y);
+			dv_copy_cond(p->y, p->z, RLC_FP_DIGS, c1);
 			fp_copy(y1, ctx->ep_map_c[4]);
-			/* Compute (x,y) = (x0/(d\theta)^2, y0/(d\theta)^3). */
-			fp_mul(w, w, y);
-			fp_sqr(y, y);
-			fp_mul(u, u, y);
+			/* Convert from projective coordinates on the surface to affine. */
+			fp_mul(u, u, v);
+			fp_mul(t, t, v);
+			fp_sqr(v, v);
+			fp_mul(w, w, v);
+			fp_mul(z1, z1, v);
+			/* Compute (x,y) = (x0/(d*theta)^2, y0/(d*theta)^3). */
+			fp_sqr(y1, y);
+			fp_mul(u, u, y1);
 			fp_mul(w, w, y);
+			fp_mul(w, w, y1);
 			dv_copy_cond(p->x, u, RLC_FP_DIGS, c2);
 			dv_copy_cond(p->y, w, RLC_FP_DIGS, c2);
-			/* Compute (x,y) = (x1/(d^3\theta)^2, y1/(d^3\theta)^3). */
+			/* Compute (x,y) = (x1/(d^3*theta)^2, y1/(d^3*theta)^3). */
+			fp_mul(z1, z1, y);
+			fp_mul(t, t, y1);
+			fp_mul(z1, z1, y1);
+			fp_sqr(y, ctx->ep_map_c[4]);
 			fp_mul(z1, z1, y);
 			fp_sqr(y, y);
 			fp_mul(t, t, y);
 			fp_mul(z1, z1, y);
-			fp_sqr(y1, y1);
-			fp_mul(z1, z1, y1);
-			fp_sqr(y1, y1);
-			fp_mul(t, t, y1);
-			fp_mul(z1, z1, y1);
 			dv_copy_cond(p->x, t, RLC_FP_DIGS, c3);
 			dv_copy_cond(p->y, z1, RLC_FP_DIGS, c3);
 			/* Multiply by cofactor. */
+			fp_set_dig(p->z, 1);
 			ep_mul_cof(p, p);
 		} else {
 			/* This is the SwiftEC case per se. */
@@ -469,7 +494,6 @@ void ep_map_swift(ep_t p, const uint8_t *msg, size_t len) {
 	}
 	RLC_FINALLY {
 		bn_free(k);
-		bn_free(n);
 		fp_free(c);
 		fp_free(t);
 		fp_free(u);

diff --git a/src/epx/relic_ep4_curve.c b/src/epx/relic_ep4_curve.c
@@ -424,19 +424,6 @@ void ep4_curve_set_twist(int type) {
 			}
 		}
 
-		/* if b = 0, precompute sqrt(-1) and 3*a^2 for hashing. */
-		if (ep4_curve_opt_b() == RLC_ZERO) {
-			ep4_curve_get_a(ctx->ep4_map_c[0]);
-			fp4_neg(ctx->ep4_map_c[0], ctx->ep4_map_c[0]);
-			fp4_sqr(ctx->ep4_map_c[0], ctx->ep4_map_c[0]);
-			fp4_dbl(ctx->ep4_map_c[1], ctx->ep4_map_c[0]);
-			fp4_add(ctx->ep4_map_c[0], ctx->ep4_map_c[0], ctx->ep4_map_c[1]);
-
-			fp4_set_dig(ctx->ep4_map_c[1], 1);
-			fp4_neg(ctx->ep4_map_c[1], ctx->ep4_map_c[1]);
-			fp4_srt(ctx->ep4_map_c[1], ctx->ep4_map_c[1]);
-		}
-
 #if defined(WITH_PC)
 		/* Compute pairing generator. */
 		pc_core_calc();

diff --git a/src/epx/relic_ep4_map.c b/src/epx/relic_ep4_map.c
@@ -86,7 +86,10 @@ void ep4_map(ep4_t p, const uint8_t *msg, size_t len) {
 
 			ep4_curve_get_a(a);
 			fp4_neg(a, a);
-			fp4_copy(c, ctx->ep4_map_c[0]);
+			/* Compute c = 3a^2, t = 9a^2u. */
+			fp4_sqr(c, a);
+			fp4_dbl(t, c);
+			fp4_add(c, c, t);
 			fp4_dbl(t, c);
 			fp4_add(t, t, c);
 			fp4_mul(t, t, u);
@@ -132,7 +135,8 @@ void ep4_map(ep4_t p, const uint8_t *msg, size_t len) {
 			dv_copy_cond(t[1][1], y1[1][1], RLC_FP_DIGS, !c1);
 
 			/* Compute x = 2^4*i*3*a^2*u / (3*(3*u^2 - a))^2. */
-			fp4_copy(y, ctx->ep4_map_c[1]);
+			fp4_zero(y);
+			fp_copy(y[0][0], ctx->ep_map_c[6]);
 			fp4_mul(c, c, u);
 			for (int i = 0; i < 2; i++) {
 				for (int j = 0; j < 2; j++) {