Let us walk on the 3-isogeny graph
Loading...
Searching...
No Matches
elligator.c File Reference
#include "elligator.h"
Include dependency graph for elligator.c:

Go to the source code of this file.

Functions

void elligator (proj *plus, proj *minus, const proj *A)
void elligator_seeded (proj *Tp, proj *Tm, proj const *A, fp const *u)

Function Documentation

◆ elligator()

void elligator ( proj * plus,
proj * minus,
const proj * A )

Definition at line 6 of file elligator.c.

7{
8 for (;;) {
9 fp u;
10 fp_random(u);
11 // memset(u, 1, sizeof(u));
12
13 // long long reject = fp_iszero(&u);
14 long long reject = fp_iszero(u);
15 // crypto_declassify(&reject,sizeof reject);
16 if (reject) continue; /* bad RNG outputs 0 */
17
18 fp u2; fp_sq2(&u2,(const fp*) &u);
19 fp D = {0}; fp_sub3(&D,(const fp*) &u2,&fp_1);
20
21 // reject = fp_iszero(&D);
22
23 reject = fp_iszero(D);
24 // crypto_declassify(&reject,sizeof reject);
25 if (reject) continue; /* bad RNG outputs +-1 */
26
27 fp M; fp_mul3(&M,&A->x,(const fp*) &u2); /* M = u^2 A->x */
28 fp T; fp_mul3(&T,&A->x,(const fp*) &M); /* T = u^2 A->x^2 */
29
30 // long long control = fp_iszero(&A->x);
31 long long control = fp_iszero(A->x);
32 fp P;
33 fp_copy(P, A->x);
34 fp_cmov_ctidh(&P,&fp_1,control); /* P = 1 if A->x = 0 else A->x */
35 fp_cmov_ctidh(&M,&fp_1,control); /* M = 1 if A->x = 0 else u^2 A->x */
36 fp_cmov_ctidh(&T,&fp_1,control); /* T = 1 if A->x = 0 */
37
38 fp_mul2(&D,&A->z); /* D = (u^2-1) A->z */
39
40 fp D2; fp_sq2(&D2,(const fp*) &D); /* D2 = (u^2-1)^2 A->z^2 */
41
42 fp_add2(&T,(const fp*) &D2); /* T = 1 + (u^2-1)^2 A->z^2 if A->x = 0, else u^2 A->x^2 + (u^2-1)^2 A->z^2 */
43 fp_mul2(&T,(const fp*) &D);
44 fp_mul2(&T,(const fp*) &P);
45 /* T = (u^2-1)A->z(1+(u^2-1)^2 A->z^2) if A->x = 0 */
46 /* else (u^2-1) A->z A->x(u^2 A->x^2 + (u^2-1)^2 A->z^2) */
47
48 /* plus point will be P/D = 1/(u^2-1)A->z if A->x = 0 else A/(u^2-1) */
49 /* and minus point will be -M/D = -1/(u^2-1)A->z if A->x = 0 else -u^2 A/(u^2-1) */
50 /* unless they're flipped, which is determined by T */
51
52 /* T = Az^4 (1-u^2)^4 ((P/D)^3+A(P/D)^2+(P/D)) */
53 /* so T squareness says whether P/D is on curve */
54
55 /* also says whether -M/D is not on curve: */
56 /* in all cases -M/D = -P/D-A */
57 /* so (-M/D)^3+A(-M/D)^2+(-M/D) = (-P/D-A)^3+A(-P/D-A)^2+(-P/D-A) */
58 /* = ((P/D)^3+A(P/D)^2+(P/D)) (-1-AD/P) */
59 /* and by construction -1-AD/P is a non-square */
60 /* since it's -1 if A=0, else -u^2 */
61
62 fp_copy(plus->x, P);
63 fp_neg2(&minus->x,(const fp*) &M);
64
65
66
67// x0 = plus->x;
68// y0 = minus->x;
69
70 // test x0, y0;
71 // x0[0] = 1;
72 // y0[0] = 2;
73
74
75 fp_cswap(plus->x,minus->x,1-fp_sqrt(&T));
76
77
78 fp_copy(plus->z, D);
79 fp_copy(minus->z, D);
80
81 return;
82 }
83}
fp
uint64_t fp[NUMBER_OF_WORDS]
Definition fp-gmp.h:22
fp_1
#define fp_1
Definition fp-gmp.h:48
fp_copy
#define fp_copy
Definition fp-gmp.h:79
fp_cswap
#define fp_cswap
Definition fp-gmp.h:82
fp_random
#define fp_random
Definition fp-gmp.h:85
fp_sqrt
void fp_sqrt(fp_t output, const fp_t input)
Definition fp.c:168
tests.A
A
Definition tests.py:29
proj::z
fp z
Definition proj.h:20
proj::x
fp x
Definition proj.h:19

References fp_1, fp_copy, fp_cswap, fp_random, fp_sqrt(), proj::x, and proj::z.

Here is the call graph for this function:

◆ elligator_seeded()

void elligator_seeded ( proj * Tp,
proj * Tm,
proj const * A,
fp const * u )

Definition at line 86 of file elligator.c.

87{
88 fp Ap, C_times_u_squared_minus_one, AC_times_u_squared_minus_one,
89 u_squared, u_squared_plus_one, u_squared_minus_one,
90 alpha, beta, tmp, aux;
91
92 fp_add(Ap, A->x, A->x);
93 fp_sub(Ap, Ap, A->z);
94 fp_add(Ap, Ap, Ap);
95
96 fp_sqr(u_squared, *u);
97
98 fp_add(u_squared_plus_one, u_squared, fp_1);
99 fp_sub(u_squared_minus_one, u_squared, fp_1);
100
101 fp_mul(C_times_u_squared_minus_one, A->z, u_squared_minus_one);
102 fp_mul(AC_times_u_squared_minus_one, Ap, C_times_u_squared_minus_one);
103
104 fp_sqr(tmp, Ap);
105 fp_mul(tmp, tmp, u_squared);
106 fp_sqr(aux, C_times_u_squared_minus_one);
107 fp_add(tmp, tmp, aux);
108 fp_mul(tmp, AC_times_u_squared_minus_one, tmp);
109
110 fp_set0(alpha);
111 fp_copy(beta, *u);
112 fp_cswap(alpha, beta, fp_iszero(tmp));
113 fp_mul(u_squared_plus_one, alpha, u_squared_plus_one);
114 fp_mul(alpha, alpha, C_times_u_squared_minus_one);
115
116 fp_add(Tp->x, Ap, alpha);
117 fp_mul(Tm->x, Ap, u_squared);
118 fp_add(Tm->x, Tm->x, alpha);
119 fp_sub(Tm->x, fp_0, Tm->x);
120
121 fp_add(tmp, tmp, u_squared_plus_one);
122 fp_cswap(Tp->x, Tm->x, 1 - fp_issquare(tmp));
123
124 fp_copy(Tp->z, C_times_u_squared_minus_one);
125 fp_copy(Tm->z, C_times_u_squared_minus_one);
126}
fp_sqr
#define fp_sqr
Definition fp-gmp.h:73
fp_sub
#define fp_sub
Definition fp-gmp.h:67
fp_mul
#define fp_mul
Definition fp-gmp.h:70
fp_issquare
#define fp_issquare
Definition fp-gmp.h:76
fp_0
#define fp_0
Definition fp-gmp.h:50
fp_add
#define fp_add
Definition fp-gmp.h:64

References fp_0, fp_1, fp_add, fp_copy, fp_cswap, fp_issquare, fp_mul, fp_sqr, fp_sub, proj::x, and proj::z.